I think one of my nieces heard that the Sysinternals Bluescreen screensaver would be funny to download on my computer and did so without my knowledge. Now, my desktop background is replaced with a blue background and a "VIRUS ALERT". My screensaver is now defaulted to the stupid Bluescreen one. I also have Antivirus XP 2008 which I can't get rid of as well as IE ads randomly popping up. Right clicking on the desktop shows that I do not have the option tabs to change my display nor my screensaver anymore and my font is different now. I tried Ad-aware as well as a post from Quietman7 that gave directions to first use Anti-Malware, then use ATFcleaner in safe mode and wind up using SuperAntiSpyware. These seemed to have found the bad stuff and gotten rid of it but on reboot, it all comes back again.
Here is my hijackthis log:

C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Write DVD!\saimon.exe
F:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\lphc35sj0en59.exe
C:\Program Files\rhc75sj0en59\rhc75sj0en59.exe
C:\WINDOWS\??stem\j?vaw.exe
C:\WINDOWS\system32\pphc35sj0en59.exe
C:\WINDOWS\SEMBLY~1\nslookup.exe
C:\WINDOWS\system32\msiexec.exe
D:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.google.com"); (C:\Documents and Settings\JEFF\Application Data\Mozilla\Profiles\default\3gg5fsiq.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\JEFF\Application Data\Mozilla\Profiles\default\3gg5fsiq.slt\prefs.js)
O2 - BHO: {e2106b94-3fcf-fea9-1574-d68b6ab6d701} - {107d6ba6-b86d-4751-9aef-fcf349b6012e} - C:\WINDOWS\system32\lelavtto.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136771408\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Write DVD-R!] C:\Program Files\Write DVD!\saimon.exe
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lphc35sj0en59] C:\WINDOWS\system32\lphc35sj0en59.exe
O4 - HKLM\..\Run: [SMrhc75sj0en59] C:\Program Files\rhc75sj0en59\rhc75sj0en59.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Wjqq] C:\WINDOWS\??stem\j?vaw.exe
O4 - HKCU\..\Run: [Eaos] "C:\WINDOWS\SEMBLY~1\nslookup.exe" -vt ndrv
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} (HpodPCFileCtrl2 Class) - file://H:\MEMDISC\ALBUM_A\VIEW\PLUGIN\HPODPCFC.CAB
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 6319 bytes

Please help!
thanks
jeff

Hello, and welcome to the forum.

My name is Simon V., and I'll be glad to help you with your computer problems.

You haven't posted the top part of your HijackThis log; please post a new HijackThis log, inluding the header.

Thanks a lot.
Here is a fresh and full log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:02:24 AM, on 6/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
F:\Program Files\Lavasoft\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\1136771408\ee\AOLSoftware.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Write DVD!\saimon.exe
F:\Program Files\Winamp\winampa.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\msiexec.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.google.com"); (C:\Documents and Settings\JEFF\Application Data\Mozilla\Profiles\default\3gg5fsiq.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\JEFF\Application Data\Mozilla\Profiles\default\3gg5fsiq.slt\prefs.js)
O2 - BHO: (no name) - {3EE86D91-2F18-4027-9157-A16110AC59BE} - C:\WINDOWS\system32\cbXPjIcy.dll
O2 - BHO: (no name) - {438EAB21-EC75-4D6A-A8BE-538AC04F4E1D} - C:\WINDOWS\system32\yayyVmKE.dll
O2 - BHO: {b6dd882f-67d3-3768-9ae4-295537090f47} - {74f09073-5592-4ea9-8673-3d76f288dd6b} - C:\WINDOWS\system32\ftbplk.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {D330EE38-2283-0E28-FF3A-7CA2EC9943E3} - C:\WINDOWS\system32\omewjeas.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136771408\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Write DVD-R!] C:\Program Files\Write DVD!\saimon.exe
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lphc35sj0en59] C:\WINDOWS\system32\lphc35sj0en59.exe
O4 - HKLM\..\Run: [SMrhc75sj0en59] C:\Program Files\rhc75sj0en59\rhc75sj0en59.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Wjqq] C:\WINDOWS\??stem\j?vaw.exe
O4 - HKCU\..\Run: [Eaos] "C:\WINDOWS\SEMBLY~1\nslookup.exe" -vt ndrv
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} (HpodPCFileCtrl2 Class) - file://H:\MEMDISC\ALBUM_A\VIEW\PLUGIN\HPODPCFC.CAB
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cbXPjIcy - C:\WINDOWS\SYSTEM32\cbXPjIcy.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 6525 bytes

Hi

Please download and install CCleaner.

Open CCleaner. On the Windows tab, leave the default options alone.

• On the Applications tab, check (tick) all the boxes except Saved Form Information. This will remove all your saved passwords if you leave this box checked.
• Click on the Run Cleaner button at the bottom right hand corner.
• When the cleaner has completed, click Tools in the Left Pane.
• Verify that Uninstall is highlighted in color, or click on it.
• In the lower right, click Save to Text File.
• Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
• You can leave the filename as install.txt.
• Click Save, then exit Ccleaner.

_____________________

Please visit this webpage for download links, and instructions for running ComboFix -

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says -

The Recovery Console was successfully installed.

Please continue as follows -

• Close/Disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  
• Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, so we may continue cleansing the system -

- the Combofix log (C:\ComboFix.txt)
- a new HijackThis log
- the CCleaner Uninstall List (install.txt)

