I have been asked by a friend to look at his Windows machine. When I got it, it was ridden with viruses and trojans and keyloggers and adware of all sorts (including "System Antivirus 2008" and "Vista Antivirus 2008"). Anyway I believe I got rid of most of it, but there is one persistent problem: there is a file in the \windows\system32 directory called "basefdrn32.dll". AVG keeps removing it after boot, reporting that it is infected with the Klone.T virus. Once that happens, a short time later the machine reboots itself (even when idling) and then won't reboot unless I put the "basefdrn32.dll" file back in the \windows\system32 folder. The machine will also just spontaneously reboot too.

There are a few other suspicious files in the system32 directory that have the same file date as the original install files (8/4/2004 date) but are not signed by Microsoft (basefdrn32.dll being one example). I have checked a few other Windows XP machines and none have this file. I myself am a Linux guy (Gentoo) so my knowledge here is a bit limited. I do not have this machine hooked up to a network yet; I'd like to be reasonably sure it is no longer "Typhoid Mary" first.

Please note that I installed the Windows Recovery Console after running ComboFix.

I have Googled for this basefdrn32.dll file but there's nothing written about it (that I can find). So I am posting here the ComboFix log and the HJT log. It took some effort to get ComboFix to complete (in safe mode). I can post the basefdrn32.dll file, if it would be helpful. I am grateful for any advice.

Here are the logs:

ComboFix 08-06-20.4 - Compaq_Owner 2008-06-26 17:45:23.2 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Compaq_Owner\Application Data\install.dat
C:\Documents and Settings\Compaq_Owner\err.log
C:\Documents and Settings\Compaq_Owner\g2mdlhlpx.exe
C:\WINDOWS\system32\~.exe
.
---- Previous Run -------
.
C:\WINDOWS\BM7fb60e59.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.dll
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\apuulvkr.dll
C:\WINDOWS\system32\avexkjek.dll
C:\WINDOWS\system32\bgrkqwfl.dll
C:\WINDOWS\system32\biybmavn.ini
C:\WINDOWS\system32\bqroumct.dll
C:\WINDOWS\system32\cbXQhggg.dll
C:\WINDOWS\system32\cgwhropu.dll
C:\WINDOWS\system32\chtnbeej.dll
C:\WINDOWS\system32\cwftmlws.ini
C:\WINDOWS\system32\cynvbbhw.ini
C:\WINDOWS\system32\dkgnggtr.ini
C:\WINDOWS\system32\ecxfeomq.dll
C:\WINDOWS\system32\evaeywiq.ini
C:\WINDOWS\system32\fkongchb.dll
C:\WINDOWS\system32\glgnkwji.dll
C:\WINDOWS\system32\gudjrivw.dll
C:\WINDOWS\system32\ijwknglg.ini
C:\WINDOWS\system32\jxgpbcaq.ini
C:\WINDOWS\system32\jxrudbct.ini
C:\WINDOWS\system32\kkyhoasi.dll
C:\WINDOWS\system32\knksyksv.ini
C:\WINDOWS\system32\lgbgqdca.dll
C:\WINDOWS\system32\lharuorf.dll
C:\WINDOWS\system32\ljgtdqoq.ini
C:\WINDOWS\system32\llejhqny.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mgtkopsl.dll
C:\WINDOWS\system32\mnnrappd.dll
C:\WINDOWS\system32\nqokjhim.dll
C:\WINDOWS\system32\nvambyib.dll
C:\WINDOWS\system32\nvuslgiy.ini
C:\WINDOWS\system32\opnkjgef.dll
C:\WINDOWS\system32\oqdkastq.dll
C:\WINDOWS\system32\plkhutvp.ini
C:\WINDOWS\system32\plqodcrq.dll
C:\WINDOWS\system32\qacbpgxj.dll
C:\WINDOWS\system32\qiwyeave.dll
C:\WINDOWS\system32\qWFNmnpo.ini
C:\WINDOWS\system32\qWFNmnpo.ini2
C:\WINDOWS\system32\rsydqciu.dll
C:\WINDOWS\system32\rtggngkd.dll
C:\WINDOWS\system32\srsbwdkd.dll
C:\WINDOWS\system32\swfbxsnb.dll
C:\WINDOWS\system32\swlmtfwc.dll
C:\WINDOWS\system32\tshokgky.ini
C:\WINDOWS\system32\uicqdysr.ini
C:\WINDOWS\system32\vbsbcfor.dll
C:\WINDOWS\system32\vskysknk.dll
C:\WINDOWS\system32\wmbrwekc.dll
C:\WINDOWS\system32\wsftwosh.dll
C:\WINDOWS\system32\wvxqgyja.dll
C:\WINDOWS\system32\xbjrhpfi.dll
C:\WINDOWS\system32\yiglsuvn.dll
C:\WINDOWS\system32\ykgkohst.dll
C:\WINDOWS\system32\ynqhjell.dll
C:\xcrashdump.dat
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-05-26 to 2008-06-26 )))))))))))))))))))))))))))))))
.

