I am running Windows XP Service Pack 2, with McAfee 8.5.0i, Scan Engine 5200.2160. A few days back while I visited the website associated with a scientific publisher, McAfee started complaining about viruses and deleting them. I ran the virus scan and it found a whole bunch of viruses that it deleted. I then ran Spybot and Ad-Aware and they also found different malware. The trojans were named PWS-LegMir.gen.h, New Malware.n, PWS-OnlineGames.l.gen, PWS-Mmorpg.gen and similar.

When I rebooted after some time McAfee had similar complaints. I rebooted in safe mode and repeated the scans and again similar trojans were found. On rebooting in normal mode McAfee again started giving popup messages. In the task manager I saw a couple of suspicious processes like arp.exe, which was not running from the Windows system folder, and gpr21.exe, which was running from the Windows system folder. On killing these processes, some other process will pop up with similar names and the whole cycle repeats: the trojans are downloaded, McAfee kills some of them and so on.

If I unplug the network cable immediately after startup then these trojans are not downloaded. The moment I plug in the network cable there is an immediate spike in the activity of one of the processes, sometimes it is svchost.exe, and then McAfee starts giving those pop-up messages. At one point Windows complained that some system files seem to have been changed and asked for the Service Pack 2 CD, but when I insert the CD while running sfc it does not recognize it as the right one. HijackThis log follows. Any help will be appreciated.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:43:52 PM, on 6/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
D:\ghost\ngctw32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\ImageMate CompactFlash USB\SandIcon.Exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Spybot\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
G:\setup.exe
C:\WINDOWS\notepad.exe
E:\wa\MalwareRemoval\IttyBitty Process Manager\IBProcMan.exe
C:\WINDOWS\system32\rundll32.exe
E:\wa\MalwareRemoval\IttyBitty Process Manager\IBProcMan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 128.210.61.52 cyto
O1 - Hosts: 128.210.61.52 pucl
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: erxyaloe.dll - {10909876-4567-3908-4056-909834565101} - C:\WINDOWS\system32\erxyaloe.dll
O2 - BHO: apzhbtde.dll - {2D698451-2015-6358-9871-2015987452D2} - C:\WINDOWS\system32\apzhbtde.dll
O2 - BHO: yxcschlp.dll - {35671234-7890-ABCD-CDEF-567801237653} - C:\WINDOWS\system32\yxcschlp.dll
O2 - BHO: nhmxcjkl.dll - {37AC9076-C898-B098-D098-A18319080973} - C:\WINDOWS\system32\nhmxcjkl.dll
O2 - BHO: zptlcsys.dll - {50940F85-F015-14F1-A05F-F69858AC6D05} - C:\WINDOWS\system32\zptlcsys.dll
O2 - BHO: ptjhehlp.dll - {528DF602-9541-A985-210A-984A698C6F25} - C:\WINDOWS\system32\ptjhehlp.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\Spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: ozfyebyt.dll - {5A069845-2036-6084-9054-6087502480A5} - C:\WINDOWS\system32\ozfyebyt.dll
O2 - BHO: oohxdbyt.dll - {5B1AEF69-DDAE-FDAD-DCAB-698F026ABDB5} - C:\WINDOWS\system32\oohxdbyt.dll
O2 - BHO: apsgejba.dll - {5FD45A54-9875-698F-E56E-65102358FDF5} - C:\WINDOWS\system32\apsgejba.dll
O2 - BHO: zxmscwin.dll - {6A041F13-A111-12A3-B0CF-F99818AA68A6} - C:\WINDOWS\system32\zxmscwin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: yzztimsn.dll - {9490415F-65F8-B5C5-D8BA-9405FB120549} - C:\WINDOWS\system32\yzztimsn.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SandIcon] C:\ImageMate CompactFlash USB\SandIcon.Exe
O4 - HKLM\..\Run: [NGClient] D:\ghost\ngctw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDEG32] LYLoader.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDWG32] LYLoadbr.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDCG32 ] LYLeador.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDOG32] LYLoador.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDSG32] LYLoadar.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDMG32] LYLoadmr.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDHG32] LYLoadhr.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDQG32] LYLoadqr.exe
O4 - HKLM\..\Policies\Explorer\Run: [kcomi] kcomi32.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\OFFICE~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PUBLIS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\Spybot\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\Spybot\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9563.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...6/client/wuweb_site.cab?1200524037343
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...x86/client/muweb_site.cab?1200636760890
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://128.210.160.3/activex/AxisCamControl.cab
O20 - AppInit_DLLs: utgnehz.dll,nauhgnem.dll,auhad.dll,nuygnef.dll,uohsom.dll,uyom.dll,gnolnait.dll,ijiq.dll,ijougiemnaw.dll,iemnaw.dll,niluw.dll,naixuhz.dll,xhtd.dll,oadgnohiac.dll,iqnauhc.dll,nahzij.dll,gnefnaib.dll,gsqq.dll,3auhad.dll,naijoad.dll,aixauh.dll,xhqq.dll,QQ.dll,hjxr.dll,zqhs.dll,oadnew.dll,dgzg.dll,hz.dll,2ty.dll,jsfg.dll,rj.dll,fmxh.dll,jmx.dll,wtwx.dll,ddtj.dll,fz.dll,gnaixnauhuoyizqq.dll,gnaixnauhqq.dll,2nauygniqaixnaij.dll,naijihzeuyouhz.dll,uyomielnux.dll,vlihzouhgnfe.dll,sfhx.dll,eve.dll,jsqc.dll,wtiemnaw.dll,dqncj.dll,yzztimsn.dll,nhmxcjkl.dll
O21 - SSODL: midimaptl - {4F4F0064-71E0-4f0d-0017-708476C7815F} - (no file)
O21 - SSODL: midimapmy - {4F4F0064-71E0-4f0d-0015-708476C7815F} - C:\WINDOWS\system32\midimapmy.dll (file missing)
O21 - SSODL: midimapjr - {4F4F0064-71E0-4f0d-0012-708476C7815F} - C:\WINDOWS\system32\midimapjr.dll (file missing)
O21 - SSODL: midimapzt - {4F4F0064-71E0-4f0d-0001-708476C7815F} - C:\WINDOWS\system32\midimapzt.dll
O21 - SSODL: midimappt - {4F4F0064-71E0-4f0d-0021-708476C7815F} - C:\WINDOWS\system32\midimappt.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apache2.2 - Apache Software Foundation - E:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - D:\ghost\ngctw32.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: ZipToA - Unknown owner - C:\WINDOWS\System32\ZipToA.exe (file missing)
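The log above is long, and the entries that explain the respawning behaviour the poster describes are scattered across four sections: unbranded BHOs in system32 (O2), autostarts under Policies\Explorer\Run (O4), a huge AppInit_DLLs list that injects DLLs into every process (O20), and registered components whose files are already gone (O21, O23). The following Python script is an added triage example, not part of the original post and not HijackThis's own code; the four heuristics are my own, and the sample log is a constructed excerpt built from a handful of the post's entries so the script runs offline.

```python
import re

# Constructed excerpt in HijackThis log format. The entries copy section codes,
# CLSIDs and file names from the log posted above but are trimmed to a few
# lines; this is sample input for the script, not a complete log.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: erxyaloe.dll - {10909876-4567-3908-4056-909834565101} - C:\WINDOWS\system32\erxyaloe.dll
O2 - BHO: yzztimsn.dll - {9490415F-65F8-B5C5-D8BA-9405FB120549} - C:\WINDOWS\system32\yzztimsn.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDEG32] LYLoader.exe
O4 - HKLM\..\Policies\Explorer\Run: [kcomi] kcomi32.exe
O20 - AppInit_DLLs: utgnehz.dll,nauhgnem.dll,yzztimsn.dll,nhmxcjkl.dll
O21 - SSODL: midimapmy - {4F4F0064-71E0-4f0d-0015-708476C7815F} - C:\WINDOWS\system32\midimapmy.dll (file missing)
O21 - SSODL: midimapzt - {4F4F0064-71E0-4f0d-0001-708476C7815F} - C:\WINDOWS\system32\midimapzt.dll
O23 - Service: ZipToA - Unknown owner - C:\WINDOWS\System32\ZipToA.exe (file missing)
"""

ENTRY_RE = re.compile(r"^([OR]\d+)\s+-\s+(.*)$")
BHO_RE = re.compile(r"^BHO:\s*(.+?)\s+-\s+\{[0-9A-Fa-f-]+\}\s+-\s+(.+)$")
RUN_RE = re.compile(r"\[([^\]]*)\]\s*(.+)$")


def parse_entries(text):
    """Split a HijackThis log into (section, body) pairs; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def appinit_dlls(entries):
    """Return the lower-cased DLL names from the O20 AppInit_DLLs entry, if any."""
    for section, body in entries:
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            raw = body.split(":", 1)[1]
            return [d.strip().lower() for d in raw.split(",") if d.strip()]
    return []


def triage(text):
    """Apply four heuristics and return a list of (section, item, reason) findings."""
    entries = parse_entries(text)
    appinit = set(appinit_dlls(entries))
    findings = []
    for section, body in entries:
        if section == "O2":
            m = BHO_RE.match(body)
            if not m:
                continue
            name, path = m.group(1), m.group(2)
            fname = path.rsplit("\\", 1)[-1].lower()
            reasons = []
            # A BHO whose display name is just its own DLL file name, living in
            # system32, carries no vendor branding; legitimate BHOs rarely do that.
            if name.lower() == fname and "\\system32\\" in path.lower():
                reasons.append("BHO display name is its own DLL in system32")
            # The same DLL is also injected into every process via AppInit_DLLs.
            if fname in appinit:
                reasons.append("DLL also listed in AppInit_DLLs")
            if reasons:
                findings.append((section, fname, "; ".join(reasons)))
        elif section == "O4" and "Policies\\Explorer\\Run" in body:
            # Policies\Explorer\Run is a policy key; ordinary software does not
            # register autostarts there, so each entry deserves a look.
            m = RUN_RE.search(body)
            item = m.group(2).strip() if m else body
            findings.append((section, item, "autostart via Policies\\Explorer\\Run"))
        elif section == "O20" and appinit:
            findings.append((section, f"{len(appinit)} DLLs", "non-empty AppInit_DLLs"))
        elif section in ("O21", "O23") and "(file missing)" in body:
            # Still registered, file already gone: a scanner removed it, or the
            # loader rotates file names between restarts.
            item = body.rsplit(" - ", 1)[-1].replace(" (file missing)", "")
            findings.append((section, item, "registered component whose file is missing"))
    return findings


if __name__ == "__main__":
    for section, item, reason in triage(SAMPLE_LOG):
        print(f"{section:<4} {item:<45} {reason}")
```

Run against the full log above, the O2 and O20 checks flag the same nhmxcjkl.dll and yzztimsn.dll twice (once as a BHO, once as an AppInit DLL), which is the cross-reference a human reviewer would otherwise have to make by hand; the O4 check lists all nine Policies\Explorer\Run loaders. The script only reads a saved log, so it is safe to run on a clean machine against a log copied from the infected one.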