Couple of things i noticed after combofix finished. My clock still reads with military time, combofix did not change it back like it said it would. My desktop background is now solid blue but without the stupid "Spyware found...." message on it. A non-shortcut IE desktop icon is now on my desktop (along with my original shortcut icon)...not sure what that's doing there now.
Here are my logs:
ComboFix 08-06-30.2 - Jeff 2008-07-01 19:56:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.92 [GMT -7:00]
Running from: C:\Documents and Settings\Jeff\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jeff\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\rhc75sj0en59
C:\Documents and Settings\Administrator\Application Data\shc55sj0en59
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\How to Register Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\License Agreement.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Register Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Uninstall.lnk
C:\Documents and Settings\Jeff\Application Data\rhc75sj0en59
C:\Program Files\Common Files\wnsxs~1
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\rhc75sj0en59
C:\Program Files\shc55sj0en59
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\pskt.ini
C:\WINDOWS\sembly~1
C:\WINDOWS\sembly~1\??sembly\
C:\WINDOWS\sembly~1\nslookup.exe
C:\WINDOWS\stem~1
C:\WINDOWS\stem~1\j?vaw.exe
C:\WINDOWS\system32\4.tmp
C:\WINDOWS\system32\5.tmp
C:\WINDOWS\system32\6.tmp
C:\WINDOWS\system32\7.tmp
C:\WINDOWS\system32\aamhyxrw.dll
C:\WINDOWS\system32\blphc35sj0en59.scr
C:\WINDOWS\system32\coevgycy.ini
C:\WINDOWS\system32\cssrss.exe
C:\WINDOWS\system32\dwstxxjx.ini
C:\WINDOWS\system32\eaxlmrvp.ini
C:\WINDOWS\system32\EKmVyyay.ini
C:\WINDOWS\system32\EKmVyyay.ini2
C:\WINDOWS\system32\evrdbikd.dll
C:\WINDOWS\system32\f10
C:\WINDOWS\system32\fajhxjhw.dll
C:\WINDOWS\system32\folhcmei.dll
C:\WINDOWS\system32\fxhinrsv.dll
C:\WINDOWS\system32\gdphmtrf.dll
C:\WINDOWS\system32\gfvcewss.ini
C:\WINDOWS\system32\gtxnuepy.dll
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\hpnwtegq.dll
C:\WINDOWS\system32\iemchlof.ini
C:\WINDOWS\system32\lelavtto.dll
C:\WINDOWS\system32\lfbmusby.dll
C:\WINDOWS\system32\ljJBqqNg.dll
C:\WINDOWS\system32\lkhwvpmn.dll
C:\WINDOWS\system32\lphc35sj0en59.exe
C:\WINDOWS\system32\mliyobhr.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\mtfheqcw.dll
C:\WINDOWS\system32\mvghdawp.dll
C:\WINDOWS\system32\nmpvwhkl.ini
C:\WINDOWS\system32\nmxynuxw.dll
C:\WINDOWS\system32\nnnnLfGA.dll
C:\WINDOWS\system32\nnnnNDsp.dll
C:\WINDOWS\system32\omewjeas.dll
C:\WINDOWS\system32\phc35sj0en59.bmp
C:\WINDOWS\system32\phmipyws.dll
C:\WINDOWS\system32\pphc35sj0en59.exe
C:\WINDOWS\system32\psDNnnnn.ini
C:\WINDOWS\system32\psDNnnnn.ini2
C:\WINDOWS\system32\pvrmlxae.dll
C:\WINDOWS\system32\PzaLav.syz
C:\WINDOWS\system32\qgetwnph.ini
C:\WINDOWS\system32\rgmnpsyc.dll
C:\WINDOWS\system32\rhboyilm.dll
C:\WINDOWS\system32\sibakhky.dll
C:\WINDOWS\system32\uypalhmt.dll
C:\WINDOWS\system32\vsrnihxf.ini
C:\WINDOWS\system32\wgcvyryq.dll
C:\WINDOWS\system32\whjxhjaf.ini
C:\WINDOWS\system32\whruihpe.dll
C:\WINDOWS\system32\xjxxtswd.dll
C:\WINDOWS\system32\XzD1sa.syz
C:\WINDOWS\system32\yayyVmKE.dll
C:\WINDOWS\system32\ybsumbfl.ini
C:\WINDOWS\system32\ycygveoc.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SYSREST.SYS
-------\Service_sysrest.sys


((((((((((((((((((((((((( Files Created from 2008-06-02 to 2008-07-02 )))))))))))))))))))))))))))))))
.

2008-07-01 19:43 . 2008-07-01 19:43 106,240 --a------ C:\WINDOWS\system32\qrupsk.dll
2008-07-01 19:43 . 2008-07-01 19:43 106,240 --a------ C:\WINDOWS\system32\jhfaabcc.dll
2008-07-01 17:28 . 2008-07-01 17:28 106,240 --a------ C:\WINDOWS\system32\wvrywrsi.dll
2008-07-01 17:28 . 2008-07-01 17:28 106,240 --a------ C:\WINDOWS\system32\qvvhcl.dll
2008-07-01 15:50 . 2008-07-01 15:50 106,240 --a------ C:\WINDOWS\system32\osfihbjf.dll
2008-07-01 15:50 . 2008-07-01 15:50 106,240 --a------ C:\WINDOWS\system32\dhwmdu.dll
2008-07-01 01:39 . 2008-07-01 01:39 105,904 --a------ C:\WINDOWS\system32\whxjza.dll
2008-07-01 01:39 . 2008-07-01 01:39 105,904 --a------ C:\WINDOWS\system32\ckxseaka.dll
2008-06-30 17:25 . 2008-06-30 17:25 105,872 --a------ C:\WINDOWS\system32\kwffehmh.dll
2008-06-30 17:25 . 2008-06-30 17:25 105,872 --a------ C:\WINDOWS\system32\jdnuuw.dll
2008-06-30 01:34 . 2008-06-30 01:34 105,856 --a------ C:\WINDOWS\system32\uheigqnc.dll
2008-06-30 01:34 . 2008-06-30 01:34 105,856 --a------ C:\WINDOWS\system32\ftbplk.dll
2008-06-29 20:07 . 2008-06-29 20:07 105,856 --a------ C:\WINDOWS\system32\nwjdtxdd.dll
2008-06-29 20:07 . 2008-06-29 20:07 105,856 --a------ C:\WINDOWS\system32\kytrqt.dll
2008-06-29 18:43 . 2008-06-29 18:43 <DIR> d-------- C:\Program Files\AXPFixer
2008-06-29 18:43 . 2008-06-29 18:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AXPFixer
2008-06-29 17:28 . 2008-06-29 17:28 105,856 --a------ C:\WINDOWS\system32\xzxhzs.dll
2008-06-29 17:28 . 2008-06-29 17:28 105,856 --a------ C:\WINDOWS\system32\ddthqqqp.dll
2008-06-29 05:39 . 2008-06-29 05:38 23,040 --a------ C:\WINDOWS\system32\sysrest32.exe
2008-06-29 05:39 . 2008-06-29 05:39 15,328 --a------ C:\WINDOWS\system32\sysrest.sys
2008-06-28 21:08 . 2008-06-28 21:08 4,286 --a------ C:\WINDOWS\system32\Jamster.ico
2008-06-28 20:07 . 2008-06-28 20:07 105,968 --a------ C:\WINDOWS\system32\suelqyyg.dll
2008-06-28 20:07 . 2008-06-28 20:07 105,968 --a------ C:\WINDOWS\system32\dyaywf.dll
2008-06-28 18:04 . 2008-06-28 18:04 105,968 --a------ C:\WINDOWS\system32\wzajyn.dll
2008-06-28 18:04 . 2008-06-28 18:04 105,968 --a------ C:\WINDOWS\system32\tldltalj.dll
2008-06-28 17:26 . 2008-06-28 17:26 105,968 --a------ C:\WINDOWS\system32\ohsksgwe.dll
2008-06-28 17:26 . 2008-06-28 17:26 105,968 --a------ C:\WINDOWS\system32\kuiksb.dll
2008-06-26 22:36 . 2008-06-26 22:36 25,520 --a------ C:\WINDOWS\system32\cbXPjIcy.dll
2008-06-26 15:45 . 2008-06-26 15:45 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-06-26 15:38 . 2008-06-26 15:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-26 15:37 . 2008-06-26 15:37 <DIR> d-------- C:\Documents and Settings\Jeff\Application Data\SUPERAntiSpyware.com
2008-06-26 15:22 . 2008-06-26 15:22 <DIR> d-------- C:\Documents and Settings\Jeff\Application Data\Malwarebytes
2008-06-26 15:22 . 2008-06-26 15:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-26 15:22 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-26 15:22 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-26 00:31 . 2008-06-26 00:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-25 23:53 . 2008-06-25 23:53 122,272 --a------ C:\WINDOWS\BM13784573.xml
2008-06-25 16:27 . 2008-06-25 16:27 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-06-25 14:38 . 2008-06-26 17:51 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-06-25 14:31 . 2008-06-26 07:54 <DIR> d-------- C:\WINDOWS\system32\vec3
2008-06-25 14:31 . 2008-06-26 07:54 <DIR> d-------- C:\WINDOWS\system32\bam
2008-06-25 14:31 . 2008-06-26 07:54 <DIR> d--hs---- C:\WINDOWS\SmVmZiBNZWxsaW5nZXI
2008-06-25 14:27 . 2008-06-25 14:27 <DIR> d-------- C:\WINDOWS\system32\modtrux01
2008-06-10 23:15 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 23:15 . 2008-06-13 06:10 272,128 --a------ C:\WINDOWS\system32\DllCache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-02 03:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\DIGStream
2008-06-26 22:37 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-26 07:32 --------- d-----w C:\Documents and Settings\Jeff\Application Data\Lavasoft
2008-06-26 07:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-26 07:30 --------- d-----w C:\Program Files\Ulead Systems
2008-06-26 07:30 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2008-06-26 07:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-06-26 07:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-05-19 08:15 --------- d-----w C:\Documents and Settings\Jeff\Application Data\LimeWire
2008-05-16 18:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\DllCache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\DllCache\quartz.dll
2008-04-17 10:46 18,432 ----a-w C:\WINDOWS\system32\DllCache\iedw.exe
2007-03-02 07:10 88,576 ---ha-w C:\Documents and Settings\Jeff\Application Data\rbap550.dll
2007-03-02 07:10 73,728 ---ha-w C:\Documents and Settings\Jeff\Application Data\RBRegEx550.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3EE86D91-2F18-4027-9157-A16110AC59BE}]
2008-06-26 22:36 25520 --a------ C:\WINDOWS\system32\cbXPjIcy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40bf4675-4359-468c-80f1-3c1475fff222}]
2008-07-01 19:43 106240 --a------ C:\WINDOWS\system32\qrupsk.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostManager"="C:\Program Files\Common Files\AOL\1136771408\ee\AOLSoftware.exe" [2006-05-09 17:24 50760]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46 57344]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" [2005-10-31 12:05 278528]
"DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [2005-10-31 12:18 101888]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-08 21:50 155648]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2006-03-30 14:58 155648]
"Write DVD-R!"="C:\Program Files\Write DVD!\saimon.exe" [2003-07-18 11:34 114688]
"WinampAgent"="F:\Program Files\Winamp\winampa.exe" [2006-05-25 10:35 35328]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 09:59 124520]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-08 17:21 185896]
"AXPFixer"="C:\Program Files\AXPFixer\AXPFixer.exe" [2008-05-19 11:03 1564672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-01-11 18:45 4898816]

