View Full Version : HJT log for review
kelly
03-08-2008, 03:33 PM
I hope someone will look at this log file. I believe this machine is clean, but it's still slow. Is there something in the startup that's causing slow behaviour?
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:29:54 PM, on 03/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NewDotNet\nnrun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NewDotNet\nnrun.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\John Dunleavy\Local Settings\Temporary Internet Files\Content.IE5\89JKCVN6\HiJackThis_v2[1].exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mmjb.musicmatch.com/mmjb/process.cgi?REQUEST=HOME
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {33329196-5727-76D8-0416-5300CABB8BBB} - C:\WINDOWS\System32\mbbqdn.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {A3024AB6-7EDB-4F7F-9E38-D463283E1638} - c:\windows\system32\clnkcln.dll (file missing)
O2 - BHO: (no name) - {B6ADA842-67AB-4909-8E2B-30E604F059B6} - C:\WINDOWS\System32\wzulanqr.dll (file missing)
O2 - BHO: (no name) - {C5F54420-F6BD-4D42-8213-506A79EE771F} - c:\windows\system32\wisbjefe.dll (file missing)
O3 - Toolbar: OIN Search - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - C:\PROGRAM FILES\OIN SEARCH\OINSEARCH.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [sitwvotv] C:\WINDOWS\System32\sitwvotv.exe
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [clcl13] C:\WINDOWS\System32\clcl13.exe
O4 - HKLM\..\Run: [Winload32] C:\WINDOWS\System32\explorer32\winload32.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [winload] C:\WINDOWS\System32\explorer32\winload32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Windows Visual V2.1] C:\WINDOWS\msiutil.exe
O4 - HKCU\..\Run: [Ainklrg] "C:\Documents and Settings\John Dunleavy\Application Data\??sembly\s?anregw.exe" 99001275
O4 - HKCU\..\Run: [Rqsr] "C:\Documents and Settings\John Dunleavy\Application Data\s?stem32\n?tepad.exe"
O4 - HKCU\..\Run: [Ddhimgpq] "C:\Documents and Settings\John Dunleavy\Application Data\F?nts\?hkntfs.exe"
O4 - HKCU\..\Run: [sitwvotv] C:\WINDOWS\System32\sitwvotv.exe
O4 - HKCU\..\Run: [Ulmyymfj] "C:\Program Files\Common Files\??crosoft.NET\?pool32.exe"
O4 - HKLM\..\Policies\Explorer\Run: [7H28X9M91L] C:\WINDOWS\winlogon32.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm028MFUS
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15-3.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-365764235644} (AtlAtomadersCtlAttrib Class) - http://kraisoft.com/files/realone/atomaders.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197591788752
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BCD5A227-8720-497B-AF5F-4403E94342E3} (CDDM Object) - https://netservices.verizon.net/portal/verizon/passwdchg/activex/DSLControl.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.33/ttinst.cab
O16 - DPF: {C32F59BF-180B-416A-ABF7-161060990A88} - http://download.verizon.net/sfp/Cabs/max_update/cVOLUpdate_1-0-0.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/SpSp29952.40noopt/SpySpotterCabInstall.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: mrwtawxq - clnkcln.dll (file missing)
O20 - Winlogon Notify: tt - C:\WINDOWS\
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NNServ - New.net, Inc. - C:\Program Files\NewDotNet\nnrun.exe
O24 - Desktop Component 0: (no name) - http://www.melissabucci.com/nightmare/images/index_christmas-copy.gif
O24 - Desktop Component 1: (no name) - http://adisney.go.com/disneypictures/pirates/downloads/icons/skull.gif
O24 - Desktop Component 2: (no name) - http://www.timburtoncollective.com/uploaded_images/nmbc3d-739639.jpg
--
End of file - 11227 bytes
Guest110
03-08-2008, 03:38 PM
Kelly you have problems there
It is far from clean
Seth where are you ??
allheart55
03-08-2008, 06:01 PM
Tony, I sent you a pm. How much time did you plan on spending on this machine? :frown:
kelly
03-08-2008, 06:31 PM
Check out my post on multiple scans, as this is the machine I'm concerned about. There was so much on there and I ran scans from various resources - all finding different malware. This may be the most infected machine I've seen. It came in here with XP, SP-1 and no protection. ... and a teenager user.
Guest110
03-08-2008, 06:40 PM
This is the hjt after running all those scans ?????????????
kelly
03-08-2008, 06:55 PM
yup- I had this hard drive connected to my Vista machine and ran SAS, ewido, AVG, bitdefender, and Norton scans on it - check out my other thread. This is why I've posted the hjt log because even after running all those scans, this machine is still slow.
Scotty
03-09-2008, 08:50 AM
That's a busy one. NewDotNet, Purity, a Backdoor, the Cult worm. First thing I would do is give the usual option of formatting, and a dire warning if he uses the pc for banking.
It's easily cleaned up though.
A lot of malware in that log. You're also pretty much guaranteed that for every one malware entry that HT shows, there will be even more malware that HT doesn't show.
I would start by clearing msconfig and running the scans from Safe Mode and the online ones from SM With Networking. Then, I would run a chkdsk /f. If you do so, please post a new HT log.
...oh, clear the prefetch and temps too.
kelly
03-09-2008, 10:42 AM
Thanks Seth, I've been running scans in Safe Mode and Safe Mode w/Networking as required for on-line scans. I ran MalwareBytes today - it found 360 occurrences of 14 items. So I'm still cleaning at this point.
Guest110
03-09-2008, 10:49 AM
Thanks Seth, I've been running scans in Safe Mode and Safe Mode w/Networking as required for on-line scans. I ran MalwareBytes today - it found 360 occurrences of 14 items. So I'm still cleaning at this point.
Kelly will you post the MB log please when it's finished :)
Kelly,
You probably already know this, but make sure you update and run the full scans with sas and mb.
Also, note that by default, sas detects MyWebSearch, but for legal reasons, does not automatically remove it. You'll have to put a check in the box beside it.
I was going to post what to remove from the HT log, but there is just too much at this point...including numerous MWS entries.
kelly
03-09-2008, 11:17 AM
Seth - thanks - I'm running more scans today. After this this is cleaner, I'll post another hjt log.
Donna - I will post a MB log also.
This machine came in with SP-1 and no protection. There's also a teenager in the house. The machine has come a long way from when I first saw it.
Guest110
03-09-2008, 11:44 AM
Seth - thanks - I'm running more scans today. After this this is cleaner, I'll post another hjt log.
Donna - I will post a MB log also.
This machine came in with SP-1 and no protection. There's also a teenager in the house. The machine has come a long way from when I first saw it.
Just a note here
Make sure it is completely clean before you update to sp2 :D
I know you know that
Scotty
03-09-2008, 11:47 AM
I know this post will get deleted but how many scans do you plan to run over and over before you realise at best you will mask the problem?
kelly
03-09-2008, 12:22 PM
Hey Scotty thanks - I'm getting ready to reformat and reload tomorrow. Today, I'm considering it a learning experience as I've never had a machine this badly infected. I'm finding it interesting how the various malware detectors miss items that others find.
Yep, sometimes easier to just wipe and load.
I'm finding it interesting how the various malware detectors miss items that others find.
Keep in mind that a lot of that is just benign remnants (usually registry entries that point to a .exe that was already removed).
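The triage the replies above do by eye, written out as a small checker (an added example, not code from the thread or from HijackThis): it separates "remnant" entries whose target file is already gone from entries that still point at something, and flags the patterns visible in Kelly's log, such as system-process look-alike names (winlogon32.exe, svchosts.exe, explorer32\), "?" characters standing in for non-ASCII look-alike folder names, autoruns under the user profile, the Policies\Explorer\Run key, and two Run values pointing at the same binary. The sample lines are an excerpt of the log posted above; the flag names are my own.

```python
import re
from collections import defaultdict

# Windows binaries whose names the entries in this log imitate (stems, no extension).
SYSTEM_STEMS = ("winlogon", "svchost", "explorer", "lsass", "services", "csrss", "smss")

# "O4 - HKLM\..\Run: [name] path" -> section code and the rest of the line.
SECTION_RE = re.compile(r"^([RO]\d+) - (.*)$")
# A Windows path, quoted or bare; a bare path ends before " (file missing)",
# a " /switch", or the end of the line.
PATH_RE = re.compile(
    r'"([A-Za-z]:\\[^"]+)"'
    r'|([A-Za-z]:\\.+?)(?=\s+\(file missing\)|\s+/|\s*$)'
)
# HijackThis prints non-ASCII characters in a path as "?", which is how
# look-alike folder names such as "s?stem32" show up in the log.
LOOKALIKE_CHAR_RE = re.compile(r"\\[^\\]*\?[^\\]*")


def extract_path(body):
    m = PATH_RE.search(body)
    return (m.group(1) or m.group(2)) if m else None


def triage_line(line):
    """Return (section, path, flags) for one log line, or None if it is not an entry."""
    line = line.strip()
    m = SECTION_RE.match(line)
    if m:
        section, body = m.groups()
    elif re.match(r"^[A-Za-z]:\\", line):      # line from the "Running processes:" block
        section, body = "PROC", line
    else:
        return None
    flags = []
    # A registry entry whose target is already gone is a remnant: still worth
    # removing, but it is not what is running right now.
    if "(file missing)" in body or "(no file)" in body:
        flags.append("remnant")
    path = extract_path(body)
    if path:
        if LOOKALIKE_CHAR_RE.search(path):
            flags.append("unicode-lookalike-path")
        for seg in path.split("\\"):
            stem = seg.lower()[:-4] if seg.lower().endswith(".exe") else seg.lower()
            if any(stem.startswith(s) and stem != s for s in SYSTEM_STEMS):
                flags.append("system-name-lookalike:" + seg)
        low = path.lower()
        if section == "O4" and ("\\application data\\" in low or "\\local settings\\" in low):
            flags.append("autorun-in-user-profile")
    if section == "O4" and "Policies\\Explorer\\Run" in body:
        flags.append("policies-run-key")
    return section, path, flags


def triage(log_text):
    """Flag every entry in an HJT log; returns [(line, [flag, ...]), ...]."""
    results, targets = [], defaultdict(list)
    for line in log_text.splitlines():
        parsed = triage_line(line)
        if parsed is None:
            continue
        section, path, flags = parsed
        results.append((line.strip(), flags))
        if section == "O4" and path:
            targets[path.lower()].append(len(results) - 1)
    # Two autorun values pointing at the same binary (Winload32 / winload in the
    # log above) is worth calling out explicitly.
    for idxs in targets.values():
        if len(idxs) > 1:
            for i in idxs:
                results[i][1].append("duplicate-autorun-target")
    return results


def summarize(results):
    flagged = [r for r in results if r[1]]
    remnant = [r for r in flagged if "remnant" in r[1]]
    return {"entries": len(results), "flagged": len(flagged),
            "remnant": len(remnant), "active": len(flagged) - len(remnant)}


# Constructed excerpt of the log posted in this thread (not the full log).
SAMPLE_LOG = r"""
C:\WINDOWS\System32\svchost.exe
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: (no name) - {33329196-5727-76D8-0416-5300CABB8BBB} - C:\WINDOWS\System32\mbbqdn.dll (file missing)
O4 - HKLM\..\Run: [Winload32] C:\WINDOWS\System32\explorer32\winload32.exe
O4 - HKLM\..\Run: [winload] C:\WINDOWS\System32\explorer32\winload32.exe
O4 - HKCU\..\Run: [Rqsr] "C:\Documents and Settings\John Dunleavy\Application Data\s?stem32\n?tepad.exe"
O4 - HKLM\..\Policies\Explorer\Run: [7H28X9M91L] C:\WINDOWS\winlogon32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm028MFUS
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

if __name__ == "__main__":
    for entry, entry_flags in triage(SAMPLE_LOG):
        if entry_flags:
            print(", ".join(entry_flags), "<-", entry[:70])
    print(summarize(triage(SAMPLE_LOG)))
```

Flags are heuristics to direct attention, not verdicts: a legitimate vendor entry with a missing file is a remnant too, and a clean name says nothing about a file's contents.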
Guest110
03-09-2008, 12:32 PM
Another point do you restart the pc after each scan ??
kelly
03-09-2008, 12:33 PM
Wow - I missed that. I haven't been restarting all the time. I must remember to do that. Thanks for the reminder Donna.
Good point Donna.
After a scan, I restart into normal mode then go back into safe mode for another scan.
kelly
03-09-2008, 12:42 PM
Seth - what's the reason for booting to normal and then back to Safe Mode for another scan? Why not just reboot to Safe Mode for the next scan and skip the boot to Normal? Is there something in the registry that isn't addressed when booting in Safe Mode?
Seth - what's the reason for booting to normal and then back to Safe Mode for another scan? Why not just reboot to Safe Mode for the next scan and skip the boot to Normal? Is there something in the registry that isn't addressed when booting in Safe Mode?
The main reason is because I don't know if a particular scanner requires itself to be running to complete the removal process. If so, the removal will be incomplete when booting into SM.
I'm interested in hearing some thoughts on that.
kelly
03-09-2008, 12:53 PM
I remember someone who I respect said that after doing anything, you need to reboot twice. He had no real reason for it, but he was a seasoned computer repair tech.
So without a tech answer, it can't hurt to reboot at least once to normal mode. Wish I knew more about what happens in the registry.
Scotty
03-09-2008, 03:18 PM
The reason some tools have to reboot to delete files is because the only way to delete them is before Windows starts up and the process is loaded into memory. They do that automatically.
Can't imagine any situation you would have to reboot twice. That doesn't make any sense.
The reason some tools have to reboot to delete files is because the only way to delete them is before Windows starts up and the process is loaded into memory. They do that automatically.
Yes, that's a given. I was just concerned that a reboot into Safe Mode wouldn't complete the removal process.
Can't imagine any situation you would have to reboot twice. That doesn't make any sense.
I agree.
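How that deferred delete is recorded, as an added illustration that is not from the thread: a tool that cannot delete a file because its process is loaded calls MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which queues a source/destination pair in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager; the Session Manager (smss.exe) works through that list early in the next boot, before anything can load the file again, which is why a reboot into either Normal or Safe Mode completes the removal. The list below is constructed in the shape winreg returns for that value, using two file names from the log above plus one hypothetical driver replacement; an empty destination means delete, and a leading "!" on the destination means replace an existing file.

```python
# Object-manager prefix that MoveFileEx puts in front of each Win32 path.
NT_PREFIX = "\\??\\"

# Constructed PendingFileRenameOperations content (flat list: src, dst, src, dst ...).
SAMPLE_PENDING = [
    "\\??\\C:\\WINDOWS\\System32\\svchosts.exe", "",                 # empty destination: delete
    "\\??\\C:\\WINDOWS\\System32\\explorer32\\winload32.exe", "",
    "\\??\\C:\\SDFix\\clean.sys.tmp",                                # hypothetical replace-on-boot
    "!\\??\\C:\\WINDOWS\\system32\\drivers\\clean.sys",
]


def _strip_nt(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def decode_pending_renames(entries):
    """Turn the raw pair list into [{op, source, destination}, ...]."""
    if len(entries) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/destination pairs")
    ops = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        replace = dst.startswith("!")          # "!" = MOVEFILE_REPLACE_EXISTING
        if replace:
            dst = dst[1:]
        ops.append({
            "op": "delete" if dst == "" else ("replace" if replace else "rename"),
            "source": _strip_nt(src),
            "destination": _strip_nt(dst) if dst else None,
        })
    return ops


def pending_deletes(entries):
    """Files that will disappear on the next boot; handy to review before rebooting."""
    return [o["source"] for o in decode_pending_renames(entries) if o["op"] == "delete"]


if __name__ == "__main__":
    for op in decode_pending_renames(SAMPLE_PENDING):
        print(op["op"].upper(), op["source"], "->", op["destination"])
```

On a live XP box the same list is read with winreg.QueryValueEx on that key; it is normally empty, so anything present after a cleaning run is exactly the set of files the tool could not remove while Windows was up.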
kelly
03-10-2008, 04:53 PM
Here's the latest - is it looking any better?
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Downloads\HiJackThis_v2.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mmjb.musicmatch.com/mmjb/process.cgi?REQUEST=HOME
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {33329196-5727-76D8-0416-5300CABB8BBB} - C:\WINDOWS\System32\mbbqdn.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {A3024AB6-7EDB-4F7F-9E38-D463283E1638} - c:\windows\system32\clnkcln.dll (file missing)
O2 - BHO: (no name) - {B6ADA842-67AB-4909-8E2B-30E604F059B6} - C:\WINDOWS\System32\wzulanqr.dll (file missing)
O2 - BHO: (no name) - {C5F54420-F6BD-4D42-8213-506A79EE771F} - c:\windows\system32\wisbjefe.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [sitwvotv] C:\WINDOWS\System32\sitwvotv.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [clcl13] C:\WINDOWS\System32\clcl13.exe
O4 - HKLM\..\Run: [Winload32] C:\WINDOWS\System32\explorer32\winload32.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [winload] C:\WINDOWS\System32\explorer32\winload32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Windows Visual V2.1] C:\WINDOWS\msiutil.exe
O4 - HKCU\..\Run: [Ainklrg] "C:\Documents and Settings\John Dunleavy\Application Data\??sembly\s?anregw.exe" 99001275
O4 - HKCU\..\Run: [Rqsr] "C:\Documents and Settings\John Dunleavy\Application Data\s?stem32\n?tepad.exe"
O4 - HKCU\..\Run: [Ddhimgpq] "C:\Documents and Settings\John Dunleavy\Application Data\F?nts\?hkntfs.exe"
O4 - HKCU\..\Run: [sitwvotv] C:\WINDOWS\System32\sitwvotv.exe
O4 - HKCU\..\Run: [Ulmyymfj] "C:\Program Files\Common Files\??crosoft.NET\?pool32.exe"
O4 - HKLM\..\Policies\Explorer\Run: [7H28X9M91L] C:\WINDOWS\winlogon32.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm028MFUS
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-365764235644} (AtlAtomadersCtlAttrib Class) - http://kraisoft.com/files/realone/atomaders.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197591788752
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BCD5A227-8720-497B-AF5F-4403E94342E3} (CDDM Object) - https://netservices.verizon.net/portal/verizon/passwdchg/activex/DSLControl.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.33/ttinst.cab
O16 - DPF: {C32F59BF-180B-416A-ABF7-161060990A88} - http://download.verizon.net/sfp/Cabs/max_update/cVOLUpdate_1-0-0.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/SpSp29952.40noopt/SpySpotterCabInstall.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: mrwtawxq - clnkcln.dll (file missing)
O20 - Winlogon Notify: tt - C:\WINDOWS\
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NNServ - Unknown owner - C:\Program Files\NewDotNet\nnrun.exe (file missing)
O24 - Desktop Component 0: (no name) - http://www.melissabucci.com/nightmare/images/index_christmas-copy.gif
O24 - Desktop Component 1: (no name) - http://adisney.go.com/disneypictures/pirates/downloads/icons/skull.gif
O24 - Desktop Component 2: (no name) - http://www.timburtoncollective.com/uploaded_images/nmbc3d-739639.jpg
--
End of file - 10338 bytes
Guest110
03-10-2008, 04:58 PM
In one word NO :D
I agree with BM's "no".
Time to save the data and reload.
Guest110
03-10-2008, 05:15 PM
Why is it not being cleaned Seth?
Is it so badly infected
One of the lines is this little nasty i think
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SDBOT.AEU&VSect=T
allheart55
03-10-2008, 05:21 PM
Tony, It's looking worse than it was two days ago. The Malware is procreating, proliferating and morphing!:D As Dan would say, "Whack and reload"!!
Why is it not being cleaned Seth?
Is it so badly infected
One of the lines is this little nasty i think
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SDBOT.AEU&VSect=T
You're right Donna, but as someone else said, there is a very big difference between cleaning systems online and making a living from doing such.
Terry once spoke it very well.
Guest110
03-10-2008, 05:28 PM
It doesn't seem to be going too well at the minute
Oh i wish i could be let at it ..
Scotty a challenge for you
Come on let Scotty have a go at cleaning it:)
That's the first time I have seen this infection
OOHH its exciting :D:D
kelly
03-10-2008, 06:04 PM
Donna, I'll remove Winlogon per the link you posted. Thanks.
Scotty
03-10-2008, 06:26 PM
Why don't you do it all at once?
kelly
03-10-2008, 06:43 PM
Scotty - I don't understand your post. Do all what at once?
Scotty
03-10-2008, 06:45 PM
Clean it. Unless you are just going to reinstall.
Guest110
03-10-2008, 06:47 PM
Stop teasing him Scotty:)
Kelly would you like Scotty to help you clean it ??:D
Might be interesting
kelly
03-10-2008, 07:08 PM
I scanned this with SAS, Malwarebytes, ewido, Norton, AVG, and probably a few others.
Any help is appreciated. I'm looking at this as a learning experience.
Thank you.
allheart55
03-10-2008, 07:09 PM
Go for it, Tony!:D You may or may not ;) regret it!!:eek:
kelly
03-10-2008, 08:19 PM
Donna, using the link you sent http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SDBOT.AEU&VSect=T
none of those registry entries exist on this machine.
Guest110
03-10-2008, 08:39 PM
Donna, using the link you sent http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SDBOT.AEU&VSect=T
none of those registry entries exist on this machine.
I would let Scotty sort you out Kelly:D
Scotty
03-11-2008, 08:00 AM
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back in your next reply.
If you already have Combofix, please delete that copy and download it again as it's being updated regularly.
Please download Combofix from Bleeping Computer (http://download.bleepingcomputer.com/sUBs/ComboFix.exe).
If you can't download it from there, please try these 2 alternative sites:
Forospyware (http://www.forospyware.com/sUBs/ComboFix.exe)
Geeks to Go (http://subs.geekstogo.com/ComboFix.exe)
Save it to your Desktop.
Disconnect from the Internet, then disable your anti-virus and any real-time anti-spyware monitors that are running.
Click Start>Run copy/paste or type "%userprofile%\desktop\combofix.exe" /killall into the Run box and click OK.
When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.
Note 1: Do not mouse-click Combofix's window whilst it's running. That may cause it to stall.
Note 2: Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
In your next reply post:
Report.txt
ComboFix.txt
New HijackThis log taken after the above scans have run
Note: My posting here has nothing to do with my MRU membership. I am posting here as a member of Whatthetech (formerly Tom Coyote).
kelly
03-11-2008, 08:21 AM
OK -- I will certainly do that. Much appreciated. Scans on this computer have been taking about 90 minutes, so it'll be a while before I can post the results.
kelly
03-11-2008, 09:55 AM
Here's the SDFix log:
SDFix: Version 1.155
Run by John Dunleavy on 03/11/2008 at 08:58 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Name:
COM+ Messages
Path:
"C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000213
COM+ Messages - Deleted
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\default.htm - Deleted
C:\WINDOWS\system32\windows_log.txt - Deleted
Folder C:\Documents and Settings\All Users\Documents\Settings - Removed
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-11 09:09:49
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Fri 12 Aug 2005 1,441,792 A..H. --- "C:\My Games\Hamsterball\ham.exe"
Mon 15 Aug 2005 372,736 A..H. --- "C:\My Games\Water Bugs\waterbugs.exe"
Fri 19 Nov 2004 54,872 A..H. --- "C:\Program Files\America Online 9.0\AOLphx.exe"
Fri 19 Nov 2004 31,832 A..H. --- "C:\Program Files\America Online 9.0\rbm.exe"
Mon 4 Jun 2007 1,607,071 ..SH. --- "C:\WINDOWS\SYSTEM32\ilkkj.bak1"
Mon 4 Jun 2007 1,612,926 ..SH. --- "C:\WINDOWS\SYSTEM32\ilkkj.bak2"
Thu 18 Aug 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 7 Mar 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\19938f3d235fc96f3e6aaed1e5e7a74c\BIT13.tmp"
Thu 18 Aug 2005 4,348 ...H. --- "C:\Documents and Settings\John Dunleavy\My Documents\My Music\License Backup\drmv1key.bak"
Sun 9 Jul 2006 20 A..H. --- "C:\Documents and Settings\John Dunleavy\My Documents\My Music\License Backup\drmv1lic.bak"
Thu 18 Aug 2005 400 A.SH. --- "C:\Documents and Settings\John Dunleavy\My Documents\My Music\License Backup\drmv2key.bak"
Sun 22 Apr 2007 34,308 ...H. --- "C:\Documents and Settings\John Dunleavy\Application Data\Macromedia\Shockwave Player\xtras\download\AndradeArts\Music\BASSMOD.dll"
Finished!
kelly
03-11-2008, 09:56 AM
Here's the ComboFix log:
ComboFix 08-03-10.1 - John Dunleavy 2008-03-11 9:29:07.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.151 [GMT -4:00]
Running from: C:\Documents and Settings\John Dunleavy\Desktop\ComboFix.exe
Command switches used :: /killall
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\John Dunleavy\Application Data\CROSOF~1.NET
C:\Documents and Settings\John Dunleavy\Application Data\FNTS~1
C:\Documents and Settings\John Dunleavy\Application Data\FunWebProducts
C:\Documents and Settings\John Dunleavy\Application Data\FunWebProducts\Data\John Dunleavy\avatar.dat
C:\Documents and Settings\John Dunleavy\Application Data\ICROSO~1.NET
C:\Documents and Settings\John Dunleavy\Application Data\macromedia\Flash Player\#SharedObjects\8XLX5HX2\www.broadcaster.com
C:\Documents and Settings\John Dunleavy\Application Data\macromedia\Flash Player\#SharedObjects\8XLX5HX2\www.broadcaster.com\played_list.sol
C:\Documents and Settings\John Dunleavy\Application Data\macromedia\Flash Player\#SharedObjects\8XLX5HX2\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\John Dunleavy\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\John Dunleavy\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\John Dunleavy\Application Data\MANTEC~1
C:\Documents and Settings\John Dunleavy\Application Data\PPPATC~1
C:\Documents and Settings\John Dunleavy\Application Data\SEMBLY~1
C:\Documents and Settings\John Dunleavy\Application Data\SMANTE~1
C:\Documents and Settings\John Dunleavy\Application Data\SSTEM3~1
C:\Documents and Settings\John Dunleavy\Application Data\YMBOLS~1
C:\Documents and Settings\John Dunleavy\My Documents\APPATC~1
C:\Documents and Settings\John Dunleavy\My Documents\ASKS~1
C:\Documents and Settings\John Dunleavy\My Documents\ASKS~2
C:\Documents and Settings\John Dunleavy\My Documents\ICROSO~1.NET
C:\Documents and Settings\John Dunleavy\My Documents\MANTEC~1
C:\Documents and Settings\John Dunleavy\My Documents\MCROSO~1.NET
C:\Documents and Settings\John Dunleavy\My Documents\PPPATC~1
C:\Documents and Settings\John Dunleavy\My Documents\RACLE~1
C:\Documents and Settings\John Dunleavy\My Documents\RACLE~2
C:\Documents and Settings\John Dunleavy\My Documents\SSEMBL~1
C:\Documents and Settings\John Dunleavy\My Documents\STEM~1
C:\Program Files\Common Files\{3812F~1
C:\Program Files\Common Files\{6812F~1
C:\Program Files\Common Files\{6812F~2
C:\Program Files\Common Files\appatc~1
C:\Program Files\Common Files\crosof~1
C:\Program Files\Common Files\crosof~1.net
C:\Program Files\Common Files\curity~1
C:\Program Files\Common Files\dobe~1
C:\Program Files\Common Files\dobe~2
C:\Program Files\Common Files\ecurit~1
C:\Program Files\Common Files\mcroso~1
C:\Program Files\Common Files\racle~1
C:\Program Files\Common Files\smante~1
C:\Program Files\Common Files\stem32~1
C:\Program Files\ecurit~1
C:\Program Files\icroso~1.net
C:\Program Files\pppatc~1
C:\Program Files\racle~1
C:\Program Files\ssembl~1
C:\Program Files\wnsxs~1
C:\Program Files\ymbols~1
C:\Program Files\ystem~1
C:\WINDOWS\asks~1
C:\WINDOWS\fnts~1
C:\WINDOWS\icroso~1.net
C:\WINDOWS\sks~1
C:\WINDOWS\smante~1
C:\WINDOWS\sstem~1
C:\WINDOWS\stem~1
C:\WINDOWS\system32\asks~1
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\System32\clnkcln.dll
C:\WINDOWS\system32\curity~1
C:\WINDOWS\system32\dobe~1
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\drivers\remove_spyware_button.gif
C:\WINDOWS\system32\drivers\thvsfvlg.dat
C:\WINDOWS\system32\ecurit~1
C:\WINDOWS\system32\mantec~1
C:\WINDOWS\system32\racle~1
C:\WINDOWS\system32\scurit~1
C:\WINDOWS\system32\sl.bin
C:\WINDOWS\system32\smbols~1
C:\WINDOWS\system32\stem~1
C:\WINDOWS\system32\wisbjefe.dll
C:\WINDOWS\system32\wnsxs~1
C:\WINDOWS\wnsxs~1
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_JWCJMROK
-------\LEGACY_NNSERV
-------\LEGACY_SOYOLQUZ
-------\jwcjmrok
-------\NNServ
-------\soyolquz
((((((((((((((((((((((((( Files Created from 2008-02-11 to 2008-03-11 )))))))))))))))))))))))))))))))
.
2008-03-11 08:53 . 2008-03-11 08:53 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-11 08:45 . 2008-03-11 09:24 <DIR> d-------- C:\SDFix
2008-03-11 07:30 . 2008-03-11 07:30 <DIR> d-------- C:\Documents and Settings\Administrator.D3XXK931\Application Data\SUPERAntiSpyware.com
2008-03-10 14:55 . 2007-01-18 08:00 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgArCln.sys
2008-03-09 09:13 . 2008-03-10 16:57 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-09 09:13 . 2008-03-09 09:13 <DIR> d-------- C:\Documents and Settings\John Dunleavy\Application Data\Malwarebytes
2008-03-09 09:13 . 2008-03-09 09:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-08 16:19 . 2008-03-08 16:19 5 --a------ C:\WINDOWS\SYSTEM32\SndDrv32ds_k.ods
2008-03-08 16:19 . 2008-03-08 16:19 5 --ahs---- C:\WINDOWS\SYSTEM32\AuxDrv32ds_k.ods
2008-03-08 16:18 . 2008-03-08 16:19 <DIR> d-------- C:\Program Files\jv16 PowerTools 2005
2008-03-08 15:32 . 2008-03-08 15:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-08 15:31 . 2008-03-08 15:31 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-08 15:31 . 2008-03-08 15:31 <DIR> d-------- C:\Documents and Settings\John Dunleavy\Application Data\SUPERAntiSpyware.com
2008-03-08 15:30 . 2008-03-08 15:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-08 15:28 . 2008-03-08 15:28 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-08 15:28 . 2008-03-10 15:12 <DIR> d-------- C:\Documents and Settings\John Dunleavy\Application Data\AVG7
2008-03-08 15:27 . 2008-03-08 15:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-08 15:27 . 2008-03-09 10:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-07 18:37 . 2008-03-07 18:37 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-03-07 18:23 . 2006-08-21 05:14 128,896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmgr.sys
2008-03-07 18:23 . 2006-08-21 05:14 23,040 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmc.exe
2008-03-07 18:23 . 2006-08-21 08:21 16,896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltlib.dll
2008-03-07 18:13 . 2007-07-09 09:09 584,192 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
2008-03-07 17:51 . 2008-03-07 17:51 <DIR> d---s---- C:\Documents and Settings\Administrator.D3XXK931\UserData
2008-03-07 17:51 . 2008-03-07 17:51 664 --a------ C:\WINDOWS\SYSTEM32\d3d9caps.dat
2008-03-07 17:47 . 2003-08-15 20:06 <DIR> d-------- C:\Documents and Settings\Administrator.D3XXK931\WINDOWS
2008-03-07 17:47 . 2005-06-01 21:27 <DIR> d-------- C:\Documents and Settings\Administrator.D3XXK931\Application Data\Gtek
2008-03-07 16:47 . 2004-08-04 01:56 221,184 --a------ C:\WINDOWS\SYSTEM32\wmpns.dll
2008-03-07 16:41 . 2008-03-07 16:41 <DIR> d-------- C:\WINDOWS\provisioning
2008-03-07 16:31 . 2008-03-07 16:31 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-03-07 16:20 . 2004-07-17 12:40 19,528 --a------ C:\WINDOWS\002293_.tmp
2008-03-07 16:13 . 2008-03-07 16:13 <DIR> d-------- C:\WINDOWS\EHome
2008-02-23 19:44 . 2008-03-04 18:15 53,498 --a------ C:\WINDOWS\SYSTEM32\0.html
2008-02-16 18:54 . 2008-02-16 18:54 <DIR> d-------- C:\Documents and Settings\John Dunleavy\Application Data\Yahoo!
2008-02-16 14:54 . 2008-02-16 14:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Gogii
2008-02-16 14:50 . 2008-02-16 14:52 <DIR> d-------- C:\Program Files\Shockwave.com
2008-02-12 21:24 . 2008-03-07 17:51 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-12 21:24 . 2008-02-12 21:24 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-11 17:44 . 2008-02-11 17:44 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUS.ico
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-03-08 20:11 --------- d-----w C:\Program Files\Yahoo!
2008-03-08 19:53 --------- d-----w C:\Program Files\Google
2008-03-07 17:50 --------- d-----w C:\Program Files\AdVantage
2008-03-06 23:05 --------- d-----w C:\Program Files\WebSecureAlert
2008-03-06 21:11 --------- d-----w C:\Program Files\Sandbox of God
2008-03-06 21:11 --------- d-----w C:\Program Files\Bird Hunter
2008-02-17 20:14 --------- d-----w C:\Program Files\Yahoo! Games
2008-02-17 20:09 --------- d-----w C:\Documents and Settings\John Dunleavy\Application Data\LimeWire
2008-01-29 21:07 --------- d-----w C:\Program Files\RegCure
2008-01-28 23:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Citrix
2008-01-28 22:52 --------- d-----w C:\Documents and Settings\John Dunleavy\Application Data\McAfee
2008-01-28 01:24 --------- d-----w C:\Program Files\AIM
2008-01-28 01:12 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-31 20:44 670 ----a-w C:\Program Files\Common Files\tempeml.html
2007-10-19 20:14 6,166 ----a-w C:\Program Files\Common Files\temp.html
2006-05-31 13:14 108,056 ----a-w C:\Program Files\Common Files\secman.dll
2006-03-11 23:09 626,176 ----a-w C:\Program Files\Common Files\osmax.ocx
2007-06-04 12:15 1,607,071 --sh--w C:\WINDOWS\SYSTEM32\ilkkj.bak1
2007-06-04 12:10 1,612,926 --sh--w C:\WINDOWS\SYSTEM32\ilkkj.bak2
.
((((((((((((((((((((((((((((((((((((((((((((( AWF )))))))))))))))))))))))))))))))))))))))))))))))))) ))))))))
.
----a-w 57,344 2005-06-07 03:46:24 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe
----a-w 67,112 2006-08-01 19:35:36 C:\Program Files\AIM\bak\aim.exe
----a-w 67,112 2006-08-01 19:35:36 C:\Program Files\AIM\aim.exe
----a-w 50,760 2006-05-10 00:24:16 C:\Program Files\Common Files\aol\1128791757\EE\bak\AOLSoftware.exe
----a-w 151,597 2003-08-16 00:09:51 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 185,896 2007-12-08 22:09:47 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
----a-w 86,102 2003-02-17 22:00:36 C:\Program Files\Dell AIO Printer A940\bak\dlbabmgr.exe
----a-w 306,688 2004-07-19 12:51:24 C:\Program Files\Dell Support\bak\DSAgnt.exe
----a-w 278,528 2006-06-14 20:24:14 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 267,048 2007-12-11 17:10:26 C:\Program Files\iTunes\iTunesHelper.exe
----a-w 49,263 2006-07-26 07:03:14 C:\Program Files\Java\jre1.5.0_08\bin\bak\jusched.exe
----a-w 11,776 2006-01-19 15:06:16 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mimboot.exe
----a-w 110,592 2006-01-19 15:06:18 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe
----a-w 183,367 2006-08-30 16:46:34 C:\Program Files\Plaxo\2.11.1.5\bak\PlaxoHelper.exe
----a-w 282,624 2006-12-07 23:18:00 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 286,720 2007-12-11 15:56:54 C:\Program Files\QuickTime\QTTask.exe
----a-w 684,032 2002-12-17 17:28:00 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe
----a-w 13,312 2002-08-29 10:00:00 C:\WINDOWS\SYSTEM32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 05:56:50 C:\WINDOWS\SYSTEM32\ctfmon.exe
----a-w 114,688 2003-04-07 05:07:38 C:\WINDOWS\SYSTEM32\bak\hkcmd.exe
----a-w 155,648 2003-04-07 05:19:52 C:\WINDOWS\SYSTEM32\bak\igfxtray.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{33329196-5727-76D8-0416-5300CABB8BBB}]
C:\WINDOWS\System32\mbbqdn.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B6ADA842-67AB-4909-8E2B-30E604F059B6}]
C:\WINDOWS\System32\wzulanqr.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"Ainklrg"="C:\Documents and Settings\John Dunleavy\Application Data\??sembly\s?anregw.exe" [ ]
"Rqsr"="C:\Documents and Settings\John Dunleavy\Application Data\s?stem32\n?tepad.exe" [ ]
"Ddhimgpq"="C:\Documents and Settings\John Dunleavy\Application Data\F?nts\?hkntfs.exe" [ ]
"Ulmyymfj"="C:\Program Files\Common Files\??crosoft.NET\?pool32.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\drivers\video\igfxtray.exe" [2003-04-07 01:19 155648]
"HotKeysCmds"="c:\drivers\video\hkcmd.exe" [2003-04-07 01:07 114688]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 49152]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-08 18:09 185896]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-08 15:29 579072]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-08 15:28 219136]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-08-15 20:04:41 24576]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24 210520]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tt]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WebSecureAlert.lnk]
backup=C:\WINDOWS\pss\WebSecureAlert.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdVantage]
--a------ 2007-11-05 12:12 884176 C:\Program Files\AdVantage\AdVantage.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aida]
--a------ 2002-08-29 06:00 375808 c:\i386\cmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIMPro]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
--a------ 2004-10-20 10:40 34904 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eegyvogp]
C:\Documents and Settings\John Dunleavy\Application Data\?ppPatch\r?ndll32.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gde]
C:\Documents and Settings\John Dunleavy\My Documents\?ppPatch\w?auclt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Visual Enhance V2.1]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2006-01-19 11:06 110592 c:\program files\musicmatch\musicmatch jukebox\bak\mm_tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\MSMSGS.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ofuvyyur]
C:\Documents and Settings\John Dunleavy\Application Data\s?stem32\w?crtupd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Okcl]
C:\Program Files\Common Files\S?mantec\?ttrib.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 11:56 286720 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Cleaner]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MCVSRte"=2 (0x2)
"McShield"=3 (0x3)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
S3 cel90xbe;cel90xbe;C:\DOCUME~1\JOHNDU~1\LOCALS~1\Temp\cel90xbe.sys []
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
"2008-02-18 18:48:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-28 23:03:08 C:\WINDOWS\Tasks\McAfee Cleanup.job"
- C:\DOCUME~1\JOHNDU~1\LOCALS~1\Temp\MCPR.tmp\mccleanup.exeC-p mpfpcu,mpfp,mps,shred,mpscu,mskcu,msk,emproxy,mas,fwdriver,hw,mbk,mcproxy,mhn,mqccu,mqc,shrd,nmc,redir,mna,mwl,msad,vs,msc,mcpr -log
"2008-03-11 13:41:00 C:\WINDOWS\Tasks\McAfee.com Update Check (D3XXK931-Anna).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.ex
- C:\PROGRA~1\McAfee.com\Agent
"2008-03-11 13:40:00 C:\WINDOWS\Tasks\McAfee.com Update Check (D3XXK931-John Dunleavy).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.ex
- C:\PROGRA~1\McAfee.com\Agent
"2008-03-11 13:43:00 C:\WINDOWS\Tasks\McAfee.com Update Check (D3XXK931-Owner).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.ex
- C:\PROGRA~1\McAfee.com\Agent
"2008-03-11 13:38:17 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-02-21 08:00:00 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-02-20 00:07:40 C:\WINDOWS\Tasks\WebReg Photosmart C6200 series.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
.
************************************************** ************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-11 09:38:58
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************** ************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
.
************************************************** ************************
.
Completion time: 2008-03-11 9:45:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-11 13:45:00
.
2008-03-08 20:09:18 --- E O F ---
kelly
03-11-2008, 09:57 AM
Here's the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 09:51, on 2008-03-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\drivers\video\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Downloads\HiJackThis_v2.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mmjb.musicmatch.com/mmjb/process.cgi?REQUEST=HOME
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {33329196-5727-76D8-0416-5300CABB8BBB} - C:\WINDOWS\System32\mbbqdn.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {B6ADA842-67AB-4909-8E2B-30E604F059B6} - C:\WINDOWS\System32\wzulanqr.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] c:\drivers\video\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] c:\drivers\video\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ainklrg] "C:\Documents and Settings\John Dunleavy\Application Data\??sembly\s?anregw.exe" 99001275
O4 - HKCU\..\Run: [Rqsr] "C:\Documents and Settings\John Dunleavy\Application Data\s?stem32\n?tepad.exe"
O4 - HKCU\..\Run: [Ddhimgpq] "C:\Documents and Settings\John Dunleavy\Application Data\F?nts\?hkntfs.exe"
O4 - HKCU\..\Run: [Ulmyymfj] "C:\Program Files\Common Files\??crosoft.NET\?pool32.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm028MFUS
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-365764235644} (AtlAtomadersCtlAttrib Class) - http://kraisoft.com/files/realone/atomaders.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197591788752
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BCD5A227-8720-497B-AF5F-4403E94342E3} (CDDM Object) - https://netservices.verizon.net/portal/verizon/passwdchg/activex/DSLControl.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.33/ttinst.cab
O16 - DPF: {C32F59BF-180B-416A-ABF7-161060990A88} - http://download.verizon.net/sfp/Cabs/max_update/cVOLUpdate_1-0-0.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/SpSp29952.40noopt/SpySpotterCabInstall.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: tt - C:\WINDOWS\
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
--
End of file - 8558 bytes
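The entries a helper would circle in the ComboFix and HijackThis logs above share a few mechanical tells: paths with `?` in them (a literal `?` is not a legal Windows filename character, so it marks a character the log writer could not render, here directory and file names such as `??sembly\s?anregw.exe` that imitate `Assembly\scanregw.exe`), BHOs whose DLL is "(file missing)", and a Winlogon Notify entry (`O20 ... tt - C:\WINDOWS\`) that points at a directory rather than a DLL. The Python script below is an added example, not part of this thread, of HijackThis or of ComboFix. It runs over a handful of lines copied from the posted log; the `LEGIT_NAMES` list, the `PATH_RE` extraction pattern and the "runs from a user-writable profile directory" heuristic are my assumptions, not anything the tools define.

```python
import re
from typing import Dict, List

# Sample input: lines copied from the HijackThis log posted in this thread.
# Backslashes are doubled because these are ordinary Python string literals.
SAMPLE_LOG = [
    'O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll',
    'O2 - BHO: (no name) - {33329196-5727-76D8-0416-5300CABB8BBB} - C:\\WINDOWS\\System32\\mbbqdn.dll (file missing)',
    'O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP',
    'O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe',
    'O4 - HKCU\\..\\Run: [Ainklrg] "C:\\Documents and Settings\\John Dunleavy\\Application Data\\??sembly\\s?anregw.exe" 99001275',
    'O4 - HKCU\\..\\Run: [Rqsr] "C:\\Documents and Settings\\John Dunleavy\\Application Data\\s?stem32\\n?tepad.exe"',
    'O4 - HKCU\\..\\Run: [Ulmyymfj] "C:\\Program Files\\Common Files\\??crosoft.NET\\?pool32.exe"',
    'O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll',
    'O20 - Winlogon Notify: tt - C:\\WINDOWS\\',
]

# Names the look-alike directories and files in this thread imitate.
# Assumption for the example; extend it for your own environment.
LEGIT_NAMES = [
    "Assembly", "system32", "Fonts", "Microsoft.NET", "AppPatch", "Symantec",
    "Security", "Oracle", "Adobe", "Symbols", "Tasks",
    "notepad.exe", "rundll32.exe", "wuauclt.exe", "attrib.exe",
    "scanregw.exe", "chkntfs.exe",
]

# A Windows path up to the first executable-looking extension. HijackThis does
# not quote paths consistently, so "up to .exe/.dll" beats "up to the next space".
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|scr|cpl|sys)\b', re.IGNORECASE)
USER_WRITABLE = re.compile(r'\\(Application Data|Local Settings|Temp)\\', re.IGNORECASE)


def mimicked_name(component: str) -> str:
    """If a path component containing '?' placeholders equals a legitimate name
    once each '?' stands for one unknown character, return that name, else ''."""
    if "?" not in component:
        return ""
    pattern = re.escape(component).replace(r"\?", ".")
    for name in LEGIT_NAMES:
        if re.fullmatch(pattern, name, re.IGNORECASE):
            return name
    return ""


def triage_line(line: str) -> Dict:
    """Classify one HijackThis line and collect the reasons it looks suspicious."""
    kind = line.split(" - ", 1)[0].strip()          # O2, O4, O20, ...
    match = PATH_RE.search(line)
    path = match.group(0) if match else ""
    reasons: List[str] = []

    if path:
        if "?" in path or any(ord(c) > 127 for c in path):
            reasons.append("path contains a character the tool could not render (look-alike name?)")
        for part in path.split("\\"):
            legit = mimicked_name(part)
            if legit:
                reasons.append(f"'{part}' mimics '{legit}'")
        if kind == "O4" and USER_WRITABLE.search(path):
            reasons.append("autorun from a user-writable profile directory (heuristic)")
    if kind == "O2" and line.rstrip().endswith("(file missing)"):
        reasons.append("BHO registered but its DLL is gone; stale registration to remove")
    if kind == "O20" and not path.lower().endswith(".dll"):
        reasons.append("Winlogon Notify entry does not point at a DLL (directory or missing target)")

    return {"kind": kind, "path": path, "reasons": reasons, "line": line}


def triage(lines: List[str]) -> List[Dict]:
    return [triage_line(line) for line in lines if line.strip()]


def flagged(lines: List[str]) -> List[Dict]:
    """Only the entries that collected at least one reason."""
    return [entry for entry in triage(lines) if entry["reasons"]]


if __name__ == "__main__":
    for hit in flagged(SAMPLE_LOG):
        print(hit["kind"], hit["path"] or "(no path)")
        for reason in hit["reasons"]:
            print("   -", reason)
```

Run against the nine sample lines, the script leaves the Adobe, AVG, ctfmon and SUPERAntiSpyware entries alone and reports the five that the thread's helper targets: the missing `mbbqdn.dll` BHO, the three HKCU Run entries in look-alike directories, and the `tt` Winlogon Notify entry. Feed it a whole HijackThis log (one line per list element) and read the hits first; the heuristic on profile directories will also catch legitimate software that autoruns from `Application Data`, so treat that reason as a prompt to look, not a verdict.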
Scotty
03-11-2008, 12:23 PM
Hi
We now suggest that you install the Windows Recovery Console. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System
http://i149.photobucket.com/albums/s63/Mac701/KB310994.gif
Download the file & save it as it's originally named, next to ComboFix.exe.
http://i149.photobucket.com/albums/s63/Mac701/rc1.gif
Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.
Please do not reboot your machine until we have reviewed the log.
kelly
03-11-2008, 01:33 PM
Here's the log:
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
Scotty
03-11-2008, 02:00 PM
Here's a little something I prepared earlier. ;)
Go to http://virusscan.jotti.org
Copy the following line into the white textbox:
C:\WINDOWS\SYSTEM32\SndDrv32ds_k.ods
Click Submit.
Please post the results of this scan to this thread.
Do the same for these:
C:\WINDOWS\SYSTEM32\AuxDrv32ds_k.ods
c:\drivers\video\igfxtray.exe
c:\drivers\video\hkcmd.exe
Remember to disconnect from the Internet before carrying out the next instruction, and to save the following script before you do.
Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C
KillAll::
File::
C:\WINDOWS\002293_.tmp
C:\WINDOWS\SYSTEM32\0.html
C:\Program Files\Common Files\tempeml.html
C:\Program Files\Common Files\temp.html
C:\WINDOWS\SYSTEM32\ilkkj.bak1
C:\WINDOWS\SYSTEM32\ilkkj.bak2
C:\DOCUME~1\JOHNDU~1\LOCALS~1\Temp\cel90xbe.sys
C:\WINDOWS\Tasks\RegCure Program Check.job
C:\WINDOWS\Tasks\RegCure.job
Folder::
C:\Program Files\AdVantage
C:\Program Files\WebSecureAlert
C:\Program Files\RegCure
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{33329196-5727-76D8-0416-5300CABB8BBB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B6ADA842-67AB-4909-8E2B-30E604F059B6}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ainklrg"=-
"Rqsr"=-
"Ddhimgpq"=-
"Ulmyymfj"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tt]
[-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WebSecureAlert.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdVantage]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aida]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eegyvogp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gde]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ofuvyyur]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Okcl]
Driver::
cel90xbe
AWF::
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe
C:\Program Files\AIM\bak\aim.exe
C:\Program Files\Common Files\aol\1128791757\EE\bak\AOLSoftware.exe
C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
C:\Program Files\Dell AIO Printer A940\bak\dlbabmgr.exe
C:\Program Files\Dell Support\bak\DSAgnt.exe
C:\Program Files\iTunes\bak\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_08\bin\bak\jusched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mimboot.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe
C:\Program Files\Plaxo\2.11.1.5\bak\PlaxoHelper.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe
C:\WINDOWS\SYSTEM32\bak\ctfmon.exe
C:\WINDOWS\SYSTEM32\bak\hkcmd.exe
C:\WINDOWS\SYSTEM32\bak\igfxtray.exe
DirLook::
C:\Program Files\Shockwave.com
C:\Documents and Settings\All Users\Application Data\Gogii
Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop
http://images.malwareremoval.com/cfscript/CFScript.gif
Referring to the picture above, drag CFScript into ComboFix.exe
In your next reply post:
Jotti results
ComboFix.txt
New HijackThis log taken after the above scan has run
kelly
03-11-2008, 02:01 PM
I'll be on it right away.
kelly
03-11-2008, 02:28 PM
http://virusscan.jotti.org/ results - all returned OK - Found nothing.
I'm running the script right now.
kelly
03-11-2008, 02:51 PM
The ComboFix log is too long for this forum; it's 70,000 and the max here is 25,000. I can put it on a web site and provide a link if you like.
Here's the HiJackThis log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 14:44, on 2008-03-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\drivers\video\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\Downloads\HiJackThis_v2.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mmjb.musicmatch.com/mmjb/process.cgi?REQUEST=HOME
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] c:\drivers\video\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] c:\drivers\video\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ainklrg] "C:\Documents and Settings\John Dunleavy\Application Data\??sembly\s?anregw.exe" 99001275
O4 - HKCU\..\Run: [Rqsr] "C:\Documents and Settings\John Dunleavy\Application Data\s?stem32\n?tepad.exe"
O4 - HKCU\..\Run: [Ddhimgpq] "C:\Documents and Settings\John Dunleavy\Application Data\F?nts\?hkntfs.exe"
O4 - HKCU\..\Run: [Ulmyymfj] "C:\Program Files\Common Files\??crosoft.NET\?pool32.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm028MFUS
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-365764235644} (AtlAtomadersCtlAttrib Class) - http://kraisoft.com/files/realone/atomaders.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197591788752
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BCD5A227-8720-497B-AF5F-4403E94342E3} (CDDM Object) - https://netservices.verizon.net/portal/verizon/passwdchg/activex/DSLControl.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.33/ttinst.cab
O16 - DPF: {C32F59BF-180B-416A-ABF7-161060990A88} - http://download.verizon.net/sfp/Cabs/max_update/cVOLUpdate_1-0-0.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/SpSp29952.40noopt/SpySpotterCabInstall.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
--
End of file - 8261 bytes
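The four HKCU Run entries in the log above (Ainklrg, Rqsr, Ddhimgpq, Ulmyymfj) point at folders under Application Data whose names imitate Windows names ("s?stem32", "F?nts", "??crosoft.NET") with characters HijackThis could not print, shown as "?". As an added triage example, not part of this thread or of HijackThis or ComboFix, the following Python script parses O4 lines, flags entries with unprintable path characters or lookalike folder names, and renders the flagged values in the Registry:: form the helper's CFScript uses; the sample lines are copied from the log above and the list of imitated names is an assumption.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: O4 lines copied from the HijackThis log in this thread,
# four legitimate entries plus the four HKCU entries the helper's CFScript removes.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] c:\drivers\video\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ainklrg] "C:\Documents and Settings\John Dunleavy\Application Data\??sembly\s?anregw.exe" 99001275
O4 - HKCU\..\Run: [Rqsr] "C:\Documents and Settings\John Dunleavy\Application Data\s?stem32\n?tepad.exe"
O4 - HKCU\..\Run: [Ddhimgpq] "C:\Documents and Settings\John Dunleavy\Application Data\F?nts\?hkntfs.exe"
O4 - HKCU\..\Run: [Ulmyymfj] "C:\Program Files\Common Files\??crosoft.NET\?pool32.exe"
"""

# O4 line shape: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

# Windows names the lookalike folders imitate (assumed list; extend as needed).
SYSTEM_NAMES = sorted({"system32", "assembly", "fonts", "microsoft.net",
                       "notepad.exe", "chkntfs.exe"})

# Maps the abbreviated hive in the log to the form used in the CFScript stanza.
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}


def executable_path(cmd):
    """Extract the program path from a Run value's command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|com|scr|bat|pif))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def lookalikes(path):
    """Path components that equal a Windows name only if their '?' are wildcards."""
    hits = []
    for part in path.split("\\"):
        low = part.lower()
        if "?" not in low:
            continue
        for name in SYSTEM_NAMES:
            if fnmatchcase(name, low):
                hits.append((part, name))
    return hits


def triage_o4(log_text):
    """Flag Run entries whose path has unprintable characters or mimics a Windows name."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path = executable_path(m.group("cmd"))
        reasons = []
        if "?" in path:
            reasons.append("unprintable characters in path")
        mimic = lookalikes(path)
        if mimic:
            reasons.append("mimics " + ", ".join(f"{p} -> {n}" for p, n in mimic))
        if reasons:
            findings.append({"hive": m.group("hive"), "name": m.group("name"),
                             "path": path, "reasons": reasons})
    return findings


def cfscript_registry_stanza(findings):
    """Render flagged Run values in the Registry:: form seen in the helper's CFScript."""
    lines = ["Registry::"]
    by_hive = {}
    for f in findings:
        by_hive.setdefault(f["hive"], []).append(f["name"])
    for hive, names in by_hive.items():
        lines.append(f"[{HIVES.get(hive, hive)}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]")
        lines.extend(f'"{n}"=-' for n in names)
    return "\n".join(lines)


if __name__ == "__main__":
    hits = triage_o4(SAMPLE_LOG)
    for h in hits:
        print(f'{h["hive"]} [{h["name"]}] {h["path"]}\n    ' + "; ".join(h["reasons"]))
    print()
    print(cfscript_registry_stanza(hits))
```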
kelly
03-11-2008, 02:59 PM
Here's a link to the ComboFix log www.dipiano.net/ComboFIx_log1400.txt
c:\drivers\video\igfxtray.exe
c:\drivers\video\hkcmd.exe
Both of those are familiar to decent techs and unnecessary. Neither of them is malware.
Scotty
03-11-2008, 05:24 PM
I'm sure they are known to decent techs, Seth, but they are in unfamiliar locations to me and I couldn't just overlook them. Researching those locations mainly turned up logs with AWF; that's why I had them scanned.
Scotty
03-11-2008, 05:28 PM
Remember to disconnect from the Internet before carrying out the next instruction, and to save the following script before you do.
Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C
KillAll::
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ainklrg"=-
"Rqsr"=-
"Ddhimgpq"=-
"Ulmyymfj"=-
Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop
http://images.malwareremoval.com/cfscript/CFScript.gif
Referring to the picture above, drag CFScript into ComboFix.exe
Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
+ Extended(If available otherwise Standard)
Scan Options:
+ Scan Archives
+ Scan Mail Bases
Click OK
Now under "Select a target to scan", select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.
With the exception of Internet Explorer, which is needed for the Kaspersky Scan, keep ALL programs closed until the scan is complete. This includes your anti-virus. Once you have installed the Scanner and the updated definitions, you can disconnect from the Internet. Re-enable the anti-virus before reconnecting to the Internet.
In your next reply post:
Kaspersky report
ComboFix.txt
New HijackThis log taken after the above scan has run
I'm sure they are known to decent techs, Seth, but they are in unfamiliar locations to me and I couldn't just overlook them. Researching those locations mainly turned up logs with AWF; that's why I had them scanned.
That's cool Scotty.:)
Good luck my friend.
kelly
03-11-2008, 05:42 PM
Scotty - I'm calling it a day right now. So I'll get to the script you provided maybe later tonight. I can't do it tomorrow early because I have a meeting to attend. I may get back to it later in the day. If not, then on Thursday.
Thanks for all the help. I'm learning new tools. Can you talk to what these scripts are doing and what SDFix and ComboFix are doing so that members of this forum have an understanding of what's happening in the background?
Again, thank you for the help.
Scotty
03-11-2008, 06:17 PM
I hope you understand the developers of these tools don't want the ins and outs of them being discussed in public, for good reason. Not that I really know how they work, as I've no clue about programming or the like.
I used SDFix first because it targets SDBots specifically and would remove its associations too.
ComboFix targets a number of different infections; then I can see from its different reports what else needs to go and write a script to remove them.
Which took me an hour on this one because I had to do a fair bit of researching.:smash:
Now maybe I can get a bit of tech input from yourself and Seth.
As I said above, I've never seen those two files in that location before, but it appears to be common. Is that a normal location instead of System32?
kelly
03-11-2008, 06:32 PM
Thanks - understood. I've seen the files that Seth mentioned, however, I haven't taken note as to their normal location.
allheart55
03-11-2008, 10:39 PM
As I said above, I've never seen those two files in that location before, but it appears to be common. Is that a normal location instead of System32?
Scotty, The files, (c:\drivers\video\igfxtray.exe) and (c:\drivers\video\hkcmd.exe) are normally run in (c:\windows\system32)
Scotty
03-12-2008, 04:44 AM
That's what I thought, and why I was suspicious of them. I'll ask around about them.
That's what I thought, and why I was suspicious of them. I'll ask around about them.
Please do, as I was profoundly hammered when writing my last two posts. I'm interested in the outcome.
Both of those executables are relevant, but the path is not. I just assumed HP and Dell had even crazier rules than Blockbuster..lol
Meh...you win some, you lose some.
Scotty
03-12-2008, 05:27 PM
Hello Seth
Still waiting for a definitive answer, but I've been looking around and those files tend to disappear once the original uninfected copies are pulled out of the Bak folders.
Just waiting for Kelly to come back.
kelly
03-12-2008, 05:59 PM
Scotty - I'm back on it. Right now I'm just about done with the Kaspersky scan. I'll post the log files probably within the next 30 minutes. I can see that the scan has already found 4 viruses, 5 infected objects, and one suspicious object.
kelly
03-12-2008, 06:06 PM
You bet!!! Stay tuned, the Kaspersky scan just completed.
kelly
03-12-2008, 06:12 PM
KASPERSKY ONLINE SCANNER REPORT
2008-03-12 18:07
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/03/2008
Kaspersky Anti-Virus database records: 626238
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
Scan Statistics:
Total number of scanned objects: 112053
Number of viruses found: 4
Number of infected objects: 5
Number of suspicious objects: 1
Duration of the scan process: 01:38:14
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\John Dunleavy\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\John Dunleavy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\John Dunleavy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\John Dunleavy\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\John Dunleavy\Local Settings\History\History.IE5\MSHist012008031220080313\index.dat Object is locked skipped
C:\Documents and Settings\John Dunleavy\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\John Dunleavy\ntuser.dat Object is locked skipped
C:\Documents and Settings\John Dunleavy\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Downloads\AntWar_Setup-dm[1].exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped
C:\Program Files\Activision\Asteroids\asteroids.exe Suspicious: Type_Win32 skipped
C:\QooBox\Quarantine\C\Program Files\AdVantage\AdVantage.exe.vir Infected: not-a-virus:AdTool.Win32.WhenU.t skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\thvsfvlg.dat.vir Object is locked skipped
C:\QooBox\Quarantine\catchme2008-03-11_ 93839.04.zip/thvsfvlg.dat Infected: Trojan.Win32.BHO.bbo skipped
C:\QooBox\Quarantine\catchme2008-03-11_ 93839.04.zip ZIP: infected - 1 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0000134.exe Infected: not-a-virus:AdTool.Win32.WhenU.t skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{757FFFEB-6FCE-4E2D-8F08-2590F3FAE653}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
kelly
03-12-2008, 06:13 PM
ComboFix 08-03-10.1 - John Dunleavy 2008-03-12 15:08:06.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.157 [GMT -4:00]
Running from: C:\Downloads\ComboFix.exe
Command switches used :: C:\Downloads\CFScript2.txt
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-02-12 to 2008-03-12 )))))))))))))))))))))))))))))))
.
2008-03-11 08:53 . 2008-03-11 08:53 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-11 08:45 . 2008-03-11 09:24 <DIR> d-------- C:\SDFix
2008-03-11 07:30 . 2008-03-11 07:30 <DIR> d-------- C:\Documents and Settings\Administrator.D3XXK931\Application Data\SUPERAntiSpyware.com
2008-03-10 14:55 . 2007-01-18 08:00 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgArCln.sys
2008-03-09 09:13 . 2008-03-10 16:57 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-09 09:13 . 2008-03-09 09:13 <DIR> d-------- C:\Documents and Settings\John Dunleavy\Application Data\Malwarebytes
2008-03-09 09:13 . 2008-03-09 09:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-08 16:19 . 2008-03-08 16:19 5 --a------ C:\WINDOWS\SYSTEM32\SndDrv32ds_k.ods
2008-03-08 16:19 . 2008-03-08 16:19 5 --ahs---- C:\WINDOWS\SYSTEM32\AuxDrv32ds_k.ods
2008-03-08 16:18 . 2008-03-08 16:19 <DIR> d-------- C:\Program Files\jv16 PowerTools 2005
2008-03-08 15:32 . 2008-03-08 15:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-08 15:31 . 2008-03-08 15:31 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-08 15:31 . 2008-03-08 15:31 <DIR> d-------- C:\Documents and Settings\John Dunleavy\Application Data\SUPERAntiSpyware.com
2008-03-08 15:30 . 2008-03-08 15:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-08 15:28 . 2008-03-08 15:28 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-08 15:28 . 2008-03-10 15:12 <DIR> d-------- C:\Documents and Settings\John Dunleavy\Application Data\AVG7
2008-03-08 15:27 . 2008-03-08 15:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-08 15:27 . 2008-03-09 10:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-07 18:37 . 2008-03-07 18:37 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-03-07 18:23 . 2006-08-21 05:14 128,896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmgr.sys
2008-03-07 18:23 . 2006-08-21 05:14 23,040 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmc.exe
2008-03-07 18:23 . 2006-08-21 08:21 16,896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltlib.dll
2008-03-07 18:13 . 2007-07-09 09:09 584,192 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
2008-03-07 17:51 . 2008-03-07 17:51 <DIR> d---s---- C:\Documents and Settings\Administrator.D3XXK931\UserData
2008-03-07 17:51 . 2008-03-07 17:51 664 --a------ C:\WINDOWS\SYSTEM32\d3d9caps.dat
2008-03-07 17:47 . 2003-08-15 20:06 <DIR> d-------- C:\Documents and Settings\Administrator.D3XXK931\WINDOWS
2008-03-07 17:47 . 2005-06-01 21:27 <DIR> d-------- C:\Documents and Settings\Administrator.D3XXK931\Application Data\Gtek
2008-03-07 16:47 . 2004-08-04 01:56 221,184 --a------ C:\WINDOWS\SYSTEM32\wmpns.dll
2008-03-07 16:41 . 2008-03-07 16:41 <DIR> d-------- C:\WINDOWS\provisioning
2008-03-07 16:31 . 2008-03-07 16:31 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-03-07 16:13 . 2008-03-07 16:13 <DIR> d-------- C:\WINDOWS\EHome
2008-02-16 18:54 . 2008-02-16 18:54 <DIR> d-------- C:\Documents and Settings\John Dunleavy\Application Data\Yahoo!
2008-02-16 14:54 . 2008-02-16 14:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Gogii
2008-02-16 14:50 . 2008-02-16 14:52 <DIR> d-------- C:\Program Files\Shockwave.com
2008-02-12 21:24 . 2008-03-07 17:51 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-12 21:24 . 2008-02-12 21:24 1,409 --a------ C:\WINDOWS\QTFont.for
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-11 18:34 --------- d-----w C:\Program Files\QuickTime
2008-03-11 18:34 --------- d-----w C:\Program Files\iTunes
2008-03-11 18:34 --------- d-----w C:\Program Files\Dell Support
2008-03-11 18:34 --------- d-----w C:\Program Files\Dell AIO Printer A940
2008-03-11 18:34 --------- d-----w C:\Program Files\AIM
2008-03-08 20:11 --------- d-----w C:\Program Files\Yahoo!
2008-03-08 19:53 --------- d-----w C:\Program Files\Google
2008-03-06 21:11 --------- d-----w C:\Program Files\Sandbox of God
2008-03-06 21:11 --------- d-----w C:\Program Files\Bird Hunter
2008-02-17 20:14 --------- d-----w C:\Program Files\Yahoo! Games
2008-02-17 20:09 --------- d-----w C:\Documents and Settings\John Dunleavy\Application Data\LimeWire
2008-01-28 23:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Citrix
2008-01-28 22:52 --------- d-----w C:\Documents and Settings\John Dunleavy\Application Data\McAfee
2008-01-28 01:12 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2006-05-31 13:14 108,056 ----a-w C:\Program Files\Common Files\secman.dll
2006-03-11 23:09 626,176 ----a-w C:\Program Files\Common Files\osmax.ocx
.
((((((((((((((((((((((((((((( snapshot@2008-03-11_ 9.44.35.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 05:56:50 15,360 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ctfmon.exe
+ 2003-04-07 05:07:38 114,688 ----a-w C:\WINDOWS\SYSTEM32\hkcmd.exe
+ 2003-04-07 05:19:52 155,648 ----a-w C:\WINDOWS\SYSTEM32\igfxtray.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\drivers\video\igfxtray.exe" [2003-04-07 01:19 155648]
"HotKeysCmds"="c:\drivers\video\hkcmd.exe" [2003-04-07 01:07 114688]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 49152]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-08-15 20:09 151597]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-08 15:29 579072]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-08 15:28 219136]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-08-15 20:04:41 24576]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24 210520]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIMPro]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
--a------ 2004-10-20 10:40 34904 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-06-14 16:24 278528 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Visual Enhance V2.1]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
c:\program files\musicmatch\musicmatch jukebox\bak\mm_tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\MSMSGS.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-12-07 19:18 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Cleaner]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MCVSRte"=2 (0x2)
"McShield"=3 (0x3)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
"2008-02-18 18:48:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-28 23:03:08 C:\WINDOWS\Tasks\McAfee Cleanup.job"
- C:\DOCUME~1\JOHNDU~1\LOCALS~1\Temp\MCPR.tmp\mccleanup.exeC-p mpfpcu,mpfp,mps,shred,mpscu,mskcu,msk,emproxy,mas,fwdriver,hw,mbk,mcproxy,mhn,mqccu,mqc,shrd,nmc,redir,mna,mwl,msad,vs,msc,mcpr -log
"2008-03-12 19:21:00 C:\WINDOWS\Tasks\McAfee.com Update Check (D3XXK931-Anna).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.ex
- C:\PROGRA~1\McAfee.com\Agent
"2008-03-12 19:20:00 C:\WINDOWS\Tasks\McAfee.com Update Check (D3XXK931-John Dunleavy).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.ex
- C:\PROGRA~1\McAfee.com\Agent
"2008-03-12 19:23:00 C:\WINDOWS\Tasks\McAfee.com Update Check (D3XXK931-Owner).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.ex
- C:\PROGRA~1\McAfee.com\Agent
"2008-02-20 00:07:40 C:\WINDOWS\Tasks\WebReg Photosmart C6200 series.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-12 15:15:56
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2008-03-12 15:24:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-12 19:24:47
ComboFix2.txt 2008-03-11 18:40:57
ComboFix3.txt 2008-03-11 13:45:05
.
2008-03-08 20:09:18
kelly
03-12-2008, 06:15 PM
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 18:14, on 2008-03-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\drivers\video\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Downloads\HiJackThis_v2.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mmjb.musicmatch.com/mmjb/process.cgi?REQUEST=HOME
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] c:\drivers\video\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] c:\drivers\video\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm028MFUS
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/insta