2008-06-26 10:09 . 2004-08-04 06:00 24,576 --a------ C:\WINDOWS\system32\basefdrn32.dll
2008-06-26 09:53 . 2008-06-26 09:53 268 --ah----- C:\sqmdata15.sqm
2008-06-26 09:53 . 2008-06-26 09:53 244 --ah----- C:\sqmnoopt15.sqm
2008-06-26 08:29 . 2008-06-26 08:29 268 --ah----- C:\sqmdata14.sqm
2008-06-26 08:29 . 2008-06-26 08:29 244 --ah----- C:\sqmnoopt14.sqm
2008-06-26 06:46 . 2008-06-26 06:46 268 --ah----- C:\sqmdata13.sqm
2008-06-26 06:46 . 2008-06-26 06:46 244 --ah----- C:\sqmnoopt13.sqm
2008-06-25 23:24 . 2008-06-25 23:24 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-06-25 12:26 . 2008-06-26 09:48 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-25 12:24 . 2008-06-25 12:24 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-25 12:24 . 2008-06-25 23:33 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\AVGTOOLBAR
2008-06-25 12:24 . 2008-06-25 12:24 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-25 12:24 . 2008-06-25 12:24 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-25 12:24 . 2008-06-25 12:24 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-25 12:23 . 2008-06-25 12:23 <DIR> d-------- C:\Program Files\AVG
2008-06-25 12:23 . 2008-06-25 12:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-25 08:41 . 2008-06-25 08:41 294 --ahs---- C:\WINDOWS\system32\hhcchaag.ini
2008-06-25 07:36 . 2008-06-25 07:36 294 --ahs---- C:\WINDOWS\system32\nmtutdta.ini
2008-06-15 21:44 . 2008-06-15 21:44 28,672 --a------ C:\a
2008-06-10 22:23 . 2008-06-10 22:23 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-06-10 22:23 . 2008-06-10 22:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-06-10 22:23 . 2008-06-10 22:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-06-10 22:23 . 2008-06-10 22:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-06-10 22:22 . 2008-06-10 22:22 <DIR> d-------- C:\Program Files\NetFilter
2008-06-10 16:56 . 2005-04-19 16:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterMute
2008-06-10 16:56 . 2008-06-25 12:25 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-09 22:38 . 2008-06-09 22:41 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-06-08 21:46 . 2008-06-08 21:46 447,488 --a------ C:\19.tmp
2008-06-07 22:40 . 2008-06-07 22:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Authentium
2008-06-07 22:33 . 2008-06-07 22:33 <DIR> d-------- C:\Program Files\QwestInternetSecurity
2008-06-07 22:31 . 2008-06-17 10:15 <DIR> d-------- C:\Program Files\Common Files\Command Software
2008-06-07 22:29 . 2008-06-07 22:33 <DIR> d--h----- C:\Program Files\Common Files\Authentium Shared
2008-06-06 21:26 . 2008-06-06 21:26 73 --a------ C:\WINDOWS\st_affiliate.ini
2008-06-05 17:34 . 2008-06-05 22:37 <DIR> d-------- C:\Program Files\History Clean
2008-06-02 20:45 . 2008-06-02 20:45 <DIR> d-------- C:\Program Files\Panicware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-26 23:16 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-26 13:58 --------- d-----w C:\Program Files\Google
2008-06-17 16:27 --------- d-----w C:\Program Files\Spyware Doctor
2008-06-07 04:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-14 00:12 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2007-07-23 07:03 0 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2004-08-04 12:00 4,096 --sha-w C:\WINDOWS\system32\1112.dat
.

------- Sigcheck -------

2008-04-13 18:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 C:\WINDOWS\system32\svchost.exe
2004-08-04 06:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\dllcache\svchost.exe
.
((((((((((((((((((((((((((((( snapshot@2008-06-26_12.58.08.87 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-26 18:52:27 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-26 22:35:45 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6ba45602-2b6b-4e14-86f4-217b3f48da22}]
C:\WINDOWS\system32\nqokjhim.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A30DBE02-F151-409E-B55D-12635B1F750B}]
C:\WINDOWS\system32\opnmNFWq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"= "C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\CyberDefender\cdmyidd.dll" [2008-06-07 15:22 3794248]