C:\Documents and Settings\Jeff\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2006-02-09 17:38:05 189952]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Microsoft Office.lnk - F:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 13:05:56 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "D:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]
"{3EE86D91-2F18-4027-9157-A16110AC59BE}"= "C:\WINDOWS\system32\cbXPjIcy.dll" [2008-06-26 22:36 25520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXPjIcy]
2008-06-26 22:36 25520 C:\WINDOWS\system32\cbXPjIcy.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1136771408\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1136771408\\ee\\aim6.exe"=
"F:\\StubInstaller.exe"=
"F:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"D:\\Program Files\\Azureus\\Azureus.exe"=
"F:\\Program Files\\eMule\\emule.exe"=
"D:\\Program Files\\Swim TEAM MANAGER Lite 4.0\\TM4.exe"=
"D:\\hy-sport\\SwMM2\\SwimMM2.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=

R1 saicdr;saicdr;C:\WINDOWS\system32\drivers\saicdr.sys [2003-07-16 13:20]
R1 saicdrwup;saicdrwup;C:\WINDOWS\system32\drivers\saicdrwup.sys [2003-05-16 14:32]
R1 saiudf;saiudf;C:\WINDOWS\system32\drivers\saiudf.sys [2003-07-09 09:42]
S1 srvv;srvv;C:\WINDOWS\system32\drivers\srvv.sys []

.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-lphc35sj0en59 - C:\WINDOWS\system32\lphc35sj0en59.exe
HKLM-Run-SMrhc75sj0en59 - C:\Program Files\rhc75sj0en59\rhc75sj0en59.exe
HKLM-Run-SMshc55sj0en59 - C:\Program Files\shc55sj0en59\shc55sj0en59.exe
HKLM-Run-104b76ef - C:\WINDOWS\system32\lkhwvpmn.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-01 20:10:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\cbXPjIcy.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
F:\Program Files\Lavasoft\aawservice.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
.
**************************************************************************
.
Completion time: 2008-07-01 20:14:31 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-07-02 03:14:21

Pre-Run: 126,005,248 bytes free
Post-Run: 88,514,560 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
F:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

263 --- E O F --- 2008-06-22 10:00:38


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:17, on 2008-07-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
F:\Program Files\Lavasoft\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\AOL\1136771408\ee\AOLSoftware.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\QuickTime\qttask.exe
C:\Program Files\Write DVD!\saimon.exe
F:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AXPFixer\AXPFixer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.google.com"); (C:\Documents and Settings\JEFF\Application Data\Mozilla\Profiles\default\3gg5fsiq.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\JEFF\Application Data\Mozilla\Profiles\default\3gg5fsiq.slt\prefs.js)
O2 - BHO: (no name) - {3EE86D91-2F18-4027-9157-A16110AC59BE} - C:\WINDOWS\system32\cbXPjIcy.dll
O2 - BHO: {222fff57-41c3-1f08-c864-95345764fb04} - {40bf4675-4359-468c-80f1-3c1475fff222} - C:\WINDOWS\system32\qrupsk.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136771408\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Write DVD-R!] C:\Program Files\Write DVD!\saimon.exe
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AXPFixer] C:\Program Files\AXPFixer\AXPFixer.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Wjqq] C:\WINDOWS\??stem\j?vaw.exe
O4 - HKCU\..\Run: [Eaos] "C:\WINDOWS\SEMBLY~1\nslookup.exe" -vt ndrv
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} (HpodPCFileCtrl2 Class) - file://H:\MEMDISC\ALBUM_A\VIEW\PLUGIN\HPODPCFC.CAB
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cbXPjIcy - C:\WINDOWS\SYSTEM32\cbXPjIcy.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 6487 bytes

This is the CCleaner install.txt log:

