Full Version: Virtumonde/win32 trojans
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Resolved/Inactive HijackThis Logs
jennifer234
Below are the Ad-Aware, HijackThis and ComboFix logs.

ComboFix removed Online Security Guide and Online Safety Center until it rebooted. I haven't had any luck with VundoFix.

I am getting the following pop-ups:

psw.x-vir trojan
trojan-spy.win32@mx
Online Security Guide icon
Online Safety Center icon
black door trojan
spyware.cyberlog-x
conhook
downloader windownloader.32
vundo
virtumonde
win32:adware-gen
net worm-i.virus@fp
win32.trojandownloader
win32.trojan BHO
win32.myzov.fk@yf
win32:tiny-jc trojan

I constantly scan with Spyware Doctor, avast, Adware SE, ave, vundo.exe and it all just keeps coming back.


Here is my HijackThis log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:10:03 PM, on 11/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Dell TrueMobile 5100\GPRS Manager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\oizilxds.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GPRSManager] "C:\Program Files\Dell TrueMobile 5100\GPRS Manager.exe" -startup
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [108a7acf] rundll32.exe "C:\WINDOWS\system32\qindmjjh.dll",b
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Togd] C:\WINDOWS\System32\l?######.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Togd] C:\WINDOWS\System32\l?######.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: *.meditech.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192567340986
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup162.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 4706 bytes

Ad-Aware SE Build 1.06r1
Logfile Created on:Wednesday, November 28, 2007 2:37:18 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R206 28.11.2007
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Adware.BHO(generic)(TAC index:3):1 total references
AntivirusPCSuite(TAC index:3):1 total references
MRU List(TAC index:0):3 total references
Other(TAC index:5):2 total references
Tracking Cookie(TAC index:3):1 total references
Win32.Trojan.BHO(TAC index:10):2 total references
Win32.TrojanDownloader.Obfuscated(TAC index:10):25 total references
Win32.Trojandownloader.Zlob(TAC index:10):9 total references
Virtumonde(TAC index:10):11 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


11-28-2007 2:37:18 PM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\David Miloy\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-4201666385-3808933256-4059771499-1008\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 748
ThreadCreationTime : 11-28-2007 7:32:43 PM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 796
ThreadCreationTime : 11-28-2007 7:32:48 PM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 1420
ThreadCreationTime : 11-28-2007 7:32:52 PM
BasePriority : High


Adware.BHO(generic) Object Recognized!
Type : Process
Data : bjzfezxx.dll
TAC Rating : 3
Category : Adware
Comment : upowmocq.dll.dmp
Object : C:\WINDOWS\system32\


Warning! Adware.BHO(generic) Object found in memory(C:\WINDOWS\system32\bjzfezxx.dll)


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1468
ThreadCreationTime : 11-28-2007 7:32:55 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1480
ThreadCreationTime : 11-28-2007 7:32:55 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [ati2evxx.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1700
ThreadCreationTime : 11-28-2007 7:33:03 PM
BasePriority : Normal


#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1732
ThreadCreationTime : 11-28-2007 7:33:05 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1796
ThreadCreationTime : 11-28-2007 7:33:10 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1936
ThreadCreationTime : 11-28-2007 7:33:11 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 128
ThreadCreationTime : 11-28-2007 7:33:13 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 384
ThreadCreationTime : 11-28-2007 7:33:18 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:12 [aswupdsv.exe]
FilePath : C:\Program Files\Alwil Software\Avast4\
ProcessID : 724
ThreadCreationTime : 11-28-2007 7:33:22 PM
BasePriority : Normal
FileVersion : 4, 7, 1043, 0
ProductVersion : 4, 7, 0, 0
ProductName : avast! Antivirus
CompanyName : ALWIL Software
FileDescription : avast! Antivirus updating service
InternalName : aswUpdSv.exe
LegalCopyright : Copyright © 2007 ALWIL Software
OriginalFilename : aswUpdSv.exe

#:13 [ashserv.exe]
FilePath : C:\Program Files\Alwil Software\Avast4\
ProcessID : 1180
ThreadCreationTime : 11-28-2007 7:33:27 PM
BasePriority : High
FileVersion : 4, 7, 1043, 0
ProductVersion : 4, 7, 0, 0
ProductName : avast! Antivirus
CompanyName : ALWIL Software
FileDescription : avast! antivirus service
InternalName : aswServ
LegalCopyright : Copyright © 2007 ALWIL Software
OriginalFilename : aswServ.exe

#:14 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1312
ThreadCreationTime : 11-28-2007 7:33:31 PM
BasePriority : Normal
FileVersion : 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234)
ProductVersion : 6.00.2900.3156
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

Win32.Trojandownloader.Zlob Object Recognized!
Type : Process
Data : bjzfezxx.dll
TAC Rating : 10
Category : Malware
Comment :
Object : C:\WINDOWS\system32\



Win32.Trojan.BHO Object Recognized!
Type : Process
Data : mwqblmcv.dll
TAC Rating : 10
Category : Malware
Comment : ynlqkntr.dll.dmp
Object : C:\WINDOWS\system32\


Warning! Win32.Trojan.BHO Object found in memory(C:\WINDOWS\system32\mwqblmcv.dll)


#:15 [spoolsv.exe]




ComboFix log

ComboFix 07-11-19.4C - David Miloy 2007-11-28 18:44:22.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.182 [GMT -6:00]
Running from: C:\Documents and Settings\David Miloy\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\David Miloy\Desktop\Live Safety Center.lnk
C:\Documents and Settings\David Miloy\Desktop\Online Security Guide.lnk
C:\Documents and Settings\David Miloy\Favorites\Online Security Guide.lnk
C:\Program Files\Common Files\uninstall information
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\xOe
C:\Temp\xOe\tOasF.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\bjzfezxx.dllbox
C:\WINDOWS\system32\cbayy.dll
C:\WINDOWS\SYSTEM32\fnonwxrl.ini
C:\WINDOWS\system32\lrxwnonf.dll
C:\WINDOWS\system32\oizilxds.dllbox
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\q21
C:\WINDOWS\system32\vMW02a
C:\WINDOWS\system32\xfgktelp.exe
C:\WINDOWS\SYSTEM32\yyabc.bak1
C:\WINDOWS\SYSTEM32\yyabc.bak2
C:\WINDOWS\SYSTEM32\yyabc.ini
C:\WINDOWS\SYSTEM32\yyabc.ini2
C:\WINDOWS\SYSTEM32\yyabc.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-29 )))))))))))))))))))))))))))))))
.

2007-11-28 18:44 4,672 --a------ C:\WINDOWS\SYSTEM32\bshfridj.exe
2007-11-28 18:41 789,349 --ahs---- C:\WINDOWS\SYSTEM32\gohpkejw.ini
2007-11-28 18:41 85,056 --a------ C:\WINDOWS\SYSTEM32\wjekphog.dll
2007-11-28 18:38 81,984 --a------ C:\WINDOWS\SYSTEM32\uldwslbr.dll
2007-11-28 18:35 789,496 --ahs---- C:\WINDOWS\SYSTEM32\nesjxxak.ini
2007-11-28 16:02 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-28 15:09 81,984 --a------ C:\WINDOWS\SYSTEM32\nocynnpd.dll
2007-11-28 15:03 789,496 --ahs---- C:\WINDOWS\SYSTEM32\hjjmdniq.ini
2007-11-28 15:00 145,984 --a------ C:\WINDOWS\SYSTEM32\oizilxds.dll
2007-11-28 14:40 789,349 --ahs---- C:\WINDOWS\SYSTEM32\kwshddov.ini
2007-11-28 14:38 81,984 --a------ C:\WINDOWS\SYSTEM32\kxdhtjpg.dll
2007-11-28 13:58 <DIR> d-------- C:\Deckard
2007-11-28 13:55 789,349 --ahs---- C:\WINDOWS\SYSTEM32\cgplsegi.ini
2007-11-28 13:09 789,418 --ahs---- C:\WINDOWS\SYSTEM32\lwwllanw.ini
2007-11-28 13:06 81,984 --a------ C:\WINDOWS\SYSTEM32\ybbqybvy.dll
2007-11-28 12:26 81,984 --a------ C:\WINDOWS\SYSTEM32\imafsmcr.dll
2007-11-28 12:23 789,349 --ahs---- C:\WINDOWS\SYSTEM32\hylndfhy.ini
2007-11-28 12:16 789,349 --ahs---- C:\WINDOWS\SYSTEM32\tdqlkflt.ini
2007-11-28 12:13 81,984 --a------ C:\WINDOWS\SYSTEM32\vgrnjghk.dll
2007-11-28 10:50 789,821 --ahs---- C:\WINDOWS\SYSTEM32\kwspuihb.ini
2007-11-28 10:47 81,984 --a------ C:\WINDOWS\SYSTEM32\wephjbxc.dll
2007-11-27 21:31 784,675 --ahs---- C:\WINDOWS\SYSTEM32\geuflfjb.ini
2007-11-27 21:26 78,912 --a------ C:\WINDOWS\SYSTEM32\haskhybj.dll
2007-11-27 08:04 784,547 --ahs---- C:\WINDOWS\SYSTEM32\jstvdbpq.ini
2007-11-27 07:58 78,912 --a------ C:\WINDOWS\SYSTEM32\cknpbgvs.dll
2007-11-26 22:58 80,960 --a------ C:\WINDOWS\SYSTEM32\otjferug.dll
2007-11-26 22:52 780,986 --ahs---- C:\WINDOWS\SYSTEM32\jktchpkd.ini
2007-11-26 18:26 80,960 --a------ C:\WINDOWS\SYSTEM32\hlbfrvds.dll
2007-11-26 18:23 780,395 --ahs---- C:\WINDOWS\SYSTEM32\xsivihfu.ini
2007-11-26 18:06 80,960 --a------ C:\WINDOWS\SYSTEM32\wlakoryg.dll
2007-11-26 17:59 780,275 --ahs---- C:\WINDOWS\SYSTEM32\enncykgj.ini
2007-11-26 17:49 80,960 --a------ C:\WINDOWS\SYSTEM32\wycusbmd.dll
2007-11-26 16:38 780,335 --ahs---- C:\WINDOWS\SYSTEM32\ioylfafn.ini
2007-11-26 15:34 780,275 --ahs---- C:\WINDOWS\SYSTEM32\ligbacvb.ini
2007-11-26 15:12 780,275 --ahs---- C:\WINDOWS\SYSTEM32\tyoeukhn.ini
2007-11-26 10:31 780,935 --ahs---- C:\WINDOWS\SYSTEM32\twhlgdmc.ini
2007-11-26 09:22 79,936 --a------ C:\WINDOWS\SYSTEM32\yccaeews.dll
2007-11-26 08:19 79,936 --a------ C:\WINDOWS\SYSTEM32\xkemiqqc.dll
2007-11-25 19:15 781,104 --ahs---- C:\WINDOWS\SYSTEM32\flskjjny.ini
2007-11-25 19:09 79,936 --a------ C:\WINDOWS\SYSTEM32\eeopusiu.dll
2007-11-23 11:51 776,210 --ahs---- C:\WINDOWS\SYSTEM32\sroisojc.ini
2007-11-23 11:26 775,952 --ahs---- C:\WINDOWS\SYSTEM32\uhfpkvhq.ini
2007-11-23 11:23 <DIR> d-------- C:\VundoFix Backups
2007-11-23 11:23 83,520 --a------ C:\WINDOWS\SYSTEM32\ywojmixc.dll
2007-11-23 10:54 750 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-11-23 10:53 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2007-11-23 10:53 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-11-23 10:53 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2007-11-23 10:14 769,501 --ahs---- C:\WINDOWS\SYSTEM32\wpamwber.ini
2007-11-22 09:48 79,936 --a------ C:\WINDOWS\SYSTEM32\imircynv.dll
2007-11-22 09:44 737,078 --ahs---- C:\WINDOWS\SYSTEM32\fxrbgfiw.ini
2007-11-21 19:07 1,133,982 --ahs---- C:\WINDOWS\SYSTEM32\ehorwsyb.ini
2007-11-21 19:04 80,960 --a------ C:\WINDOWS\SYSTEM32\faaixvtd.dll
2007-11-21 12:58 1,133,886 --ahs---- C:\WINDOWS\SYSTEM32\jkgbgnhw.ini
2007-11-21 12:55 80,960 --a------ C:\WINDOWS\SYSTEM32\enwfagmm.dll
2007-11-21 10:24 1,311,489 --ahs---- C:\WINDOWS\SYSTEM32\fxcdbrbr.ini
2007-11-20 19:12 689,463 --ahs---- C:\WINDOWS\SYSTEM32\bcvgyjdh.ini
2007-11-20 16:31 689,343 --ahs---- C:\WINDOWS\SYSTEM32\gmpdoaou.ini
2007-11-20 10:55 84,544 --a------ C:\WINDOWS\SYSTEM32\ftcvgwth.dll
2007-11-20 10:52 689,223 --ahs---- C:\WINDOWS\SYSTEM32\ojbdomsx.ini
2007-11-20 08:26 1,489,843 --ahs---- C:\WINDOWS\SYSTEM32\gwuoopao.ini
2007-11-19 18:38 1,435,264 --ahs---- C:\WINDOWS\SYSTEM32\cgndsdtr.ini
2007-11-19 18:34 83,008 --a------ C:\WINDOWS\SYSTEM32\jepeudhi.dll
2007-11-19 14:47 83,008 --a------ C:\WINDOWS\SYSTEM32\utiobybi.dll
2007-11-19 14:44 1,436,198 --ahs---- C:\WINDOWS\SYSTEM32\oghdsgjn.ini
2007-11-19 13:19 1,434,672 --ahs---- C:\WINDOWS\SYSTEM32\uakinxxy.ini
2007-11-19 08:16 1,363,726 --ahs---- C:\WINDOWS\SYSTEM32\gvugfade.ini
2007-11-19 08:16 83,008 --a------ C:\WINDOWS\SYSTEM32\hefacclx.dll
2007-11-17 23:32 79,424 --a------ C:\WINDOWS\SYSTEM32\ngapbbmg.dll
2007-11-17 23:29 1,368,124 --ahs---- C:\WINDOWS\SYSTEM32\mibnbeng.ini
2007-11-16 16:49 81,984 --a------ C:\WINDOWS\SYSTEM32\ffexmxqw.dll
2007-11-16 16:44 1,278,015 --ahs---- C:\WINDOWS\SYSTEM32\kgvxefxm.ini
2007-11-15 07:51 79,936 --a------ C:\WINDOWS\SYSTEM32\mhhphvlx.dll
2007-11-14 17:01 79,424 --a------ C:\WINDOWS\SYSTEM32\cnjhsbjs.dll
2007-11-13 18:44 1,247,526 --ahs---- C:\WINDOWS\SYSTEM32\umhamqna.ini
2007-11-13 09:11 669,173 --ahs---- C:\WINDOWS\SYSTEM32\bxyluqml.ini
2007-11-12 20:13 590,434 --ahs---- C:\WINDOWS\SYSTEM32\uglbmvcw.ini
2007-11-12 20:06 81,472 --a------ C:\WINDOWS\SYSTEM32\cyuracvd.dll
2007-11-12 18:09 89,664 --a------ C:\WINDOWS\SYSTEM32\oshiwajq.dll
2007-11-12 16:10 81,472 --a------ C:\WINDOWS\SYSTEM32\vepygiec.dll
2007-11-12 14:07 530,594 --ahs---- C:\WINDOWS\SYSTEM32\vrjqkuly.ini
2007-11-11 22:56 524,806 --ahs---- C:\WINDOWS\SYSTEM32\gvygqkfo.ini
2007-11-11 17:31 581,718 --ahs---- C:\WINDOWS\SYSTEM32\ftdaudne.ini
2007-11-10 17:32 563,849 --ahs---- C:\WINDOWS\SYSTEM32\jmpxlrxb.ini
2007-11-07 21:50 563,684 --ahs---- C:\WINDOWS\SYSTEM32\ohnjbwdb.ini
2007-11-06 17:59 563,624 --ahs---- C:\WINDOWS\SYSTEM32\sxmjaqsc.ini
2007-11-05 17:55 569,755 --ahs---- C:\WINDOWS\SYSTEM32\xlvkkxyd.ini
2007-11-04 18:08 577,085 --ahs---- C:\WINDOWS\SYSTEM32\elgdqthr.ini
2007-11-03 15:04 576,923 --ahs---- C:\WINDOWS\SYSTEM32\ddvwgmtt.ini
2007-11-02 10:36 576,172 --ahs---- C:\WINDOWS\SYSTEM32\xvtclwkv.ini
2007-10-31 07:31 1,226,670 --ahs---- C:\WINDOWS\SYSTEM32\thlwpxqk.ini
2007-10-30 10:01 <DIR> d-------- C:\Program Files\RegCure
2007-10-30 09:51 <DIR> d-------- C:\Program Files\XoftSpySE
2007-10-30 07:29 1,259,461 --ahs---- C:\WINDOWS\SYSTEM32\yrjwiqvm.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-28 19:09 --------- d-----w C:\Program Files\Spyware Doctor
2007-11-23 18:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-23 18:51 --------- d-----w C:\Program Files\Dell
2007-11-18 18:23 --------- d-----w C:\Documents and Settings\David Miloy\Application Data\dvdcss
2007-11-13 23:10 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-11-12 21:06 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-25 13:54 --------- d-----w C:\Program Files\TOPO!
2007-10-23 15:02 --------- d-----w C:\Program Files\QuickTime
2007-10-16 21:53 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-16 19:45 --------- d-----w C:\Program Files\Dell TrueMobile 5100
2007-10-16 19:45 --------- d-----w C:\Program Files\Common Files\Paltalk
2007-10-09 20:36 --------- d-----w C:\Program Files\CCleaner
2007-10-09 02:04 294,668 ----a-w C:\WINDOWS\frexup2.exe
2007-10-04 22:11 29,000 ----a-w C:\WINDOWS\system32\drivers\kcom.sys
2007-10-04 22:10 79,688 ----a-w C:\WINDOWS\system32\drivers\iksyssec.sys
2007-10-04 22:10 62,280 ----a-w C:\WINDOWS\system32\drivers\iksysflt.sys
2007-10-04 22:10 41,288 ----a-w C:\WINDOWS\system32\drivers\ikfilesec.sys
2006-12-09 17:48 107,257,856 -c--a-w C:\Program Files\GNC400_Trainer_5.01.exe
2006-12-05 03:34 8,282,187 -c--a-w C:\Program Files\vlc-0.8.5-win32.exe
2006-11-29 02:38 12,343,168 -c--a-w C:\Program Files\setupengpro.exe
2006-11-08 00:58 10,435,793 -c--a-w C:\Program Files\MP10Setup.exe
2006-10-10 17:30 1,439,644 -c--a-w C:\Program Files\TarasconPalm_41_125.zip
2006-10-10 17:17 5,523,284 -c--a-w C:\Program Files\TarasconPalm_OE_v02_02_09.exe
2006-10-06 17:39 16,141,867 -c--a-w C:\Program Files\PalmDesktopWin414EN.zip
2006-09-23 23:17 1,248,544 -c--a-w C:\Program Files\abasetup162.exe
2006-09-12 01:12 22,083,376 -c--a-w C:\Program Files\QuickTimeInstaller.exe
2006-09-02 14:49 13,951,112 -c--a-w C:\Program Files\MPSetup.exe
2006-09-02 14:42 1,416,944 -c--a-w C:\Program Files\WM9Codecs.exe
2006-09-02 04:43 15,030,904 -c--a-w C:\Program Files\DivXInstaller.exe
2006-06-29 03:19 26,904 -c--a-w C:\Documents and Settings\David Miloy\Application Data\GDIPFONTCACHEV1.DAT
2006-06-20 03:07 22 -c--a-w C:\Program Files\EMPG2_Dec_Strm_Pack_3_0.zip
2006-06-20 02:17 166,144 -c--a-w C:\Program Files\DECCHECKSetup.EXE
2006-04-05 22:46 369,228 --sha-w C:\WINDOWS\SYSTEM32\jkllm.bak1
2006-04-08 22:46 505,558 --sha-w C:\WINDOWS\SYSTEM32\jkllm.bak2
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 75,392 2007-04-18 16:13:25 C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe
----a-w 79,224 2007-09-06 10:06:09 C:\Program Files\Alwil Software\Avast4\ashDisp.exe

----a-w 327,680 2003-05-22 22:15:00 C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

----a-w 180,269 2006-07-19 01:17:13 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 110,592 2004-01-07 06:01:00 C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe

----a-w 282,624 2006-09-12 01:14:30 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\SYSTEM32\bak\ctfmon.exe

----a-w 28,672 2003-08-13 16:27:40 C:\WINDOWS\SYSTEM32\bak\DSentry.exe

----a-w 122,939 2004-08-13 06:05:00 C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01171248-d66d-432f-b8dd-d1aa9b915d71}]
2007-11-28 18:38 81984 --a------ C:\WINDOWS\system32\uldwslbr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{899ADFAA-6451-435D-AF41-7FD5E65DA81F}]
C:\Program Files\Windows NT\nixyjeqoC:\WINDOWS\SYSTEM32\q21\ade83122.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-28 15:00 145984 --a------ C:\WINDOWS\system32\oizilxds.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\oizilxds.dll [2007-11-28 15:00 145984]

[HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 04:06]
"GPRSManager"="C:\Program Files\Dell TrueMobile 5100\GPRS Manager.exe" [2003-08-15 10:10]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-28 17:17 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"RegistryMechanic"="" []
"108a7acf"="C:\WINDOWS\system32\wjekphog.dll" [2007-11-28 18:41]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Togd"="C:\WINDOWS\System32\l?######.exe" [2004-08-04 01:56]

C:\Documents and Settings\David Miloy\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Palm\HOTSYNC.EXE [2004-04-13 16:03:10]
SonicWALL Global VPN Client.lnk - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVpnClient.exe [2005-10-31 07:14:39]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06]
PowerReg Scheduler.exe [2004-03-09 17:52:37]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-07-29 20:49:48]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bjzfezxx]
bjzfezxx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebywvs]
gebywvs.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllkj]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\oizilxds]
oizilxds.dll 2007-11-28 15:00 145984 C:\WINDOWS\SYSTEM32\oizilxds.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\cbayy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

R1 RCFOX;SonicWALL IPsec Driver;\??\C:\WINDOWS\system32\Drivers\RCFOX.sys
R3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys
S3 afrhkwl;afrhkwl;\??\C:\WINDOWS\system32\fhyhsubc\afrhkwl
S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\CBTNDIS5.SYS
S3 kyushgc;kyushgc;\??\C:\WINDOWS\system32\tckt\kyushgc
S3 niuqajh;niuqajh;\??\C:\WINDOWS\system32\tnirvsta\niuqajh.sys
S3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM4.sys
S3 PNDIS5;PNDIS5 NDIS Protocol Driver;\??\D:\PNDIS5.SYS
S3 WPC300N;Linksys Wireless Notebook Adapter WPC300N Driver;C:\WINDOWS\system32\DRIVERS\WPC300Nv1.SYS

.
Contents of the 'Scheduled Tasks' folder
"2007-11-29 00:57:15 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2007-10-30 16:02:08 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2007-11-29 00:57:16 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2007-10-30 15:52:03 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-28 18:55:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\oizilxds.dllbox 20810 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2007-11-28 19:00:02 - machine was rebooted
.
--- E O F ---
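The ComboFix and HijackThis logs above show the Virtumonde/Vundo pattern the helpers in this thread are chasing: a new random 8-letter DLL in system32 every few hours (uldwslbr.dll, wjekphog.dll, oizilxds.dll), each paired with a hidden+system .ini file of another random name (sometimes the DLL name spelled backwards, e.g. wjekphog.dll / gohpkejw.ini), a Winlogon Notify key and a rundll32 Run entry loading those DLLs, and an extra LSA "Authentication Packages" entry (cbayy.dll) that gets loaded into lsass.exe at boot. The script below is an added example for this thread, not code from ComboFix, HijackThis, VundoFix or any other tool mentioned; it parses a handful of lines copied from the posted logs and flags those indicators. The 8-letter name heuristic and the "anything in Notify is suspect" rule are assumptions tuned to ComboFix's "Files Created" and "Reg Loading Points" sections (which already hide Windows defaults), not a general signature.

```python
"""Flag Virtumonde/Vundo-style indicators in ComboFix / HijackThis log lines.

Added example for this thread; not part of any tool named in the posts.
The name heuristics are assumptions tuned to ComboFix output, not a signature.
"""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the logs posted above.
SAMPLE_LOG = r"""
2007-11-28 18:41 789,349 --ahs---- C:\WINDOWS\SYSTEM32\gohpkejw.ini
2007-11-28 18:41 85,056 --a------ C:\WINDOWS\SYSTEM32\wjekphog.dll
2007-11-28 18:38 81,984 --a------ C:\WINDOWS\SYSTEM32\uldwslbr.dll
2007-11-28 16:02 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-28 15:00 145,984 --a------ C:\WINDOWS\SYSTEM32\oizilxds.dll
2007-11-23 10:53 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-10-04 22:11 29,000 ----a-w C:\WINDOWS\system32\drivers\kcom.sys
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\cbayy.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\oizilxds]
O4 - HKLM\..\Run: [108a7acf] rundll32.exe "C:\WINDOWS\system32\qindmjjh.dll",b
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""

FILE_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+)\s+(\S+)\s+(.+?)\s*$")
SYSTEM32_ROOT = re.compile(r"\\windows\\system32\\[^\\]+$", re.IGNORECASE)
RANDOM_STEM = re.compile(r"^[a-z]{8}$")       # heuristic: oizilxds, wjekphog, ... (assumption)
LSA_AUTH = re.compile(r'"Authentication Packages"\s*=\s*(.+?)\s*$')
NOTIFY_KEY = re.compile(r"\\winlogon\\notify\\([^\\\]]+)\]$", re.IGNORECASE)
RUNDLL_RUN = re.compile(r'rundll32\.exe\s+"?([^",]+\.dll)', re.IGNORECASE)


@dataclass(frozen=True)
class FileEntry:
    timestamp: str
    size: int
    attrs: str        # ComboFix flags, e.g. --ahs---- (a=archive, h=hidden, s=system)
    path: str
    name: str         # lower-cased basename, e.g. wjekphog.dll
    stem: str         # wjekphog
    ext: str          # dll


def split_name(path: str):
    """('wjekphog.dll', 'wjekphog', 'dll') for a Windows path, lower-cased."""
    name = path.rsplit("\\", 1)[-1].lower()
    stem, dot, ext = name.rpartition(".")
    return (name, stem, ext) if dot else (name, name, "")


def parse_file_lines(text: str) -> list:
    """Timestamped file rows of a ComboFix log; <DIR> rows and registry text are skipped."""
    entries = []
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            ts, size, attrs, path = m.groups()
            entries.append(FileEntry(ts, int(size.replace(",", "")), attrs, path, *split_name(path)))
    return entries


def suspicious_files(entries) -> list:
    """Random 8-letter DLLs directly in system32, plus the hidden+system INI files dropped beside them."""
    hits = []
    for e in entries:
        if not SYSTEM32_ROOT.search(e.path) or not RANDOM_STEM.match(e.stem):
            continue
        hidden_system = "h" in e.attrs and "s" in e.attrs
        if e.ext == "dll":
            hits.append((e.name, "random-named DLL created in system32"))
        elif e.ext == "ini" and hidden_system:
            hits.append((e.name, "hidden+system INI with a random name (Vundo pairs these with its DLLs)"))
    return hits


def mirror_pairs(entries) -> list:
    """High-confidence sign: one file's stem is another's spelled backwards (wjekphog.dll / gohpkejw.ini)."""
    by_stem = {e.stem: e for e in entries if e.stem.isalpha() and len(e.stem) >= 5}
    pairs = set()
    for stem, e in by_stem.items():
        twin = by_stem.get(stem[::-1])
        if twin and twin.ext != e.ext:
            pairs.add(tuple(sorted((e.name, twin.name))))
    return sorted(pairs)


def registry_hijacks(text: str) -> list:
    """Persistence points of the same infection: LSA auth package, Winlogon Notify, rundll32 Run entry."""
    hits = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = LSA_AUTH.search(line)
        if m:
            # On XP only msv1_0 belongs here; anything else is loaded into lsass.exe at boot.
            hits.extend(("lsa_auth_package", p) for p in m.group(1).split() if p.lower() != "msv1_0")
            continue
        m = NOTIFY_KEY.search(line)
        if m:
            # ComboFix hides the default Notify packages, so every key it lists deserves a look.
            hits.append(("winlogon_notify", m.group(1)))
            continue
        m = RUNDLL_RUN.search(line)
        if m and RANDOM_STEM.match(split_name(m.group(1))[1]):
            hits.append(("run_rundll32", m.group(1)))
    return hits


def scan(text: str) -> dict:
    """Run all three checks over one log and group the findings."""
    entries = parse_file_lines(text)
    return {"files": suspicious_files(entries),
            "mirror_pairs": mirror_pairs(entries),
            "registry": registry_hijacks(text)}


if __name__ == "__main__":
    for section, items in scan(SAMPLE_LOG).items():
        print(f"== {section}")
        for item in items:
            print("  ", *item)
```

Run it as-is to print the three groups of findings for the sample, or pass a whole ComboFix log to `scan()`. Treat the 8-letter rule as a triage aid only: ComboFix's "Files Created" list is a diff over the last month, so a legitimate 8-letter system DLL (browseui.dll, say) only lands there if an update dropped it in the window, while the reversed-name pairs and the extra LSA package need no such caveat.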
HJThis
Hello jennifer234 & welcome.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Double-click smitfraudfix.exe
Select option #1 - Search by typing 1 and press "Enter". A text file will appear which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Warning: Do not run Option #2 until you are instructed to do so. Running option #2 on a non infected computer will remove your Desktop background.

===========================

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click OK.
Please post the contents of C:\vundofix.txt

==========================

Make sure to come back here with the vundofix.txt, the SmitfraudFix report, and a new HijackThis log.

Gogo
jennifer234
Hi and thank you for taking time to help me. Also thank you for your good directions...talk slow!

I was working with another computer expert and he had me run option 2 of SmitfraudFix.

I have run VundoFix several times since I was introduced to it by the other computer person. I did notice this time that it didn't pick up as many problems. I still have the icons: Security Guide and Online Safety Center.

Here are my reports. Thanks again.

SmitFraudFix v2.253

Scan done at 17:06:55.93, Fri 11/30/2007
Run from C:\Documents and Settings\David Miloy\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Dell TrueMobile 5100\GPRS Manager.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\notepad.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\David Miloy


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\David Miloy\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\DAVIDM~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Dell TrueMobile 1300 WLAN Mini-PCI Card - Packet Scheduler Miniport
DNS Server Search Order: 24.93.41.125
DNS Server Search Order: 24.93.41.126

HKLM\SYSTEM\CCS\Services\Tcpip\..\{ACF46345-38CF-4E2E-B029-0AD88A528CC9}: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CS1\Services\Tcpip\..\{ACF46345-38CF-4E2E-B029-0AD88A528CC9}: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CS2\Services\Tcpip\..\{ACF46345-38CF-4E2E-B029-0AD88A528CC9}: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.93.41.125 24.93.41.126


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

------------------------------------------------------------------------------------------------------------------------------------


VundoFix V6.6.2

Checking Java version...

Scan started at 11:23:59 AM 11/23/2007

Listing files found while scanning....

C:\windows\SYSTEM32\cwifxoag.dll
C:\windows\SYSTEM32\cwifxoag.dllbox
C:\windows\SYSTEM32\eqigyecz.dllbox
C:\windows\SYSTEM32\gqvpmzis.dllbox
C:\windows\SYSTEM32\jrxwmexv.dllbox
C:\windows\SYSTEM32\mtxtivco.dll
C:\windows\SYSTEM32\ooqlhbid.dllbox
C:\windows\SYSTEM32\ukczqvlb.dllbox
C:\windows\SYSTEM32\wmubnutz.dllbox

Beginning removal...

Attempting to delete C:\windows\SYSTEM32\cwifxoag.dll
C:\windows\SYSTEM32\cwifxoag.dll Has been deleted!

Attempting to delete C:\windows\SYSTEM32\cwifxoag.dllbox
C:\windows\SYSTEM32\cwifxoag.dllbox Has been deleted!

Attempting to delete C:\windows\SYSTEM32\eqigyecz.dllbox
C:\windows\SYSTEM32\eqigyecz.dllbox Has been deleted!

Attempting to delete C:\windows\SYSTEM32\gqvpmzis.dllbox
C:\windows\SYSTEM32\gqvpmzis.dllbox Has been deleted!

Attempting to delete C:\windows\SYSTEM32\jrxwmexv.dllbox
C:\windows\SYSTEM32\jrxwmexv.dllbox Has been deleted!

Attempting to delete C:\windows\SYSTEM32\mtxtivco.dll
C:\windows\SYSTEM32\mtxtivco.dll Has been deleted!

Attempting to delete C:\windows\SYSTEM32\ooqlhbid.dllbox
C:\windows\SYSTEM32\ooqlhbid.dllbox Has been deleted!

Attempting to delete C:\windows\SYSTEM32\ukczqvlb.dllbox
C:\windows\SYSTEM32\ukczqvlb.dllbox Has been deleted!

Attempting to delete C:\windows\SYSTEM32\wmubnutz.dllbox
C:\windows\SYSTEM32\wmubnutz.dllbox Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Scan started at 1:23:16 PM 11/23/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.6.2

Checking Java version...

Scan started at 12:03:06 PM 11/26/2007

Listing files found while scanning....

C:\windows\SYSTEM32\alqskoop.dll
C:\windows\SYSTEM32\alqskoop.dllbox
C:\windows\SYSTEM32\fqmxioxh.dll

Beginning removal...

Attempting to delete C:\windows\SYSTEM32\alqskoop.dll
C:\windows\SYSTEM32\alqskoop.dll Has been deleted!

Attempting to delete C:\windows\SYSTEM32\alqskoop.dllbox
C:\windows\SYSTEM32\alqskoop.dllbox Has been deleted!

Attempting to delete C:\windows\SYSTEM32\fqmxioxh.dll
C:\windows\SYSTEM32\fqmxioxh.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Scan started at 3:25:56 PM 11/26/2007

Listing files found while scanning....


VundoFix V6.6.2

Checking Java version...

Scan started at 4:30:14 PM 11/26/2007

Listing files found while scanning....

C:\windows\SYSTEM32\apfbmibn.dllbox
C:\windows\SYSTEM32\gcafkoxh.dll
C:\windows\SYSTEM32\gcafkoxh.dllbox
C:\windows\SYSTEM32\hgnrxxyu.dll
C:\windows\SYSTEM32\pkmjuvqy.dllbox

Beginning removal...

Attempting to delete C:\windows\SYSTEM32\apfbmibn.dllbox
C:\windows\SYSTEM32\apfbmibn.dllbox Has been deleted!

Attempting to delete C:\windows\SYSTEM32\gcafkoxh.dll
C:\windows\SYSTEM32\gcafkoxh.dll Could not be deleted.

Attempting to delete C:\windows\SYSTEM32\gcafkoxh.dllbox
C:\windows\SYSTEM32\gcafkoxh.dllbox Has been deleted!

Attempting to delete C:\windows\SYSTEM32\hgnrxxyu.dll
C:\windows\SYSTEM32\hgnrxxyu.dll Has been deleted!

Attempting to delete C:\windows\SYSTEM32\pkmjuvqy.dllbox
C:\windows\SYSTEM32\pkmjuvqy.dllbox Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\SYSTEM32\gcafkoxh.dll
C:\windows\SYSTEM32\gcafkoxh.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Scan started at 11:27:46 AM 11/28/2007

Listing files found while scanning....

C:\windows\SYSTEM32\alphzvep.dll
C:\windows\SYSTEM32\alphzvep.dllbox
C:\windows\SYSTEM32\chsdpnhf.exe
C:\windows\SYSTEM32\gcafkoxh.dllbox
C:\windows\SYSTEM32\hmuruqvk.exe
C:\windows\SYSTEM32\kpugnuci.exe
C:\windows\SYSTEM32\uiqflhox.exe
C:\windows\SYSTEM32\vearkieh.dll
C:\windows\SYSTEM32\zloonpng.dllbox

Beginning removal...

Attempting to delete C:\windows\SYSTEM32\alphzvep.dll
C:\windows\SYSTEM32\alphzvep.dll Has been deleted!

Attempting to delete C:\windows\SYSTEM32\alphzvep.dllbox
C:\windows\SYSTEM32\alphzvep.dllbox Has been deleted!

Attempting to delete C:\windows\SYSTEM32\chsdpnhf.exe
C:\windows\SYSTEM32\chsdpnhf.exe Has been deleted!

Attempting to delete C:\windows\SYSTEM32\gcafkoxh.dllbox
C:\windows\SYSTEM32\gcafkoxh.dllbox Has been deleted!

Attempting to delete C:\windows\SYSTEM32\hmuruqvk.exe
C:\windows\SYSTEM32\hmuruqvk.exe Has been deleted!

Attempting to delete C:\windows\SYSTEM32\kpugnuci.exe
C:\windows\SYSTEM32\kpugnuci.exe Has been deleted!

Attempting to delete C:\windows\SYSTEM32\uiqflhox.exe
C:\windows\SYSTEM32\uiqflhox.exe Has been deleted!

Attempting to delete C:\windows\SYSTEM32\vearkieh.dll
C:\windows\SYSTEM32\vearkieh.dll Has been deleted!

Attempting to delete C:\windows\SYSTEM32\zloonpng.dllbox
C:\windows\SYSTEM32\zloonpng.dllbox Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Scan started at 5:08:06 PM 11/30/2007

Listing files found while scanning....

C:\windows\SYSTEM32\bshfridj.exe
C:\WINDOWS\system32\oizilxds.dll
C:\windows\SYSTEM32\oizilxds.dllbox

Beginning removal...

Attempting to delete C:\windows\SYSTEM32\bshfridj.exe
C:\windows\SYSTEM32\bshfridj.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\oizilxds.dll
C:\WINDOWS\system32\oizilxds.dll Has been deleted!

Attempting to delete C:\windows\SYSTEM32\oizilxds.dllbox
C:\windows\SYSTEM32\oizilxds.dllbox Has been deleted!

Performing Repairs to the registry.
Done!

----------------------------------------------------------------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:30:30 PM, on 11/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Dell TrueMobile 5100\GPRS Manager.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: {17d519b9-aa1d-dd8b-f234-d66d84217110} - {01171248-d66d-432f-b8dd-d1aa9b915d71} - C:\WINDOWS\system32\uldwslbr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {899ADFAA-6451-435D-AF41-7FD5E65DA81F} - C:\Program Files\Windows NT\nixyjeqoC:\WINDOWS\SYSTEM32\q21\ade83122.exe.dll (file missing)
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GPRSManager] "C:\Program Files\Dell TrueMobile 5100\GPRS Manager.exe" -startup
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [108a7acf] rundll32.exe "C:\WINDOWS\system32\wjekphog.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Togd] C:\WINDOWS\System32\l?######.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Togd] C:\WINDOWS\System32\l?######.exe (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: SonicWALL Global VPN Client.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: *.meditech.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192567340986
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup162.cab
O20 - Winlogon Notify: bjzfezxx - bjzfezxx.dll (file missing)
O20 - Winlogon Notify: gebywvs - gebywvs.dll (file missing)
O20 - Winlogon Notify: mllkj - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5236 bytes
HJThis
Hi, jennifer234

Now may I ask that you run the ComboFix tool and show me its log. But first do this here --->

Disable AVG Anti-Spyware (formerly ewido):

Please disable AVG Anti-Spyware, as it may interfere with the fix.
Open AVG Anti-Spyware by double-clicking the multi-colored box emblazoned with an ‘S’ in the system tray.
In the Resident Shield section, toggle the AVG Anti-Spyware active protection ‘off’ by clicking Change state which will then change the protection status to 'inactive'.
If you are instructed to reboot at any time during your cleanup, AVG Anti-Spyware will prompt you as to whether you would like to Restart the Resident Shield.
Reply ‘no’ and set it to ‘inactive’ for the duration of your cleanup.

Once your log is clean you can re-enable Ewido.

====================

SPYWARE DOCTOR

* Click the Spyware Doctor icon in the System Tray.
* Click Settings.
* Click Startup Settings under Pick a Category.
* Uncheck "Run at Windows startup".
* Click Apply and Exit Spyware Doctor.
* From within Spyware Doctor, click the "OnGuard" button on the left side.
* Uncheck "Activate OnGuard".
* (When we are done, you can reenable Spyware Doctor)

====================

Then run ComboFix and show me its log, and a new HijackThis logfile.

Gogo
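Added example, not part of the thread and not code from HijackThis, VundoFix or ComboFix: a small Python triage script that encodes the Vundo/Virtumonde indicators visible in the HijackThis log posted above (random 7-9 letter lowercase DLL stems in system32, a hex-named Run value loading such a DLL through rundll32, Winlogon Notify subkeys whose DLL is "(file missing)", a BHO entry with two drive roots fused into one path) and, for ComboFix "Files Created" listings like the one in the next reply, the Vundo habit of naming the hidden companion .ini with the DLL stem reversed (wjekphog.dll and gohpkejw.ini above). The sample lines are copied in form from this thread's logs and marked as constructed; the 7-9 letter "random stem" rule, the hex-value-name rule and the partial allowlist of stock XP Winlogon Notify subkeys are my assumptions, not HijackThis whitelist logic, so treat hits as items to investigate, not as verdicts.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied in form from the HijackThis log in this
# thread (not the whole log), so the script runs offline.
SAMPLE_HJT_LOG = r"""
O2 - BHO: {17d519b9-aa1d-dd8b-f234-d66d84217110} - {01171248-d66d-432f-b8dd-d1aa9b915d71} - C:\WINDOWS\system32\uldwslbr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {899ADFAA-6451-435D-AF41-7FD5E65DA81F} - C:\Program Files\Windows NT\nixyjeqoC:\WINDOWS\SYSTEM32\q21\ade83122.exe.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [108a7acf] rundll32.exe "C:\WINDOWS\system32\wjekphog.dll",b
O20 - Winlogon Notify: bjzfezxx - bjzfezxx.dll (file missing)
O20 - Winlogon Notify: gebywvs - gebywvs.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Constructed sample in the shape of ComboFix's "Files Created" section.
SAMPLE_COMBOFIX_LINES = r"""
2007-11-28 18:41 794,593 ---hs---- C:\WINDOWS\SYSTEM32\gohpkejw.ini
2007-11-28 18:41 85,056 --a------ C:\WINDOWS\SYSTEM32\wjekphog.dll
2007-11-28 18:38 81,984 --a------ C:\WINDOWS\SYSTEM32\uldwslbr.dll
2007-11-28 18:35 789,496 --ahs---- C:\WINDOWS\SYSTEM32\nesjxxak.ini
2007-11-28 16:02 <DIR> d-------- C:\Program Files\Trend Micro
"""

# Heuristics (assumptions, not HijackThis rules): Vundo drops DLLs with 7-9
# random lowercase letters, hooks them via hex-named Run values and Winlogon
# Notify subkeys, and names the companion .ini with the DLL stem reversed.
RANDOM_STEM = re.compile(r"^[a-z]{7,9}$")
HEX_VALUE_NAME = re.compile(r"^[0-9a-f]{8}$")
CLSID = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# Partial allowlist of stock XP Winlogon Notify subkeys (assumption).
DEFAULT_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                  "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}


@dataclass
class Finding:
    section: str   # HijackThis section tag: "O2", "O4", "O20"
    line: str
    reasons: list


def stem(path: str) -> str:
    """Lower-case file name without extension, quotes and directory stripped."""
    name = path.strip().strip('"').rsplit("\\", 1)[-1]
    return name.split(".", 1)[0].lower()


def triage_hijackthis(log_text: str) -> list:
    """Return O2/O4/O20 lines matching a Vundo indicator, with the reasons."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        reasons = []
        if line.startswith("O2 - BHO: "):
            parts = line[len("O2 - BHO: "):].split(" - ")
            if len(parts) >= 3:
                name, path = parts[0], " - ".join(parts[2:])
                if name == "(no name)" or CLSID.match(name):
                    reasons.append("BHO has no readable name")
                if "\\system32\\" in path.lower() and RANDOM_STEM.match(stem(path)):
                    reasons.append("random-named DLL in system32")
                if path.count(":\\") > 1:
                    reasons.append("two drive roots fused into one path")
        elif line.startswith("O4 - ") and "\\Run: [" in line:
            m = re.search(r"\[([^\]]*)\]\s*(.*)", line)
            if m:
                value_name, command = m.group(1), m.group(2)
                if HEX_VALUE_NAME.match(value_name.lower()):
                    reasons.append("hex-looking Run value name")
                d = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+)', command, re.I)
                if d and RANDOM_STEM.match(stem(d.group(1))):
                    reasons.append("rundll32 loads random-named DLL")
        elif line.startswith("O20 - Winlogon Notify: "):
            subkey, _, dll = line[len("O20 - Winlogon Notify: "):].partition(" - ")
            if "(file missing)" in dll:
                reasons.append("Notify DLL missing on disk (leftover or hidden)")
            if subkey.lower() not in DEFAULT_NOTIFY and RANDOM_STEM.match(subkey.lower()):
                reasons.append("random-named Winlogon Notify subkey")
        if reasons:
            findings.append(Finding(line.split(" - ", 1)[0], line, reasons))
    return findings


def reversed_ini_pairs(combofix_lines: str) -> list:
    """Pair each .dll with an .ini whose stem is the DLL stem reversed."""
    stems = {"dll": set(), "ini": set()}
    for line in combofix_lines.splitlines():
        m = re.search(r"([A-Za-z]:\\.*)$", line)   # path is the last field
        if not m:
            continue
        base, _, ext = m.group(1).rsplit("\\", 1)[-1].lower().rpartition(".")
        if ext in stems:
            stems[ext].add(base)
    return sorted((d, d[::-1]) for d in stems["dll"] if d[::-1] in stems["ini"])


if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_HJT_LOG):
        print(f"{f.section:<4} {', '.join(f.reasons)}\n     {f.line}")
    print("reversed .dll/.ini pairs:", reversedini_pairs if False else reversed_ini_pairs(SAMPLE_COMBOFIX_LINES))
```

On the sample the script flags the two Vundo BHOs, the [108a7acf] rundll32 entry and both Winlogon Notify leftovers while leaving the avast! and Adobe entries alone, and it pairs wjekphog.dll with gohpkejw.ini. Because every rule here is a pattern match on names, a clean-looking line is no guarantee of a clean machine: the reply after this one shows a fresh random-named DLL and .ini being created every couple of hours, which is why the helper asks for ComboFix and a rootkit scan rather than more deletions by hand.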
jennifer234
Hey,

It already seems to be running faster...

AVG and Spyware Doctor were already disabled, but I did have Avast Antivirus running so I terminated it... or at least I think I did.

I have had the computer pretty clean before - pop-ups stopped for a short time and then rebooted and they came back. When this first started, I could clean the computer (seemed like it anyway) and then at 10:20 p.m. it would all come back and no one would be using the computer. It did that for a few days before it got worse. I thought that was odd.

Here are the new logs. Thanks.

ComboFix 07-11-19.4C - David Miloy 2007-11-30 19:19:54.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.282 [GMT -6:00]
Running from: C:\Documents and Settings\David Miloy\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\David Miloy\Desktop\Live Safety Center.lnk
C:\Documents and Settings\David Miloy\Desktop\Online Security Guide.lnk
C:\Documents and Settings\David Miloy\Favorites\Online Security Guide.lnk
C:\WINDOWS\cookies.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-01 to 2007-12-01 )))))))))))))))))))))))))))))))
.

2007-11-28 18:41 794,593 ---hs---- C:\WINDOWS\SYSTEM32\gohpkejw.ini
2007-11-28 18:41 85,056 --a------ C:\WINDOWS\SYSTEM32\wjekphog.dll
2007-11-28 18:38 81,984 --a------ C:\WINDOWS\SYSTEM32\uldwslbr.dll
2007-11-28 18:35 789,496 --ahs---- C:\WINDOWS\SYSTEM32\nesjxxak.ini
2007-11-28 16:02 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-28 15:09 81,984 --a------ C:\WINDOWS\SYSTEM32\nocynnpd.dll
2007-11-28 15:03 789,496 --ahs---- C:\WINDOWS\SYSTEM32\hjjmdniq.ini
2007-11-28 14:40 789,349 --ahs---- C:\WINDOWS\SYSTEM32\kwshddov.ini
2007-11-28 14:38 81,984 --a------ C:\WINDOWS\SYSTEM32\kxdhtjpg.dll
2007-11-28 13:58 <DIR> d-------- C:\Deckard
2007-11-28 13:55 789,349 --ahs---- C:\WINDOWS\SYSTEM32\cgplsegi.ini
2007-11-28 13:09 789,418 --ahs---- C:\WINDOWS\SYSTEM32\lwwllanw.ini
2007-11-28 13:06 81,984 --a------ C:\WINDOWS\SYSTEM32\ybbqybvy.dll
2007-11-28 12:26 81,984 --a------ C:\WINDOWS\SYSTEM32\imafsmcr.dll
2007-11-28 12:23 789,349 --ahs---- C:\WINDOWS\SYSTEM32\hylndfhy.ini
2007-11-28 12:16 789,349 --ahs---- C:\WINDOWS\SYSTEM32\tdqlkflt.ini
2007-11-28 12:13 81,984 --a------ C:\WINDOWS\SYSTEM32\vgrnjghk.dll
2007-11-28 10:50 789,821 --ahs---- C:\WINDOWS\SYSTEM32\kwspuihb.ini
2007-11-28 10:47 81,984 --a------ C:\WINDOWS\SYSTEM32\wephjbxc.dll
2007-11-27 21:31 784,675 --ahs---- C:\WINDOWS\SYSTEM32\geuflfjb.ini
2007-11-27 21:26 78,912 --a------ C:\WINDOWS\SYSTEM32\haskhybj.dll
2007-11-27 08:04 784,547 --ahs---- C:\WINDOWS\SYSTEM32\jstvdbpq.ini
2007-11-27 07:58 78,912 --a------ C:\WINDOWS\SYSTEM32\cknpbgvs.dll
2007-11-26 22:58 80,960 --a------ C:\WINDOWS\SYSTEM32\otjferug.dll
2007-11-26 22:52 780,986 --ahs---- C:\WINDOWS\SYSTEM32\jktchpkd.ini
2007-11-26 18:26 80,960 --a------ C:\WINDOWS\SYSTEM32\hlbfrvds.dll
2007-11-26 18:23 780,395 --ahs---- C:\WINDOWS\SYSTEM32\xsivihfu.ini
2007-11-26 18:06 80,960 --a------ C:\WINDOWS\SYSTEM32\wlakoryg.dll
2007-11-26 17:59 780,275 --ahs---- C:\WINDOWS\SYSTEM32\enncykgj.ini
2007-11-26 17:49 80,960 --a------ C:\WINDOWS\SYSTEM32\wycusbmd.dll
2007-11-26 16:38 780,335 --ahs---- C:\WINDOWS\SYSTEM32\ioylfafn.ini
2007-11-26 15:34 780,275 --ahs---- C:\WINDOWS\SYSTEM32\ligbacvb.ini
2007-11-26 15:12 780,275 --ahs---- C:\WINDOWS\SYSTEM32\tyoeukhn.ini
2007-11-26 10:31 780,935 --ahs---- C:\WINDOWS\SYSTEM32\twhlgdmc.ini
2007-11-26 09:22 79,936 --a------ C:\WINDOWS\SYSTEM32\yccaeews.dll
2007-11-26 08:19 79,936 --a------ C:\WINDOWS\SYSTEM32\xkemiqqc.dll
2007-11-25 19:15 781,104 --ahs---- C:\WINDOWS\SYSTEM32\flskjjny.ini
2007-11-25 19:09 79,936 --a------ C:\WINDOWS\SYSTEM32\eeopusiu.dll
2007-11-23 11:51 776,210 --ahs---- C:\WINDOWS\SYSTEM32\sroisojc.ini
2007-11-23 11:26 775,952 --ahs---- C:\WINDOWS\SYSTEM32\uhfpkvhq.ini
2007-11-23 11:23 <DIR> d-------- C:\VundoFix Backups
2007-11-23 11:23 83,520 --a------ C:\WINDOWS\SYSTEM32\ywojmixc.dll
2007-11-23 10:54 750 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-11-23 10:53 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2007-11-23 10:53 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-11-23 10:53 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2007-11-23 10:14 769,501 --ahs---- C:\WINDOWS\SYSTEM32\wpamwber.ini
2007-11-22 09:48 79,936 --a------ C:\WINDOWS\SYSTEM32\imircynv.dll
2007-11-22 09:44 737,078 --ahs---- C:\WINDOWS\SYSTEM32\fxrbgfiw.ini
2007-11-21 19:07 1,133,982 --ahs---- C:\WINDOWS\SYSTEM32\ehorwsyb.ini
2007-11-21 19:04 80,960 --a------ C:\WINDOWS\SYSTEM32\faaixvtd.dll
2007-11-21 12:58 1,133,886 --ahs---- C:\WINDOWS\SYSTEM32\jkgbgnhw.ini
2007-11-21 12:55 80,960 --a------ C:\WINDOWS\SYSTEM32\enwfagmm.dll
2007-11-21 10:24 1,311,489 --ahs---- C:\WINDOWS\SYSTEM32\fxcdbrbr.ini
2007-11-20 19:12 689,463 --ahs---- C:\WINDOWS\SYSTEM32\bcvgyjdh.ini
2007-11-20 16:31 689,343 --ahs---- C:\WINDOWS\SYSTEM32\gmpdoaou.ini
2007-11-20 10:55 84,544 --a------ C:\WINDOWS\SYSTEM32\ftcvgwth.dll
2007-11-20 10:52 689,223 --ahs---- C:\WINDOWS\SYSTEM32\ojbdomsx.ini
2007-11-20 08:26 1,489,843 --ahs---- C:\WINDOWS\SYSTEM32\gwuoopao.ini
2007-11-19 18:38 1,435,264 --ahs---- C:\WINDOWS\SYSTEM32\cgndsdtr.ini
2007-11-19 18:34 83,008 --a------ C:\WINDOWS\SYSTEM32\jepeudhi.dll
2007-11-19 14:47 83,008 --a------ C:\WINDOWS\SYSTEM32\utiobybi.dll
2007-11-19 14:44 1,436,198 --ahs---- C:\WINDOWS\SYSTEM32\oghdsgjn.ini
2007-11-19 13:19 1,434,672 --ahs---- C:\WINDOWS\SYSTEM32\uakinxxy.ini
2007-11-19 08:16 1,363,726 --ahs---- C:\WINDOWS\SYSTEM32\gvugfade.ini
2007-11-19 08:16 83,008 --a------ C:\WINDOWS\SYSTEM32\hefacclx.dll
2007-11-17 23:32 79,424 --a------ C:\WINDOWS\SYSTEM32\ngapbbmg.dll
2007-11-17 23:29 1,368,124 --ahs---- C:\WINDOWS\SYSTEM32\mibnbeng.ini
2007-11-16 16:49 81,984 --a------ C:\WINDOWS\SYSTEM32\ffexmxqw.dll
2007-11-16 16:44 1,278,015 --ahs---- C:\WINDOWS\SYSTEM32\kgvxefxm.ini
2007-11-15 07:51 79,936 --a------ C:\WINDOWS\SYSTEM32\mhhphvlx.dll
2007-11-14 17:01 79,424 --a------ C:\WINDOWS\SYSTEM32\cnjhsbjs.dll
2007-11-13 18:44 1,247,526 --ahs---- C:\WINDOWS\SYSTEM32\umhamqna.ini
2007-11-13 09:11 669,173 --ahs---- C:\WINDOWS\SYSTEM32\bxyluqml.ini
2007-11-12 20:13 590,434 --ahs---- C:\WINDOWS\SYSTEM32\uglbmvcw.ini
2007-11-12 20:06 81,472 --a------ C:\WINDOWS\SYSTEM32\cyuracvd.dll
2007-11-12 18:09 89,664 --a------ C:\WINDOWS\SYSTEM32\oshiwajq.dll
2007-11-12 16:10 81,472 --a------ C:\WINDOWS\SYSTEM32\vepygiec.dll
2007-11-12 14:07 530,594 --ahs---- C:\WINDOWS\SYSTEM32\vrjqkuly.ini
2007-11-11 22:56 524,806 --ahs---- C:\WINDOWS\SYSTEM32\gvygqkfo.ini
2007-11-11 17:31 581,718 --ahs---- C:\WINDOWS\SYSTEM32\ftdaudne.ini
2007-11-10 17:32 563,849 --ahs---- C:\WINDOWS\SYSTEM32\jmpxlrxb.ini
2007-11-07 21:50 563,684 --ahs---- C:\WINDOWS\SYSTEM32\ohnjbwdb.ini
2007-11-06 17:59 563,624 --ahs---- C:\WINDOWS\SYSTEM32\sxmjaqsc.ini
2007-11-05 17:55 569,755 --ahs---- C:\WINDOWS\SYSTEM32\xlvkkxyd.ini
2007-11-04 18:08 577,085 --ahs---- C:\WINDOWS\SYSTEM32\elgdqthr.ini
2007-11-03 15:04 576,923 --ahs---- C:\WINDOWS\SYSTEM32\ddvwgmtt.ini
2007-11-02 10:36 576,172 --ahs---- C:\WINDOWS\SYSTEM32\xvtclwkv.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-28 19:09 --------- d-----w C:\Program Files\Spyware Doctor
2007-11-23 18:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-23 18:51 --------- d-----w C:\Program Files\Dell
2007-11-23 14:09 --------- d-----w C:\Program Files\XoftSpySE
2007-11-23 12:59 83,520 ----a-w C:\WINDOWS\SYSTEM32\qrydeiuy.dll
2007-11-18 18:23 --------- d-----w C:\Documents and Settings\David Miloy\Application Data\dvdcss
2007-11-13 23:10 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-11-12 21:06 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-30 16:06 --------- d-----w C:\Program Files\RegCure
2007-10-26 03:36 8,454,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2007-10-25 13:54 --------- d-----w C:\Program Files\TOPO!
2007-10-23 15:02 --------- d-----w C:\Program Files\QuickTime
2007-10-17 03:47 79,424 ----a-w C:\WINDOWS\SYSTEM32\byrqfqct.dll
2007-10-16 21:53 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-16 19:45 --------- d-----w C:\Program Files\Dell TrueMobile 5100
2007-10-16 19:45 --------- d-----w C:\Program Files\Common Files\Paltalk
2007-10-16 03:42 79,424 ----a-w C:\WINDOWS\SYSTEM32\uvbyhcfr.dll
2007-10-09 20:36 --------- d-----w C:\Program Files\CCleaner
2007-10-09 02:04 294,668 ----a-w C:\WINDOWS\frexup2.exe
2007-10-04 22:11 29,000 ----a-w C:\WINDOWS\system32\drivers\kcom.sys
2007-10-04 22:10 79,688 ----a-w C:\WINDOWS\system32\drivers\iksyssec.sys
2007-10-04 22:10 62,280 ----a-w C:\WINDOWS\system32\drivers\iksysflt.sys
2007-10-04 22:10 41,288 ----a-w C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\SYSTEM32\aswBoot.exe
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\SYSTEM32\AVASTSS.scr
2006-12-09 17:48 107,257,856 -c--a-w C:\Program Files\GNC400_Trainer_5.01.exe
2006-12-05 03:34 8,282,187 -c--a-w C:\Program Files\vlc-0.8.5-win32.exe
2006-11-29 02:38 12,343,168 -c--a-w C:\Program Files\setupengpro.exe
2006-11-08 00:58 10,435,793 -c--a-w C:\Program Files\MP10Setup.exe
2006-10-10 17:30 1,439,644 -c--a-w C:\Program Files\TarasconPalm_41_125.zip
2006-10-10 17:17 5,523,284 -c--a-w C:\Program Files\TarasconPalm_OE_v02_02_09.exe
2006-10-06 17:39 16,141,867 -c--a-w C:\Program Files\PalmDesktopWin414EN.zip
2006-09-23 23:17 1,248,544 -c--a-w C:\Program Files\abasetup162.exe
2006-09-12 01:12 22,083,376 -c--a-w C:\Program Files\QuickTimeInstaller.exe
2006-09-02 14:49 13,951,112 -c--a-w C:\Program Files\MPSetup.exe
2006-09-02 14:42 1,416,944 -c--a-w C:\Program Files\WM9Codecs.exe
2006-09-02 04:43 15,030,904 -c--a-w C:\Program Files\DivXInstaller.exe
2006-06-29 03:19 26,904 -c--a-w C:\Documents and Settings\David Miloy\Application Data\GDIPFONTCACHEV1.DAT
2006-06-20 03:07 22 -c--a-w C:\Program Files\EMPG2_Dec_Strm_Pack_3_0.zip
2006-06-20 02:17 166,144 -c--a-w C:\Program Files\DECCHECKSetup.EXE
2006-04-05 22:46 369,228 --sha-w C:\WINDOWS\SYSTEM32\jkllm.bak1
2006-04-08 22:46 505,558 --sha-w C:\WINDOWS\SYSTEM32\jkllm.bak2
.

((((((((((((((((((((((((((((( snapshot@2007-11-28_18.57.12.92 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-29 00:37:44 54,010 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
+ 2007-11-30 23:25:28 54,010 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
- 2007-11-29 00:37:44 383,822 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2007-11-30 23:25:28 383,822 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2007-11-30 23:20:35 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_300.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 75,392 2007-04-18 16:13:25 C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe
----a-w 79,224 2007-09-06 10:06:09 C:\Program Files\Alwil Software\Avast4\ashDisp.exe

----a-w 327,680 2003-05-22 22:15:00 C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

----a-w 180,269 2006-07-19 01:17:13 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 110,592 2004-01-07 06:01:00 C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe

----a-w 282,624 2006-09-12 01:14:30 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\SYSTEM32\bak\ctfmon.exe

----a-w 28,672 2003-08-13 16:27:40 C:\WINDOWS\SYSTEM32\bak\DSentry.exe

----a-w 122,939 2004-08-13 06:05:00 C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01171248-d66d-432f-b8dd-d1aa9b915d71}]
2007-11-28 18:38 81984 --a------ C:\WINDOWS\system32\uldwslbr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{899ADFAA-6451-435D-AF41-7FD5E65DA81F}]
C:\Program Files\Windows NT\nixyjeqoC:\WINDOWS\SYSTEM32\q21\ade83122.exe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 04:06]
"GPRSManager"="C:\Program Files\Dell TrueMobile 5100\GPRS Manager.exe" [2003-08-15 10:10]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-28 17:17 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"RegistryMechanic"="" []
"108a7acf"="C:\WINDOWS\system32\wjekphog.dll" [2007-11-28 18:41]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Togd"="C:\WINDOWS\System32\l?######.exe" [2004-08-04 01:56]

C:\Documents and Settings\David Miloy\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Palm\HOTSYNC.EXE [2004-04-13 16:03:10]
SonicWALL Global VPN Client.lnk - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVpnClient.exe [2005-10-31 07:14:39]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06]
PowerReg Scheduler.exe [2004-03-09 17:52:37]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-07-29 20:49:48]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bjzfezxx]
bjzfezxx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebywvs]
gebywvs.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllkj]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

R1 RCFOX;SonicWALL IPsec Driver;\??\C:\WINDOWS\system32\Drivers\RCFOX.sys
R3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys
S3 afrhkwl;afrhkwl;\??\C:\WINDOWS\system32\fhyhsubc\afrhkwl
S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\CBTNDIS5.SYS
S3 kyushgc;kyushgc;\??\C:\WINDOWS\system32\tckt\kyushgc
S3 niuqajh;niuqajh;\??\C:\WINDOWS\system32\tnirvsta\niuqajh.sys
S3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM4.sys
S3 PNDIS5;PNDIS5 NDIS Protocol Driver;\??\D:\PNDIS5.SYS
S3 WPC300N;Linksys Wireless Notebook Adapter WPC300N Driver;C:\WINDOWS\system32\DRIVERS\WPC300Nv1.SYS

.
Contents of the 'Scheduled Tasks' folder
"2007-11-30 23:21:43 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2007-10-30 16:02:08 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2007-11-30 23:21:43 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2007-10-30 15:52:03 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-30 19:21:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-30 19:22:41
C:\ComboFix2.txt ... 2007-11-28 19:00
.
--- E O F ---

-----
---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:25:18 PM, on 11/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Dell TrueMobile 5100\GPRS Manager.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: {17d519b9-aa1d-dd8b-f234-d66d84217110} - {01171248-d66d-432f-b8dd-d1aa9b915d71} - C:\WINDOWS\system32\uldwslbr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {899ADFAA-6451-435D-AF41-7FD5E65DA81F} - C:\Program Files\Windows NT\nixyjeqoC:\WINDOWS\SYSTEM32\q21\ade83122.exe.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GPRSManager] "C:\Program Files\Dell TrueMobile 5100\GPRS Manager.exe" -startup
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [108a7acf] rundll32.exe "C:\WINDOWS\system32\wjekphog.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Togd] C:\WINDOWS\System32\l?######.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Togd] C:\WINDOWS\System32\l?######.exe (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: SonicWALL Global VPN Client.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: *.meditech.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192567340986
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup162.cab
O20 - Winlogon Notify: bjzfezxx - bjzfezxx.dll (file missing)
O20 - Winlogon Notify: gebywvs - gebywvs.dll (file missing)
O20 - Winlogon Notify: mllkj - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5118 bytes
jennifer234
I just turned Avast antivirus back on while I sit idle. Please let me know if you want me to turn it off again before my next task. I also haven't rebooted until you tell me to. Thanks.
HJThis
Hi jennifer234

Backup the Registry:

Navigate to Start | Run and paste the following:

regedit /e c:\registrybackup.reg

Now click OK
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.

==========================

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quote box below into it (but don't include the word: quote). Make sure to use NotePad and nothing else.

QUOTE
File::
C:\WINDOWS\SYSTEM32\gohpkejw.ini
C:\WINDOWS\SYSTEM32\wjekphog.dll
C:\WINDOWS\SYSTEM32\uldwslbr.dll
C:\WINDOWS\SYSTEM32\nesjxxak.ini
C:\WINDOWS\SYSTEM32\nocynnpd.dll
C:\WINDOWS\SYSTEM32\hjjmdniq.ini
C:\WINDOWS\SYSTEM32\kwshddov.ini
C:\WINDOWS\SYSTEM32\kxdhtjpg.dll
C:\WINDOWS\SYSTEM32\cgplsegi.ini
C:\WINDOWS\SYSTEM32\lwwllanw.ini
C:\WINDOWS\SYSTEM32\ybbqybvy.dll
C:\WINDOWS\SYSTEM32\imafsmcr.dll
C:\WINDOWS\SYSTEM32\hylndfhy.ini
C:\WINDOWS\SYSTEM32\tdqlkflt.ini
C:\WINDOWS\SYSTEM32\vgrnjghk.dll
C:\WINDOWS\SYSTEM32\kwspuihb.ini
C:\WINDOWS\SYSTEM32\wephjbxc.dll
C:\WINDOWS\SYSTEM32\geuflfjb.ini
C:\WINDOWS\SYSTEM32\haskhybj.dll
C:\WINDOWS\SYSTEM32\jstvdbpq.ini
C:\WINDOWS\SYSTEM32\cknpbgvs.dll
C:\WINDOWS\SYSTEM32\otjferug.dll
C:\WINDOWS\SYSTEM32\jktchpkd.ini
C:\WINDOWS\SYSTEM32\hlbfrvds.dll
C:\WINDOWS\SYSTEM32\xsivihfu.ini
C:\WINDOWS\SYSTEM32\wlakoryg.dll
C:\WINDOWS\SYSTEM32\enncykgj.ini
C:\WINDOWS\SYSTEM32\wycusbmd.dll
C:\WINDOWS\SYSTEM32\ioylfafn.ini
C:\WINDOWS\SYSTEM32\ligbacvb.ini
C:\WINDOWS\SYSTEM32\tyoeukhn.ini
C:\WINDOWS\SYSTEM32\twhlgdmc.ini
C:\WINDOWS\SYSTEM32\yccaeews.dll
C:\WINDOWS\SYSTEM32\xkemiqqc.dll
C:\WINDOWS\SYSTEM32\flskjjny.ini
C:\WINDOWS\SYSTEM32\eeopusiu.dll
C:\WINDOWS\SYSTEM32\sroisojc.ini
C:\WINDOWS\SYSTEM32\uhfpkvhq.ini
C:\WINDOWS\SYSTEM32\ywojmixc.dll
C:\WINDOWS\SYSTEM32\tmp.reg
C:\WINDOWS\SYSTEM32\wpamwber.ini
C:\WINDOWS\SYSTEM32\imircynv.dll
C:\WINDOWS\SYSTEM32\fxrbgfiw.ini
C:\WINDOWS\SYSTEM32\ehorwsyb.ini
C:\WINDOWS\SYSTEM32\faaixvtd.dll
C:\WINDOWS\SYSTEM32\jkgbgnhw.ini
C:\WINDOWS\SYSTEM32\enwfagmm.dll
C:\WINDOWS\SYSTEM32\fxcdbrbr.ini
C:\WINDOWS\SYSTEM32\bcvgyjdh.ini
C:\WINDOWS\SYSTEM32\gmpdoaou.ini
C:\WINDOWS\SYSTEM32\ftcvgwth.dll
C:\WINDOWS\SYSTEM32\ojbdomsx.ini
C:\WINDOWS\SYSTEM32\gwuoopao.ini
C:\WINDOWS\SYSTEM32\cgndsdtr.ini
C:\WINDOWS\SYSTEM32\jepeudhi.dll
C:\WINDOWS\SYSTEM32\utiobybi.dll
C:\WINDOWS\SYSTEM32\oghdsgjn.ini
C:\WINDOWS\SYSTEM32\uakinxxy.ini
C:\WINDOWS\SYSTEM32\gvugfade.ini
C:\WINDOWS\SYSTEM32\hefacclx.dll
C:\WINDOWS\SYSTEM32\ngapbbmg.dll
C:\WINDOWS\SYSTEM32\mibnbeng.ini
C:\WINDOWS\SYSTEM32\ffexmxqw.dll
C:\WINDOWS\SYSTEM32\kgvxefxm.ini
C:\WINDOWS\SYSTEM32\mhhphvlx.dll
C:\WINDOWS\SYSTEM32\cnjhsbjs.dll
C:\WINDOWS\SYSTEM32\umhamqna.ini
C:\WINDOWS\SYSTEM32\bxyluqml.ini
C:\WINDOWS\SYSTEM32\uglbmvcw.ini
C:\WINDOWS\SYSTEM32\cyuracvd.dll
C:\WINDOWS\SYSTEM32\oshiwajq.dll
C:\WINDOWS\SYSTEM32\vepygiec.dll
C:\WINDOWS\SYSTEM32\vrjqkuly.ini
C:\WINDOWS\SYSTEM32\gvygqkfo.ini
C:\WINDOWS\SYSTEM32\ftdaudne.ini
C:\WINDOWS\SYSTEM32\jmpxlrxb.ini
C:\WINDOWS\SYSTEM32\ohnjbwdb.ini
C:\WINDOWS\SYSTEM32\sxmjaqsc.ini
C:\WINDOWS\SYSTEM32\xlvkkxyd.ini
C:\WINDOWS\SYSTEM32\elgdqthr.ini
C:\WINDOWS\SYSTEM32\ddvwgmtt.ini
C:\WINDOWS\SYSTEM32\xvtclwkv.ini
C:\WINDOWS\SYSTEM32\qrydeiuy.dll
C:\WINDOWS\SYSTEM32\byrqfqct.dll
C:\WINDOWS\SYSTEM32\uvbyhcfr.dll
C:\WINDOWS\frexup2.exe
C:\WINDOWS\SYSTEM32\jkllm.bak1
C:\WINDOWS\SYSTEM32\jkllm.bak2

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01171248-d66d-432f-b8dd-d1aa9b915d71}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{899ADFAA-6451-435D-AF41-7FD5E65DA81F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"108a7acf"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bjzfezxx]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebywvs]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllkj]



Save this as CFScript.txt, in the same location as ComboFix.exe

Click to view attachment

Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it will produce a log for you at "C:\ComboFix.txt"


Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



Then come back here with both the HijackThis log and ComboFix.txt


Gogo
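As an added example (not code from the thread, from ComboFix or from its author), the Python below reads the O2/O4/O20 lines of the HijackThis log posted above and renders the matching CFScript directives in the File::/Registry:: layout HJThis used. The flagging heuristics (an eight-letter lowercase DLL name, a Run value named like a hex blob, a "(file missing)" or truncated Winlogon Notify entry) are this example's assumptions modelled on the entries the analyst chose, and the sample log is a constructed excerpt of the posted one.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the O2/O4/O20 lines of the 11/30 HijackThis log posted above.
SAMPLE_HJT_LOG = r"""
O2 - BHO: {17d519b9-aa1d-dd8b-f234-d66d84217110} - {01171248-d66d-432f-b8dd-d1aa9b915d71} - C:\WINDOWS\system32\uldwslbr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {899ADFAA-6451-435D-AF41-7FD5E65DA81F} - C:\Program Files\Windows NT\nixyjeqoC:\WINDOWS\SYSTEM32\q21\ade83122.exe.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [108a7acf] rundll32.exe "C:\WINDOWS\system32\wjekphog.dll",b
O20 - Winlogon Notify: bjzfezxx - bjzfezxx.dll (file missing)
O20 - Winlogon Notify: gebywvs - gebywvs.dll (file missing)
O20 - Winlogon Notify: mllkj - C:\WINDOWS\
"""

# HijackThis line shapes for the three entry types the analyst's script touched.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - HKLM\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")

# Flagging heuristics (this example's assumptions, modelled on the entries removed above).
RANDOM_DLL_RE = re.compile(r"\\[a-z]{8}\.dll$")   # eight random lowercase letters, e.g. uldwslbr.dll
HEX_VALUE_RE = re.compile(r"^[0-9a-f]{8}$")         # Run value named like a hex blob, e.g. 108a7acf
QUOTED_DLL_RE = re.compile(r'"([^"]+\.dll)"')       # the DLL handed to rundll32.exe "...",b
MISSING = "(file missing)"

# Registry:: key prefixes exactly as they appear in the CFScript above.
BHO_KEY = "[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\"
RUN_KEY = "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]"
NOTIFY_KEY = "[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\"


@dataclass
class CFScript:
    """The pieces of a ComboFix CFScript in the File::/Registry:: layout used in the thread."""
    files: list = field(default_factory=list)        # on-disk files to remove
    bho_clsids: list = field(default_factory=list)   # BHO registrations to delete
    run_values: list = field(default_factory=list)   # HKLM Run values to delete
    notify_keys: list = field(default_factory=list)  # Winlogon Notify subkeys to delete

    def render(self) -> str:
        out = ["File::", *self.files, "", "Registry::"]
        out += [BHO_KEY + clsid + "]" for clsid in self.bho_clsids]      # [-key] deletes the key
        if self.run_values:
            out.append(RUN_KEY)
            out += ['"' + value + '"=-' for value in self.run_values]    # "name"=- deletes the value
        out += [NOTIFY_KEY + key + "]" for key in self.notify_keys]
        return "\n".join(out) + "\n"


def build_cfscript(hjt_log: str) -> CFScript:
    """Walk a HijackThis log and collect the entries the heuristics flag."""
    script = CFScript()
    for line in hjt_log.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            path = m["path"]
            if MISSING in path or RANDOM_DLL_RE.search(path):
                script.bho_clsids.append(m["clsid"])
                if MISSING not in path:          # nothing on disk to delete for a missing file
                    script.files.append(path)
        elif m := O4_RE.match(line):
            dll = QUOTED_DLL_RE.search(m["cmd"])
            if HEX_VALUE_RE.match(m["value"]) or (dll and RANDOM_DLL_RE.search(dll.group(1))):
                script.run_values.append(m["value"])
                if dll:
                    script.files.append(dll.group(1))
        elif m := O20_RE.match(line):
            path = m["path"]
            if MISSING in path or path.endswith("\\"):   # missing DLL, or a path cut off at a folder
                script.notify_keys.append(m["key"])
    return script


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_HJT_LOG).render(), end="")
```

The thread's long File:: list also drew on the ComboFix report, so this reproduces the Registry:: half of HJThis's script plus only the two DLLs the HijackThis log itself names.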
jennifer234
Wow, that was some list that you had me dump into ComboFix. As bad as it looked?

I think I did those tasks correctly.

Avast flashed me twice that I had the Win32 Virtumonde virus while ComboFix was doing its thing. I applied "no action" to Avast's find.

Here are my new lists. Many thanks.

ComboFix 07-11-19.4C - David Miloy 2007-11-30 20:46:07.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.275 [GMT -6:00]
Running from: C:\Documents and Settings\David Miloy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\David Miloy\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\frexup2.exe
C:\WINDOWS\SYSTEM32\bcvgyjdh.ini
C:\WINDOWS\SYSTEM32\bxyluqml.ini
C:\WINDOWS\SYSTEM32\byrqfqct.dll
C:\WINDOWS\SYSTEM32\cgndsdtr.ini
C:\WINDOWS\SYSTEM32\cgplsegi.ini
C:\WINDOWS\SYSTEM32\cknpbgvs.dll
C:\WINDOWS\SYSTEM32\cnjhsbjs.dll
C:\WINDOWS\SYSTEM32\cyuracvd.dll
C:\WINDOWS\SYSTEM32\ddvwgmtt.ini
C:\WINDOWS\SYSTEM32\eeopusiu.dll
C:\WINDOWS\SYSTEM32\ehorwsyb.ini
C:\WINDOWS\SYSTEM32\elgdqthr.ini
C:\WINDOWS\SYSTEM32\enncykgj.ini
C:\WINDOWS\SYSTEM32\enwfagmm.dll
C:\WINDOWS\SYSTEM32\faaixvtd.dll
C:\WINDOWS\SYSTEM32\ffexmxqw.dll
C:\WINDOWS\SYSTEM32\flskjjny.ini
C:\WINDOWS\SYSTEM32\ftcvgwth.dll
C:\WINDOWS\SYSTEM32\ftdaudne.ini
C:\WINDOWS\SYSTEM32\fxcdbrbr.ini
C:\WINDOWS\SYSTEM32\fxrbgfiw.ini
C:\WINDOWS\SYSTEM32\geuflfjb.ini
C:\WINDOWS\SYSTEM32\gmpdoaou.ini
C:\WINDOWS\SYSTEM32\gohpkejw.ini
C:\WINDOWS\SYSTEM32\gvugfade.ini
C:\WINDOWS\SYSTEM32\gvygqkfo.ini
C:\WINDOWS\SYSTEM32\gwuoopao.ini
C:\WINDOWS\SYSTEM32\haskhybj.dll
C:\WINDOWS\SYSTEM32\hefacclx.dll
C:\WINDOWS\SYSTEM32\hjjmdniq.ini
C:\WINDOWS\SYSTEM32\hlbfrvds.dll
C:\WINDOWS\SYSTEM32\hylndfhy.ini
C:\WINDOWS\SYSTEM32\imafsmcr.dll
C:\WINDOWS\SYSTEM32\imircynv.dll
C:\WINDOWS\SYSTEM32\ioylfafn.ini
C:\WINDOWS\SYSTEM32\jepeudhi.dll
C:\WINDOWS\SYSTEM32\jkgbgnhw.ini
C:\WINDOWS\SYSTEM32\jkllm.bak1
C:\WINDOWS\SYSTEM32\jkllm.bak2
C:\WINDOWS\SYSTEM32\jktchpkd.ini
C:\WINDOWS\SYSTEM32\jmpxlrxb.ini
C:\WINDOWS\SYSTEM32\jstvdbpq.ini
C:\WINDOWS\SYSTEM32\kgvxefxm.ini
C:\WINDOWS\SYSTEM32\kwshddov.ini
C:\WINDOWS\SYSTEM32\kwspuihb.ini
C:\WINDOWS\SYSTEM32\kxdhtjpg.dll
C:\WINDOWS\SYSTEM32\ligbacvb.ini
C:\WINDOWS\SYSTEM32\lwwllanw.ini
C:\WINDOWS\SYSTEM32\mhhphvlx.dll
C:\WINDOWS\SYSTEM32\mibnbeng.ini
C:\WINDOWS\SYSTEM32\nesjxxak.ini
C:\WINDOWS\SYSTEM32\ngapbbmg.dll
C:\WINDOWS\SYSTEM32\nocynnpd.dll
C:\WINDOWS\SYSTEM32\oghdsgjn.ini
C:\WINDOWS\SYSTEM32\ohnjbwdb.ini
C:\WINDOWS\SYSTEM32\ojbdomsx.ini
C:\WINDOWS\SYSTEM32\oshiwajq.dll
C:\WINDOWS\SYSTEM32\otjferug.dll
C:\WINDOWS\SYSTEM32\qrydeiuy.dll
C:\WINDOWS\SYSTEM32\sroisojc.ini
C:\WINDOWS\SYSTEM32\sxmjaqsc.ini
C:\WINDOWS\SYSTEM32\tdqlkflt.ini
C:\WINDOWS\SYSTEM32\tmp.reg
C:\WINDOWS\SYSTEM32\twhlgdmc.ini
C:\WINDOWS\SYSTEM32\tyoeukhn.ini
C:\WINDOWS\SYSTEM32\uakinxxy.ini
C:\WINDOWS\SYSTEM32\uglbmvcw.ini
C:\WINDOWS\SYSTEM32\uhfpkvhq.ini
C:\WINDOWS\SYSTEM32\uldwslbr.dll
C:\WINDOWS\SYSTEM32\umhamqna.ini
C:\WINDOWS\SYSTEM32\utiobybi.dll
C:\WINDOWS\SYSTEM32\uvbyhcfr.dll
C:\WINDOWS\SYSTEM32\vepygiec.dll
C:\WINDOWS\SYSTEM32\vgrnjghk.dll
C:\WINDOWS\SYSTEM32\vrjqkuly.ini
C:\WINDOWS\SYSTEM32\wephjbxc.dll
C:\WINDOWS\SYSTEM32\wjekphog.dll
C:\WINDOWS\SYSTEM32\wlakoryg.dll
C:\WINDOWS\SYSTEM32\wpamwber.ini
C:\WINDOWS\SYSTEM32\wycusbmd.dll
C:\WINDOWS\SYSTEM32\xkemiqqc.dll
C:\WINDOWS\SYSTEM32\xlvkkxyd.ini
C:\WINDOWS\SYSTEM32\xsivihfu.ini
C:\WINDOWS\SYSTEM32\xvtclwkv.ini
C:\WINDOWS\SYSTEM32\ybbqybvy.dll
C:\WINDOWS\SYSTEM32\yccaeews.dll
C:\WINDOWS\SYSTEM32\ywojmixc.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\frexup2.exe
C:\WINDOWS\SYSTEM32\bcvgyjdh.ini
C:\WINDOWS\SYSTEM32\bxyluqml.ini
C:\WINDOWS\SYSTEM32\byrqfqct.dll
C:\WINDOWS\SYSTEM32\cgndsdtr.ini
C:\WINDOWS\SYSTEM32\cgplsegi.ini
C:\WINDOWS\SYSTEM32\cknpbgvs.dll
C:\WINDOWS\SYSTEM32\cnjhsbjs.dll
C:\WINDOWS\SYSTEM32\cyuracvd.dll
C:\WINDOWS\SYSTEM32\ddvwgmtt.ini
C:\WINDOWS\SYSTEM32\eeopusiu.dll
C:\WINDOWS\SYSTEM32\ehorwsyb.ini
C:\WINDOWS\SYSTEM32\elgdqthr.ini
C:\WINDOWS\SYSTEM32\enncykgj.ini
C:\WINDOWS\SYSTEM32\enwfagmm.dll
C:\WINDOWS\SYSTEM32\faaixvtd.dll
C:\WINDOWS\SYSTEM32\ffexmxqw.dll
C:\WINDOWS\SYSTEM32\flskjjny.ini
C:\WINDOWS\SYSTEM32\ftcvgwth.dll
C:\WINDOWS\SYSTEM32\ftdaudne.ini
C:\WINDOWS\SYSTEM32\fxcdbrbr.ini
C:\WINDOWS\SYSTEM32\fxrbgfiw.ini
C:\WINDOWS\SYSTEM32\geuflfjb.ini
C:\WINDOWS\SYSTEM32\gmpdoaou.ini
C:\WINDOWS\SYSTEM32\gohpkejw.ini
C:\WINDOWS\SYSTEM32\gvugfade.ini
C:\WINDOWS\SYSTEM32\gvygqkfo.ini
C:\WINDOWS\SYSTEM32\gwuoopao.ini
C:\WINDOWS\SYSTEM32\haskhybj.dll
C:\WINDOWS\SYSTEM32\hefacclx.dll
C:\WINDOWS\SYSTEM32\hjjmdniq.ini
C:\WINDOWS\SYSTEM32\hlbfrvds.dll
C:\WINDOWS\SYSTEM32\hylndfhy.ini
C:\WINDOWS\SYSTEM32\imafsmcr.dll
C:\WINDOWS\SYSTEM32\imircynv.dll
C:\WINDOWS\SYSTEM32\ioylfafn.ini
C:\WINDOWS\SYSTEM32\jepeudhi.dll
C:\WINDOWS\SYSTEM32\jkgbgnhw.ini
C:\WINDOWS\SYSTEM32\jkllm.bak1
C:\WINDOWS\SYSTEM32\jkllm.bak2
C:\WINDOWS\SYSTEM32\jktchpkd.ini
C:\WINDOWS\SYSTEM32\jmpxlrxb.ini
C:\WINDOWS\SYSTEM32\jstvdbpq.ini
C:\WINDOWS\SYSTEM32\kgvxefxm.ini
C:\WINDOWS\SYSTEM32\kwshddov.ini
C:\WINDOWS\SYSTEM32\kwspuihb.ini
C:\WINDOWS\SYSTEM32\kxdhtjpg.dll
C:\WINDOWS\SYSTEM32\ligbacvb.ini
C:\WINDOWS\SYSTEM32\lwwllanw.ini
C:\WINDOWS\SYSTEM32\mhhphvlx.dll
C:\WINDOWS\SYSTEM32\mibnbeng.ini
C:\WINDOWS\SYSTEM32\nesjxxak.ini
C:\WINDOWS\SYSTEM32\ngapbbmg.dll
C:\WINDOWS\SYSTEM32\nocynnpd.dll
C:\WINDOWS\SYSTEM32\oghdsgjn.ini
C:\WINDOWS\SYSTEM32\ohnjbwdb.ini
C:\WINDOWS\SYSTEM32\ojbdomsx.ini
C:\WINDOWS\SYSTEM32\oshiwajq.dll
C:\WINDOWS\SYSTEM32\otjferug.dll
C:\WINDOWS\SYSTEM32\qrydeiuy.dll
C:\WINDOWS\SYSTEM32\sroisojc.ini
C:\WINDOWS\SYSTEM32\sxmjaqsc.ini
C:\WINDOWS\SYSTEM32\tdqlkflt.ini
C:\WINDOWS\SYSTEM32\tmp.reg
C:\WINDOWS\SYSTEM32\twhlgdmc.ini
C:\WINDOWS\SYSTEM32\tyoeukhn.ini
C:\WINDOWS\SYSTEM32\uakinxxy.ini
C:\WINDOWS\SYSTEM32\uglbmvcw.ini
C:\WINDOWS\SYSTEM32\uhfpkvhq.ini
C:\WINDOWS\SYSTEM32\uldwslbr.dll
C:\WINDOWS\SYSTEM32\umhamqna.ini
C:\WINDOWS\SYSTEM32\utiobybi.dll
C:\WINDOWS\SYSTEM32\uvbyhcfr.dll
C:\WINDOWS\SYSTEM32\vepygiec.dll
C:\WINDOWS\SYSTEM32\vgrnjghk.dll
C:\WINDOWS\SYSTEM32\vrjqkuly.ini
C:\WINDOWS\SYSTEM32\wephjbxc.dll
C:\WINDOWS\SYSTEM32\wjekphog.dll
C:\WINDOWS\SYSTEM32\wlakoryg.dll
C:\WINDOWS\SYSTEM32\wpamwber.ini
C:\WINDOWS\SYSTEM32\wycusbmd.dll
C:\WINDOWS\SYSTEM32\xkemiqqc.dll
C:\WINDOWS\SYSTEM32\xlvkkxyd.ini
C:\WINDOWS\SYSTEM32\xsivihfu.ini
C:\WINDOWS\SYSTEM32\xvtclwkv.ini
C:\WINDOWS\SYSTEM32\ybbqybvy.dll
C:\WINDOWS\SYSTEM32\yccaeews.dll
C:\WINDOWS\SYSTEM32\ywojmixc.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-01 to 2007-12-01 )))))))))))))))))))))))))))))))
.

2007-11-30 20:40 63,732,942 --a------ C:\registrybackup.reg
2007-11-28 16:02 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-28 13:58 <DIR> d-------- C:\Deckard
2007-11-23 11:23 <DIR> d-------- C:\VundoFix Backups
2007-11-23 10:53 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-28 19:09 --------- d-----w C:\Program Files\Spyware Doctor
2007-11-23 18:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-23 18:51 --------- d-----w C:\Program Files\Dell
2007-11-23 14:09 --------- d-----w C:\Program Files\XoftSpySE
2007-11-18 18:23 --------- d-----w C:\Documents and Settings\David Miloy\Application Data\dvdcss
2007-11-13 23:10 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-11-12 21:06 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-30 16:06 --------- d-----w C:\Program Files\RegCure
2007-10-25 13:54 --------- d-----w C:\Program Files\TOPO!
2007-10-23 15:02 --------- d-----w C:\Program Files\QuickTime
2007-10-16 21:53 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-16 19:45 --------- d-----w C:\Program Files\Dell TrueMobile 5100
2007-10-16 19:45 --------- d-----w C:\Program Files\Common Files\Paltalk
2007-10-09 20:36 --------- d-----w C:\Program Files\CCleaner
2007-10-04 22:11 29,000 ----a-w C:\WINDOWS\system32\drivers\kcom.sys
2007-10-04 22:10 79,688 ----a-w C:\WINDOWS\system32\drivers\iksyssec.sys
2007-10-04 22:10 62,280 ----a-w C:\WINDOWS\system32\drivers\iksysflt.sys
2007-10-04 22:10 41,288 ----a-w C:\WINDOWS\system32\drivers\ikfilesec.sys
2006-12-09 17:48 107,257,856 -c--a-w C:\Program Files\GNC400_Trainer_5.01.exe
2006-12-05 03:34 8,282,187 -c--a-w C:\Program Files\vlc-0.8.5-win32.exe
2006-11-29 02:38 12,343,168 -c--a-w C:\Program Files\setupengpro.exe
2006-11-08 00:58 10,435,793 -c--a-w C:\Program Files\MP10Setup.exe
2006-10-10 17:30 1,439,644 -c--a-w C:\Program Files\TarasconPalm_41_125.zip
2006-10-10 17:17 5,523,284 -c--a-w C:\Program Files\TarasconPalm_OE_v02_02_09.exe
2006-10-06 17:39 16,141,867 -c--a-w C:\Program Files\PalmDesktopWin414EN.zip
2006-09-23 23:17 1,248,544 -c--a-w C:\Program Files\abasetup162.exe
2006-09-12 01:12 22,083,376 -c--a-w C:\Program Files\QuickTimeInstaller.exe
2006-09-02 14:49 13,951,112 -c--a-w C:\Program Files\MPSetup.exe
2006-09-02 14:42 1,416,944 -c--a-w C:\Program Files\WM9Codecs.exe
2006-09-02 04:43 15,030,904 -c--a-w C:\Program Files\DivXInstaller.exe
2006-06-29 03:19 26,904 -c--a-w C:\Documents and Settings\David Miloy\Application Data\GDIPFONTCACHEV1.DAT
2006-06-20 03:07 22 -c--a-w C:\Program Files\EMPG2_Dec_Strm_Pack_3_0.zip
2006-06-20 02:17 166,144 -c--a-w C:\Program Files\DECCHECKSetup.EXE
.

((((((((((((((((((((((((((((( snapshot@2007-11-28_18.57.12.92 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-29 00:37:44 54,010 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
+ 2007-11-30 23:25:28 54,010 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
- 2007-11-29 00:37:44 383,822 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2007-11-30 23:25:28 383,822 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2007-12-01 02:49:14 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_340.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 75,392 2007-04-18 16:13:25 C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe
----a-w 79,224 2007-09-06 10:06:09 C:\Program Files\Alwil Software\Avast4\ashDisp.exe

----a-w 327,680 2003-05-22 22:15:00 C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

----a-w 180,269 2006-07-19 01:17:13 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 110,592 2004-01-07 06:01:00 C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe

----a-w 282,624 2006-09-12 01:14:30 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\SYSTEM32\bak\ctfmon.exe

----a-w 28,672 2003-08-13 16:27:40 C:\WINDOWS\SYSTEM32\bak\DSentry.exe

----a-w 122,939 2004-08-13 06:05:00 C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 04:06]
"GPRSManager"="C:\Program Files\Dell TrueMobile 5100\GPRS Manager.exe" [2003-08-15 10:10]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-28 17:17 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"RegistryMechanic"="" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Togd"="C:\WINDOWS\System32\l?######.exe" [2004-08-04 01:56]

C:\Documents and Settings\David Miloy\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Palm\HOTSYNC.EXE [2004-04-13 16:03:10]
SonicWALL Global VPN Client.lnk - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVpnClient.exe [2005-10-31 07:14:39]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06]
PowerReg Scheduler.exe [2004-03-09 17:52:37]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-07-29 20:49:48]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

R1 RCFOX;SonicWALL IPsec Driver;\??\C:\WINDOWS\system32\Drivers\RCFOX.sys
R3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys
S3 afrhkwl;afrhkwl;\??\C:\WINDOWS\system32\fhyhsubc\afrhkwl
S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\CBTNDIS5.SYS
S3 kyushgc;kyushgc;\??\C:\WINDOWS\system32\tckt\kyushgc
S3 niuqajh;niuqajh;\??\C:\WINDOWS\system32\tnirvsta\niuqajh.sys
S3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM4.sys
S3 PNDIS5;PNDIS5 NDIS Protocol Driver;\??\D:\PNDIS5.SYS
S3 WPC300N;Linksys Wireless Notebook Adapter WPC300N Driver;C:\WINDOWS\system32\DRIVERS\WPC300Nv1.SYS

.
Contents of the 'Scheduled Tasks' folder
"2007-12-01 02:51:38 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2007-10-30 16:02:08 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2007-12-01 02:51:39 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2007-10-30 15:52:03 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-30 20:50:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-30 20:53:44 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-30 19:22
C:\ComboFix3.txt ... 2007-11-28 19:00
.
--- E O F ---


---------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:33 PM, on 11/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Dell TrueMobile 5100\GPRS Manager.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GPRSManager] "C:\Program Files\Dell TrueMobile 5100\GPRS Manager.exe" -startup
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Togd] C:\WINDOWS\System32\l?######.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Togd] C:\WINDOWS\System32\l?######.exe (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: SonicWALL Global VPN Client.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: *.meditech.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192567340986
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup162.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 4688 bytes
HJThis
Hi jennifer234

First make sure that you have your virus scanner up and running now. There are some files here I would like to have looked at.

Please submit the following files for analysis.

Jotti File Submission:

1. Please go to Jotti's malware scan.
2. Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
   C:\WINDOWS\system32\tnirvsta\niuqajh.sys
   C:\WINDOWS\System32\l?######.exe
3. Click on the submit button.
4. Please post the results in your next reply.

Please note that if you are submitting more than one file they will have to be entered one at a time.


======================

And what, if anything, can you tell me about these folders here --->
C:\WINDOWS\system32\fhyhsubc\afrhkwl
C:\WINDOWS\system32\tckt\kyushgc

Gogo
jennifer234
'The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file'

I didn't get far with those two links.

I don't know what those files are. I couldn't find them, but they're not anything that I know about.
HJThis
Hey jennifer234

Hmm, OK, let's go after these here using this tool. As for that last file, let it be for now. After running this next tool, tell me how the PC is doing.

Now download The Avenger by Swandog46, and save it to your Desktop.

Extract avenger.exe from the Zip file and save it to your desktop
Run avenger.exe by double-clicking on it.
Check the 'Input script manually' box.
Click on the magnifying glass icon.
Copy everything in the Quote box below, and paste it in the box that opens:

QUOTE
Folders to delete:
C:\WINDOWS\system32\tnirvsta
C:\WINDOWS\system32\fhyhsubc
C:\WINDOWS\system32\tckt


Now click the 'Done' button.
Click on the traffic light icon and OK the prompt.
You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
A log file from Avenger will be produced at C:\avenger.txt

===================

Again, tell me how the PC is doing now.

Gogo
jennifer234
Hi,

Thanks. The computer is running much better and NO pop-ups!

Here is the avenger.txt log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gifmltap

*******************

Script file located at: \??\C:\Program Files\akdkptga.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Folder C:\WINDOWS\system32\tnirvsta not found!
Deletion of folder C:\WINDOWS\system32\tnirvsta failed!

Could not process line:
C:\WINDOWS\system32\tnirvsta
Status: 0xc0000034



Folder C:\WINDOWS\system32\fhyhsubc not found!
Deletion of folder C:\WINDOWS\system32\fhyhsubc failed!

Could not process line:
C:\WINDOWS\system32\fhyhsubc
Status: 0xc0000034



Folder C:\WINDOWS\system32\tckt not found!
Deletion of folder C:\WINDOWS\system32\tckt failed!

Could not process line:
C:\WINDOWS\system32\tckt
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.
HJThis
Hey jennifer234

OK, it's cool for now! There are just one or two files I will have looked at, but how is the PC? Do you feel things are better now, or the same?

Gogo
jennifer234
The computer is running much better and faster. Thank you.

I have this desire to run some software to see if they still pick up any leftover files. I probably just feel that way because I've been trying to clean the computer for about 6 weeks.

I will post again if i have more problems.

If you feel comfortable, please email me your mailing address to and i'll send you a little thank you gift. My guess is that you are volunteering your time. Thanks!

Sorry, I removed your e-mail; not a good thing to do out in the open.
jennifer234
I just ran Ad-Aware SE and still have windownloader. Here's the file... URG!

Ad-Aware SE Build 1.06r1
Logfile Created on:Friday, November 30, 2007 11:02:24 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R206 28.11.2007
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):9 total references
Tracking Cookie(TAC index:3):34 total references
Win32.Trojandownloader.Zlob(TAC index:10):2 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


11-30-2007 11:02:24 PM - Scan started. (Smart mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 752
ThreadCreationTime : 12-1-2007 4:35:59 AM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 800
ThreadCreationTime : 12-1-2007 4:36:04 AM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 1428
ThreadCreationTime : 12-1-2007 4:36:07 AM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1472
ThreadCreationTime : 12-1-2007 4:36:11 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1488
ThreadCreationTime : 12-1-2007 4:36:11 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [ati2evxx.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1660
ThreadCreationTime : 12-1-2007 4:36:15 AM
BasePriority : Normal


#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1684
ThreadCreationTime : 12-1-2007 4:36:16 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1768
ThreadCreationTime : 12-1-2007 4:36:19 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1908
ThreadCreationTime : 12-1-2007 4:36:20 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 192
ThreadCreationTime : 12-1-2007 4:36:21 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 324
ThreadCreationTime : 12-1-2007 4:36:22 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:12 [aswupdsv.exe]
FilePath : C:\Program Files\Alwil Software\Avast4\
ProcessID : 660
ThreadCreationTime : 12-1-2007 4:36:24 AM
BasePriority : Normal
FileVersion : 4, 7, 1043, 0
ProductVersion : 4, 7, 0, 0
ProductName : avast! Antivirus
CompanyName : ALWIL Software
FileDescription : avast! Antivirus updating service
InternalName : aswUpdSv.exe
LegalCopyright : Copyright © 2007 ALWIL Software
OriginalFilename : aswUpdSv.exe

#:13 [ashserv.exe]
FilePath : C:\Program Files\Alwil Software\Avast4\
ProcessID : 912
ThreadCreationTime : 12-1-2007 4:36:27 AM
BasePriority : High
FileVersion : 4, 7, 1043, 0
ProductVersion : 4, 7, 0, 0
ProductName : avast! Antivirus
CompanyName : ALWIL Software
FileDescription : avast! antivirus service
InternalName : aswServ
LegalCopyright : Copyright © 2007 ALWIL Software
OriginalFilename : aswServ.exe

#:14 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1296
ThreadCreationTime : 12-1-2007 4:36:31 AM
BasePriority : Normal
FileVersion : 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234)
ProductVersion : 6.00.2900.3156
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:15 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2000
ThreadCreationTime : 12-1-2007 4:36:42 AM
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:16 [ashdisp.exe]
FilePath : C:\PROGRA~1\ALWILS~1\Avast4\
ProcessID : 444
ThreadCreationTime : 12-1-2007 4:36:56 AM
BasePriority : Normal
FileVersion : 4, 7, 1043, 0
ProductVersion : 4, 7, 0, 0
ProductName : avast! Antivirus
CompanyName : ALWIL Software
FileDescription : avast! service GUI component
InternalName : aswDisp
LegalCopyright : Copyright © 2007 ALWIL Software
OriginalFilename : aswDisp.exe

#:17 [gprs manager.exe]
FilePath : C:\Program Files\Dell TrueMobile 5100\
ProcessID : 496
ThreadCreationTime : 12-1-2007 4:36:58 AM
BasePriority : Normal
FileVersion : 2, 1, 0, 815
ProductVersion : 2, 1, 0, 815
ProductName : GPRS Manager
CompanyName : Dell Corporation
FileDescription : GPRS Manager
InternalName : GPRS Manager
LegalCopyright : Copyright © 2003
OriginalFilename : GC75 Manager.exe
Comments : Developed by Broadcom Corporation

#:18 [guard.exe]
FilePath : C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\
ProcessID : 612
ThreadCreationTime : 12-1-2007 4:37:03 AM
BasePriority : Normal
FileVersion : 7, 5, 1, 22
ProductVersion : 7, 5, 1, 22
ProductName : AVG Anti-Spyware
CompanyName : GRISOFT s.r.o.
FileDescription : AVG Anti-Spyware guard
InternalName : AVG Anti-Spyware guard
LegalCopyright : Copyright © 2007 GRISOFT s.r.o.
OriginalFilename : guard.exe

#:19 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\
ProcessID : 792
ThreadCreationTime : 12-1-2007 4:37:06 AM
BasePriority : Normal
FileVersion : 7.00.9466
ProductVersion : 7.00.9466
ProductName : Microsoft® Visual Studio .NET
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : mdm.exe

#:20 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 952
ThreadCreationTime : 12-1-2007 4:37:09 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:21 [wltrysvc.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1252
ThreadCreationTime : 12-1-2007 4:37:13 AM
BasePriority : Normal


#:22 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1268
ThreadCreationTime : 12-1-2007 4:37:14 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:23 [bcmwltry.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1152
ThreadCreationTime : 12-1-2007 4:37:16 AM
BasePriority : Normal
FileVersion : 3.20.23.0
ProductVersion : 3.20.23.0
ProductName : Wireless Network Tray Applet
CompanyName : Broadcom Corporation
FileDescription : Wireless Network Tray Applet
InternalName : bcmwltry.exe
LegalCopyright : 1998-2002, Broadcom Corporation All Rights Reserved.
OriginalFilename : bcmwltry.exe

#:24 [ashmaisv.exe]
FilePath : C:\Program Files\Alwil Software\Avast4\
ProcessID : 1080
ThreadCreationTime : 12-1-2007 4:38:04 AM
BasePriority : Normal


#:25 [ashwebsv.exe]
FilePath : C:\Program Files\Alwil Software\Avast4\
ProcessID : 944
ThreadCreationTime : 12-1-2007 4:38:05 AM
BasePriority : Normal


#:26 [rampartsvc.exe]
FilePath : C:\Program Files\SonicWALL\SonicWALL Global VPN Client\
ProcessID : 2700
ThreadCreationTime : 12-1-2007 4:38:08 AM
BasePriority : Normal
FileVersion : 2, 0, 0, 1
ProductVersion : 2, 0, 0, 1
ProductName : RampartSvc Module
CompanyName : SonicWALL, Inc.
FileDescription : RampartSvc Module
InternalName : RampartSvc
LegalCopyright : Copyright © 2002-2003 SonicWALL, Inc.
OriginalFilename : RampartSvc.EXE

#:27 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 3540
ThreadCreationTime : 12-1-2007 4:38:10 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:28 [wuauclt.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2176
ThreadCreationTime : 12-1-2007 4:38:40 AM
BasePriority : Normal


#:29 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 2864
ThreadCreationTime : 12-1-2007 5:01:59 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Win32.Trojandownloader.Zlob Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-4201666385-3808933256-4059771499-1008\software\microsoft\windows\currentversion\ext\stats\{11a69ae4-fbed-4832-a2bf-45af82825583}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 1


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david miloy@advertising[5].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:34
Value : Cookie:david miloy@advertising.com/
Expires : 11-28-2012 10:29:46 AM
LastSync : Hits:34
UseCount : 0
Hits : 34

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david miloy@ehg-esignal.hitbox[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:david miloy@ehg-esignal.hitbox.com/
Expires : 11-29-2008 1:31:06 AM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david miloy@bs.serving-sys[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:david miloy@bs.serving-sys.com/
Expires : 12-31-2037 4:00:00 PM
LastSync : Hits:4
UseCount : 0
Hits : 4

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david miloy@doubleclick[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:14
Value : Cookie:david miloy@doubleclick.net/
Expires : 11-27-2009 7:13:04 PM
LastSync : Hits:14
UseCount : 0
Hits : 14

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david miloy@zedo[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:18
Value : Cookie:david miloy@zedo.com/
Expires : 11-26-2017 8:28:18 AM
LastSync : Hits:18
UseCount : 0
Hits : 18

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david miloy@nasdaq.122.2o7[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:david miloy@nasdaq.122.2o7.net/
Expires : 11-28-2012 1:16:00 AM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david miloy@perf.overture[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:david miloy@perf.overture.com/
Expires : 11-28-2011 11:34:54 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david miloy@mediaplex[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:david miloy@mediaplex.com/
Expires : 6-21-2009 6:00:00 PM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david miloy@bluestreak[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:david miloy@bluestreak.com/
Expires : 11-27-2017 5:13:14 AM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david miloy@media.adrevolver[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:david miloy@media.adrevolver.com/
Expires : 8-29-2012 10:22:00 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david miloy@rotator.adjuggler[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:david miloy@rotator.adjuggler.com/
Expires : 11-25-2017 7:17:54 PM
LastSync : Hits:4
UseCount : 0
Hits : 4

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david miloy@overture[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:david miloy@overture.com/
Expires : 11-27-2017 1:41:40 AM
LastSync : Hits:4
UseCount : 0
Hits : 4

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david miloy@revsci[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:14
Value : Cookie:david miloy@revsci.net/
Expires : 11-25-2027 1:43:26 AM
LastSync : Hits:14
UseCount : 0
Hits : 14

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david miloy@serving-sys[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:8
Value : Cookie:david miloy@serving-sys.com/
Expires : 12-31-2037 4:00:00 PM
LastSync : Hits:8
UseCount : 0
Hits : 8

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david miloy@hitbox[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:david miloy@hitbox.com/
Expires : 11-29-2008 1:31:06 AM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david miloy@ad.yieldmanager[3].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:21
Value : Cookie:david miloy@ad.yieldmanager.com/
Expires : 11-29-2009 12:04:16 AM
LastSync : Hits:21
UseCount : 0
Hits : 21

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david miloy@specificclick[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:11
Value : Cookie:david miloy@specificclick.net/
Expires : 11-27-2017 10:13:24 AM
LastSync : Hits:11
UseCount : 0
Hits : 11

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david miloy@bidzcom.112.2o7[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:david miloy@bidzcom.112.2o7.net/
Expires : 11-27-2012 11:59:20 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david miloy@tacoda[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:67
Value : Cookie:david miloy@tacoda.net/
Expires : 11-29-2008 7:23:10 PM
LastSync : Hits:67
UseCount : 0
Hits : 67

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david miloy@atdmt[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:10
Value : Cookie:david miloy@atdmt.com/
Expires : 11-26-2012 6:00:00 PM
LastSync : Hits:10
UseCount : 0
Hits : 10

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david miloy@ads.pointroll[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:137
Value : Cookie:david miloy@ads.pointroll.com/
Expires : 12-31-2009 6:00:00 PM
LastSync : Hits:137
UseCount : 0
Hits : 137

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david miloy@questionmarket[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:36
Value : Cookie:david miloy@questionmarket.com/
Expires : 1-20-2009 2:14:06 AM
LastSync : Hits:36
UseCount : 0
Hits : 36

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david miloy@statse.webtrendslive[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:8
Value : Cookie:david miloy@statse.webtrendslive.com/
Expires : 11-27-2017 1:42:24 AM
LastSync : Hits:8
UseCount : 0
Hits : 8

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david miloy@insightexpressai[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:105
Value : Cookie:david miloy@insightexpressai.com/
Expires : 11-30-2012 6:00:00 AM
LastSync : Hits:105
UseCount : 0
Hits : 105

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david miloy@tribalfusion[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:20
Value : Cookie:david miloy@tribalfusion.com/
Expires : 11-29-2008 1:45:54 AM
LastSync : Hits:20
UseCount : 0
Hits : 20

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david miloy@adinterax[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:5
Value : Cookie:david miloy@adinterax.com/
Expires : 12-30-2015 6:00:00 PM
LastSync : Hits:5
UseCount : 0
Hits : 5

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david miloy@adserver[3].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:david miloy@ads.revsci.net/adserver
Expires : 11-22-2039 12:11:16 AM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david miloy@2o7[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:david miloy@2o7.net/
Expires : 11-27-2012 8:26:10 AM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david miloy@ad.yieldmanager[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\David Miloy\Cookies\david miloy@ad.yieldmanager[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david miloy@adserver[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\David Miloy\Cookies\david miloy@adserver[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david miloy@adserver[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\David Miloy\Cookies\david miloy@adserver[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david miloy@advertising[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\David Miloy\Cookies\david miloy@advertising[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david miloy@advertising[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\David Miloy\Cookies\david miloy@advertising[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david miloy@advertising[3].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\David Miloy\Cookies\david miloy@advertising[3].txt

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 34
Objects found so far: 35



Deep scanning and examining files...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 35

Disk Scan Result for C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 35

Disk Scan Result for C:\DOCUME~1\DAVIDM~1\LOCALS~1\Temp\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 35


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 35



MRU List Object Recognized!
Location: : C:\Documents and Settings\David Miloy\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-4201666385-3808933256-4059771499-1008\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-4201666385-3808933256-4059771499-1008\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant


MRU List Object Recognized!
Location: : S-1-5-21-4201666385-3808933256-4059771499-1008\software\microsoft\windows\currentversion\applets\wordpad\recent file list
Description : list of recent files opened using wordpad


MRU List Object Recognized!
Location: : S-1-5-21-4201666385-3808933256-4059771499-1008\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-4201666385-3808933256-4059771499-1008\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-4201666385-3808933256-4059771499-1008\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-4201666385-3808933256-4059771499-1008\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run



Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Win32.Trojandownloader.Zlob Object Recognized!
Type : File
Data : tracking.log
TAC Rating : 10
Category : Malware
Comment :
Object : c:\system volume information\



Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 45

11:04:26 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:02:02.426
Objects scanned:109445
Objects identified:36
Objects ignored:0
New critical objects:36

HJThis
Hi jennifer234

Yes, please make sure to restart any programs I had you disable. But please, before you go running anything, update them all first, then run full system scans. Tell me how it all goes or if you had any problems.

Gogo

P.S.

100% Right I'm volunteering and love it.

jennifer234
Hi,

Please see the post above your last. We were writing at the same time.

Ad-Aware SE found Win32 Downloader.... So frustrating, but it is running better. I guess it is still on the computer???
jennifer234
I just did a quick scan on Spyware Doctor; it found Trojan PWS.Tanspy. Let's hope it cleans it. After my experience with Virtumonde, I don't have much faith that it will actually be removed!
HJThis
Hi jennifer234

Let's run this tool.

* Download avz4en.zip from here
* Save it to your desktop and unzip it to a folder on your desktop
* Double click on AVZ.exe to run it.
* Choose from the menu "File" => "System Investigation"
* Close all windows except for AVZ
* Click on "Start" and save the report to your desktop.
* Let the scan run and click "No" on the right when it asks you if you want to view it.
* Upload the report you saved on your desktop onto this site in your next reply.

NOTE: Make sure to Attach this file.

Gogo
jennifer234
Avast just found Win32:SecBar-B
C:\System volume information\ restore {B38680B-2BA0A-4E5D-BF30-83 the rest is off the screen.

I got four notices of these that I deleted.

Then it found C:\\VundoFix Backups\oizlxds.dllbad


jennifer234
Shoot - found this in a deep scan with Ad-Aware SE

Using definitions file:SE1R206 28.11.2007
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):1 total references
Win32.Trojan.BHO(TAC index:10):2 total references
Win32.TrojanDownloader.Obfuscated(TAC index:10):3 total references
Win32.Trojandownloader.Zlob(TAC index:10):4 total references
Virtumonde(TAC index:10):5 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

I'm going to bed now and will check back tomorrow evening. Thank you again.
HJThis
Hi jennifer234

Those there are safe. One is your System Restore, which we will clean after you do what I asked in my last post. And the other is the VundoFix back-ups zip. Again, they will not do anything to the PC, so just let them be for now.

Gogo
jennifer234
Hi,


Upload failed. You are not permitted to upload this type of file

I ran AVZ, but I'm unable to attach the file. I'm doing something wrong.
HJThis
Hi jennifer234

Oh boy, it's not you; I can't seem to upload myself. Check your PM box. Not sure if what I'm about to do will work. OK, check your PM box.

Gogo
HJThis
Hey jennifer234

Hold on, just place it in a zip file; then you should be able to upload it here.

Gogo