[HKEY_CLASSES_ROOT\clsid\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"= C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\CyberDefender\cdmyidd.dll [2008-06-07 15:22 3794248]

[HKEY_CLASSES_ROOT\clsid\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"I.R.I.S. Desktop Search"="C:\Program Files\IRIS Desktop Search\IRISDesktopSearch.exe" [2006-01-11 07:37 5193512]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352]
"A00F14B6AC.exe"="C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_A00F14B6AC.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 12:55 1103240]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-25 12:23 1177368]
"BM7fb60e59"="C:\WINDOWS\system32\lharuorf.dll" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-09-24 01:28:44 282624]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 02:39:30 73728]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-06-10 02:09:14 972320]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disabletaskmgr"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcdDTKd]
efcdDTKd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c009480C]
C:\WINDOWS\system32\__c009480C.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL,avgrsstx.dll
"LoadAppInit_DLLs"=1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\subsystems]
"Windows"= basefdrn32.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-09 04:21:11 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-03-22 18:10:43 C:\WINDOWS\Tasks\rpc.job"
- C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-26 19:40:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\csrss.exe
-> C:\WINDOWS\system32\basefdrn32.dll
.
Completion time: 2008-06-26 20:30:45
ComboFix-quarantined-files.txt 2008-06-27 02:29:56

Pre-Run: 58,077,802,496 bytes free
Post-Run: 58,065,584,128 bytes free

217 --- E O F --- 2008-05-16 06:24:54



Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:19:35 AM, on 6/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
c:\program files\qwestinternetsecurity\iss\app\CurtainsSysSvcNt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\IRIS Desktop Search\IRISDesktopSearch.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Compaq_Owner\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.myidentitydefender.com
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\QwestInternetSecurity\ISS\app\AuthBHO.dll
O3 - Toolbar: I.R.I.S. Desktop Search - {577EBCA9-8ED3-45FC-A514-55B3817D4BCF} - C:\Program Files\IRIS Desktop Search\IRISDesktopSearchIntegration910.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {07AA283A-43D7-4CBE-A064-32A21112D94D} - (no file)
O3 - Toolbar: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\CyberDefender\cdmyidd.dll
O3 - Toolbar: Qwest Internet Security Services Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\QwestInternetSecurity\ISS\app\AuthBHO.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [I.R.I.S. Desktop Search] "C:\Program Files\IRIS Desktop Search\IRISDesktopSearch.exe" /tray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1186008886843
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\qwestinternetsecurity\iss\app\CurtainsSysSvcNt.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 7285 bytes

I have moved your Topic that includes a HijackThis log here to the Misplaced HJT Logs forum. You posted your log in a forum not intended for HijackThis logs analysis and probably missed the directions we provide to those who require assistance. We can only allow topics with such logs in the HijackThis Logs and Malware Removal forum. This restriction is to ensure you get the best help available, from those who specialize in malware anlaysis and removal. It also should prevent you from receiving ineffective or even potentially dangerous advice, whether well meaning or not.

Prior to posting a HJT log, we ask that you please read and follow all instructions in the pinned topic titled Preparation Guide For Use Before Posting A Hijackthis Log. Following the steps in this Guide will allow the HJT Team to quickly help you with specific fixes for what may remain on your system.

Please complete all the steps in the Guide. If you have performed some of them already, then just continue with the next. There are instructions for downloading and running Deckard's System Scanner (DSS) which will create a hijackthis log for you, or automatically download and install the most current version of HijackThis if it's not already installed on your computer.

Please note that it is important that Deckard's System Scanner be run and a log created while in normal mode. If you run it and create your log while in safe mode, you will be asked to redo it again properly. When you have completed those steps, start a new topic in the HijackThis Logs and Malware Removal forum as directed in the Guide to post a new log.

Please DO NOT post any more logs to this topic, or post a log again in the wrong forum.

The Misplaced HJT Logs forum is strictly a holding area where the BC Staff can assist you with preparations for and to properly post your log. If you have a question or encounter a problem in the Prep Guide, please do post back to this topic; that is what it is here for.

When your new HJT log is posted in the proper forum, please reply to this topic with a link to your new topic. Once that is done, a Member of the HJT Team will analyze your log and assist you with step by step instructions to clean your computer or otherwise advise what needs to be done.

Thanks for your cooperation and good luck.
The BC Staff

Sorry for the oversight. I was actually following the instructions from ComboFix, which listed BleepingComputer as a site to post its log output for assistance. I have run Deckards as required in your specific howto (which did not like the new HJT_v2, so I let it run with it's internal one). I will post Deckard's output to a new topic sans the ComboFix output and will add it later if need be. Sorry for the trouble.

Hello capt.frito,

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic. Good luck with your log.

The BC Staff