AC3Filter (remove only)
Ad-Aware
Adobe After Effects 6.5
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Premiere Pro 1.5
Adobe Reader 7.0.5 Language Support
Adobe Reader 7.0.9
Adobe Shockwave Player
Adobe® Photoshop® Album Starter Edition 3.0
Adobe® Photoshop® Album Starter Edition 3.0.1
Ahead Nero - Burning Rom
AIM 6
AntivirXP08
AOL Uninstaller (Choose which Products to Remove)
ATI Display Driver
AXPFixer
Azureus
Canon S300
CCleaner (remove only)
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
Easy Team Manager II
eMule
ESPN RunTime
Final Draft 7
GSpot Codec Information Appliance
Hardwood Hearts
HijackThis 2.0.2
home box office Screen Saver
IrfanView (remove only)
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.1_02
Java Web Start
Java™ 6 Update 2
Java™ 6 Update 3
Java™ SE Runtime Environment 6 Update 1
LimeWire 4.10.3
Malwarebytes' Anti-Malware
MEET MANAGER 2.0 for Swimming
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Premium
Microsoft PhotoDraw 2000
Mozilla Firefox (2.0.0.14)
Mozilla Thunderbird (2.0.0.14)
MProtector
MySpaceIM
Netflix Movie Viewer
Netscape (7.1)
Netscape Browser (remove only)
Outerinfo
PokerStars
PowerPlayer II
QuickTime
Radio@Netscape Plus
RealPlayer
Roll
Snes9x
Speech
SUPERAntiSpyware Free Edition
SureThing CD Labeler - Stomper Edition 32 bit
TEAM MANAGER 4.0 for Swimming
TEAM MANAGER Lite 4.0 for Swimming
Ulead Burn.Now
Ulead DVD Player
Viewpoint Media Player
Winamp (remove only)
Windows Installer 3.1 (KB893803)
WinRAR archiver
Write DVD!
Xvid 1.1.2 final uninstall

Hi

To reset your time format, please follow these instructions -

Click My Computer.

• Open the Control Panel.
• Select Time Options.
  • Classic View: Open Reginal and Language Options.
  • Category View: Click Date, Time, Language and Regional Options, then Change the format of numbers, dates, and times.

• Select the Regional Options tab.
• Next to the box that shows your selected language click Customize.
• Click the Time tab.
• In the Time Format box enter:
  • Standard Format: h:mm:ss:tt
  • Military Format: HH:mm:ss

____________________________

I understand that downloading music and other files may be important to you; however, the Peer-to-Peer programs that you are using to do that, even if they are not infected with malware, will bring malware into your system. Therefore, the chances of you becoming infected again are very high. This obviously can result in disabling your computer and could even lead to someone stealing sensitive personal data from your computer. Beyond the inconvenience this causes you, these programs also tend to use your computer as a server to spread more infection all over the internet, so your computer becomes a part of the malware problem.

Remember that no matter how clean the program you're using for Peer-to-Peer filesharing may be, it offers no guarantees regarding the cleanliness of files you may choose to download. All files available via Peer-to-Peer filesharing carry a high risk, particularly those that offer you illegitimate methods of using legitimate software programs without paying for them. Any program or file that offers you the ability to access non-freeware programs at no cost, e.g., pirated software and/or cracks/key generators for gaining access to legitimate software, is 100% guaranteed to contain malware.

Here is some information that looks at the rates of infection:

http://www.benedelman.org/spyware/p2p/

With that being said, I recommend that you remove the following Peer-to-Peer program(s):

(Click on Start, then Control Panel. Double click on Add or Remove Programs)

Azureus
eMule
LimeWire 4.10.3
____________________________

Also remove the following programs -

AXPFixer
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.1_02
Java™ 6 Update 2
Java™ 6 Update 3
Java™ SE Runtime Environment 6 Update 1
MProtector
Outerinfo
Viewpoint Media Player <-- Optional, only remove this if you haven't installed it yourself or if you don't use/want it.

Then download and install Java Runtime Environment (JRE) 6 Update 6.
____________________________

Download RogueRemover (by Rubber Ducky).

• Double-click rr-free-setup.exe to start the installation of RogueRemover.
• Follow the prompts to install the program.
• Once installed, be sure Launch RogueRemover FREE is checked.
• RogueRemover will now be launched.
• The programs will search for updates, and will automatically download/install them. You can also check manually for updates by clicking Check for updates
• Once updated, Click Scan.
• If RogueRemover found something, it will present a list of detected items.
• Put a check next to every item, then click Remove selected.
• Click YES at the prompt.
• Click OK when it informs you it's saved a logfile.
• Wait for removal to complete, then close RogueRemover.
• A log will be saved here: C:\Program Files\RogueRemover\RRLog******.txt (Note: ****** is the time when you ran RogueRemover)

____________________________

Open Notepad (Go to Start > Run, type Notepad and hit Enter), and copy/paste the text in the quotebox below into it:



Click on File > Save as....

In the File Name box, copy/paste CFScript.txt (Note: Do not change the filename!)

Click Save (Save the CFScript in the same location as Combofix.exe)

Close any open windows.

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.



Referring to the picture above, drag CFScript into ComboFix.exe.
It will create a log. Be sure to save it to a convenient location.
____________________________

I see that you have Malwarebytes' Anti-Malware installed. Please open it.

• Once the program has loaded, click on the Update tab, then click Check for Updates.
• If an update is found, it will download and install the latest version.
• Click on the Scanner tab, select Perform quick scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. Please save it to a convenient location.
• You can also access the log by doing the following:
  
  • Click on the Malwarebytes' Anti-Malware icon to launch the program.
  • Click on the Logs tab.
  • Click on the log at the bottom of those listed to highlight it.
  • Click Open.

____________________________

In your next reply, please post:

• the RogueRemover log (C:\Program Files\RogueRemover\RRLog******.txt)
• the Combofix log (C:\Combofix.txt)
• the Malwarebytes' Anti-Malware log
• a new HijackThis log

I went to remove all the programs and I removed all by Mprotector and Outerinfo. Those were not in the Add/Remove Program list. Can I continue with the next step(s) even though I didn't remove those programs yet?

Yes, please continue

Malwarebytes' RogueRemover
Malwarebytes ©2007 http://www.malwarebytes.org
6290 total fingerprints loaded.

Loading database ...
Expanding environmental variables ...

Scanning files ... [ 100% ].
Scanning folders ... [ 100% ].
Scanning registry keys ... [ 100% ].
Scanning registry values ... [ 100% ].

RogueRemover has detected rogue antispyware components! Results below...

Type: File
Vendor: MalwareProtector2008
Location: C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008.lnk
Selected for removal: Yes

Type: File
Vendor: MalwareProtector2008
Location: C:\Documents and Settings\All Users\Desktop\Malware Protector 2008.lnk
Selected for removal: Yes

RogueRemover has found the objects above.

