My In-laws Are Having Popup Problems


9 replies to this topic

#1 Jaanilinn


Posted 27 January 2008 - 07:36 PM

My in-laws are having problems with popups. They are mainly for virus scan programs, but also some redirects. Explorer seems to close too; I have tried three times to post this. Even the background desktop theme has been hijacked by a scan warning (which will reappear if removed)!

I have read the thread http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/. I ran Stinger (no hits, though), SpywareBlaster, Spyware Search&Destroy, and AdAware. The last two do get hits, but they reappear after being removed. For the anti-virus scan, I used AVG, with similar results. I downloaded the latest Windows updates. I assume (perhaps incorrectly) that they have Service Pack 2 because that did not appear as an outstanding update.

The HijackThis log is

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:22:47 PM, on 1/27/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rxjddnvj.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\regsvr32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\COMMON~1\YMANTE~1\taskmgr.exe
C:\WINDOWS\SYSTEM32\??pPatch\m?iexec.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Works\WkDStore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\VCOM\PowerDesk\PDExplo.exe
C:\DOCUME~1\GEORGI~1\LOCALS~1\Temp\~~PDTEMP\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\rxjddnvj.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: Google Module - {221BBF54-3327-4548-9006-84385B1A5840} - rtypiclor.dll (file missing)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6118AC3F-31A9-625D-FEBF-15A3E6FEF9C2} - C:\WINDOWS\System32\voe.dll
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\awtqnml.dll
O2 - BHO: (no name) - {71047564-1dd2-11b2-8046-8c8d68d77de6} - C:\WINDOWS\xadwhodm.dll
O2 - BHO: BndBlock5 BHO Class - {82EA1A55-9CBC-404b-9D0C-E8BFB7EAAE9B} - C:\Program Files\QdrDrive\QdrDrive10.dll
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: Player - {99F785E5-5394-4826-A515-034A34A36377} - C:\WINDOWS\orgnavi.dll
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {C1838333-3155-4A0C-9592-B25B29D52302} - C:\WINDOWS\System32\jkkjk.dll (file missing)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {CC08D489-A73B-4488-AD13-BD1E2372A1A2} - C:\Program Files\Windows Media Player\sadej4444.dll (file missing)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: (no name) - {EAB233DF-E727-4CCB-B1B5-034258344F9B} - C:\Program Files\Windows Media Player\sadej83122.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [jyrsfydk] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\jyrsfydk.dll"
O4 - HKLM\..\Run: [drmsrv32] C:\DOCUME~1\GEORGI~1\LOCALS~1\Temp\360132hp132b.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\COMMON~1\YMANTE~1\taskmgr.exe" -vt yazb
O4 - HKCU\..\Run: [Bxamc] C:\WINDOWS\SYSTEM32\??pPatch\m?iexec.exe
O4 - HKCU\..\Run: [QdrModule12] "C:\Program Files\QdrModule\QdrModule12.exe"
O4 - HKCU\..\Run: [QdrPack12] "C:\Program Files\QdrPack\QdrPack12.exe"
O4 - HKLM\..\Policies\Explorer\Run: [ToTP0SMsJe] rundll32.exe "C:\WINDOWS\cfmfgvef.dll",DllCleanServer
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1201476396718
O20 - Winlogon Notify: awtqnml - C:\WINDOWS\SYSTEM32\awtqnml.dll
O20 - Winlogon Notify: __c00931C4 - C:\WINDOWS\System32\__c00931C4.dat (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SystemSuite Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Online Services\baxyqypr.html

--
End of file - 12180 bytes

Just out of curiosity, what do (no file) or (missing file) mean? Instinctively it seems as though they could be purged, but I feel that I am wrong. I vaguely know in principle that there are various categories of programs (O4, O9, etc.). Thanks for the help. As it is my in-laws’ computer, I may not be able to reply immediately, but I will post replies as quickly as possible.
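An added example, not HijackThis code and not from either poster, that reads lines in the format of the log above and sorts them into review buckets. In HijackThis output, "(no file)" and "(file missing)" mark registry entries whose DLL or EXE is absent from disk, so nothing runs from them; the entries that deserve attention are the ones that do run, from places a normal installer never uses (Temp, Application Data, the Policies\Explorer\Run key, an extra program chained to UserInit, a DLL registered with Winlogon). The sample lines are copied from the posted log; the severities are a reading aid for a human reviewer, not a verdict.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread: it is not HijackThis code, and it only uses the
line format visible in the posted log (section code, ' - ', entry body).
Severities are a reading aid for a human reviewer, not a verdict."""
import re

ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Directories a legitimately installed program has no reason to auto-start from.
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\documents and settings\\",
                 "\\docume~1\\", "\\locals~1\\")
# Section code (R0, F2, O4, ...) followed by ' - ' and the entry body.
ENTRY_RE = re.compile(r"^([ROF]\d+)\s+-\s+(.*)$")

# Sample lines copied from the log posted above. HijackThis section meanings:
# F2 = system.ini values mapped into the registry (Shell, UserInit),
# O2 = browser helper object, O4 = Run key or startup folder,
# O20 = Winlogon Notify DLL, O23 = service, O24 = Active Desktop component.
SAMPLE_LOG = """\
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\rxjddnvj.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {6118AC3F-31A9-625D-FEBF-15A3E6FEF9C2} - C:\\WINDOWS\\System32\\voe.dll
O2 - BHO: (no name) - {C1838333-3155-4A0C-9592-B25B29D52302} - C:\\WINDOWS\\System32\\jkkjk.dll (file missing)
O4 - HKLM\\..\\Run: [jyrsfydk] regsvr32 /u "C:\\Documents and Settings\\All Users\\Application Data\\jyrsfydk.dll"
O4 - HKLM\\..\\Run: [drmsrv32] C:\\DOCUME~1\\GEORGI~1\\LOCALS~1\\Temp\\360132hp132b.exe
O4 - HKCU\\..\\Run: [MSMSGS] "C:\\Program Files\\Messenger\\msmsgs.exe" /background
O4 - HKLM\\..\\Policies\\Explorer\\Run: [ToTP0SMsJe] rundll32.exe "C:\\WINDOWS\\cfmfgvef.dll",DllCleanServer
O20 - Winlogon Notify: awtqnml - C:\\WINDOWS\\SYSTEM32\\awtqnml.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\\WINDOWS\\system32\\LEXBCES.EXE
O24 - Desktop Component 0: (no name) - C:\\Program Files\\Online Services\\baxyqypr.html
"""


def parse_line(line):
    """Return (section, body) for an entry line such as 'O4 - HKLM\\..\\Run: [x] path', else None."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def classify(line):
    """Map one log line to (section, severity, reason); None for non-entry lines."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    section, body = parsed
    low = body.lower()
    # '(no file)' / '(file missing)': the registry reference exists but the file
    # does not, so nothing runs from it; it is leftover clutter, not a live threat.
    if low.endswith(ORPHAN_MARKERS):
        return section, "orphan", "registry entry points at a file that is not on disk"
    if section == "F2" and "userinit=" in low:
        progs = [p.strip() for p in low.split("userinit=", 1)[1].split(",") if p.strip()]
        extra = [p for p in progs if not p.endswith("\\userinit.exe")]
        if extra:
            return section, "high", "extra program chained to UserInit: " + ", ".join(extra)
    if section == "O4":
        if "policies\\explorer\\run" in low:
            return section, "high", "autostart via Policies\\Explorer\\Run, rarely used legitimately"
        if any(d in low for d in USER_WRITABLE):
            return section, "high", "autostart from a user-writable or temporary directory"
        if re.search(r"\]\s*(regsvr32|rundll32)", low):
            return section, "medium", "DLL loaded through a system utility"
    if section == "O20":
        return section, "medium", "DLL loaded into winlogon.exe at logon"
    if section == "O24":
        return section, "medium", "Active Desktop component, can replace the wallpaper"
    if section == "O2" and low.startswith("bho: (no name)"):
        return section, "medium", "unnamed BHO with a file on disk"
    return section, "info", "no rule matched"


def triage(log_text):
    """Group all entry lines by severity: {severity: [(section, reason, line), ...]}."""
    groups = {"high": [], "medium": [], "orphan": [], "info": []}
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            section, severity, reason = result
            groups[severity].append((section, reason, line.strip()))
    return groups


def severity_counts(log_text):
    """Number of entries per severity bucket."""
    return {sev: len(items) for sev, items in triage(log_text).items()}


if __name__ == "__main__":
    for severity, items in triage(SAMPLE_LOG).items():
        for section, reason, line in items:
            print(f"[{severity:6}] {section:3} {reason}\n         {line}")
```

Run against the twelve sample lines, it puts the UserInit chain, the two Temp/Application Data autostarts and the Policies\Explorer\Run entry in the high bucket, the Winlogon Notify DLL, the Active Desktop component and the unnamed BHO in medium, and the two "(no file)"/"(file missing)" entries in orphan; the Acrobat helper, Messenger and the Lexmark service fall through as info. The rules are deliberately about where and how something runs rather than about file names, because random-looking names also occur in legitimate software.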

#2 RichieUK


Posted 29 January 2008 - 09:37 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, Jaanilinn.
My name is Richie and I'll be helping you to fix your problems.

Please move HijackThis.exe to a permanent folder on the hard drive such as C:\HJT
Create a new folder and place your HijackThis.exe inside that folder so that the backups of log changes it creates are saved in the same folder and can be used to reverse the line entry deletion if found to be necessary.
If HijackThis is used from a temp folder it is in danger of being accidentally deleted by Disk Cleanup or similar tools.

How to create a new folder named HJT
1. Click Start/My Computer, in the 'My Computer' window, open the window in which you want to create the new folder, click on Local Disk C:
2. From the 'File' menu choose 'New'.
3. From the 'New' menu choose 'Folder'.
4. Type the folder name: HJT
5. Then press Enter.

If you need help, follow the info in the link below:
http://russelltexas.com/malware/createhjtfolder.htm


Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.


If you have previously downloaded ComboFix,please delete that version now.
Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, NOT for private use.
Using this tool incorrectly could render your system/pc inoperable.

Now download Combofix by sUBs and save to your desktop.
Alternative Combofix download link HERE.
Note
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new HijackThis log please.

#3 Jaanilinn


Posted 30 January 2008 - 09:34 PM

I placed HJT in the folder which I had created when downloading it. I did not notice that it was not actually in the folder when I did the initial scan, though.

So, here is the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:21:48 PM, on 1/30/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\regsvr32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\SYSTEM32\??pPatch\m?iexec.exe
C:\Program Files\QdrModule\QdrModule12.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\WINDOWS\System32\wuauclt.exe
C:\stuff Martin has added for Sasa\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\rxjddnvj.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: Google Module - {221BBF54-3327-4548-9006-84385B1A5840} - rtypiclor.dll (file missing)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6118AC3F-31A9-625D-FEBF-15A3E6FEF9C2} - C:\WINDOWS\System32\voe.dll
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\awtqnml.dll (file missing)
O2 - BHO: (no name) - {71047564-1dd2-11b2-8046-8c8d68d77de6} - C:\WINDOWS\xadwhodm.dll
O2 - BHO: BndBlock5 BHO Class - {82EA1A55-9CBC-404b-9D0C-E8BFB7EAAE9B} - C:\Program Files\QdrDrive\QdrDrive10.dll
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: Player - {99F785E5-5394-4826-A515-034A34A36377} - C:\WINDOWS\orgnavi.dll
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {C1838333-3155-4A0C-9592-B25B29D52302} - C:\WINDOWS\System32\jkkjk.dll (file missing)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {CC08D489-A73B-4488-AD13-BD1E2372A1A2} - C:\Program Files\Windows Media Player\sadej4444.dll (file missing)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: (no name) - {EAB233DF-E727-4CCB-B1B5-034258344F9B} - C:\Program Files\Windows Media Player\sadej83122.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [jyrsfydk] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\jyrsfydk.dll"
O4 - HKLM\..\Run: [drmsrv32] C:\DOCUME~1\GEORGI~1\LOCALS~1\Temp\360132hp132b.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\COMMON~1\YMANTE~1\taskmgr.exe" -vt yazb
O4 - HKCU\..\Run: [Bxamc] C:\WINDOWS\SYSTEM32\??pPatch\m?iexec.exe
O4 - HKCU\..\Run: [QdrModule12] "C:\Program Files\QdrModule\QdrModule12.exe"
O4 - HKCU\..\Run: [QdrPack12] "C:\Program Files\QdrPack\QdrPack12.exe"
O4 - HKLM\..\Policies\Explorer\Run: [ToTP0SMsJe] rundll32.exe "C:\WINDOWS\cfmfgvef.dll",DllCleanServer
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1201476396718
O20 - Winlogon Notify: awtqnml - awtqnml.dll (file missing)
O20 - Winlogon Notify: __c00931C4 - C:\WINDOWS\System32\__c00931C4.dat (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SystemSuite Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Online Services\baxyqypr.html

--
End of file - 12171 bytes

Here is the log from SDFix:


SDFix: Version 1.134

Run by Administrator on Wed 01/30/2008 at 09:15 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Resetting SecurityProviders Value

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\PROGRA~1\ONLINE~1\BAXYQY~1.HTM - Deleted
C:\WINDOWS\rwtrmceq\1.png - Deleted
C:\WINDOWS\rwtrmceq\2.png - Deleted
C:\WINDOWS\rwtrmceq\3.png - Deleted
C:\WINDOWS\rwtrmceq\4.png - Deleted
C:\WINDOWS\rwtrmceq\5.png - Deleted
C:\WINDOWS\rwtrmceq\6.png - Deleted
C:\WINDOWS\rwtrmceq\7.png - Deleted
C:\WINDOWS\rwtrmceq\8.png - Deleted
C:\WINDOWS\rwtrmceq\9.png - Deleted
C:\WINDOWS\rwtrmceq\bottom-rc.gif - Deleted
C:\WINDOWS\rwtrmceq\config.png - Deleted
C:\WINDOWS\rwtrmceq\content.png - Deleted
C:\WINDOWS\rwtrmceq\download.gif - Deleted
C:\WINDOWS\rwtrmceq\frame-bg.gif - Deleted
C:\WINDOWS\rwtrmceq\frame-bottom-left.gif - Deleted
C:\WINDOWS\rwtrmceq\frame-h1bg.gif - Deleted
C:\WINDOWS\rwtrmceq\head.png - Deleted
C:\WINDOWS\rwtrmceq\icon.png - Deleted
C:\WINDOWS\rwtrmceq\indexwp.html - Deleted
C:\WINDOWS\rwtrmceq\main.css - Deleted
C:\WINDOWS\rwtrmceq\memory-prots.png - Deleted
C:\WINDOWS\rwtrmceq\net.png - Deleted
C:\WINDOWS\rwtrmceq\pc.gif - Deleted
C:\WINDOWS\rwtrmceq\pc-mag.gif - Deleted
C:\WINDOWS\rwtrmceq\poloska1.png - Deleted
C:\WINDOWS\rwtrmceq\poloska2.png - Deleted
C:\WINDOWS\rwtrmceq\poloska3.png - Deleted
C:\WINDOWS\rwtrmceq\promowp1.html - Deleted
C:\WINDOWS\rwtrmceq\promowp2.html - Deleted
C:\WINDOWS\rwtrmceq\promowp3.html - Deleted
C:\WINDOWS\rwtrmceq\promowp4.html - Deleted
C:\WINDOWS\rwtrmceq\promowp5.html - Deleted
C:\WINDOWS\rwtrmceq\reg.png - Deleted
C:\WINDOWS\rwtrmceq\repair.png - Deleted
C:\WINDOWS\rwtrmceq\scr-1.png - Deleted
C:\WINDOWS\rwtrmceq\scr-2.png - Deleted
C:\WINDOWS\rwtrmceq\start.png - Deleted
C:\WINDOWS\rwtrmceq\styles.css - Deleted
C:\WINDOWS\rwtrmceq\top-rc.gif - Deleted
C:\WINDOWS\rwtrmceq\vline.gif - Deleted
C:\WINDOWS\rwtrmceq\wp.png - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\Temp\bkR11\ftCa.log - Deleted
C:\WINDOWS\PerfInfo\ToTP0SMsJewp.exe - Deleted
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe - Deleted
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe - Deleted
C:\WINDOWS\hotporn.exe - Deleted
C:\WINDOWS\ie_32.exe - Deleted
C:\WINDOWS\orgnavi.dll - Deleted
C:\WINDOWS\system32\cmds.txt - Deleted
C:\WINDOWS\system32\conf.dat - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\system32\ps1.dat - Deleted
C:\WINDOWS\system32\rc.dat - Deleted
C:\WINDOWS\system32\ssymman.dll - Deleted
C:\WINDOWS\SYSTEM32\RTYPIC~1.DLL - Deleted



Folder C:\Program Files\Temporary - Removed
Folder C:\Program Files\WinAble - Removed
Folder C:\Temp\1cb - Removed
Folder C:\Temp\bkR11 - Removed
Folder C:\Temp\tn3 - Removed
Folder C:\WINDOWS\PerfInfo - Removed
Folder C:\WINDOWS\system32\v2 - Removed


Removing Temp Files...

ADS Check:




Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 21:18:22
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Documents and Settings\\Georgi Cervenkov\\Application Data\\printer.exe"="C:\\Documents and Settings\\Georgi Cervenkov\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Georgi Cervenkov\\Application Data\\trant.exe"="C:\\Documents and Settings\\Georgi Cervenkov\\Application Data\\trant.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Georgi Cervenkov\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\Georgi Cervenkov\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Georgi Cervenkov\\Application Data\\ppldr.exe"="C:\\Documents and Settings\\Georgi Cervenkov\\Application Data\\ppldr.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Georgi Cervenkov\\Application Data\\spyguard.exe"="C:\\Documents and Settings\\Georgi Cervenkov\\Application Data\\spyguard.exe:*:Enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\\Documents and Settings\\Georgi Cervenkov\\Application Data\\printer.exe"="C:\\Documents and Settings\\Georgi Cervenkov\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Georgi Cervenkov\\Application Data\\trant.exe"="C:\\Documents and Settings\\Georgi Cervenkov\\Application Data\\trant.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Georgi Cervenkov\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\Georgi Cervenkov\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Georgi Cervenkov\\Application Data\\ppldr.exe"="C:\\Documents and Settings\\Georgi Cervenkov\\Application Data\\ppldr.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Georgi Cervenkov\\Application Data\\spyguard.exe"="C:\\Documents and Settings\\Georgi Cervenkov\\Application Data\\spyguard.exe:*:Enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Thu 15 May 2003 73,728 A..H. --- "C:\WINDOWS\SYSTEM32\IETie.dll"
Sat 8 Dec 2007 20,810 A.SH. --- "C:\WINDOWS\SYSTEM32\utovrzdv.dllbox"
Fri 30 Nov 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 15 Jan 2008 230,400 A.SHR --- "C:\WINDOWS\SYSTEM32\??pPatch\m?iexec.exe"
Sat 8 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\ico81.tmp"
Sat 26 Jan 2008 0 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\360132hp1320.exe"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico1.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico10.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico11.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico12.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico13.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico14.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico15.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico16.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico17.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico18.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico19.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico1A.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico1B.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico1C.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico1D.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico1E.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico1F.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico2.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico20.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico21.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico22.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico23.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico24.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico25.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico26.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico27.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico28.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico29.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico2A.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico2B.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico2C.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico2D.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico2E.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico2F.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico3.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico30.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico31.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico32.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico33.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico34.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico35.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico36.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico37.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico38.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico39.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico3A.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico3B.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico3C.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico3D.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico3E.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico3F.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico4.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico40.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico41.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico42.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico43.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico44.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico45.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico46.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico47.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico48.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico49.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico4A.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico4B.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico4C.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico4D.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico4E.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico4F.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico5.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico50.tmp"
Sat 8 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico51.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico52.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico53.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico54.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico55.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico56.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico57.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico58.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico59.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico5A.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico5B.tmp"
Sat 8 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico5C.tmp"
Sat 8 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico5D.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico5E.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico5F.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico6.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico60.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico61.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico62.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico63.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico64.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico65.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico66.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico67.tmp"
Sat 8 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico68.tmp"
Sat 8 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico69.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico6B.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico6C.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico6D.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico6E.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico6F.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico7.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico70.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico71.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico72.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico73.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico74.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico76.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico77.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico78.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico79.tmp"
Thu 6 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico7A.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico8.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\ico9.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\icoA.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\icoB.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\icoC.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\icoD.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\icoE.tmp"
Fri 7 Dec 2007 4,286 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\icoF.tmp"
Fri 12 Nov 2004 37,376 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Fri 30 Nov 2007 4,348 ...H. --- "C:\Documents and Settings\Georgi Cervenkov\My Documents\My Music\License Backup\drmv1key.bak"
Tue 18 Dec 2007 20 A..H. --- "C:\Documents and Settings\Georgi Cervenkov\My Documents\My Music\License Backup\drmv1lic.bak"
Wed 15 Mar 2006 312 A.SH. --- "C:\Documents and Settings\Georgi Cervenkov\My Documents\My Music\License Backup\drmv2key.bak"
Sat 9 Aug 2003 111,824 A..H. --- "C:\Program Files\Common Files\aolshare\shell\us\shellext.dll"

Finished!

I will do the ComboFix portion now.

Edited by Jaanilinn, 30 January 2008 - 09:35 PM.


#4 Jaanilinn (Topic Starter)

Posted 30 January 2008 - 09:48 PM

Here is the log generated by running ComboFix.

ComboFix 08-01-31.1 - Georgi Cervenkov 2008-01-30 21:37:15.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.622 [GMT -5:00]
Running from: C:\Documents and Settings\Georgi Cervenkov\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk
C:\Documents and Settings\All Users\Application Data.\jyrsfydk.dll
C:\Documents and Settings\Georgi Cervenkov\Application Data\ShoppingReport
C:\Documents and Settings\Georgi Cervenkov\Application Data\ShoppingReport\cs\Config.xml
C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\Common Files\ymante~1
C:\Program Files\Common Files\ymante~1\?ymantec\
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\ISM
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\QdrDrive10.dll
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dic.gz
C:\Program Files\QdrModule\QdrModule12.exe
C:\Program Files\ShoppingReport
C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
C:\Program Files\ShoppingReport\Uninst.exe
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\absolute key logger.lnk
C:\WINDOWS\aconti.exe
C:\WINDOWS\aconti.ini
C:\WINDOWS\aconti.log
C:\WINDOWS\aconti.sdb
C:\WINDOWS\acontidialer.txt
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\daxtime.dll
C:\WINDOWS\default.htm
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\__c00C9E1.dat
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\acespy\__acelog.ndx
C:\WINDOWS\system32\acespy\systune.exe
C:\WINDOWS\system32\awtst.dll
C:\WINDOWS\system32\ddcya.dll
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\SYSTEM32\kjkkj.ini
C:\WINDOWS\SYSTEM32\kjkkj.ini2
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\ppatch~1
C:\WINDOWS\system32\ppatch~1\m?iexec.exe
C:\WINDOWS\system32\rev1
C:\WINDOWS\system32\sstqr.dll
C:\WINDOWS\system32\t21
C:\WINDOWS\system32\utovrzdv.dllbox
C:\WINDOWS\SYSTEM32\uxmkynpx.ini
C:\WINDOWS\system32\voe.dll
C:\WINDOWS\system32\vturr.dll
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xadwhodm.dll
C:\WINDOWS\xxxvideo.exe
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-31 )))))))))))))))))))))))))))))))
.

2008-01-30 21:15 . 2008-01-30 21:15 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-30 21:15 . 2002-11-01 17:26 528,896 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\user32.dll
2008-01-30 21:02 . 2004-08-23 22:14 <DIR> d-------- C:\Documents and Settings\Administrator.D6KVTK51\Application Data\Symantec
2008-01-30 21:02 . 2004-08-23 22:11 <DIR> d-------- C:\Documents and Settings\Administrator.D6KVTK51\Application Data\Sonic
2008-01-30 21:02 . 2004-08-23 22:13 <DIR> d-------- C:\Documents and Settings\Administrator.D6KVTK51\Application Data\Jasc Software Inc
2008-01-30 20:44 . 2008-01-30 20:44 4,286 --a------ C:\WINDOWS\SYSTEM32\everybodybets.32x32.4.ico
2008-01-27 18:33 . 2008-01-27 18:33 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-27 18:33 . 2005-02-24 22:35 22,752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2008-01-27 18:27 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2008-01-27 18:27 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll.mui
2008-01-27 18:27 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuaucpl.cpl.mui
2008-01-27 18:27 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll.mui
2008-01-27 18:27 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll.mui
2008-01-26 17:50 . 2008-01-26 17:50 4,286 --a------ C:\WINDOWS\SYSTEM32\Jamster.ico
2008-01-26 17:41 . 2008-01-30 21:17 <DIR> d-------- C:\WINDOWS\rwtrmceq
2008-01-26 17:41 . 2008-01-26 17:41 189,952 --a------ C:\WINDOWS\cfmfgvef.dll
2008-01-26 17:41 . 2008-01-26 17:41 49 --a------ C:\tmp.bat
2008-01-26 17:24 . 2008-01-26 17:24 270,698 --a------ C:\WINDOWS\SYSTEM32\L415D.tmp
2008-01-26 17:24 . 2008-01-26 17:24 181,965 --a------ C:\WINDOWS\SYSTEM32\L1DE7.tmp
2007-12-30 16:03 . 2007-12-30 16:03 <DIR> d-------- C:\Program Files\MSECache
2007-12-23 16:12 . 2007-12-23 16:12 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-23 16:12 . 2007-12-23 16:12 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-09 13:44 . 2008-01-27 16:39 <DIR> d-------- C:\Documents and Settings\Georgi Cervenkov\Application Data\AVG7
2007-12-09 13:43 . 2007-12-09 13:43 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-09 13:43 . 2007-12-09 13:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-09 13:43 . 2007-12-09 13:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-08 18:28 . 2007-12-08 19:19 354 --ahs---- C:\WINDOWS\SYSTEM32\ldebhkxf.ini
2007-12-08 17:49 . 2004-08-23 22:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-08 17:49 . 2004-08-23 22:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2007-12-08 17:49 . 2004-08-23 22:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2007-12-07 18:07 . 2007-12-08 18:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-07 17:53 . 2007-12-09 12:55 23,040 --ahs---- C:\WINDOWS\SYSTEM32\Thumbs.db
2007-12-07 17:40 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\SYSTEM32\msvcr80.dll
2007-12-07 17:31 . 2007-12-09 15:04 24,249 --a------ C:\Documents and Settings\Georgi Cervenkov\Application Data\info.dat
2007-12-06 15:17 . 2007-12-06 15:17 36,928 --a------ C:\WINDOWS\SYSTEM32\npoypnio.dll
2007-12-05 12:10 . 2007-12-05 12:10 <DIR> d-------- C:\Documents and Settings\Georgi Cervenkov\Application Data\Tenebril
2007-12-05 09:58 . 2007-12-09 14:15 <DIR> d-------- C:\WINDOWS\SYSTEM32\daSgo01
2007-12-05 09:58 . 2007-12-05 10:38 <DIR> d-------- C:\WINDOWS\SYSTEM32\ccn6
2007-12-05 09:58 . 2007-12-05 10:40 <DIR> d--hs---- C:\WINDOWS\R2VvcmdpIENlcnZlbmtvdg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-28 00:36 10,776 ----a-w C:\Documents and Settings\Georgi Cervenkov\Application Data\wklnhst.dat
2007-12-13 04:11 --------- d-----w C:\Documents and Settings\Georgi Cervenkov\Application Data\Skype
2007-12-09 16:49 --------- d-----w C:\Program Files\EarthLink Setup
2007-12-07 22:50 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-05 17:12 --------- d-----w C:\Documents and Settings\Georgi Cervenkov\Application Data\MailWasher
2007-12-05 17:10 --------- d-----w C:\Program Files\GhostSurf
2007-02-07 00:34 64,928 ----a-w C:\Documents and Settings\Georgi Cervenkov\Application Data\GDIPFONTCACHEV1.DAT
2006-11-11 00:15 3,151,469 ----a-w C:\Program Files\axplugin-1.1.exe
2006-10-27 22:36 12,754,672 ----a-w C:\Program Files\MP10Setup.exe
2004-11-11 17:01 16,706,160 ----a-w C:\Program Files\AdbeRdr60_enu_full.exe
2004-09-29 23:13 6,811,656 ----a-w C:\Program Files\psa201se_us.exe
2005-07-29 21:24 472 --sha-r C:\WINDOWS\R2VvcmdpIENlcnZlbmtvdg\lZpSwAxDKHh5wBt5vAQSx0.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1838333-3155-4A0C-9592-B25B29D52302}]
C:\WINDOWS\System32\jkkjk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC08D489-A73B-4488-AD13-BD1E2372A1A2}]
C:\Program Files\Windows Media Player\sadej4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EAB233DF-E727-4CCB-B1B5-034258344F9B}]
C:\Program Files\Windows Media Player\sadej83122.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08 1511453]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 12:00 200704]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-15 17:38 68856]
"Bxamc"="C:\WINDOWS\SYSTEM32\??pPatch\m?iexec.exe" [ ]
"QdrModule12"="C:\Program Files\QdrModule\QdrModule12.exe" [ ]
"QdrPack12"="C:\Program Files\QdrPack\QdrPack12.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48 32881]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 12:16 135168]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-25 22:35 335872]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 11:43 53248]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 20:15 290816]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 01:04 122933]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-08-23 22:08 77824]
"MMTray"="C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2006-01-17 13:03 135168]
"DwlClient"="c:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 20:05 323584]
"tgcmd"="C:\Program Files\support.com\bin\tgcmd.exe" [2002-04-24 20:37 1544192]
"Fix-It AV"="C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe" [2003-06-12 14:29 32768]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-12-05 22:08 50688]
"mmtask"="C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe" [2006-01-17 13:03 53248]
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [2004-11-10 23:15 111816]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 22:46 57344]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-10-28 17:29 185896]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 09:14 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-15 17:38 68856]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-09 13:43 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-08-23 22:05:43 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Online Services\baxyqypr.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqnml]
awtqnml.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00931C4]
C:\WINDOWS\System32\__c00931C4.dat


.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 21:39:53
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
.
**************************************************************************
.
Completion time: 2008-01-30 21:41:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-31 02:41:25

Here is a new HJT log as well, done after the SDFix and ComboFix logs just posted.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:46:37 PM, on 1/30/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\stuff Martin has added for Sasa\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {C1838333-3155-4A0C-9592-B25B29D52302} - C:\WINDOWS\System32\jkkjk.dll (file missing)
O2 - BHO: (no name) - {CC08D489-A73B-4488-AD13-BD1E2372A1A2} - C:\Program Files\Windows Media Player\sadej4444.dll (file missing)
O2 - BHO: (no name) - {EAB233DF-E727-4CCB-B1B5-034258344F9B} - C:\Program Files\Windows Media Player\sadej83122.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Bxamc] C:\WINDOWS\SYSTEM32\??pPatch\m?iexec.exe
O4 - HKCU\..\Run: [QdrModule12] "C:\Program Files\QdrModule\QdrModule12.exe"
O4 - HKCU\..\Run: [QdrPack12] "C:\Program Files\QdrPack\QdrPack12.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1201476396718
O20 - Winlogon Notify: awtqnml - awtqnml.dll (file missing)
O20 - Winlogon Notify: __c00931C4 - C:\WINDOWS\System32\__c00931C4.dat (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SystemSuite Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Online Services\baxyqypr.html

--
End of file - 9117 bytes


There were no problems with the virus detection and ComboFix. I think that I have done all which you have requested. What jumps out at you?

#5 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 31 January 2008 - 05:04 AM

Copy and paste ALL the following text in the code box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.
File::
C:\WINDOWS\cfmfgvef.dll
C:\WINDOWS\SYSTEM32\ldebhkxf.ini
C:\WINDOWS\SYSTEM32\L415D.tmp
C:\WINDOWS\SYSTEM32\L1DE7.tmp
C:\WINDOWS\SYSTEM32\npoypnio.dll
Folder::
C:\WINDOWS\SYSTEM32\daSgo01
C:\WINDOWS\SYSTEM32\ccn6
C:\WINDOWS\R2VvcmdpIENlcnZlbmtvdg
C:\WINDOWS\rwtrmceq
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Documents and Settings\\Georgi Cervenkov\\Application Data\\printer.exe"=-
"%windir%\\system32\\winav.exe"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\\Documents and Settings\\Georgi Cervenkov\\Application Data\\printer.exe"=-
"%windir%\\system32\\winav.exe"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1838333-3155-4A0C-9592-B25B29D52302}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC08D489-A73B-4488-AD13-BD1E2372A1A2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EAB233DF-E727-4CCB-B1B5-034258344F9B}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bxamc"=-
"QdrModule12"=-
"QdrPack12"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ViewMgr"=-
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqnml]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00931C4]
Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
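Before a script like the one above is dropped onto ComboFix, a reviewer may want to see exactly what it will delete. The following Python parser is an added example (not ComboFix's own code and not part of the thread); it assumes the three section headers and the REGEDIT4-style delete syntax seen in the posted script ("name"=- removes a value, [-KEY] removes a whole key), flags any File::/Folder:: entry that names a drive root or a whole system directory, and parses a constructed, abridged copy of the script with the account name replaced by a placeholder.

```python
# Added example (not ComboFix's own code): parse a CFScript into a reviewable
# deletion plan. Section headers and the REGEDIT4-style delete syntax
# ("name"=- drops a value, [-KEY] drops a key) are assumed from the posted script.
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: abridged from the script posted above, account name replaced.
SAMPLE_CFSCRIPT = r"""File::
C:\WINDOWS\cfmfgvef.dll
C:\WINDOWS\SYSTEM32\npoypnio.dll
Folder::
C:\WINDOWS\rwtrmceq
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Documents and Settings\\User\\Application Data\\printer.exe"=-
"%windir%\\system32\\winav.exe"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1838333-3155-4A0C-9592-B25B29D52302}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bxamc"=-
"""

SECTION_RE = re.compile(r"^(File|Folder|Registry)::$")
KEY_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+\\.+)\]$")       # [KEY] or [-KEY]
VALUE_DELETE_RE = re.compile(r'^"(.+)"=-$')                # "name"=-
# Whole system directories a hand-typed script must never list wholesale.
PROTECTED_DIRS = {r"c:\windows", r"c:\windows\system32",
                  r"c:\program files", r"c:\documents and settings"}


@dataclass
class CFScriptPlan:
    files: list[str] = field(default_factory=list)
    folders: list[str] = field(default_factory=list)
    delete_keys: list[str] = field(default_factory=list)
    delete_values: list[tuple[str, str]] = field(default_factory=list)  # (key, value name)
    warnings: list[str] = field(default_factory=list)


def unescape_reg_string(s: str) -> str:
    """Undo REGEDIT4 quoting, where a backslash escapes the next character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_cfscript(text: str) -> CFScriptPlan:
    """Walk the script line by line, tracking the current section and, inside
    Registry::, the [KEY] block that following "name"=- lines belong to."""
    plan, section, current_key = CFScriptPlan(), None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if header := SECTION_RE.match(line):
            section, current_key = header.group(1), None
        elif section is None:
            plan.warnings.append(f"line {lineno}: text before any section header")
        elif section == "File":
            plan.files.append(line)
        elif section == "Folder":
            plan.folders.append(line)
        elif key := KEY_RE.match(line):
            minus, name = key.groups()
            if minus:
                plan.delete_keys.append(name)
                current_key = None  # values cannot follow a whole-key delete
            else:
                current_key = name
        elif value := VALUE_DELETE_RE.match(line):
            if current_key is None:
                plan.warnings.append(f"line {lineno}: value delete outside a [KEY] block")
            else:
                plan.delete_values.append((current_key, unescape_reg_string(value.group(1))))
        else:
            plan.warnings.append(f"line {lineno}: unrecognised registry line: {line}")
    return plan


def risky_targets(plan: CFScriptPlan) -> list[str]:
    """File::/Folder:: entries naming a drive root or a protected system
    directory; any hit means the script should not be run as written."""
    hits = []
    for path in plan.files + plan.folders:
        norm = path.rstrip("\\").lower()
        if re.fullmatch(r"[a-z]:", norm) or norm in PROTECTED_DIRS:
            hits.append(path)
    return hits


if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_CFSCRIPT)
    print(f"{len(plan.files)} files, {len(plan.folders)} folders, "
          f"{len(plan.delete_keys)} keys, {len(plan.delete_values)} values")
    for key, value in plan.delete_values:
        print(f"  delete value {value!r} under {key}")
    print("risky targets:", risky_targets(plan), "warnings:", plan.warnings)
```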

#6 Jaanilinn

  • Topic Starter
  • Members
  • 6 posts

Posted 31 January 2008 - 06:29 PM

I rebooted after the scan, in case you need to know that. Here is the log from the ComboFix scan:

ComboFix 08-01-31.1 - Georgi Cervenkov 2008-01-31 18:18:21.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.652 [GMT -5:00]
Running from: C:\Documents and Settings\Georgi Cervenkov\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Georgi Cervenkov\Desktop\cfscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\cfmfgvef.dll
C:\WINDOWS\SYSTEM32\L1DE7.tmp
C:\WINDOWS\SYSTEM32\L415D.tmp
C:\WINDOWS\SYSTEM32\ldebhkxf.ini
C:\WINDOWS\SYSTEM32\npoypnio.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cfmfgvef.dll
C:\WINDOWS\R2VvcmdpIENlcnZlbmtvdg
C:\WINDOWS\R2VvcmdpIENlcnZlbmtvdg\lZpSwAxDKHh5wBt5vAQSx0.vbs
C:\WINDOWS\rwtrmceq
C:\WINDOWS\rwtrmceq\Thumbs.db
C:\WINDOWS\SYSTEM32\ccn6
C:\WINDOWS\SYSTEM32\daSgo01
C:\WINDOWS\SYSTEM32\L415D.tmp
C:\WINDOWS\SYSTEM32\ldebhkxf.ini
C:\WINDOWS\SYSTEM32\npoypnio.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-31 )))))))))))))))))))))))))))))))
.

2008-01-30 21:15 . 2008-01-30 21:15 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-30 21:15 . 2002-11-01 17:26 528,896 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\user32.dll
2008-01-30 21:02 . 2004-08-23 22:14 <DIR> d-------- C:\Documents and Settings\Administrator.D6KVTK51\Application Data\Symantec
2008-01-30 21:02 . 2004-08-23 22:11 <DIR> d-------- C:\Documents and Settings\Administrator.D6KVTK51\Application Data\Sonic
2008-01-30 21:02 . 2004-08-23 22:13 <DIR> d-------- C:\Documents and Settings\Administrator.D6KVTK51\Application Data\Jasc Software Inc
2008-01-30 20:44 . 2008-01-30 20:44 4,286 --a------ C:\WINDOWS\SYSTEM32\everybodybets.32x32.4.ico
2008-01-27 18:33 . 2008-01-27 18:33 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-27 18:33 . 2005-02-24 22:35 22,752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2008-01-27 18:27 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2008-01-27 18:27 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll.mui
2008-01-27 18:27 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuaucpl.cpl.mui
2008-01-27 18:27 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll.mui
2008-01-27 18:27 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll.mui
2008-01-26 17:50 . 2008-01-26 17:50 4,286 --a------ C:\WINDOWS\SYSTEM32\Jamster.ico
2008-01-26 17:41 . 2008-01-26 17:41 49 --a------ C:\tmp.bat
2007-12-30 16:03 . 2007-12-30 16:03 <DIR> d-------- C:\Program Files\MSECache
2007-12-23 16:12 . 2007-12-23 16:12 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-23 16:12 . 2007-12-23 16:12 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-09 13:44 . 2008-01-30 22:11 <DIR> d-------- C:\Documents and Settings\Georgi Cervenkov\Application Data\AVG7
2007-12-09 13:43 . 2007-12-09 13:43 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-09 13:43 . 2007-12-09 13:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-09 13:43 . 2007-12-09 13:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-08 17:49 . 2004-08-23 22:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-08 17:49 . 2004-08-23 22:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2007-12-08 17:49 . 2004-08-23 22:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2007-12-07 18:07 . 2007-12-08 18:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-07 17:53 . 2007-12-09 12:55 23,040 --ahs---- C:\WINDOWS\SYSTEM32\Thumbs.db
2007-12-07 17:40 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\SYSTEM32\msvcr80.dll
2007-12-07 17:31 . 2007-12-09 15:04 24,249 --a------ C:\Documents and Settings\Georgi Cervenkov\Application Data\info.dat
2007-12-05 12:10 . 2007-12-05 12:10 <DIR> d-------- C:\Documents and Settings\Georgi Cervenkov\Application Data\Tenebril

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-28 00:36 10,776 ----a-w C:\Documents and Settings\Georgi Cervenkov\Application Data\wklnhst.dat
2007-12-13 04:11 --------- d-----w C:\Documents and Settings\Georgi Cervenkov\Application Data\Skype
2007-12-09 16:49 --------- d-----w C:\Program Files\EarthLink Setup
2007-12-07 22:50 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-05 17:12 --------- d-----w C:\Documents and Settings\Georgi Cervenkov\Application Data\MailWasher
2007-12-05 17:10 --------- d-----w C:\Program Files\GhostSurf
2007-02-07 00:34 64,928 ----a-w C:\Documents and Settings\Georgi Cervenkov\Application Data\GDIPFONTCACHEV1.DAT
2006-11-11 00:15 3,151,469 ----a-w C:\Program Files\axplugin-1.1.exe
2006-10-27 22:36 12,754,672 ----a-w C:\Program Files\MP10Setup.exe
2004-11-11 17:01 16,706,160 ----a-w C:\Program Files\AdbeRdr60_enu_full.exe
2004-09-29 23:13 6,811,656 ----a-w C:\Program Files\psa201se_us.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08 1511453]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 12:00 200704]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-15 17:38 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48 32881]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 12:16 135168]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-25 22:35 335872]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 11:43 53248]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 20:15 290816]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 01:04 122933]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-08-23 22:08 77824]
"MMTray"="C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2006-01-17 13:03 135168]
"DwlClient"="c:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 20:05 323584]
"tgcmd"="C:\Program Files\support.com\bin\tgcmd.exe" [2002-04-24 20:37 1544192]
"Fix-It AV"="C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe" [2003-06-12 14:29 32768]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-12-05 22:08 50688]
"mmtask"="C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe" [2006-01-17 13:03 53248]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 22:46 57344]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-10-28 17:29 185896]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 09:14 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-15 17:38 68856]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-09 13:43 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-08-23 22:05:43 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]


.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 18:19:50
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-31 18:20:12
ComboFix-quarantined-files.txt 2008-01-31 23:20:10
ComboFix2.txt 2008-01-31 02:41:29


Here is the newest HJT scan after the ComboFix above and reboot. It's getting shorter, which I take as a good sign.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:26:43 PM, on 1/31/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\stuff Martin has added for Sasa\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1201476396718
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SystemSuite Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe

--
End of file - 8301 bytes

Just to add, the computer is showing much progress, as you can imagine from the logs. Even the background hijack has been removed.

#7 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 01 February 2008 - 04:31 AM

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 4'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation jre-6u4-windows-i586-p.exe' [15.12 MB] and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.


Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1
Do not run it just yet.

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.
Do not run it just yet.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

Exit HijackThis.

Now double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Now Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.


Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next click Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky; click 'Yes'.
• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
• Now click on Scan Settings
• In the scan settings make sure that the following are selected:
• Scan using the following Anti-Virus database:
• Standard
• Scan Options:
• Scan Archives
• Scan Mail Bases
• Click OK
• Now under select a target to scan:
• Select My Computer
• This will start the program and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected. It does not provide an option to clean/disinfect; I need to see the scan results.
• Now click on the Save as Text button.
• Save the file to your desktop.
• Copy and paste the contents of that file into your next reply.

If the above link doesn't work, try this:
http://www.kaspersky.com/kos/english/kavwebscan.html

Also post a new HijackThis log, and let me know how your PC is running now.

#8 Jaanilinn

Jaanilinn
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:01:06 PM

Posted 03 February 2008 - 03:23 PM

I have done what you have recommended. Java has been updated. ATF Cleaner has been installed and run. The items from the HijackThis log have been marked and cleansed. SuperAntiSpyware has been installed and run. I used the second Kaspersky link, because I did not see an online scan from the first. Logs are below (including one for HJT).

SuperAntiSpyware log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/03/2008 at 01:35 PM

Application Version : 3.9.1008

Core Rules Database Version : 3394
Trace Rules Database Version: 1386

Scan type : Quick Scan
Total Scan Time : 00:12:35

Memory items scanned : 481
Memory threats detected : 0
Registry items scanned : 1079
Registry threats detected : 10
File items scanned : 15732
File threats detected : 5

Adware.Zango Toolbar/Hb
HKCR\InstIE.HbInstObj
HKCR\InstIE.HbInstObj\CLSID
HKCR\InstIE.HbInstObj\CurVer
HKCR\InstIE.HbInstObj.1
HKCR\InstIE.HbInstObj.1\CLSID
HKCR\Toolbar.HtmlMenuUI
HKCR\Toolbar.HtmlMenuUI\CLSID
HKCR\Toolbar.HtmlMenuUI\CurVer
HKCR\Toolbar.HtmlMenuUI.1
HKCR\Toolbar.HtmlMenuUI.1\CLSID

Adware.AdSponsor/ISM
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\QDRDRIVE\QDRDRIVE10.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\QDRMODULE\QDRMODULE12.EXE.VIR

Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\R2VVCMDPIENLCNZLBMTVDG\LZPSWAXDKHH5WBT5VAQSX0.VBS.VIR

Adware.ClickSpring
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\PPATCH~1\MIEXEC~1.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\VOE.DLL.VIR

HijackThis log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:22:42 PM, on 2/3/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\stuff Martin has added for Sasa\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1201476396718
O20 - Winlogon Notify: !SASWinLogon - C:\stuff Martin has added for Sasa\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SystemSuite Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe

--
End of file - 7786 bytes

Here is the Kaspersky log.

Sunday, February 03, 2008 3:21:45 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/02/2008
Kaspersky Anti-Virus database records: 546420


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\

Scan Statistics
Total number of scanned objects 52677
Number of viruses found 16
Number of infected objects 49
Number of suspicious objects 4
Duration of the scan process 00:35:03

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\InboxLOG.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\OutboxLOG.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak2.zip/wbeInst$.exe Suspicious: Password-protected-EXE skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak2.zip ZIP: suspicious - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak3.zip/kvnab$.exe Suspicious: Password-protected-EXE skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak3.zip ZIP: suspicious - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NousTechUDefender.zip/trant.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.v skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NousTechUDefender.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NousTechUDefender1.zip/spyguard.exe Infected: not-a-virus:Downloader.Win32.UltimateFix.c skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NousTechUDefender1.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NousTechUDefender6.zip/spyguard.exe Infected: not-a-virus:Downloader.Win32.UltimateFix.c skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NousTechUDefender6.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack.zip/shell.exe Infected: Trojan-Downloader.Win32.Agent.fag skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack1.zip/spoolvs.exe Infected: Trojan-Downloader.Win32.Agent.fag skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack1.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack2.zip/findfast.exe Infected: Trojan-Downloader.Win32.Agent.fag skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack2.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack3.zip/printer.exe Infected: Trojan-Downloader.Win32.Agent.fag skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack3.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack5.zip/shell.exe Infected: Trojan-Downloader.Win32.Agent.fag skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack5.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack6.zip/spoolvs.exe Infected: Trojan-Downloader.Win32.Agent.fag skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack6.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack7.zip/findfast.exe Infected: Trojan-Downloader.Win32.Agent.fag skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack7.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack8.zip/printer.exe Infected: Trojan-Downloader.Win32.Agent.fag skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack8.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc.zip/uakgqlpu.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc.zip ZIP: infected - 1 skipped

C:\Documents and Settings\Georgi Cervenkov\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Georgi Cervenkov\Local Settings\Application Data\ApplicationHistory\NotifyAlert.exe.83a8f8c0.ini.inuse Object is locked skipped

C:\Documents and Settings\Georgi Cervenkov\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_219.wmdb Object is locked skipped

C:\Documents and Settings\Georgi Cervenkov\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Georgi Cervenkov\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Georgi Cervenkov\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped

C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temp\Perflib_Perfdata_7e4.dat Object is locked skipped

C:\Documents and Settings\Georgi Cervenkov\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Georgi Cervenkov\ntuser.dat Object is locked skipped

C:\Documents and Settings\Georgi Cervenkov\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\QooBox\Quarantine\C\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll.vir Infected: not-a-virus:AdWare.Win32.Shopper.q skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\npoypnio.dll.vir Infected: Trojan-Downloader.Win32.ConHook.hw skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\__c00C9E1.dat.vir Infected: Trojan-Downloader.Win32.ConHook.hw skipped

C:\SDFix\backups\backups.zip/backups/baxyqypr.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped

C:\SDFix\backups\backups.zip/backups/orgnavi.dll Infected: Trojan-Downloader.Win32.Delf.efu skipped

C:\SDFix\backups\backups.zip/backups/ToTP0SMsJewp.exe Infected: not-a-virus:Downloader.Win32.Agent.ad skipped

C:\SDFix\backups\backups.zip/backups/Yazzle1552OinUninstaller.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped

C:\SDFix\backups\backups.zip/backups/Yazzle1552OinUninstaller.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped

C:\SDFix\backups\backups.zip ZIP: infected - 5 skipped

C:\stuff Martin has added for Sasa\dllfix\programs\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP188\A0067958.dll Infected: not-a-virus:AdWare.Win32.180Solutions.bl skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP194\A0076050.exe Infected: not-a-virus:Downloader.Win32.UltimateFix.c skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP209\A0089848.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP213\A0091163.exe Infected: not-a-virus:Downloader.Win32.Agent.ad skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP213\A0091165.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP213\A0091165.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP213\A0091168.dll Infected: Trojan-Downloader.Win32.Delf.efu skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP213\A0091177.dll Infected: Trojan-Downloader.Win32.Delf.efu skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP213\A0091179.exe Infected: not-a-virus:Downloader.Win32.Agent.ad skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP213\A0091181.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP213\A0091181.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP214\A0091227.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gt skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP214\A0091252.dll Infected: not-a-virus:AdWare.Win32.Shopper.q skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP214\A0091255.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gs skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP215\A0091475.dll Infected: Trojan-Downloader.Win32.ConHook.hw skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP220\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat Object is locked skipped

C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx Object is locked skipped

C:\WINDOWS\SYSTEM32\DRIVERS\fidbox2.dat Object is locked skipped

C:\WINDOWS\SYSTEM32\DRIVERS\fidbox2.idx Object is locked skipped

C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\WIADEBUG.LOG Object is locked skipped

C:\WINDOWS\WIASERVC.LOG Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#9 Jaanilinn

Jaanilinn
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:01:06 PM

Posted 03 February 2008 - 03:28 PM

You also asked how the PC is running. The in-laws seem happy, and as best I can tell, things look fine. Does anything in the above logs look suspicious to you?

When scanning with HijackThis, as a rule of thumb, can items with (no file) or (file missing) be checked and cleansed? Also, once you feel that the system is back to where it should be, which of the programs should I keep and which can be removed? For example, SuperAntiSpyware seems to be something to run regularly, but not SDFix. What do you recommend?

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:07:06 PM

Posted 03 February 2008 - 04:10 PM

When scanning with HijackThis, as a rule of thumb, can items with (no file) or (file missing) be checked and cleansed?

No, not in all cases; it all depends on the entry.

which of the programs should I keep and which can be removed? For example, SuperAntiSpyware seems to be something to run regularly

Keep SuperAntiSpyware, we'll remove the rest in a moment.

Your log is clean :thumbsup:, please do the following:

Click on Start/Run, copy and paste ComboFix /u into the 'Open:' space, then press OK.
This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.


Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Click on the 'Cleanup' button.
When you do this a text file named cleanup.txt will be downloaded from the internet.
If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so.
When the 'Confirm' box appears click 'Yes'.
Restart your PC when prompted.


You should take the time to read and follow the information found in the links below, to help you prevent any possible future infections and stay safe and secure while online:

Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

How to prevent Malware:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

So how did I get infected in the first place:
http://forums.spybot.info/showthread.php?t=279

Malware Cleanup Programs and Preventative Procedures:
http://russelltexas.com/malware/allclear.htm

Hardening Windows Security - Part 1:
http://www.malwarehelp.org/Malware-Prevent...-Security1.html

Hardening Windows Security - Part 2:
http://www.malwarehelp.org/malware-prevent...-security2.html
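A small triage helper for the HijackThis log format quoted in this thread, written here as an added example (it is not code from the thread, from HijackThis or from the helper who replied): it parses the entry shapes that appear in the logs above, lists the '(no file)' / '(file missing)' items the question asks about, and groups entries that share a CLSID so one component's footprint is reviewed together. The sample lines are copied from the posted logs.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread; it is not code from the original post, from
HijackThis or from the helper who replied.  It parses the line shapes seen in
the logs above (R0 'key = value' lines, R3/O2/O3/O9 lines carrying a CLSID and
a target, O4 Run entries, O23 services) and flags the entries HijackThis
marked '(no file)' or '(file missing)'.  SAMPLE_LOG is constructed from lines
quoted in the thread itself.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Section prefix (R0, O2, O23, ...) followed by " - " and the rest of the line.
_SECTION_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
# A COM class id as HijackThis prints it; a stray extra brace is tolerated.
_CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Marker HijackThis appends when the referenced file cannot be found on disk.
_ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)\s*$")
# O4 Run entries look like "[ValueName] command line".
_RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<target>.*)$")


@dataclass
class Entry:
    section: str          # e.g. "O9"
    label: str            # name HijackThis shows for the entry
    clsid: Optional[str]  # upper-cased CLSID if the entry carries one
    target: str           # file path or URL the entry points at ("" if none)
    orphan: bool          # True if HijackThis reported the file as missing


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis log line; return None for lines that are not entries."""
    m = _SECTION_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    orphan = bool(_ORPHAN_RE.search(body))
    body = _ORPHAN_RE.sub("", body).rstrip(" -")
    clsid_m = _CLSID_RE.search(body)
    clsid = clsid_m.group(0).upper() if clsid_m else None

    if section.startswith("R") and " = " in body:
        # Registry value lines: "HKCU\...\Main,Start Page = http://..."
        label, target = (p.strip() for p in body.split(" = ", 1))
        return Entry(section, label, clsid, target, orphan)

    run = _RUN_RE.search(body) if section == "O4" else None
    if run:
        return Entry(section, run.group("name"), clsid, run.group("target").strip(), orphan)

    # Generic "label - CLSID - target" / "label - vendor - target" shape.
    parts = [p.strip() for p in body.split(" - ") if p.strip()]
    label = parts[0] if parts else body
    rest = [p for p in parts[1:] if not p.startswith("{")]   # skip the CLSID field
    target = rest[-1] if rest else ""
    return Entry(section, label, clsid, target, orphan)


def orphaned_entries(lines: List[str]) -> List[Entry]:
    """Entries whose target HijackThis could not find: the '(no file)' and
    '(file missing)' items the thread asks about.  They are dead references;
    as the helper answered, whether to fix one still depends on the entry."""
    return [e for e in map(parse_line, lines) if e is not None and e.orphan]


def entries_by_clsid(lines: List[str]) -> Dict[str, List[Entry]]:
    """Group entries sharing a CLSID (e.g. a toolbar listed under both R3 and O3)."""
    groups: Dict[str, List[Entry]] = defaultdict(list)
    for e in map(parse_line, lines):
        if e is not None and e.clsid:
            groups[e.clsid].append(e)
    return dict(groups)


# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = [
    r"Logfile of Trend Micro HijackThis v2.0.2",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/",
    r"R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll",
    r"O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll",
    r"O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll",
    r"O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe",
    r"O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)",
    r"O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)",
    r"O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe",
]

if __name__ == "__main__":
    for e in orphaned_entries(SAMPLE_LOG):
        print(f"{e.section} orphan: {e.label!r} clsid={e.clsid} target={e.target!r}")
```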



