
Infected Please Help.


5 replies to this topic

#1 whatabod

whatabod


Posted 09 November 2007 - 08:50 AM

Hello, I have been having some issues as of late. I have been getting IE pop-ups on startup, and I have strange running exes like (obpxnqdo.exe) and odd DLLs like:
C:\WINDOWS\system32\jqksbayr.dll
C:\WINDOWS\system32\rtgsuuvo.dll
C:\WINDOWS\system32\byxwt.dll

Can anyone please help me clean up my machine? I have run Spybot and Ad-Aware with very little results.

Here is my hijack this log.

Thank You


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:48:11 AM, on 11/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\obpxnqdo.exe
C:\Downloads\stinger.exe
C:\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit.exe,
O1 - Hosts: 80.190.241.30 home.edonkey.com
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [RamSmash] "C:\Program Files\RamSmash\RamSmash.exe" /start
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1152987789\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [9031b4ba] rundll32.exe "C:\WINDOWS\system32\qreeyngd.dll",b
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download all by NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html
O8 - Extra context menu item: Download by NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125529254252
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab55579.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} (Secure Delivery) - http://cdn.digitalcity.com/video/kdx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\obpxnqdo.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 6380 bytes



#2 __RiP_ChAiN_

__RiP_ChAiN_


Posted 09 November 2007 - 11:27 AM

Hello whatabod,

Download HostsXpert.zip
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click "Restore Microsoft's Hosts file" and then click "OK".
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
Firstly download: DelDomains.inf
Locate DelDomains.inf right-click and select: Install
Note: you will not see any on-screen action ...
This will remove all entries in the Trusted, Restricted, and Enhanced Security Configuration Zones.
Note: once you do this, any previous restricted zone hacks (spywareblaster, ie-spyad, etc) will need to be reapplied.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

#3 whatabod

whatabod
  • Topic Starter


Posted 09 November 2007 - 01:08 PM

Hi __RiP_ChAiN_

Thanks so much for your quick reply. I have followed all the steps you posted and ran into trouble with the dss program: it will not complete and always crashes. But I have my Vundo log and my new HijackThis log.

Here is the Vundo log



VundoFix V6.5.11

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 11:31:20 AM 11/09/2007

Listing files found while scanning....

C:\windows\system32\byxwxyv.dll
C:\windows\system32\vtuvtqr.dll

Beginning removal...

Attempting to delete C:\windows\system32\byxwxyv.dll
C:\windows\system32\byxwxyv.dll Could not be deleted.

Attempting to delete C:\windows\system32\vtuvtqr.dll
C:\windows\system32\vtuvtqr.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\byxwxyv.dll
C:\windows\system32\byxwxyv.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...


and here is the hijack log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:49 PM, on 11/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\obpxnqdo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Common Files\AOL\1152987789\ee\AOLSoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit.exe,
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [RamSmash] "C:\Program Files\RamSmash\RamSmash.exe" /start
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1152987789\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [9031b4ba] rundll32.exe "C:\WINDOWS\system32\qreeyngd.dll",b
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download all by NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html
O8 - Extra context menu item: Download by NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125529254252
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab55579.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} (Secure Delivery) - http://cdn.digitalcity.com/video/kdx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\obpxnqdo.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 5750 bytes


I also ran Trojan Remover and it says I have a few entries:
C:\WINDOWS\system32\qreeyngd.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"9031b4ba"

C:\WINDOWS\system32\byxwt.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9CA4E583-043C-4715-A5EC-4A9A8B6C277F}

Thanks again __RiP_ChAiN_ for your support

Julie
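
An added example, not part of the original thread: a small Python script that parses HijackThis entry lines, diffs two logs, and lists entries for manual review. The log lines are a subset copied from the first two logs above; the function names and the two review heuristics (a Run value that loads a system32 DLL through rundll32, a service with an empty vendor field) are assumptions made for illustration, not rules stated by anyone in the thread.

```python
import re
from collections import defaultdict

# Subset of lines copied from the first and second HijackThis logs in this thread.
LOG_BEFORE = r"""
O1 - Hosts: 80.190.241.30 home.edonkey.com
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [9031b4ba] rundll32.exe "C:\WINDOWS\system32\qreeyngd.dll",b
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O23 - Service: DomainService - - C:\WINDOWS\system32\obpxnqdo.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [9031b4ba] rundll32.exe "C:\WINDOWS\system32\qreeyngd.dll",b
O23 - Service: DomainService - - C:\WINDOWS\system32\obpxnqdo.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# An entry line is a section code (R0, F2, O4, O23, ...) followed by " - " and free text.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# Heuristic (assumption): Run value that starts a DLL located in system32 via rundll32.
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([^",]+\\system32\\[^",\\]+\.dll)', re.I)
# O23 layout as seen in the logs above: "Service: <name> - <vendor> - <path>".
# The vendor may be empty, which leaves "- -" in the line.
SERVICE_RE = re.compile(r"^Service: (.+?) - (.*?)- ([A-Za-z]:\\.*)$")


def parse_entries(log_text):
    """Return {section_code: set(entry_text)}; header and process lines are skipped."""
    entries = defaultdict(set)
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries[match.group(1)].add(match.group(2).strip())
    return entries


def diff_logs(before_text, after_text):
    """Compare two logs and return sorted (code, text) lists per change type."""
    def flatten(parsed):
        return {(code, text) for code, items in parsed.items() for text in items}

    before, after = flatten(parse_entries(before_text)), flatten(parse_entries(after_text))
    return {
        "removed": sorted(before - after),
        "persisting": sorted(before & after),
        "added": sorted(after - before),
    }


def flag_for_review(log_text):
    """Return (code, text, reason) tuples worth a manual look; not a verdict."""
    flagged = []
    for code, items in parse_entries(log_text).items():
        for text in sorted(items):
            if code == "O4" and RUNDLL_RE.search(text):
                flagged.append((code, text, "Run value loads a system32 DLL via rundll32"))
            elif code == "O23":
                service = SERVICE_RE.match(text)
                if service and not service.group(2).strip():
                    flagged.append((code, text, "service has no vendor string"))
    return flagged


if __name__ == "__main__":
    changes = diff_logs(LOG_BEFORE, LOG_AFTER)
    for kind in ("removed", "persisting", "added"):
        print(f"== {kind} ==")
        for code, text in changes[kind]:
            print(f"{code} - {text}")
    print("== review ==")
    for code, text, reason in flag_for_review(LOG_AFTER):
        print(f"{code} - {text}  [{reason}]")
```

Run against the two full logs, the same diff shows the O1 Hosts line and all O15 Trusted Zone lines gone after the Hosts and zone resets, while the `9031b4ba` Run value and the `DomainService` service are still present.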

#4 __RiP_ChAiN_

__RiP_ChAiN_


Posted 09 November 2007 - 03:31 PM

Hello whatabod,

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.
More information with a screenshot can be found here.

Please download Combofix to your desktop.
Double-click combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

#5 whatabod

whatabod
  • Topic Starter


Posted 09 November 2007 - 04:31 PM

Hello again __RiP_ChAiN_ and thank you for working with me on this.

Here is my uninstall log


µTorrent
3D Ultra Minigolf Adventures
Ad-Aware 2007
Ad-Aware SE Professional
AdCalls_Dialer
Adobe Flash Player Plugin
Adobe Reader 7.0.9
Adobe Shockwave Player
AnalogX PortBlocker
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Hi-Q Video
AOL Uninstaller (Choose which Products to Remove)
Ares 2.0.9
Audio Notes Recorder 5.30
Austin Powers Pinball
Belltech Small Business Publisher 3.5.1
Best Friends Forever
Big Fish Games Client
Bounce Symphony
Bubble Bobble Gold Edition
BUGDOCPRO
CallWave Internet Answering Machine (remove only)
Claw
CloneCD
Continuum 0.39
Cool Paint
Creative Painter
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DOOM Collector's Edition
Double Top
Dungeon Keeper 2
Easy File Sharing Web Server 4.1
Emoticons Mail 3.1
Fast Browser (Pro Version)
FlashGet(JetCar)
FROGGER 2 3D!
Game Alladin
GetSmile v1.730
Golden Tee Golf Course Addon #1
Google Gmail Notifier
GSpot Codec Information Appliance
Hide IP Platinum 2.0
HijackThis 2.0.2
ImageConverter Plus
InkSaver
IPaddress 2.0.4
J2SE Runtime Environment 5.0 Update 10
Kazaa Lite K++ v2.4.3
Konfabulator
Kristanix Right Click Image Converter
Learn2 Player (Uninstall Only)
LEGO Creator
Lexmark Z600 Series
LimeWire PRO 4.12.3
Logitech MouseWare 9.79
LudoRace
Mario Forever v 2.16 !
MegaSpoof 1.96
Microsoft .NET Framework 1.1
Microsoft Calculator Plus
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Professional Edition 2003
Microsoft Office Word Viewer 2003
Microsoft PowerPoint Viewer 97
Microsoft Text-to-Speech Engine 4.0 (English)
mIRC
Mozilla Firefox (2.0.0.9)
MSN Messenger 7.0
Mystery Case Files: Madame Fate (remove only)
Mystery Solitaire - Secret Island
Neighbors From Hell
Nero 6 Ultra Edition
Net Detective
NetXfer 2.47.373
Nicktoons Challenge! (remove only)
NOD32 Antivirus System
oggcodecs 0.71.0946
Opera 9.24
PCRepair 2005
PeerGuardian 2.0
Pure Networks Port Magic
QuickTime
Radmin Viewer 3.0
RamSmash
ReadPlease 2003/ReadPlease PLUS 2003
RealArcade
RealPlayer
Registry Mechanic 5.1
RegVac - Registered Version
RegVac Registry Cleaner 5.01 (Registered Version)
ResumeMaker Professional
Road Rush v1.6.0
RTC Client API v1.2
Save Flash 3.0
Scholastic's I SPY Fantasy
screen pen 1.1
ScreenPen
SereneScreen Marine Aquarium 2.6
Simon Extreme 1.0
Skype 2.5
SLD Codec Pack
Solaris 104
Souptoys
Souptoys
SPX Instant Screen Capture
Spy Sweeper
Spybot - Search & Destroy
SpyRemover 2.55
Star Wars Racer
STOIK Smart Resizer
Strayfire Version 1.1
Strike! Bowling
Super Fast Shutdown 1.0
SuperMegaSpoof 2.0
Tarzan
TaxACT 2006
The Nightshift Code
The Ultimate Troubleshooter
Tidy Start Menu
Trillian
Trivial Pursuit Silver Screen Edition
Trojan Remover 6.6.2
Tunebite 4.1.0.12
TweakNow PowerPack 2006 Professional
UltimateDefrag
Unlocker 1.8.3
Update for Windows XP (KB898461)
Viewpoint Media Player
Vopt 8.16
Web Page Maker V2.3
WebExe
Window Washer
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 2
WinRAR archiver
Word Whomp To Go
WWW File Share Pro 5.0
Xeno Assault
XoftSpy
XP Smoker 4.4
XVid;-)
Yahoo! Messenger
Zuma Deluxe

The first entry on that log was blank in the name field, but the uninstall command string is
MsiExec.exe /X{E9F81423-211E-46B6-9AE0-38568BC5CF6F}

My combo fix log is as follows

ComboFix 07-11-08.3 - MadHacker 2007-11-09 15:08:07.2 - NTFSx86
Running from: C:\Downloads\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-09 to 2007-11-09 )))))))))))))))))))))))))))))))
.

2007-11-09 13:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-09 13:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-09 12:40 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-09 11:44 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-11-09 11:31 <DIR> d-------- C:\VundoFix Backups
2007-11-09 11:19 <DIR> d-------- C:\Deckard
2007-11-09 06:55 35,328 --a------ C:\WINDOWS\system32\byxutrp.dll
2007-11-09 06:54 35,328 --a------ C:\WINDOWS\system32\ssqppol.dll
2007-11-08 17:06 <DIR> d-------- C:\Program Files\The Nightshift Code
2007-11-08 15:24 80,448 --a------ C:\WINDOWS\system32\xtwfmmrl.dll
2007-11-08 15:21 86,080 --a------ C:\WINDOWS\system32\qreeyngd.dll
2007-11-08 15:12 71,232 --a------ C:\WINDOWS\system32\qvjqtiip.exe
2007-11-07 19:22 <DIR> dr-h----- C:\Documents and Settings\MadHacker\Application Data\SecuROM
2007-11-07 19:22 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-11-07 15:49 <DIR> d-------- C:\Program Files\Mystery Case Files - Madame Fate
2007-11-07 15:26 <DIR> d-------- C:\Program Files\bfgclient
2007-11-07 15:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2007-11-07 15:12 79,936 --a------ C:\WINDOWS\system32\ofsppfya.dll
2007-11-07 15:12 71,232 --a------ C:\WINDOWS\system32\obpxnqdo.exe
2007-11-06 12:58 <DIR> d-------- C:\Program Files\Viewpoint
2007-11-05 21:29 83,008 --a------ C:\WINDOWS\system32\kjjbslek.dll
2007-11-05 21:10 959,591 --a------ C:\WINDOWS\system32\oeutfdpy.ini.ren
2007-11-05 21:10 85,568 --a------ C:\WINDOWS\system32\ypdftueo.dll
2007-11-05 21:08 83,008 --a------ C:\WINDOWS\system32\aypwmdhx.dll
2007-11-05 17:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-05 17:16 379,431 --ahs---- C:\WINDOWS\system32\twxyb.ini2.ren
2007-11-05 17:01 408,685 --a------ C:\WINDOWS\system32\twxyb.tmp.ren
2007-11-04 19:59 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-04 19:58 <DIR> d-------- C:\Documents and Settings\MadHacker\.housecall6.6
2007-11-04 19:36 86,080 --a------ C:\WINDOWS\system32\jqksbayr.dll.ren
2007-11-04 19:32 78,912 --a------ C:\WINDOWS\system32\dlhdtfrq.dll
2007-11-04 18:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-11-04 17:13 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2007-11-04 17:13 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2007-11-04 17:13 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2007-11-04 17:13 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-11-04 17:13 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2007-11-04 17:12 <DIR> d-------- C:\Program Files\Trojan Remover
2007-11-04 17:12 <DIR> d-------- C:\Documents and Settings\MadHacker\Application Data\Simply Super Software
2007-11-04 17:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2007-11-04 17:04 576,785 --a------ C:\WINDOWS\system32\cweymbaa.ini.ren
2007-11-04 17:04 86,080 --a------ C:\WINDOWS\system32\aabmyewc.dll.ren
2007-11-04 17:01 78,912 --a------ C:\WINDOWS\system32\ftuybwdr.dll
2007-11-04 16:59 78,912 --a------ C:\WINDOWS\system32\aujjknbf.dll
2007-11-04 16:56 576,905 --a------ C:\WINDOWS\system32\nhhgbkfj.ini.ren
2007-11-04 16:56 86,080 --a------ C:\WINDOWS\system32\jfkbghhn.dll
2007-11-04 16:54 378,184 --a------ C:\WINDOWS\system32\twxyb.bak2.ren
2007-11-02 21:25 376,868 --a------ C:\WINDOWS\system32\twxyb.bak1.ren
2007-11-02 21:24 416,489 --a------ C:\WINDOWS\system32\twxyb.ini.ren
2007-11-02 21:19 32,764 --a------ C:\WINDOWS\17PHolmes572.exe
2007-11-02 21:18 34,816 --a------ C:\WINDOWS\system32\byxwxyv.dll
2007-10-29 13:56 51,712 --a------ C:\Documents and Settings\MadHacker\1.exe
2007-10-28 16:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MinigolfAdventures
2007-10-26 05:17 <DIR> d-------- C:\Program Files\Opera
2007-10-25 06:12 <DIR> d-------- C:\Program Files\Amazing Adventures - The Lost Tomb
2007-10-24 14:13 <DIR> d-------- C:\Documents and Settings\MadHacker\Application Data\Abra Academy2
2007-10-19 15:32 <DIR> d-------- C:\Documents and Settings\MadHacker\Application Data\Super-Cow
2007-10-19 08:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NeptunesAdve

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-09 19:29 --------- d-----w C:\Program Files\Lavasoft
2007-11-09 18:47 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-09 16:46 --------- d-----w C:\Program Files\FlashGet
2007-11-08 23:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2007-11-07 21:07 --------- d-----w C:\Program Files\RegVac Registry Cleaner
2007-11-05 01:34 --------- d-----w C:\Program Files\XoftSpy
2007-10-30 19:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\MumboJumbo
2007-10-29 16:34 --------- d-----w C:\Documents and Settings\MadHacker\Application Data\iWin
2007-10-28 23:08 --------- d-----w C:\Program Files\RegVac
2007-10-28 22:46 286,720 ----a-w C:\WINDOWS\iun506.exe
2007-10-28 05:45 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-27 19:07 --------- d-----w C:\Program Files\PeerGuardian2
2007-10-25 17:40 --------- d-----w C:\Program Files\Ares
2007-10-25 12:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\SpinTop Games
2007-10-18 13:46 --------- d-----w C:\Program Files\MegaSpoof
2007-10-07 15:13 --------- d-----w C:\Documents and Settings\MadHacker\Application Data\Legends of pirates
2007-10-07 04:44 --------- d-----w C:\Program Files\Hawaiian Explorer Pearl Harbor
2007-10-07 01:50 --------- d-----w C:\Program Files\Mini Golf Mayhem
2007-09-30 22:29 --------- d-----w C:\Documents and Settings\MadHacker\Application Data\Thinstall
2007-09-21 22:57 --------- d-----w C:\Documents and Settings\MadHacker\Application Data\ForgottenRiddles
2007-09-16 17:34 --------- d-----w C:\Program Files\The Scruffs
2007-09-13 22:43 --------- d-----w C:\Documents and Settings\MadHacker\Application Data\uTorrent
2005-09-06 10:58 280,064 ----a-w C:\Documents and Settings\MadHacker\Application Data\tizhook.bin
2004-12-21 03:02 339 ----a-w C:\Documents and Settings\MadHacker\Application Data\shell.dll
2003-03-28 19:37 38,528 ----a-r C:\WINDOWS\inf\FASTNIC.SYS
2002-08-21 18:04 127,488 ----a-w C:\Documents and Settings\MadHacker\fmod.dll
2001-08-23 15:00:00 989 --sha-r C:\WINDOWS\ntosboot.dat
1757-03-16 10:00:12 4,263 --sh--w C:\WINDOWS\windllreg1c.sys
.

((((((((((((((((((((((((((((( snapshot@2007-11-09_13.10.42.94 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-09 19:32:13 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
+ 2007-11-09 19:32:14 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
+ 2007-11-09 19:32:13 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
+ 2007-11-09 19:32:13 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
+ 2007-07-11 19:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-08-07 18:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2007-08-07 18:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
+ 2007-04-13 20:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
+ 2007-11-09 19:41:58 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_6c0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{eafd526f-1faa-4720-b1f6-f9e9839e27a4}]
2007-11-08 15:24 80448 --a------ C:\WINDOWS\system32\xtwfmmrl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-06-14 14:51]
"RamSmash"="C:\Program Files\RamSmash\RamSmash.exe" [2004-12-04 14:11]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 02:51]
"HostManager"="C:\Program Files\Common Files\AOL\1152987789\ee\AOLSoftware.exe" [2006-09-25 18:52]
"9031b4ba"="C:\WINDOWS\system32\qreeyngd.dll" [2007-11-08 15:21]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSharedDocuments"=00000000

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1152987789\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wwSecSvc"=2 (0x2)

R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys
R1 bbcap;bbcap;C:\WINDOWS\system32\DRIVERS\bbcap.sys
R3 FastNIC;SMC EZ Card 10/100 (SMC1244TX V2);C:\WINDOWS\system32\DRIVERS\FastNIC.sys
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys
R3 tbhsd;Tunebite High-Speed Dubbing;C:\WINDOWS\system32\drivers\tbhsd.sys
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S3 mirrorv3;mirrorv3;C:\WINDOWS\system32\DRIVERS\rminiv3.sys

*Newly Created Service* - AAWSERVICE
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-09 15:16:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-09 15:19:37
C:\ComboFix2.txt ... 2007-11-09 13:13
.
--- E O F ---
The HijackThis file is next

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:29:44 PM, on 11/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Common Files\AOL\1152987789\ee\AOLSoftware.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: {4a72e938-9e9f-6f1b-0274-aaf1f625dfae} - {eafd526f-1faa-4720-b1f6-f9e9839e27a4} - C:\WINDOWS\system32\xtwfmmrl.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [RamSmash] "C:\Program Files\RamSmash\RamSmash.exe" /start
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1152987789\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [9031b4ba] rundll32.exe "C:\WINDOWS\system32\qreeyngd.dll",b
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download all by NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html
O8 - Extra context menu item: Download by NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125529254252
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab55579.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} (Secure Delivery) - http://cdn.digitalcity.com/video/kdx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 6438 bytes


Thanks again

Julie

#6 __RiP_ChAiN_


Posted 10 November 2007 - 03:35 AM

Hello whatabod,

Using Add or Remove Programs, remove the following entries (if present). (To get into Add or Remove Programs, press the START button > Control Panel > Add or Remove Programs.)

Viewpoint Media Player
LimeWire PRO 4.12.3


A. Please RUN HijackThis
  • Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: {4a72e938-9e9f-6f1b-0274-aaf1f625dfae} - {eafd526f-1faa-4720-b1f6-f9e9839e27a4} - C:\WINDOWS\system32\xtwfmmrl.dll
    O4 - HKLM\..\Run: [9031b4ba] rundll32.exe "C:\WINDOWS\system32\qreeyngd.dll",b


  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

B. 1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\byxutrp.dll
C:\WINDOWS\system32\ssqppol.dll
C:\WINDOWS\system32\xtwfmmrl.dll
C:\WINDOWS\system32\qreeyngd.dll
C:\WINDOWS\system32\qvjqtiip.exe
C:\WINDOWS\system32\ofsppfya.dll
C:\WINDOWS\system32\obpxnqdo.exe
C:\WINDOWS\system32\kjjbslek.dll
C:\WINDOWS\system32\oeutfdpy.ini.ren
C:\WINDOWS\system32\ypdftueo.dll
C:\WINDOWS\system32\aypwmdhx.dll
C:\WINDOWS\system32\twxyb.ini2.ren
C:\WINDOWS\system32\twxyb.tmp.ren
C:\WINDOWS\system32\jqksbayr.dll.ren
C:\WINDOWS\system32\dlhdtfrq.dll
C:\WINDOWS\system32\cweymbaa.ini.ren
C:\WINDOWS\system32\aabmyewc.dll.ren
C:\WINDOWS\system32\ftuybwdr.dll
C:\WINDOWS\system32\aujjknbf.dll
C:\WINDOWS\system32\nhhgbkfj.ini.ren
C:\WINDOWS\system32\jfkbghhn.dll
C:\WINDOWS\system32\twxyb.bak2.ren
C:\WINDOWS\system32\twxyb.bak1.ren
C:\WINDOWS\system32\twxyb.ini.ren
C:\WINDOWS\17PHolmes572.exe
C:\WINDOWS\system32\byxwxyv.dll
C:\Documents and Settings\MadHacker\1.exe

Folder::
C:\VundoFix Backups
C:\Program Files\Viewpoint



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
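
A cross-check for the procedure in the post above, as an added example that is not part of the original post or of HijackThis/ComboFix: it confirms that every file loaded by a HijackThis entry selected for fixing is also queued in the CFScript, so removing the autostart entry does not leave its binary on disk. The function names, status labels and the extension list in the regex are assumptions; the sample lines are excerpts copied from this thread, plus one entry from the same log (ssv.dll) that was not selected.

```python
import re

# Excerpts copied from this thread; the last HijackThis line (ssv.dll) was
# not selected for fixing and is included only as a contrast case.
HJT_ENTRIES = r'''
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: {4a72e938-9e9f-6f1b-0274-aaf1f625dfae} - {eafd526f-1faa-4720-b1f6-f9e9839e27a4} - C:\WINDOWS\system32\xtwfmmrl.dll
O4 - HKLM\..\Run: [9031b4ba] rundll32.exe "C:\WINDOWS\system32\qreeyngd.dll",b
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
'''
CFSCRIPT = r'''
File::
C:\WINDOWS\system32\xtwfmmrl.dll
C:\WINDOWS\system32\qreeyngd.dll
Folder::
C:\VundoFix Backups
C:\Program Files\Viewpoint
'''

# Drive-letter path ending in a binary extension (extension set is an assumption).
PATH_RE = re.compile(r'(?<![A-Za-z])[A-Za-z]:\\[^"<>|*?\r\n]+?\.(?:dll|exe|sys)\b', re.I)

def parse_cfscript(text):
    """Return {'file': {...}, 'folder': {...}} with lower-cased paths."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r'(\w+)::', line)
        if header:
            current = sections.setdefault(header.group(1).lower(), set())
        elif line and current is not None:
            current.add(line.lower().rstrip('\\'))
    return sections

def check_entries(hjt_text, cfscript_text):
    """For each HijackThis entry, report whether the file it loads is queued."""
    script = parse_cfscript(cfscript_text)
    files, folders = script.get('file', set()), script.get('folder', set())
    report = []
    for entry in filter(None, map(str.strip, hjt_text.splitlines())):
        code = entry.split(' - ', 1)[0]          # e.g. "O2", "O4", "R0"
        paths = [p.lower() for p in PATH_RE.findall(entry)]
        if not paths:                            # entry has no file behind it
            report.append((code, None, 'registry-only'))
        for path in paths:
            covered = path in files or any(path.startswith(f + '\\') for f in folders)
            report.append((code, path, 'queued' if covered else 'not queued'))
    return report

print(check_entries(HJT_ENTRIES, CFSCRIPT))
```

An entry reported as 'not queued' is either one that should not have been selected (as with ssv.dll here) or a file missing from the script.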