ComboFix 08-06-30.2 - Jeff 2008-07-04 0:58:33.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.190 [GMT -7:00]
Running from: C:\Documents and Settings\Jeff\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jeff\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\cbXPjIcy.dll
C:\WINDOWS\system32\ckxseaka.dll
C:\WINDOWS\system32\ddthqqqp.dll
C:\WINDOWS\system32\dhwmdu.dll
C:\WINDOWS\system32\drivers\srvv.sys
C:\WINDOWS\system32\dyaywf.dll
C:\WINDOWS\system32\ftbplk.dll
C:\WINDOWS\system32\Jamster.ico
C:\WINDOWS\system32\jdnuuw.dll
C:\WINDOWS\system32\jhfaabcc.dll
C:\WINDOWS\system32\kuiksb.dll
C:\WINDOWS\system32\kwffehmh.dll
C:\WINDOWS\system32\kytrqt.dll
C:\WINDOWS\system32\nwjdtxdd.dll
C:\WINDOWS\system32\ohsksgwe.dll
C:\WINDOWS\system32\osfihbjf.dll
C:\WINDOWS\system32\qrupsk.dll
C:\WINDOWS\system32\qvvhcl.dll
C:\WINDOWS\system32\suelqyyg.dll
C:\WINDOWS\system32\sysrest.sys
C:\WINDOWS\system32\sysrest32.exe
C:\WINDOWS\system32\tldltalj.dll
C:\WINDOWS\system32\uheigqnc.dll
C:\WINDOWS\system32\whxjza.dll
C:\WINDOWS\system32\wvrywrsi.dll
C:\WINDOWS\system32\wzajyn.dll
C:\WINDOWS\system32\xzxhzs.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\AXPFixer
C:\WINDOWS\SmVmZiBNZWxsaW5nZXI
C:\WINDOWS\system32\bam
C:\WINDOWS\system32\cbXPjIcy.dll
C:\WINDOWS\system32\ckxseaka.dll
C:\WINDOWS\system32\ddthqqqp.dll
C:\WINDOWS\system32\dhwmdu.dll
C:\WINDOWS\system32\dyaywf.dll
C:\WINDOWS\system32\ftbplk.dll
C:\WINDOWS\system32\fxbshnhr.ini
C:\WINDOWS\system32\gomnyorq.ini
C:\WINDOWS\system32\iifdawWO.dll
C:\WINDOWS\system32\Jamster.ico
C:\WINDOWS\system32\jdnuuw.dll
C:\WINDOWS\system32\jhfaabcc.dll
C:\WINDOWS\system32\kuiksb.dll
C:\WINDOWS\system32\kwffehmh.dll
C:\WINDOWS\system32\kytrqt.dll
C:\WINDOWS\system32\lhdjamuq.ini
C:\WINDOWS\system32\modtrux01
C:\WINDOWS\system32\modtrux01\modtrux011065.exe
C:\WINDOWS\system32\nwjdtxdd.dll
C:\WINDOWS\system32\ohsksgwe.dll
C:\WINDOWS\system32\osfihbjf.dll
C:\WINDOWS\system32\OWwadfii.ini
C:\WINDOWS\system32\OWwadfii.ini2
C:\WINDOWS\system32\pctnquui.dll
C:\WINDOWS\system32\qroynmog.dll
C:\WINDOWS\system32\qrupsk.dll
C:\WINDOWS\system32\qumajdhl.dll
C:\WINDOWS\system32\qvvhcl.dll
C:\WINDOWS\system32\rhnhsbxf.dll
C:\WINDOWS\system32\suelqyyg.dll
C:\WINDOWS\system32\sysrest.sys
C:\WINDOWS\system32\sysrest32.exe
C:\WINDOWS\system32\tldltalj.dll
C:\WINDOWS\system32\uheigqnc.dll
C:\WINDOWS\system32\vec3
C:\WINDOWS\system32\whxjza.dll
C:\WINDOWS\system32\wvrywrsi.dll
C:\WINDOWS\system32\wzajyn.dll
C:\WINDOWS\system32\xzxhzs.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SRVV
-------\Service_srvv


((((((((((((((((((((((((( Files Created from 2008-06-04 to 2008-07-04 )))))))))))))))))))))))))))))))
.

2008-07-03 20:29 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-03 20:27 . 2008-07-03 20:27 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-03 20:25 . 2008-07-03 20:25 106,192 --a------ C:\WINDOWS\system32\uspuuy.dll
2008-07-03 20:25 . 2008-07-03 20:25 106,192 --a------ C:\WINDOWS\system32\beupjskn.dll
2008-07-02 20:24 . 2008-07-02 20:24 106,272 --a------ C:\WINDOWS\system32\eluehv.dll
2008-07-02 20:24 . 2008-07-02 20:24 106,272 --a------ C:\WINDOWS\system32\ekyomgec.dll
2008-07-01 20:24 . 2008-07-01 20:24 106,240 --a------ C:\WINDOWS\system32\hjitvx.dll
2008-07-01 20:24 . 2008-07-01 20:24 106,240 --a------ C:\WINDOWS\system32\fnfyoevu.dll
2008-07-01 20:16 . 2008-07-01 20:16 <DIR> d-------- C:\Documents and Settings\Jeff\Application Data\AXPFixer
2008-06-26 15:45 . 2008-06-26 15:45 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-06-26 15:38 . 2008-06-26 15:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-26 15:37 . 2008-06-26 15:37 <DIR> d-------- C:\Documents and Settings\Jeff\Application Data\SUPERAntiSpyware.com
2008-06-26 15:22 . 2008-06-26 15:22 <DIR> d-------- C:\Documents and Settings\Jeff\Application Data\Malwarebytes
2008-06-26 15:22 . 2008-06-26 15:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-26 15:22 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-26 15:22 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-26 00:31 . 2008-06-26 00:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-25 23:53 . 2008-06-25 23:53 122,272 --a------ C:\WINDOWS\BM13784573.xml
2008-06-25 16:27 . 2008-06-25 16:27 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-06-25 14:38 . 2008-06-26 17:51 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-06-10 23:15 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 23:15 . 2008-06-13 06:10 272,128 --a------ C:\WINDOWS\system32\DllCache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-04 08:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\DIGStream
2008-07-04 03:29 --------- d-----w C:\Program Files\Java
2008-07-04 03:23 --------- d-----w C:\Program Files\Viewpoint
2008-07-04 03:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-07-04 03:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-26 22:37 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-26 07:32 --------- d-----w C:\Documents and Settings\Jeff\Application Data\Lavasoft
2008-06-26 07:30 --------- d-----w C:\Program Files\Ulead Systems
2008-06-26 07:30 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2008-06-26 07:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-06-26 07:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-05-19 08:15 --------- d-----w C:\Documents and Settings\Jeff\Application Data\LimeWire
2008-05-16 18:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\DllCache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\DllCache\quartz.dll
2008-04-17 10:46 18,432 ----a-w C:\WINDOWS\system32\DllCache\iedw.exe
2007-03-02 07:10 88,576 ---ha-w C:\Documents and Settings\Jeff\Application Data\rbap550.dll
2007-03-02 07:10 73,728 ---ha-w C:\Documents and Settings\Jeff\Application Data\RBRegEx550.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-01_20.13.32.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-02 03:09:10 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-04 08:05:54 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2007-09-25 06:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-03-25 08:28:39 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-09-25 06:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-03-25 08:28:43 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-09-25 07:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-03-25 09:37:01 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{86f50084-6f81-4228-a916-bb5791e5bf9c}]
2008-07-03 20:25 106192 --a------ C:\WINDOWS\system32\uspuuy.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostManager"="C:\Program Files\Common Files\AOL\1136771408\ee\AOLSoftware.exe" [2006-05-09 17:24 50760]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46 57344]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" [2005-10-31 12:05 278528]
"DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [2005-10-31 12:18 101888]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-08 21:50 155648]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2006-03-30 14:58 155648]
"Write DVD-R!"="C:\Program Files\Write DVD!\saimon.exe" [2003-07-18 11:34 114688]
"WinampAgent"="F:\Program Files\Winamp\winampa.exe" [2006-05-25 10:35 35328]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 09:59 124520]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-08 17:21 185896]
"104b76ef"="C:\WINDOWS\system32\rhnhsbxf.dll" [BU]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-01-11 18:45 4898816]

C:\Documents and Settings\Jeff\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2006-02-09 17:38:05 189952]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Microsoft Office.lnk - F:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 13:05:56 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "D:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1136771408\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1136771408\\ee\\aim6.exe"=
"F:\\StubInstaller.exe"=
"F:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"D:\\Program Files\\Azureus\\Azureus.exe"=
"F:\\Program Files\\eMule\\emule.exe"=
"D:\\Program Files\\Swim TEAM MANAGER Lite 4.0\\TM4.exe"=
"D:\\hy-sport\\SwMM2\\SwimMM2.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=

R1 saicdr;saicdr;C:\WINDOWS\system32\drivers\saicdr.sys [2003-07-16 13:20]
R1 saicdrwup;saicdrwup;C:\WINDOWS\system32\drivers\saicdrwup.sys [2003-05-16 14:32]
R1 saiudf;saiudf;C:\WINDOWS\system32\drivers\saiudf.sys [2003-07-09 09:42]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-04 01:06:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
F:\Program Files\Lavasoft\aawservice.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
.
**************************************************************************
.
Completion time: 2008-07-04 1:09:44 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-07-04 08:09:38
ComboFix2.txt 2008-07-02 03:14:35

Pre-Run: 362,999,808 bytes free
Post-Run: 391,004,160 bytes free

218 --- E O F --- 2008-06-22 10:00:38

Malwarebytes' Anti-Malware 1.19
Database version: 920
Windows 5.1.2600 Service Pack 2

01:23:50 2008-07-04
mbam-log-7-4-2008 (01-23-50).txt

Scan type: Quick Scan
Objects scanned: 39598
Time elapsed: 5 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 13
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AXPFixer (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.PurityScan) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\104b76ef (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Jeff\Application Data\AXPFixer (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Application Data\AXPFixer\AXPFixer (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Application Data\AXPFixer\AXPFixer\Quarantine (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKCU (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKCU\RunOnce (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKLM (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKLM\RunOnce (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\StartMenuAllUsers (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\StartMenuCurrentUser (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Application Data\AXPFixer\AXPFixer\Quarantine\BrowserObjects (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Application Data\AXPFixer\AXPFixer\Quarantine\Packages (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Malware Protector 2008.lnk (Rogue.MalwareProtector2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\AXPFixer.lnk (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:24, on 2008-07-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
F:\Program Files\Lavasoft\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\AOL\1136771408\ee\AOLSoftware.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\Write DVD!\saimon.exe
F:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("aim.session.firsttime", false);
user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.cache.disk.parent_directory", "C:\\DOCUMENTS AND SETTINGS\\JEFF\\APPLICATION DATA\\Mozilla\\Profiles\\default\\3gg5fsiq.slt");
user_pref("browser.download.dir", "D:\\downloads");
user_pref("browser.download.progressDnldDialog.keepAlive", false);
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage", "www.google.com");
user_pref("browser.startup.homepage_override.mstone",
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("aim.session.firsttime", false);
user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.cache.disk.parent_directory", "C:\\DOCUMENTS AND SETTINGS\\JEFF\\APPLICATION DATA\\Mozilla\\Profiles\\default\\3gg5fsiq.slt");
user_pref("browser.download.dir", "D:\\downloads");
user_pref("browser.download.progressDnldDialog.keepAlive", false);
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage", "www.google.com");
user_pref("browser.startup.homepage_override.mstone",
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: {c9fb5e19-75bb-619a-8224-18f648005f68} - {86f50084-6f81-4228-a916-bb5791e5bf9c} - C:\WINDOWS\system32\uspuuy.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136771408\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Write DVD-R!] C:\Program Files\Write DVD!\saimon.exe
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Wjqq] C:\WINDOWS\??stem\j?vaw.exe
O4 - HKCU\..\Run: [Eaos] "C:\WINDOWS\SEMBLY~1\nslookup.exe" -vt ndrv
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} (HpodPCFileCtrl2 Class) - file://H:\MEMDISC\ALBUM_A\VIEW\PLUGIN\HPODPCFC.CAB
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 7925 bytes

Hi

Looking better, but you're still infected. Please follow the steps below -

You aren't running anti-virus software. Please make sure you download and install one anti-virus program.

Use an Anti-Virus Program - It is very important that your computer has an anti-virus program running on your machine. This alone can save you a lot of trouble with malware in the future.

Here are a few (free) anti-virus programs, please download and install one of them:

• avast! Home Edition (Registration Page)
• Avira AntiVir

Update your Anti-Virus Software - It is very important that you update your anti-virus software at least once a week (even more if you wish). If you do not update your anti-virus software then it will not be able to catch any of the new variants that will come out.
_________________________

Open Notepad (Go to Start > Run, type Notepad and hit Enter), and copy/paste the text in the quotebox below into it:



Click on File > Save as....

In the File Name box, copy/paste CFScript.txt (Note: Do not change the filename!)

Click Save (Save the CFScript in the same location as Combofix.exe)

Close any open windows.

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.



Referring to the picture above, drag CFScript into ComboFix.exe.

* When CF finishes running, the ComboFix log will open along with a message box - do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

• Ensure you are connected to the internet and click OK on the message box.
  A browser will open.
• Simply follow the instructions to copy/paste/send the requested file.

It will create a log. Plaese post it in your next reply, along with a new HijackThis log.

ComboFix 08-06-30.2 - Jeff 2008-07-04 22:28:19.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.276 [GMT -7:00]
Running from: C:\Documents and Settings\Jeff\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jeff\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BM13784573.xml
C:\WINDOWS\system32\beupjskn.dll
C:\WINDOWS\system32\ekyomgec.dll
C:\WINDOWS\system32\eluehv.dll
C:\WINDOWS\system32\fnfyoevu.dll
C:\WINDOWS\system32\hjitvx.dll
C:\WINDOWS\system32\uspuuy.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM13784573.xml
C:\WINDOWS\system32\beupjskn.dll
C:\WINDOWS\system32\ekyomgec.dll
C:\WINDOWS\system32\eluehv.dll
C:\WINDOWS\system32\fnfyoevu.dll
C:\WINDOWS\system32\hjitvx.dll
C:\WINDOWS\system32\uspuuy.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-05 to 2008-07-05 )))))))))))))))))))))))))))))))
.

2008-07-03 20:29 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-03 20:27 . 2008-07-03 20:27 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-26 15:45 . 2008-06-26 15:45 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-06-26 15:38 . 2008-06-26 15:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-26 15:37 . 2008-06-26 15:37 <DIR> d-------- C:\Documents and Settings\Jeff\Application Data\SUPERAntiSpyware.com
2008-06-26 15:22 . 2008-06-26 15:22 <DIR> d-------- C:\Documents and Settings\Jeff\Application Data\Malwarebytes
2008-06-26 15:22 . 2008-06-26 15:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-26 15:22 . 2008-06-28 14:16 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-26 15:22 . 2008-06-28 14:16 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-26 00:31 . 2008-06-26 00:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-25 16:27 . 2008-06-25 16:27 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-06-25 14:38 . 2008-06-26 17:51 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-06-10 23:15 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 23:15 . 2008-06-13 06:10 272,128 --a------ C:\WINDOWS\system32\DllCache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-05 04:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\DIGStream
2008-07-04 03:29 --------- d-----w C:\Program Files\Java
2008-07-04 03:23 --------- d-----w C:\Program Files\Viewpoint
2008-07-04 03:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-07-04 03:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-26 22:37 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-26 07:32 --------- d-----w C:\Documents and Settings\Jeff\Application Data\Lavasoft
2008-06-26 07:30 --------- d-----w C:\Program Files\Ulead Systems
2008-06-26 07:30 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2008-06-26 07:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-06-26 07:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-05-19 08:15 --------- d-----w C:\Documents and Settings\Jeff\Application Data\LimeWire
2008-05-16 18:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\DllCache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\DllCache\quartz.dll
2008-04-17 10:46 18,432 ----a-w C:\WINDOWS\system32\DllCache\iedw.exe
2007-03-02 07:10 88,576 ---ha-w C:\Documents and Settings\Jeff\Application Data\rbap550.dll
2007-03-02 07:10 73,728 ---ha-w C:\Documents and Settings\Jeff\Application Data\RBRegEx550.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-01_20.13.32.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-02 03:09:10 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-04 08:05:54 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2007-09-25 06:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-03-25 08:28:39 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-09-25 06:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-03-25 08:28:43 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-09-25 07:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-03-25 09:37:01 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wjqq"="C:\WINDOWS\??stem\j?vaw.exe" [?]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [2006-05-09 17:24 50760]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostManager"="C:\Program Files\Common Files\AOL\1136771408\ee\AOLSoftware.exe" [2006-05-09 17:24 50760]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46 57344]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" [2005-10-31 12:05 278528]
"DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [2005-10-31 12:18 101888]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-08 21:50 155648]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2006-03-30 14:58 155648]
"Write DVD-R!"="C:\Program Files\Write DVD!\saimon.exe" [2003-07-18 11:34 114688]
"WinampAgent"="F:\Program Files\Winamp\winampa.exe" [2006-05-25 10:35 35328]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 09:59 124520]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-08 17:21 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-01-11 18:45 4898816]

C:\Documents and Settings\Jeff\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2006-02-09 17:38:05 189952]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Microsoft Office.lnk - F:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 13:05:56 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "D:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1136771408\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1136771408\\ee\\aim6.exe"=
"F:\\StubInstaller.exe"=
"F:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"F:\\Program Files\\eMule\\emule.exe"=
"D:\\Program Files\\Swim TEAM MANAGER Lite 4.0\\TM4.exe"=
"D:\\hy-sport\\SwMM2\\SwimMM2.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=

R1 saicdr;saicdr;C:\WINDOWS\system32\drivers\saicdr.sys [2003-07-16 13:20]
R1 saicdrwup;saicdrwup;C:\WINDOWS\system32\drivers\saicdrwup.sys [2003-05-16 14:32]
R1 saiudf;saiudf;C:\WINDOWS\system32\drivers\saiudf.sys [2003-07-09 09:42]

*Newly Created Service* - CATCHME
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Eaos - C:\WINDOWS\SEMBLY~1\nslookup.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-04 22:29:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-04 22:31:31
ComboFix-quarantined-files.txt 2008-07-05 05:31:18
ComboFix2.txt 2008-07-04 08:09:45
ComboFix3.txt 2008-07-02 03:14:35

Pre-Run: 319,823,872 bytes free
Post-Run: 326,393,856 bytes free

145 --- E O F --- 2008-06-22 10:00:38

also, while running combofix, a file appeared on my desktop: [4]-Submit_2008-07-04@22.27.zip
what is that?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:32 PM, on 7/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
F:\Program Files\Lavasoft\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\AOL\1136771408\ee\AOLSoftware.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\Write DVD!\saimon.exe
F:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("aim.session.firsttime", false);
user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.cache.disk.parent_directory", "C:\\DOCUMENTS AND SETTINGS\\JEFF\\APPLICATION DATA\\Mozilla\\Profiles\\default\\3gg5fsiq.slt");
user_pref("browser.download.dir", "D:\\downloads");
user_pref("browser.download.progressDnldDialog.keepAlive", false);
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage", "www.google.com");
user_pref("browser.startup.homepage_override.mstone",
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("aim.session.firsttime", false);
user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.cache.disk.parent_directory", "C:\\DOCUMENTS AND SETTINGS\\JEFF\\APPLICATION DATA\\Mozilla\\Profiles\\default\\3gg5fsiq.slt");
user_pref("browser.download.dir", "D:\\downloads");
user_pref("browser.download.progressDnldDialog.keepAlive", false);
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage", "www.google.com");
user_pref("browser.startup.homepage_override.mstone",
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136771408\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Write DVD-R!] C:\Program Files\Write DVD!\saimon.exe
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Wjqq] C:\WINDOWS\??stem\j?vaw.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} (HpodPCFileCtrl2 Class) - file://H:\MEMDISC\ALBUM_A\VIEW\PLUGIN\HPODPCFC.CAB
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 7697 bytes

Hi


I need you to upload that file, to this site > http://www.bleepingcomputer.com/submit-malware.php?channel=4

In the Link to topic where this file was requested: box, enter http://www.bleepingcomputer.com/forums/topic154529.html

Click Browse..., navigate to [4]-Submit_2008-07-04@22.27.zip on your desktop, then click Open.

Click Send File.

You haven't installed an anti-virus program. Please do so (see instructions in my previous post), then post a new HijackThis log.

I installed Avira. It's running a scan right now. What should I do with everything when it's done? It's creating that Qoobox folder on my C: drive. I've set it to quarantine everything so how do I go about deleting it all when I'm done? Should I post a log for you to see first?

Hi

To remove the items in Avira's quarantine, do the following -

Open Avira AntiVir by double-clicking on the icon in the bottom right of your screen (next to your clock)
Click on Administration in the left column, then click Quarantine.
Select all the items in the list, and click Delete selected object(s) from quarantine (icon of a recycle bin).

Please post a new HijackThis log in your next reply.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:08 AM, on 7/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
F:\Program Files\Lavasoft\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\AOL\1136771408\ee\AOLSoftware.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\Write DVD!\saimon.exe
F:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
c:\program files\aim6\anotify.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("aim.session.firsttime", false);
user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.cache.disk.parent_directory", "C:\\DOCUMENTS AND SETTINGS\\JEFF\\APPLICATION DATA\\Mozilla\\Profiles\\default\\3gg5fsiq.slt");
user_pref("browser.download.dir", "D:\\downloads");
user_pref("browser.download.progressDnldDialog.keepAlive", false);
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage", "www.google.com");
user_pref("browser.startup.homepage_override.mstone",
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("aim.session.firsttime", false);
user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.cache.disk.parent_directory", "C:\\DOCUMENTS AND SETTINGS\\JEFF\\APPLICATION DATA\\Mozilla\\Profiles\\default\\3gg5fsiq.slt");
user_pref("browser.download.dir", "D:\\downloads");
user_pref("browser.download.progressDnldDialog.keepAlive", false);
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage", "www.google.com");
user_pref("browser.startup.homepage_override.mstone",
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136771408\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Write DVD-R!] C:\Program Files\Write DVD!\saimon.exe
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Wjqq] C:\WINDOWS\??stem\j?vaw.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} (HpodPCFileCtrl2 Class) - file://H:\MEMDISC\ALBUM_A\VIEW\PLUGIN\HPODPCFC.CAB
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 8428 bytes

Hi

Open HijackThis, perform a scan and put a check next to the following items (if present):

O4 - HKCU\..\Run: [Wjqq] C:\WINDOWS\??stem\j?vaw.exe
O4 - Startup: PowerReg Scheduler.exe

Close all programs except HijackThis and click on Fix checked.
_____________________

Please open Malwarebytes' Anti-Malware.

• Once the program has loaded, click on the Update tab, then click Check for Updates.
• If an update is found, it will download and install the latest version.
• Click on the Scanner tab, select Perform quick scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. Please save it to a convenient location.
• You can also access the log by doing the following:
  
  • Click on the Malwarebytes' Anti-Malware icon to launch the program.
  • Click on the Logs tab.
  • Click on the log at the bottom of those listed to highlight it.
  • Click Open.

_____________________

Post the log from Malwarebytes' Anti-Malware and a new HijackThis log in your next reply. Also let me know how your computer is currently running.

should I delete those two files?

Malwarebytes' Anti-Malware 1.19
Database version: 930
Windows 5.1.2600 Service Pack 2

11:39:39 PM 7/7/2008
mbam-log-7-7-2008 (23-39-36).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|I:\|)
Objects scanned: 118752
Time elapsed: 55 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\Program Files\Outerinfo\FF\components\FF.dll.vir (Adware.ClickSpring) -> No action taken.
C:\System Volume Information\_restore{C232945B-5F22-47E7-9116-B88F46952712}\RP7\A0000799.exe (Rogue.AdvancedXPFixer) -> No action taken.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41:09 PM, on 7/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
F:\Program Files\Lavasoft\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\AOL\1136771408\ee\AOLSoftware.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\Write DVD!\saimon.exe
F:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("aim.session.firsttime", false);
user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.cache.disk.parent_directory", "C:\\DOCUMENTS AND SETTINGS\\JEFF\\APPLICATION DATA\\Mozilla\\Profiles\\default\\3gg5fsiq.slt");
user_pref("browser.download.dir", "D:\\downloads");
user_pref("browser.download.progressDnldDialog.keepAlive", false);
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage", "www.google.com");
user_pref("browser.startup.homepage_override.mstone",
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("aim.session.firsttime", false);
user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.cache.disk.parent_directory", "C:\\DOCUMENTS AND SETTINGS\\JEFF\\APPLICATION DATA\\Mozilla\\Profiles\\default\\3gg5fsiq.slt");
user_pref("browser.download.dir", "D:\\downloads");
user_pref("browser.download.progressDnldDialog.keepAlive", false);
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage", "www.google.com");
user_pref("browser.startup.homepage_override.mstone",
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136771408\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Write DVD-R!] C:\Program Files\Write DVD!\saimon.exe
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} (HpodPCFileCtrl2 Class) - file://H:\MEMDISC\ALBUM_A\VIEW\PLUGIN\HPODPCFC.CAB
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 8322 bytes

Hi


No need for that... How is your computer running?

it seems to be running pretty smoothly. no more random IE pop ups or stupid "Anti virus" programs. But my start menu still has what look like shortcuts to Advanced XP fixer and Antivirus XP 2008. how do I get rid of those?

Hi


Please right-click on those shortcuts and press Delete. Answer Yes to the prompt, then empty your Recycle Bin.

Done.
anything else?

Hi

Congratulations, your log looks clean. Please advise of any problems you are still experiencing, or follow these simple steps to keep your computer clean in the future:

Click Start then Run....

• Type Combofix /u in the runbox and click OK. (Note: The space between the x and the /u needs to be there)
  
  
  
  
• This will uninstall Combofix.

Make your Internet Explorer More Secure

• From within Internet Explorer click on the Tools menu and then click on Options.
• Click once on the Security tab.
• Click once on the Internet icon so it becomes highlighted.
• Click once on the Custom Level button.
  
  • Change the Download signed ActiveX controls to Prompt.
  • Change the Download unsigned ActiveX controls to Disable.
  • Change the Initialise and script ActiveX controls not marked as safe to Disable.
  • Change the Installation of desktop items to Prompt.
  • Change the Launching programs and files in an IFRAME to Prompt.
  • Change the Navigate sub-frames across different domains to Prompt.
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.

• Next press the Apply button and then the OK to exit the Internet Properties page.

Use a Firewall - Without a firewall your computer is susceptible to being hacked and taken over. The Windows firewall isn't sufficient as it only monitors incoming connections.

Here are a few (free) firewalls, please download and install one of them:

• Kerio Personall Firewall
• Comodo Free Firewall

Visit Microsoft's Update Site Frequently - It is important that you visit http://update.microsoft.com/ regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install WinPatrol - An excellent startup manager, notifies you if programs are added to startup, allows delayed startup, ... A must have! An installation guide can be found here: http://www.winpatrol.com/download.html

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A tutorial can be found here: http://www.bleepingcomputer.com/tutorials/tutorial49.html

Update All Your Security Programs Regularly - Make sure you update all your security programs (Anti-Virus, Firewall, Anti-Spyware) regularly (once a weak, at least). Without regular updates you WILL NOT be protected when new malicious programs are released.

You can also read this excellent article by TonyKlein: So how did I get infected in the first place?

Follow this list and your potential for being infected again will reduce dramatically.

Since this issue appears to be resolved ... this topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a new topic.