Virus removal help


jinlord
12 Nov 2007, 08:03pm
I don't know what the name of my virus is, but it pops up in my taskbar, in the spot where it shows the time. It's a yellow triangle with a ! in the middle D:. It pops up and says I have a virus and tells me to click on the balloon. I don't click on it; I click on the triangle thing and it disappears, but it comes back after a few seconds. It also pops up some other virus alert stuff. I don't know how to remove it, can anyone help? (Tell me if I described it enough, or tell me if I need to show you my HijackThis log.)

Oh yeah, I forgot: every time I open my internet to my homepage it redirects me to a virus removal website =\

peku006
14 Nov 2007, 07:11pm
Hi jinlord and welcome to Icrontic Spyware & Virus Removal
Download HJTInstall.exe (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe) to your Desktop.
Double-click HJTInstall.exe to install it.
By default it will install to C:\Program Files\Trend Micro\HijackThis.
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Copy/Paste the log to your next reply please.
Don't use the Analyse This button, its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

jinlord
14 Nov 2007, 08:16pm
Hi peku006, thank you for replying to my thread, it's been so long D:.
I did what you said and here's my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:23:05 PM, on 14/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\WINDOWS\mrofinu572.exe
C:\Program Files\WinAble\winable.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Tmljaw\command.exe
C:\WINDOWS\system32\elkjfirl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\nsbhujkm.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [50da98e0] rundll32.exe "C:\WINDOWS\system32\qaritael.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin10USA.cab
O20 - AppInit_DLLs: hadjajr.ini
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Tmljaw\command.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\elkjfirl.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
--
End of file - 5761 bytes
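
As an added example, not part of this thread and not code from HijackThis or any of the tools named here, the script below parses a few lines copied from the log above and applies some simple review heuristics: services with no recorded publisher, any AppInit_DLLs value, Run values named with a bare hex string, and autostart executables sitting directly in the Windows folder. The rules and their wording are my own assumptions for illustration; they only prioritise what a human should look at, they do not decide what to remove.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: lines copied from the HijackThis log posted above,
# plus known-good Norton entries so the rules have something to leave alone.
SAMPLE_LOG = r"""
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [50da98e0] rundll32.exe "C:\WINDOWS\system32\qaritael.dll",b
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O20 - AppInit_DLLs: hadjajr.ini
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Tmljaw\command.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\elkjfirl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
"""


@dataclass
class Finding:
    code: str    # HijackThis section code, e.g. O23
    reason: str  # why the entry deserves a human look
    line: str    # the original log line


# Every HijackThis entry starts with a section code such as R0, O4, O23.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
# Run value whose name is just hex digits, like the [50da98e0] entry above.
HEX_RUN_KEY_RE = re.compile(r"^\[[0-9a-f]{8,}\] ", re.IGNORECASE)
# Executable placed directly under C:\WINDOWS rather than in a subfolder.
WINROOT_EXE_RE = re.compile(r"^C:\\WINDOWS\\[^\\\s]+\.exe\b", re.IGNORECASE)


def check_run_entry(body: str) -> Optional[str]:
    """O4 body looks like 'HKLM\\..\\Run: [name] command'."""
    _, _, cmd = body.partition(": ")
    if HEX_RUN_KEY_RE.match(cmd):
        return "Run value named with a bare hex string rather than a product name"
    _, _, target = cmd.partition("] ")
    if WINROOT_EXE_RE.match(target):
        return "autostart executable placed directly in the Windows folder"
    return None


def check_appinit(body: str) -> Optional[str]:
    """O20 body looks like 'AppInit_DLLs: value'."""
    label, _, value = body.partition(":")
    value = value.strip()
    if label != "AppInit_DLLs" or not value:
        return None
    reason = "AppInit_DLLs is set; that file is loaded into every process using user32.dll"
    if not value.lower().endswith(".dll"):
        reason += " and does not even carry a .dll name"
    return reason


def check_service(body: str) -> Optional[str]:
    """O23 body looks like 'Service: display (short) - owner - path'."""
    # An empty publisher shows up as two adjacent separators ("- -" once the
    # forum collapsed the double space); pad it so the split keeps the slot.
    parts = body.replace(" - - ", " -  - ").split(" - ")
    if len(parts) < 3:
        return None
    owner = parts[-2].strip()
    if owner in ("", "Unknown owner"):
        return "service with no publisher recorded"
    return None


CHECKS = {"O4": check_run_entry, "O20": check_appinit, "O23": check_service}


def triage(log_text: str) -> List[Finding]:
    """Return the entries a reviewer should look at first, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # process list, headers, '--', 'End of file'
        check = CHECKS.get(m.group("code"))
        if check is None:
            continue  # no rule for this section; a human still reads it
        reason = check(m.group("body"))
        if reason:
            findings.append(Finding(m.group("code"), reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.line}")
```

Note that the WinAble entry passes all four rules even though SDFix later removed it, which is exactly why a heuristic pass only orders the review and does not replace it.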

peku006
15 Nov 2007, 07:00am
Hi jinlord

Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.zip) (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

Please post the content of that report in your next reply.
----------------------------------------------------------------------------------------------------------------
Please download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) by AndyManchesta and save it to your desktop.

Double-click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix).

Please then reboot your computer into Safe Mode by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but just before the Windows icon appears, tap the F8 key continually.
Instead of Windows loading as normal, a menu with options should appear.
Select the first option, to run Windows in "Safe Mode", then press "Enter".
Choose your usual account.
Once in Safe Mode, please do the following:
Open the extracted folder and double-click RunThis.bat to start the script.
Type "Y" to begin the cleanup process.
It will remove any Trojan Services or Registry Entries found, then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process, then display "Finished", press any key to end the script and load your desktop icons.
Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Please download the ComboFix (http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe) by sUBs:

NOTE: In the event you already have ComboFix, this is a new version that you have to download.
Save it to your desktop.
Double-click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
Please do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.

After you have completed the above, please provide:
Report.txt
SmitfraudFix.report
Combofix.txt
new HijackThis log

jinlord
15 Nov 2007, 08:35pm
Hi again here is my SmitFraud log:

SmitFraudFix v2.253
Scan done at 15:40:33.21, 15/11/2007
Run from C:\Documents and Settings\Nick\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Tmljaw\command.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\WINDOWS\mrofinu572.exe
C:\Program Files\WinAble\winable.exe
C:\WINDOWS\system32\elkjfirl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
C:\WINDOWS\Tasks\At?.job FOUND !
C:\WINDOWS\Tasks\At??.job FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\vtr???.dll FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Nick

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Nick\Application Data
C:\Documents and Settings\Nick\Application Data\Install.dat FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Nick\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="hadjajr.ini"

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: D-Link AirPlus G DWL-G122 Wireless USB Adapter(rev.A2) #2 - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1
Description: D-Link AirPlus G DWL-G122 Wireless USB Adapter(rev.A2) #2 - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1
Description: D-Link AirPlus G DWL-G122 Wireless USB Adapter(rev.A2) #2 - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{6013B2D2-B0E7-4DDF-89F2-E7EADFE88DDF}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{911AD1F8-2BE7-4817-86D2-B667F0C87355}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{E9788ECE-4A5A-4C2A-825D-9A6D8F63D892}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{610B1665-BD37-4571-9E01-D685CF55FD23}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{6013B2D2-B0E7-4DDF-89F2-E7EADFE88DDF}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{911AD1F8-2BE7-4817-86D2-B667F0C87355}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{E9788ECE-4A5A-4C2A-825D-9A6D8F63D892}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{6013B2D2-B0E7-4DDF-89F2-E7EADFE88DDF}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{911AD1F8-2BE7-4817-86D2-B667F0C87355}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E9788ECE-4A5A-4C2A-825D-9A6D8F63D892}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

Now I'm gonna do the next step, please wait D:

jinlord
15 Nov 2007, 09:07pm
Here is the SDFix log:

SDFix: Version 1.114
Run by Nick on 15/11/2007 at 03:49 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\Nick\Desktop\Maple\SDFix
Safe Mode:
Checking Services:
Name:
cmdService
Network Monitor
Path:
C:\WINDOWS\Tmljaw\command.exe
C:\Program Files\Network Monitor\netmon.exe service
cmdService - Deleted
Network Monitor - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...

Normal Mode:
Checking Files:
Trojan Files Found:
C:\WINDOWS\Tmljaw\asappsrv.dll - Deleted
C:\WINDOWS\Tmljaw\command.exe - Deleted
C:\WINDOWS\Tmljaw\nA53uT.vbs - Deleted
C:\WINDOWS\system32\m2\rarndrll2.exe - Deleted
C:\WINDOWS\system32\o1\wr31drs.exe - Deleted
C:\WINDOWS\system32\v4\caws83122.exe - Deleted
C:\Program Files\WinAble\winable.exe - Deleted
C:\Program Files\Network Monitor\netmon.exe - Deleted
C:\Documents and Settings\Nick\Application Data\Install.dat - Deleted
C:\DOCUME~1\Nick\LOCALS~1\Temp\cmdinst.exe - Deleted
C:\DOCUME~1\Nick\LOCALS~1\Temp\removalfile.bat - Deleted
C:\WINDOWS\b104.exe - Deleted
C:\WINDOWS\b122.exe - Deleted
C:\WINDOWS\b128.exe - Deleted
C:\WINDOWS\b138.exe - Deleted
C:\WINDOWS\b147.exe - Deleted
C:\WINDOWS\mrofinu1000106.exe - Deleted
C:\WINDOWS\mrofinu572.exe - Deleted
C:\WINDOWS\system32\atmtd.dll - Deleted
C:\WINDOWS\system32\atmtd.dll._ - Deleted
C:\WINDOWS\system32\vtr.dll - Deleted
C:\WINDOWS\uninstall_nmon.vbs - Deleted

Folder C:\Program Files\Network Monitor - Removed
Folder C:\Program Files\Temporary - Removed
Folder C:\Program Files\WinAble - Removed
Folder C:\Temp\1cb - Removed
Folder C:\WINDOWS\system32\m2 - Removed
Folder C:\WINDOWS\system32\o1 - Removed
Folder C:\WINDOWS\system32\v4 - Removed
Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.


Final Check:
catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 16:08:01
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{71D1B179-60CC-24A1-F3C4-59F353586380}]
scanning hidden files ...
C:\Documents and Settings\Nick\Local Settings\Application Data\Microsoft\Messenger\m4pl3fr33k@hotmail.com\SharingMetadata\lazydude3@hotmail.com\DFSR\Staging\CS{A1725DA5-7CEE-146E-4793-13F553E2AB58}\01\10-{A1725DA5-7CEE-146E-4793-13F553E2AB58}-v1-{32929220-CE4F-4EFB-80DF-7101E1653E58}-v10-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 8 bytes hidden from API
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1

Remaining Services:
------------------

Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\LegacyGamers\\GunZ Online\\GunZLauncher.exe"="C:\\Program Files\\LegacyGamers\\GunZ Online\\GunZLauncher.exe:*:Disabled:Gunz"
"C:\\Program Files\\Symantec\\LiveUpdate\\LuComServer.EXE"="C:\\Program Files\\Symantec\\LiveUpdate\\LuComServer.EXE:*:Enabled:LiveUpdate Engine COM Module"
"C:\\Program Files\\LegacyGamers International Gaming Community\\LegacyGamers GunZ Online\\Gunz.exe"="C:\\Program Files\\LegacyGamers International Gaming Community\\LegacyGamers GunZ Online\\Gunz.exe:*:Enabled:Gunz"
"C:\\Nexon\\MapleStory\\MapleStory.exe"="C:\\Nexon\\MapleStory\\MapleStory.exe:*:Enabled:MapleStory"
"C:\\Nexon\\MapleStory\\Patcher.exe"="C:\\Nexon\\MapleStory\\Patcher.exe:*:Enabled:Patcher MFC ?? ????"
"C:\\Nexon\\MapleStory\\NewPatcher.exe"="C:\\Nexon\\MapleStory\\NewPatcher.exe:*:Enabled:Patcher MFC ?? ????"
"C:\\Program Files\\LegacyGamers\\LegacyGamers GunZ Online\\Gunz.exe"="C:\\Program Files\\LegacyGamers\\LegacyGamers GunZ Online\\Gunz.exe:*:Enabled:Gunz"
"C:\\Program Files\\LegacyGamers\\LegacyGamers GunZ Online\\LegacyGamers.exe"="C:\\Program Files\\LegacyGamers\\LegacyGamers GunZ Online\\LegacyGamers.exe:*:Disabled:Gunz"
"C:\\Program Files\\GameFlier\\GhostOnline\\game.exe"="C:\\Program Files\\GameFlier\\GhostOnline\\game.exe:*:Enabled:game"
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"="C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe:*:Enabled:Nexon Game Manager"
"C:\\Nexon\\KartRider\\NMService.exe"="C:\\Nexon\\KartRider\\NMService.exe:*:Enabled:Nexon Messenger Core"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\WINDOWS\\system32\\elkjfirl.exe"="C:\\WINDOWS\\system32\\elk"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
Remaining Files:
---------------
File Backups: - C:\DOCUME~1\Nick\Desktop\Maple\SDFix\backups\backups.zip
Files with Hidden Attributes:
Mon 5 Nov 2007 286,899 ..SH. --- "C:\WINDOWS\system32\jlkkj.tmp"
Mon 29 Oct 2007 6,470 ..SH. --- "C:\WINDOWS\system32\jlkkj.bak1"
Thu 15 Nov 2007 291,398 ..SH. --- "C:\WINDOWS\system32\jlkkj.bak2"
Thu 15 Nov 2007 20,768 ..SH. --- "C:\WINDOWS\system32\nsbhujkm.dllbox"
Sun 10 Jun 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Nick\Local Settings\Temp\ico1.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Nick\Local Settings\Temp\ico2.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Nick\Local Settings\Temp\ico3.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Nick\Local Settings\Temp\ico4.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Nick\Local Settings\Temp\ico5.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Nick\Local Settings\Temp\ico8.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Nick\Local Settings\Temp\ico9.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Nick\Local Settings\Temp\icoA.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Nick\Local Settings\Temp\icoB.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Nick\Local Settings\Temp\icoC.tmp"
Finished!

jinlord
15 Nov 2007, 09:34pm
Well, the ComboFix thing had a problem at the end while making the log; it said the "SED" file is not found or something, but here's my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:40, on 2007-11-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\nsbhujkm.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [50da98e0] rundll32.exe "C:\WINDOWS\system32\ppsquikg.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin10USA.cab
O20 - AppInit_DLLs: hadjajr.ini
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
--
End of file - 4717 bytes

Oh, btw, the weird yellow triangle thing still isn't gone D:

peku006
16 Nov 2007, 08:29am
Hi jinlord

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.exe:
Select Option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process. If it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process. Please copy/paste the content of that report into your next reply.
WARNING: Running Option #2 on a non-infected computer will remove your Desktop background.


----------------------------------------------------------------------------------------------------------------------------
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
----------------------------------------------------------------------------------------------------------------------------
Delete combofix.exe from your desktop. Download & save a new copy to your desktop

Download combofix from
Link (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe)
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

After you have completed the above, please provide:
SmitfraudFix.report
C:\vundofix.txt
C:\Combofix.txt
new HijackThis log

jinlord
16 Nov 2007, 10:15pm
Hi peku006, here is my new SmitFraud log:

SmitFraudFix v2.253
Scan done at 5:13:08.48, 2007-11-16
Run from C:\Documents and Settings\Nick\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\Tasks\At?.job Deleted
C:\WINDOWS\Tasks\At??.job Deleted
»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{6013B2D2-B0E7-4DDF-89F2-E7EADFE88DDF}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{911AD1F8-2BE7-4817-86D2-B667F0C87355}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{E9788ECE-4A5A-4C2A-825D-9A6D8F63D892}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{610B1665-BD37-4571-9E01-D685CF55FD23}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{6013B2D2-B0E7-4DDF-89F2-E7EADFE88DDF}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{911AD1F8-2BE7-4817-86D2-B667F0C87355}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{E9788ECE-4A5A-4C2A-825D-9A6D8F63D892}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{6013B2D2-B0E7-4DDF-89F2-E7EADFE88DDF}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{911AD1F8-2BE7-4817-86D2-B667F0C87355}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E9788ECE-4A5A-4C2A-825D-9A6D8F63D892}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

Now please wait a bit more, I need to do the other steps.

jinlord
16 Nov 2007, 10:36pm
Here's my VundoFix log:

VundoFix V6.6.1
Checking Java version...
Sun Java not detected
Scan started at 05:24:03 2007-11-16
Listing files found while scanning....
C:\windows\system32\gebbcde.dll
C:\WINDOWS\system32\nsbhujkm.dll
Beginning removal...
Attempting to delete C:\windows\system32\gebbcde.dll
C:\windows\system32\gebbcde.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\nsbhujkm.dll
C:\WINDOWS\system32\nsbhujkm.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\gebbcde.dll
C:\windows\system32\gebbcde.dll Has been deleted!
Performing Repairs to the registry.
Done!

Now just the ComboFix and HJT log to go.

jinlord
16 Nov 2007, 11:18pm
Hello peku006, again the SED file was not found while running ComboFix, but there was a log for it. Here it is:

ComboFix 07-11-08.1 - Nick 2007-11-16 6:08:03.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.241 [GMT -5:00]
Running from: C:\Documents and Settings\Nick\Desktop\ComboFix.exe
.
Unable to gain System Privileges
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Nick\Favorites\Online Security Guide.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\ccbeg.bak1
C:\WINDOWS\system32\ccbeg.bak2
C:\WINDOWS\system32\ccbeg.ini
C:\WINDOWS\system32\ccbeg.ini2
C:\WINDOWS\system32\ccbeg.tmp
C:\WINDOWS\system32\gebcc.dll
C:\WINDOWS\system32\hnfqjntk.dllbox
C:\WINDOWS\system32\nsbhujkm.dllbox
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
C:\Documents and Settings\Nick\Application Data.\AVSystemCare
C:\Documents and Settings\Nick\Application Data.\AVSystemCare\avtasks.dat
C:\Documents and Settings\Nick\Application Data.\AVSystemCare\Logs\av.log
C:\Documents and Settings\Nick\Application Data.\AVSystemCare\Logs\ga6Support.log
C:\Documents and Settings\Nick\Application Data.\AVSystemCare\PGE.dat
C:\Documents and Settings\Nick\Application Data\APPATC~1
C:\Documents and Settings\Nick\Application Data\SCURIT~1
C:\Documents and Settings\Nick\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Nick\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Nick\Favorites\Online Security Guide.lnk
C:\UGA6P
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\elkjfirl.exe
C:\WINDOWS\system32\jkklj.dll
C:\WINDOWS\system32\jlkkj.bak1
C:\WINDOWS\system32\jlkkj.bak2
C:\WINDOWS\system32\jlkkj.ini
C:\WINDOWS\system32\jlkkj.ini2
C:\WINDOWS\system32\jlkkj.tmp
C:\WINDOWS\system32\joydxlxr.exe
C:\WINDOWS\system32\lmlxjqwl.dll
C:\WINDOWS\system32\nggobphm.exe
C:\WINDOWS\system32\nsbhujkm.dllbox
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rqkngtob.exe
C:\WINDOWS\system32\siljsuey.exe
C:\WINDOWS\system32\sxaavsmu.exe
C:\WINDOWS\system32\sysdl132.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
-------\DomainService

-------\LEGACY_DOMAINSERVICE
-------\DomainService

((((((((((((((((((((((((( Files Created from 2007-10-16 to 2007-11-16 )))))))))))))))))))))))))))))))
.
2007-11-16 05:50 85,056 --a------ C:\WINDOWS\system32\devtyxry.dll
2007-11-16 05:46 81,984 --a------ C:\WINDOWS\system32\fmgnhrmd.dll
2007-11-16 05:42 144,480 --a------ C:\WINDOWS\system32\hnfqjntk.dll
2007-11-16 05:41 144,480 --a------ C:\WINDOWS\system32\vbjyobmb.dll
2007-11-16 05:41 71,232 --a------ C:\WINDOWS\system32\fpqrcbvx.exe
2007-11-16 05:24 <DIR> d-------- C:\VundoFix Backups
2007-11-16 05:22 81,984 --a------ C:\WINDOWS\system32\dujfyjnx.dll
2007-11-16 05:20 71,232 --a------ C:\WINDOWS\system32\tlyltfye.exe
2007-11-16 03:23 81,984 --a------ C:\WINDOWS\system32\wufvkjxs.dll
2007-11-16 03:20 85,056 --a------ C:\WINDOWS\system32\kfgtkndd.dll
2007-11-16 03:14 71,232 --a------ C:\WINDOWS\system32\wilwvlhf.exe
2007-11-15 16:16 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-15 16:04 71,232 --a------ C:\WINDOWS\system32\acpbrdmw.exe
2007-11-15 15:48 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-15 15:40 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-15 15:40 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-15 15:30 16,324 --a------ C:\WINDOWS\system32\instdump.zip
2007-11-15 15:17 71,232 --a------ C:\WINDOWS\system32\gjbxnrti.exe
2007-11-15 04:50 79,936 --a------ C:\WINDOWS\system32\cwbeecpn.dll
2007-11-15 04:44 71,232 --a------ C:\WINDOWS\system32\vfabkhgm.exe
2007-11-14 20:31 184,320 --a------ C:\WINDOWS\system32\aH8QuNgy.dll
2007-11-14 20:13 71,232 --a------ C:\WINDOWS\system32\xtyxqcfj.exe
2007-11-14 17:16 71,232 --a------ C:\WINDOWS\system32\rwakukog.exe
2007-11-14 15:40 85,056 --a------ C:\WINDOWS\system32\eqmlgobv.dll
2007-11-14 15:38 71,232 --a------ C:\WINDOWS\system32\ccqjklym.exe
2007-11-14 15:22 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-14 15:18 71,232 --a------ C:\WINDOWS\system32\ecnjivgm.exe
2007-11-13 19:56 85,056 --a------ C:\WINDOWS\system32\nlmqmtky.dll
2007-11-13 19:50 71,232 --a------ C:\WINDOWS\system32\wxkxutpj.exe
2007-11-13 18:17 85,056 --a------ C:\WINDOWS\system32\ixtfpjqq.dll
2007-11-13 18:13 71,232 --a------ C:\WINDOWS\system32\mmuoxhph.exe
2007-11-13 15:17 71,232 --a------ C:\WINDOWS\system32\gotlvgdt.exe
2007-11-12 20:15 184,320 --a------ C:\WINDOWS\system32\M16Lc7vs.dll
2007-11-12 20:07 89,664 --a------ C:\WINDOWS\system32\kyxfhbpl.dll
2007-11-12 20:04 71,232 --a------ C:\WINDOWS\system32\bxlvsyjo.exe
2007-11-12 17:06 71,232 --a------ C:\WINDOWS\system32\wboqsqat.exe
2007-11-12 12:41 71,232 --a------ C:\WINDOWS\system32\xhvratle.exe
2007-11-12 12:11 <DIR> d-------- C:\WINDOWS\system32\rMa01yy
2007-11-12 12:10 <DIR> d-------- C:\Temp\abW9
2007-11-12 12:10 35,328 --a------ C:\WINDOWS\system32\mljklji.dll
2007-11-12 12:06 144,480 --a------ C:\WINDOWS\system32\ikdmoaco.dll
2007-11-12 12:00 71,232 --a------ C:\WINDOWS\system32\nrhjvoip.exe
2007-11-12 10:23 71,232 --a------ C:\WINDOWS\system32\etfprvfo.exe
2007-11-12 10:01 71,232 --a------ C:\WINDOWS\system32\pfvsnkaf.exe
2007-11-12 09:35 71,232 --a------ C:\WINDOWS\system32\bndbbhds.exe
2007-11-11 19:10 71,232 --a------ C:\WINDOWS\system32\bchdajyc.exe
2007-11-11 18:03 71,232 --a------ C:\WINDOWS\system32\ihuehoxi.exe
2007-11-11 17:30 88,128 --a------ C:\WINDOWS\system32\rvyrkbxk.dll
2007-11-11 17:25 71,232 --a------ C:\WINDOWS\system32\wiyvrawi.exe
2007-11-11 17:15 71,232 --a------ C:\WINDOWS\system32\kahfonla.exe
2007-11-11 15:16 88,128 --a------ C:\WINDOWS\system32\lbebrimt.dll
2007-11-11 15:14 71,232 --a------ C:\WINDOWS\system32\ntacqham.exe
2007-11-11 14:06 71,232 --a------ C:\WINDOWS\system32\seulsrso.exe
2007-11-11 10:46 71,232 --a------ C:\WINDOWS\system32\mhlfpyix.exe
2007-11-10 17:30 184,320 --a------ C:\WINDOWS\system32\smtPbiTI.dll
2007-11-10 17:20 71,232 --a------ C:\WINDOWS\system32\vhtrwtxd.exe
2007-11-10 14:34 71,232 --a------ C:\WINDOWS\system32\pndwxtmt.exe
2007-11-10 12:40 71,232 --a------ C:\WINDOWS\system32\bqcxefyd.exe
2007-11-10 12:22 71,232 --a------ C:\WINDOWS\system32\yhqdxfgp.exe
2007-11-10 12:14 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-10 12:12 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-10 09:31 71,232 --a------ C:\WINDOWS\system32\vqcxvvmg.exe
2007-11-09 15:18 71,232 --a------ C:\WINDOWS\system32\mcbrmyfh.exe
2007-11-08 15:15 71,232 --a------ C:\WINDOWS\system32\ysjtolre.exe
2007-11-07 20:40 35,328 --a------ C:\WINDOWS\system32\cbxwtrr.dll
2007-11-07 20:36 35,328 --a------ C:\WINDOWS\system32\iifdecc.dll
2007-11-07 20:27 71,232 --a------ C:\WINDOWS\system32\ylpgyare.exe
2007-11-07 19:49 71,232 --a------ C:\WINDOWS\system32\swojaywi.exe
2007-11-05 18:27 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-11-05 18:27 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-11-05 18:27 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-11-05 18:27 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-11-05 17:11 36,352 --a------ C:\WINDOWS\system32\iiiiiii.dll
2007-11-05 17:07 <DIR> d-------- C:\WINDOWS\Tmljaw
2007-11-05 17:07 <DIR> d-------- C:\WINDOWS\system32\Mz02r
2007-11-05 17:07 <DIR> d-------- C:\Temp\mZOr
2007-11-05 17:07 <DIR> d-------- C:\Temp
2007-11-05 17:07 36,352 --a------ C:\WINDOWS\system32\yayvvvt.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-15 00:38 --------- d-----w C:\Documents and Settings\Nick\Application Data\mIRC
2007-11-15 00:35 --------- d-----w C:\Program Files\mIRC
2007-11-09 20:28 27,200 ----a-w C:\WINDOWS\system32\65f475kH.exe
2007-10-19 12:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-12 20:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-12 20:03 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-12 20:03 --------- d-----w C:\Program Files\Bonjour
2007-10-12 19:43 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-10-04 19:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\NexonUS
.
((((((((((((((((((((((((((((( snapshot@2007-11-15_16.36.49.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-08 21:59:01 136,704 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-29 23:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
- 2007-11-15 21:07:10 40,108 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-16 10:46:00 40,108 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-15 21:07:10 311,912 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-16 10:46:01 311,912 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{55F7CA4F-0E86-4BF5-8543-980DEE13AE31}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
2007-11-14 20:31 184320 --a------ C:\WINDOWS\system32\aH8QuNgy.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{869a335d-ecc9-4ad8-8dd5-62d6e76d3037}]
2007-11-16 05:46 81984 --a------ C:\WINDOWS\system32\fmgnhrmd.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-16 05:42 144480 --a------ C:\WINDOWS\system32\hnfqjntk.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\hnfqjntk.dll [2007-11-16 05:42 144480]
[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 00:32]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 00:31]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 00:32]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 00:32]
"C-Media Mixer"="Mixer.exe" [2002-06-12 02:23 C:\WINDOWS\mixer.exe]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2004-11-19 08:15]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-10-22 12:42]
"NAV Agent"="C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe" [2001-08-16 16:52]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hnfqjntk]
hnfqjntk.dll 2007-11-16 05:42 144480 C:\WINDOWS\system32\hnfqjntk.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\gebcc.dll
R3 NPDriver;Norton Unerase Protection Driver;\??\C:\WINDOWS\system32\Drivers\NPDRIVER.SYS
S3 CEDRIVER53;CEDRIVER53;\??\C:\Program Files\Cheat Engine\dbk32.sys
S3 DADriv1;DADriv1;\??\C:\Nexon\MapleStory\Engine\DAK32.sys
S3 DragonZ1;DragonZ1;\??\C:\Documents and Settings\Nick\Desktop\dragonz\DragonZ.sys
S3 dump_wmimmc;dump_wmimmc;\??\C:\Nexon\MapleStory\GameGuard\dump_wmimmc.sys
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;\??\C:\Documents and Settings\Nick\Desktop\iLove HackPack\iLove HackPack\MoonLight_Engine_1083.3\IlvMoney1083.sys
S3 krdpdre;krdpdre;\??\C:\DOCUME~1\Nick\LOCALS~1\Temp\krdpdre.sys
S3 XDva031;XDva031;\??\C:\WINDOWS\system32\XDva031.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-06 13:24:57 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
"2007-10-12 21:39:50 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
"2007-11-16 08:30:02 C:\WINDOWS\Tasks\RegSweep Scheduled Scan.job"
- C:\Program Files\RegSweep\RegSweep.exe
"2007-11-16 11:20:42 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-16 06:20:21
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-16 6:24:21 - machine was rebooted
.
--- E O F ---

jinlord
16 Nov 2007, 11:20pm
And finally the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:27:39 AM, on 16/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {55F7CA4F-0E86-4BF5-8543-980DEE13AE31} - \
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\system32\aH8QuNgy.dll
O2 - BHO: {7303d67e-6d26-5dd8-8da4-9cced533a968} - {869a335d-ecc9-4ad8-8dd5-62d6e76d3037} - C:\WINDOWS\system32\fmgnhrmd.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\hnfqjntk.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\hnfqjntk.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin10USA.cab
O20 - Winlogon Notify: hnfqjntk - C:\WINDOWS\SYSTEM32\hnfqjntk.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
--
End of file - 5489 bytes

And still the yellow sign didn't get removed D: zomg getting mad

peku006
17 Nov 2007, 09:58am
Hi jinlord
Did you run ComboFix from a user account which has administrator rights?

IMPORTANT You must be logged onto an account with administrator privileges

Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):

O2 - BHO: (no name) - {55F7CA4F-0E86-4BF5-8543-980DEE13AE31} - \
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\system32\aH8QuNgy.dll
O2 - BHO: {7303d67e-6d26-5dd8-8da4-9cced533a968} - {869a335d-ecc9-4ad8-8dd5-62d6e76d3037} - C:\WINDOWS\system32\fmgnhrmd.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\hnfqjntk.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\hnfqjntk.dll
O20 - Winlogon Notify: hnfqjntk - C:\WINDOWS\SYSTEM32\hnfqjntk.dll

Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.
-----------------------------------------------------------------------------------------------------------------------------------------

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\devtyxry.dll
C:\WINDOWS\system32\fmgnhrmd.dll
C:\WINDOWS\system32\hnfqjntk.dll
C:\WINDOWS\system32\vbjyobmb.dll
C:\WINDOWS\system32\fpqrcbvx.exe
C:\WINDOWS\system32\dujfyjnx.dll
C:\WINDOWS\system32\tlyltfye.exe
C:\WINDOWS\system32\wufvkjxs.dll
C:\WINDOWS\system32\kfgtkndd.dll
C:\WINDOWS\system32\wilwvlhf.exe
C:\WINDOWS\system32\acpbrdmw.exe
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\gjbxnrti.exe
C:\WINDOWS\system32\cwbeecpn.dll
C:\WINDOWS\system32\vfabkhgm.exe
C:\WINDOWS\system32\aH8QuNgy.dll
C:\WINDOWS\system32\xtyxqcfj.exe
C:\WINDOWS\system32\rwakukog.exe
C:\WINDOWS\system32\eqmlgobv.dll
C:\WINDOWS\system32\ccqjklym.exe
C:\WINDOWS\system32\ecnjivgm.exe
C:\WINDOWS\system32\nlmqmtky.dll
C:\WINDOWS\system32\wxkxutpj.exe
C:\WINDOWS\system32\ixtfpjqq.dll
C:\WINDOWS\system32\mmuoxhph.exe
C:\WINDOWS\system32\gotlvgdt.exe
C:\WINDOWS\system32\M16Lc7vs.dll
C:\WINDOWS\system32\kyxfhbpl.dll
C:\WINDOWS\system32\bxlvsyjo.exe
C:\WINDOWS\system32\wboqsqat.exe
C:\WINDOWS\system32\xhvratle.exe
C:\WINDOWS\system32\mljklji.dll
C:\WINDOWS\system32\ikdmoaco.dll
C:\WINDOWS\system32\nrhjvoip.exe
C:\WINDOWS\system32\etfprvfo.exe
C:\WINDOWS\system32\pfvsnkaf.exe
C:\WINDOWS\system32\bndbbhds.exe
C:\WINDOWS\system32\bchdajyc.exe
C:\WINDOWS\system32\ihuehoxi.exe
C:\WINDOWS\system32\rvyrkbxk.dll
C:\WINDOWS\system32\wiyvrawi.exe
C:\WINDOWS\system32\kahfonla.exe
C:\WINDOWS\system32\lbebrimt.dll
C:\WINDOWS\system32\ntacqham.exe
C:\WINDOWS\system32\seulsrso.exe
C:\WINDOWS\system32\mhlfpyix.exe
C:\WINDOWS\system32\smtPbiTI.dll
C:\WINDOWS\system32\vhtrwtxd.exe
C:\WINDOWS\system32\pndwxtmt.exe
C:\WINDOWS\system32\bqcxefyd.exe
C:\WINDOWS\system32\yhqdxfgp.exe
C:\WINDOWS\system32\vqcxvvmg.exe
C:\WINDOWS\system32\mcbrmyfh.exe
C:\WINDOWS\system32\ysjtolre.exe
C:\WINDOWS\system32\cbxwtrr.dll
C:\WINDOWS\system32\iifdecc.dll
C:\WINDOWS\system32\ylpgyare.exe
C:\WINDOWS\system32\swojaywi.exe
C:\WINDOWS\system32\iiiiiii.dll
C:\WINDOWS\system32\yayvvvt.dll
C:\WINDOWS\system32\65f475kH.exe
C:\DOCUME~1\Nick\LOCALS~1\Temp\krdpdre.sys

Folder::
C:\WINDOWS\system32\rMa01yy
C:\Temp
C:\WINDOWS\Tmljaw
C:\WINDOWS\system32\Mz02r

Driver::
krdpdre

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{55F7CA4F-0E86-4BF5-8543-980DEE13AE31}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{869a335d-ecc9-4ad8-8dd5-62d6e76d3037}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hnfqjntk]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot),
-----------------------------------------------------------------------------------------------------------------------------------------

Download F-Secure Blacklight (fsbl.exe) to the desktop from here (ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe)

Open it and click Accept Agreement.
Click Scan.
After the scan is complete, click Next, then Exit.
It will create a log on the desktop named fsbl-xxxxxxx.log (the xxxxxxx will be the date and time of the scan)
Save the log to your desktop.

So in your next reply, please include the following:
Combofix.txt
fsbl.log
new HijackThis log
Please let me know how your pc is now.
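The fix list above singles out the O2/O3/O20 entries that point at freshly dropped DLLs in system32 and resets the LSA "Authentication Packages" value so that only msv1_0 remains. As an added example (not code from the thread, nor from HijackThis or ComboFix), this Python script applies the same two checks to the log lines posted above: it flags loading points that are orphaned, that live directly in system32, or that hook both the browser and winlogon, and it decodes the hex(7) value from the CFScript to confirm it leaves only msv1_0. The flagging heuristics, the helper names and the constructed "infected" value used in the test are this example's own assumptions.

```python
"""Triage of the HijackThis entries and the LSA value from the posts above.

Added example for this thread, not part of HijackThis, ComboFix or the forum
posts.  Sample lines are copied from the posted log; the flagging heuristics
are this example's own, and every hit still needs a human look.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the O2/O3/O20 lines from the log above.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {55F7CA4F-0E86-4BF5-8543-980DEE13AE31} - \
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\system32\aH8QuNgy.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\hnfqjntk.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\hnfqjntk.dll
O20 - Winlogon Notify: hnfqjntk - C:\WINDOWS\SYSTEM32\hnfqjntk.dll
""".strip("\n")

# "O2 - BHO: <name> - {CLSID} - <target>" and "O20 - Winlogon Notify: <name> - <target>"
ENTRY_RE = re.compile(
    r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<name>.*?) - "
    r"(?:(?P<clsid>\{[0-9A-Fa-f-]+\}) - )?(?P<target>.*)$"
)
BROWSER_SECTIONS = {"O2", "O3"}   # BHOs and IE toolbars
WINLOGON_NOTIFY = "O20"           # DLLs loaded into winlogon.exe at logon

def parse_hjt(text):
    """Return one dict per O2/O3/O20 line; other HijackThis sections are ignored."""
    wanted = BROWSER_SECTIONS | {WINLOGON_NOTIFY}
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m and m.group("section") in wanted:
            entries.append(m.groupdict())
    return entries

def _split_path(path):
    """Lower-cased (parent directory, file name) of a Windows path."""
    parent, _, name = path.replace("/", "\\").lower().rpartition("\\")
    return parent, name

def triage(text):
    """Map each flagged target (file name, or CLSID for orphans) to its reasons.

    ORPHAN        the file is gone: "(no file)" or a lone backslash
    SYSTEM32_BHO  BHO/toolbar DLL sitting directly in system32 (legitimate
                  ones normally live under Program Files)
    MULTI_HOOK    one DLL that is both a browser add-on and a Winlogon Notify
                  handler, the pattern hnfqjntk.dll shows in the log above
    """
    reasons = defaultdict(set)
    sections_by_file = defaultdict(set)
    for e in parse_hjt(text):
        target = e["target"].strip()
        if target in ("(no file)", "\\", ""):
            reasons[e["clsid"] or e["name"]].add("ORPHAN")
            continue
        parent, name = _split_path(target)
        sections_by_file[name].add(e["section"])
        if e["section"] in BROWSER_SECTIONS and parent.endswith("\\system32"):
            reasons[name].add("SYSTEM32_BHO")
    for name, secs in sections_by_file.items():
        if WINLOGON_NOTIFY in secs and secs & BROWSER_SECTIONS:
            reasons[name].add("MULTI_HOOK")
    return dict(reasons)

def decode_reg_multi_sz(value):
    """Decode a regedit-style "hex(7):.." REG_MULTI_SZ into its strings.

    The CFScript above uses ANSI bytes (REGEDIT4 style); UTF-16LE data, as written
    by "Windows Registry Editor Version 5.00" files, is recognised heuristically
    by its all-zero high bytes (an assumption of this example)."""
    hexpart = value.split(":", 1)[1]
    raw = bytes(int(b, 16) for b in hexpart.replace("\\", "").split(",") if b.strip())
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("latin-1")
    return [s for s in text.split("\0") if s]

def encode_reg_multi_sz(strings):
    """Inverse of decode_reg_multi_sz for ANSI (REGEDIT4-style) values."""
    raw = "".join(s + "\0" for s in strings).encode("latin-1") + b"\0"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)

def lsa_packages_are_default(value):
    """True when LSA "Authentication Packages" holds only the stock msv1_0 entry."""
    return decode_reg_multi_sz(value) == ["msv1_0"]

if __name__ == "__main__":
    for name, why in sorted(triage(SAMPLE_HJT).items()):
        print(f"{name:42s} {', '.join(sorted(why))}")
    print(decode_reg_multi_sz("hex(7):6d,73,76,31,5f,30,00,00"))   # ['msv1_0']
```

Run against the full HijackThis log, the same three rules pick out exactly the O2/O3/O20 lines the fix list above asks to check, while the Norton and Windows Live entries pass.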

jinlord
17 Nov 2007, 03:08pm
Hi peku006, here is the new ComboFix log:

ComboFix 07-11-08.1 - Nick 2007-11-16 21:55:02.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.231 [GMT -5:00]
Running from: C:\Documents and Settings\Nick\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Nick\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\DOCUME~1\Nick\LOCALS~1\Temp \krdpdre.sys
C:\WINDOWS\system32\65f475kH.exe
C:\WINDOWS\system32\acpbrdmw.exe
C:\WINDOWS\system32\aH8QuNgy.dll
C:\WINDOWS\system32\bchdajyc.exe
C:\WINDOWS\system32\bndbbhds.exe
C:\WINDOWS\system32\bqcxefyd.exe
C:\WINDOWS\system32\bxlvsyjo.exe
C:\WINDOWS\system32\cbxwtrr.dll
C:\WINDOWS\system32\ccqjklym.exe
C:\WINDOWS\system32\cwbeecpn.dll
C:\WINDOWS\system32\devtyxry.dll
C:\WINDOWS\system32\dujfyjnx.dll
C:\WINDOWS\system32\ecnjivgm.exe
C:\WINDOWS\system32\eqmlgobv.dll
C:\WINDOWS\system32\etfprvfo.exe
C:\WINDOWS\system32\fmgnhrmd.dll
C:\WINDOWS\system32\fpqrcbvx.exe
C:\WINDOWS\system32\gjbxnrti.exe
C:\WINDOWS\system32\gotlvgdt.exe
C:\WINDOWS\system32\hnfqjntk.dll
C:\WINDOWS\system32\ihuehoxi.exe
C:\WINDOWS\system32\iifdecc.dll
C:\WINDOWS\system32\iiiiiii.dll
C:\WINDOWS\system32\ikdmoaco.dll
C:\WINDOWS\system32\ixtfpjqq.dll
C:\WINDOWS\system32\kahfonla.exe
C:\WINDOWS\system32\kfgtkndd.dll
C:\WINDOWS\system32\kyxfhbpl.dll
C:\WINDOWS\system32\lbebrimt.dll
C:\WINDOWS\system32\M16Lc7vs.dll
C:\WINDOWS\system32\mcbrmyfh.exe
C:\WINDOWS\system32\mhlfpyix.exe
C:\WINDOWS\system32\mljklji.dll
C:\WINDOWS\system32\mmuoxhph.exe
C:\WINDOWS\system32\nlmqmtky.dll
C:\WINDOWS\system32\nrhjvoip.exe
C:\WINDOWS\system32\ntacqham.exe
C:\WINDOWS\system32\pfvsnkaf.exe
C:\WINDOWS\system32\pndwxtmt.exe
C:\WINDOWS\system32\rvyrkbxk.dll
C:\WINDOWS\system32\rwakukog.exe
C:\WINDOWS\system32\seulsrso.exe
C:\WINDOWS\system32\smtPbiTI.dll
C:\WINDOWS\system32\swojaywi.exe
C:\WINDOWS\system32\tlyltfye.exe
C:\WINDOWS\system32\vbjyobmb.dll
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\vfabkhgm.exe
C:\WINDOWS\system32\vhtrwtxd.exe
C:\WINDOWS\system32\vqcxvvmg.exe
C:\WINDOWS\system32\wboqsqat.exe
C:\WINDOWS\system32\wilwvlhf.exe
C:\WINDOWS\system32\wiyvrawi.exe
C:\WINDOWS\system32\wufvkjxs.dll
C:\WINDOWS\system32\wxkxutpj.exe
C:\WINDOWS\system32\xhvratle.exe
C:\WINDOWS\system32\xtyxqcfj.exe
C:\WINDOWS\system32\yayvvvt.dll
C:\WINDOWS\system32\yhqdxfgp.exe
C:\WINDOWS\system32\ylpgyare.exe
C:\WINDOWS\system32\ysjtolre.exe
.
Unable to gain System Privileges
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
C:\Documents and Settings\Nick\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Nick\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Nick\Favorites\Online Security Guide.lnk
C:\Program Files\ttx.exe
C:\Temp
C:\Temp\abW9\tOasF.log
C:\Temp\abW9\tPho.log
C:\Temp\mZOr\tOasF.log
C:\WINDOWS\system32\65f475kH.exe
C:\WINDOWS\system32\acpbrdmw.exe
C:\WINDOWS\system32\aH8QuNgy.dll
C:\WINDOWS\system32\bchdajyc.exe
C:\WINDOWS\system32\bndbbhds.exe
C:\WINDOWS\system32\bqcxefyd.exe
C:\WINDOWS\system32\bxlvsyjo.exe
C:\WINDOWS\system32\cbxwtrr.dll
C:\WINDOWS\system32\ccqjklym.exe
C:\WINDOWS\system32\cwbeecpn.dll
C:\WINDOWS\system32\ddcawxy.dll
C:\WINDOWS\system32\devtyxry.dll
C:\WINDOWS\system32\dujfyjnx.dll
C:\WINDOWS\system32\ecnjivgm.exe
C:\WINDOWS\system32\eqmlgobv.dll
C:\WINDOWS\system32\etfprvfo.exe
C:\WINDOWS\system32\fmgnhrmd.dll
C:\WINDOWS\system32\fpqrcbvx.exe
C:\WINDOWS\system32\gjbxnrti.exe
C:\WINDOWS\system32\gjkmp.bak1
C:\WINDOWS\system32\gjkmp.bak2
C:\WINDOWS\system32\gjkmp.ini
C:\WINDOWS\system32\gotlvgdt.exe
C:\WINDOWS\system32\hnfqjntk.dll
C:\WINDOWS\system32\hnfqjntk.dllbox
C:\WINDOWS\system32\ihuehoxi.exe
C:\WINDOWS\system32\iifdecc.dll
C:\WINDOWS\system32\iiiiiii.dll
C:\WINDOWS\system32\ikdmoaco.dll
C:\WINDOWS\system32\ixtfpjqq.dll
C:\WINDOWS\system32\kahfonla.exe
C:\WINDOWS\system32\kfgtkndd.dll
C:\WINDOWS\system32\kyxfhbpl.dll
C:\WINDOWS\system32\lbebrimt.dll
C:\WINDOWS\system32\M16Lc7vs.dll
C:\WINDOWS\system32\mcbrmyfh.exe
C:\WINDOWS\system32\mhlfpyix.exe
C:\WINDOWS\system32\mljklji.dll
C:\WINDOWS\system32\mmuoxhph.exe
C:\WINDOWS\system32\Mz02r
C:\WINDOWS\system32\Mz02r\Mz02r1065.exe
C:\WINDOWS\system32\nlmqmtky.dll
C:\WINDOWS\system32\nrhjvoip.exe
C:\WINDOWS\system32\ntacqham.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pfvsnkaf.exe
C:\WINDOWS\system32\pmkjg.dll
C:\WINDOWS\system32\pndwxtmt.exe
C:\WINDOWS\system32\rMa01yy
C:\WINDOWS\system32\rMa01yy\rMa01yy1065.exe
C:\WINDOWS\system32\rvyrkbxk.dll
C:\WINDOWS\system32\rwakukog.exe
C:\WINDOWS\system32\seulsrso.exe
C:\WINDOWS\system32\smtPbiTI.dll
C:\WINDOWS\system32\swojaywi.exe
C:\WINDOWS\system32\tlyltfye.exe
C:\WINDOWS\system32\vbjyobmb.dll
C:\WINDOWS\system32\vfabkhgm.exe
C:\WINDOWS\system32\vhtrwtxd.exe
C:\WINDOWS\system32\vqcxvvmg.exe
C:\WINDOWS\system32\wboqsqat.exe
C:\WINDOWS\system32\wilwvlhf.exe
C:\WINDOWS\system32\winnb58.dll
C:\WINDOWS\system32\wiyvrawi.exe
C:\WINDOWS\system32\wufvkjxs.dll
C:\WINDOWS\system32\wxkxutpj.exe
C:\WINDOWS\system32\xhvratle.exe
C:\WINDOWS\system32\xtyxqcfj.exe
C:\WINDOWS\system32\yayvvvt.dll
C:\WINDOWS\system32\yhqdxfgp.exe
C:\WINDOWS\system32\ylpgyare.exe
C:\WINDOWS\system32\ysjtolre.exe
C:\WINDOWS\Tmljaw
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_KRDPDRE
-------\DomainService
-------\krdpdre

((((((((((((((((((((((((( Files Created from 2007-10-17 to 2007-11-17 )))))))))))))))))))))))))))))))
.
2007-11-16 21:51 184,320 --a------ C:\WINDOWS\system32\wQv3B07G.dll
2007-11-16 21:47 82,496 --a------ C:\WINDOWS\system32\jlicfnth.dll
2007-11-16 21:41 85,056 --a------ C:\WINDOWS\system32\ucvvpnqc.dll
2007-11-16 21:39 71,232 --a------ C:\WINDOWS\system32\bmjdseop.exe
2007-11-16 07:27 <DIR> d--h----- C:\Program Files\InstallJammer Registry
2007-11-16 07:26 <DIR> d-------- C:\Program Files\Brittle Bullet - Private Gunz Server
2007-11-16 06:49 <DIR> d-------- C:\WINDOWS\system32\uu2
2007-11-16 06:49 <DIR> d-------- C:\WINDOWS\system32\rr2
2007-11-16 06:49 <DIR> d-------- C:\WINDOWS\system32\cc1
2007-11-16 05:24 <DIR> d-------- C:\VundoFix Backups
2007-11-15 16:16 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-15 15:48 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-15 15:30 16,324 --a------ C:\WINDOWS\system32\instdump.zip
2007-11-14 15:22 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-10 12:14 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-10 12:12 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-05 18:27 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-11-05 18:27 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-11-05 18:27 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-11-05 18:27 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-15 00:38 --------- d-----w C:\Documents and Settings\Nick\Application Data\mIRC
2007-11-15 00:35 --------- d-----w C:\Program Files\mIRC
2007-10-19 12:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-12 20:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-12 20:03 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-12 20:03 --------- d-----w C:\Program Files\Bonjour
2007-10-12 19:43 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-10-04 19:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\NexonUS
2007-08-02 13:43 282,624 ----a-w C:\Program Files\TTC.dll
.
((((((((((((((((((((((((((((( snapshot@2007-11-15_16.36.49.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-08 21:59:01 136,704 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-29 23:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
- 2007-11-15 20:48:29 3,207,168 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2007-11-16 12:04:45 3,235,840 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2007-11-15 20:48:29 81,920 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-11-16 12:04:45 81,920 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-08-14 22:22:50 25,105 ----a-w C:\WINDOWS\system32\cc1\dnslook11.exe
- 2007-11-15 21:07:10 40,108 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-17 02:42:42 40,108 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-15 21:07:10 311,912 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-17 02:42:42 311,912 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-15 11:32:34 9,814 ----a-w C:\WINDOWS\system32\rr2\bemwdll3.exe
- 2006-01-09 14:36:06 40,960 ----a-w C:\WINDOWS\system32\swsc.exe
+ 2006-11-29 22:21:29 370,688 ----a-w C:\WINDOWS\system32\swsc.exe
- 2006-12-01 10:20:34 79,360 ----a-w C:\WINDOWS\system32\swxcacls.exe
+ 2006-12-01 10:20:32 212,480 ----a-w C:\WINDOWS\system32\swxcacls.exe
+ 2007-08-03 01:44:02 169,147 ----a-w C:\WINDOWS\system32\uu2\mper83122.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9432f445-c71d-4573-95e8-deb6b26fe756}]
2007-11-16 21:47 82496 --a------ C:\WINDOWS\system32\jlicfnth.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"= C:\WINDOWS\system32\WinNB58.dll [ ]
[HKEY_CLASSES_ROOT\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}]
[HKEY_CLASSES_ROOT\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 00:32]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 00:31]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 00:32]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 00:32]
"C-Media Mixer"="Mixer.exe" [2002-06-12 02:23 C:\WINDOWS\mixer.exe]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2004-11-19 08:15]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-10-22 12:42]
"NAV Agent"="C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe" [2001-08-16 16:52]
"50da98e0"="C:\WINDOWS\system32\ucvvpnqc.dll" [2007-11-16 21:41]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmkjg.dll
R3 NPDriver;Norton Unerase Protection Driver;\??\C:\WINDOWS\system32\Drivers\NPDRIVER.SYS
S3 CEDRIVER53;CEDRIVER53;\??\C:\Program Files\Cheat Engine\dbk32.sys
S3 DADriv1;DADriv1;\??\C:\Nexon\MapleStory\Engine\DAK32.sys
S3 DragonZ1;DragonZ1;\??\C:\Documents and Settings\Nick\Desktop\dragonz\DragonZ.sys
S3 dump_wmimmc;dump_wmimmc;\??\C:\Nexon\MapleStory\GameGuard\dump_wmimmc.sys
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;\??\C:\Documents and Settings\Nick\Desktop\iLove HackPack\iLove HackPack\MoonLight_Engine_1083.3\IlvMoney1083.sys
S3 XDva031;XDva031;\??\C:\WINDOWS\system32\XDva031.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-06 13:24:57 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
"2007-10-12 21:39:50 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
"2007-11-16 08:30:02 C:\WINDOWS\Tasks\RegSweep Scheduled Scan.job"
- C:\Program Files\RegSweep\RegSweep.exe
"2007-11-17 03:12:13 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-16 22:12:27
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-16 22:13:58
C:\ComboFix2.txt ... 2007-11-16 06:24
.
--- E O F ---

jinlord
17 Nov 2007, 03:12pm
here is the fsbl log:

11/16/07 22:17:36 [Info]: BlackLight Engine 1.0.67 initialized
11/16/07 22:17:36 [Info]: OS: 5.1 build 2600 (Service Pack 2)
11/16/07 22:17:37 [Note]: 7019 4
11/16/07 22:17:37 [Note]: 7005 0
11/16/07 22:17:41 [Note]: 7006 0
11/16/07 22:17:41 [Note]: 7011 3548
11/16/07 22:17:42 [Note]: 7026 0
11/16/07 22:17:42 [Note]: 7026 0
11/16/07 22:17:49 [Note]: FSRAW library version 1.7.1024
11/16/07 22:19:55 [Note]: 7007 0

jinlord
17 Nov 2007, 03:14pm
My HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:53 PM, on 16/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {657ef62b-6bed-8e59-3754-d17c544f2349} - {9432f445-c71d-4573-95e8-deb6b26fe756} - C:\WINDOWS\system32\jlicfnth.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [50da98e0] rundll32.exe "C:\WINDOWS\system32\ucvvpnqc.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin10USA.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
--
End of file - 4899 bytes

And yeah, thank you so much peku006, the weird pop ups and the triangle thing are all gone and my computer is faster again! Once again thank you peku006, you're the greatest :D

peku006
17 Nov 2007, 04:08pm
Hi jinlord
Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):

O2 - BHO: {657ef62b-6bed-8e59-3754-d17c544f2349} - {9432f445-c71d-4573-95e8-deb6b26fe756} - C:\WINDOWS\system32\jlicfnth.dll
O4 - HKLM\..\Run: [50da98e0] rundll32.exe "C:\WINDOWS\system32\ucvvpnqc.dll",b
Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.
----------------------------------------------------------------------------------------------------------------------------------------------------
Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\wQv3B07G.dll
C:\WINDOWS\system32\jlicfnth.dll
C:\WINDOWS\system32\ucvvpnqc.dll
C:\WINDOWS\system32\bmjdseop.exe
C:\WINDOWS\system32\pmkjg.dll
C:\Program Files\Cheat Engine\dbk32.sys
C:\Nexon\MapleStory\GameGuard\dump_wmimmc.sys
C:\WINDOWS\system32\XDva031.sys

Folder::
C:\WINDOWS\system32\uu2
C:\WINDOWS\system32\rr2
C:\WINDOWS\system32\cc1

Driver::
CEDRIVER53
dump_wmimmc
XDva031

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9432f445-c71d-4573-95e8-deb6b26fe756}]
[-HKEY_CLASSES_ROOT\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}]
[-HKEY_CLASSES_ROOT\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"50da98e0"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot)
----------------------------------------------------------------------------------------------------------------------------------------------------
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.
----------------------------------------------------------------------------------------------------------------------------------------------------
Download AVG Anti-Spyware from HERE (http://www.ewido.net/en/download/) and save that file to your desktop. Note for AVG Free anti-virus users only: this is not the same program that you already have, this is an anti-spyware program.

When the trial period expires it becomes feature-limited freeware but is still worth keeping as a good on-demand scanner.
Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double click it to launch the set up program.
Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
Next select the "Start Update" button. The update will start and a progress bar will show the updates being installed.
Once the update has completed, select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do not run a scan just yet, we will run it in Safe Mode.
Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit Enter.

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning as it may interfere with the scanning process:
Launch AVG Anti-Spyware by double clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
AVG will now begin the scanning process. Please be patient as this may take a little time.
Once the scan is complete, do the following:
If you have any infections you will be prompted. Then select "Apply all actions."
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left-hand of the screen and save it to a text file on your system (make sure to remember where you saved that file. This is important).
Close AVG Anti-Spyware and reboot your system back into Normal Mode.

So in your next reply, please include the following:
Combofix.txt
AVG Anti-Spyware report
new HijackThis log
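As an added illustration, not part of the thread and not peku006's own tooling: a small Python triage helper that applies the two patterns called out above (a BHO whose name is a bare CLSID, and a Run value with a random hex name launching rundll32 on a system32 DLL) to HijackThis O2/O4 lines, and decodes the hex(7) value the Registry:: section writes to show that it leaves msv1_0 as the only LSA authentication package. The sample lines are copied from the logs in this thread; the rules are heuristics for review, not verdicts.

```python
import re

# Constructed sample: HijackThis lines copied from the logs in this thread
# (two clean entries and the two that peku006 asked to have fixed).
SAMPLE_HJT_LINES = [
    "O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - "
    "C:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\WindowsLiveLogin.dll",
    "O2 - BHO: {657ef62b-6bed-8e59-3754-d17c544f2349} - {9432f445-c71d-4573-95e8-deb6b26fe756} - "
    "C:\\WINDOWS\\system32\\jlicfnth.dll",
    "O4 - HKLM\\..\\Run: [NAV Agent] C:\\PROGRA~1\\NORTON~1\\NORTON~1\\navapw32.exe",
    "O4 - HKLM\\..\\Run: [50da98e0] rundll32.exe \"C:\\WINDOWS\\system32\\ucvvpnqc.dll\",b",
]

# The LSA line from the ComboFix log and the value the CFScript writes back.
COMBOFIX_LSA_LINE = '"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\pmkjg.dll'
CFSCRIPT_LSA_VALUE = "hex(7):6d,73,76,31,5f,30,00,00"

GUID_RE = re.compile(r"^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def triage_hjt(lines):
    """Return (line, reason) pairs for O2/O4 entries that match the heuristics."""
    findings = []
    for line in lines:
        m = O2_RE.match(line)
        if m:
            # A legitimate BHO carries a product name; malware often leaves a GUID.
            if GUID_RE.match(m.group("name")):
                findings.append((line, "BHO has a bare CLSID instead of a product name"))
            continue
        m = O4_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            if HEX_NAME_RE.match(name):
                findings.append((line, "Run value named with 8 random hex digits"))
            if cmd.lower().startswith("rundll32.exe") and "\\system32\\" in cmd.lower():
                findings.append((line, "rundll32.exe loading a DLL straight from system32 (review)"))
    return findings


def decode_reg_multi_sz(value):
    """Decode a .reg/CFScript REG_MULTI_SZ literal (hex(7):..) into its list of strings."""
    if not value.startswith("hex(7):"):
        raise ValueError("not a hex(7) REG_MULTI_SZ literal")
    raw = bytes(int(b, 16) for b in value[len("hex(7):"):].split(","))
    # REG_MULTI_SZ is a run of NUL-terminated strings closed by one extra NUL.
    return [s for s in raw.decode("latin-1").split("\x00") if s]


def parse_combofix_lsa(line):
    """Split ComboFix's rendering of the LSA value into its package entries (no spaces in paths assumed)."""
    _, _, rest = line.partition("= ")
    return rest.split()


def extra_authentication_packages(current, fixed):
    """Packages the current LSA value loads that the fixed value no longer lists."""
    return [p for p in current if p not in fixed]


if __name__ == "__main__":
    for line, reason in triage_hjt(SAMPLE_HJT_LINES):
        print(f"FLAG: {reason}\n      {line}")
    fixed = decode_reg_multi_sz(CFSCRIPT_LSA_VALUE)
    print("CFScript sets Authentication Packages to:", fixed)
    print("Dropped from LSA:", extra_authentication_packages(parse_combofix_lsa(COMBOFIX_LSA_LINE), fixed))
```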

jinlord
18 Nov 2007, 12:42am
Hi peku006!

Heres my CF log:

ComboFix 07-11-08.1 - Nick 2007-11-17 7:43:59.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.316 [GMT -5:00]
Running from: C:\Documents and Settings\Nick\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Nick\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\Nexon\MapleStory\Ga meGuard\dump_wmimmc.sys
C:\Program Files\Cheat Engine\dbk32.sys
C:\WINDOWS\system32\bmjdseop.exe
C:\WINDOWS\system32\jlicfnth.dll
C:\WINDOWS\system32\pmkjg.dll
C:\WINDOWS\system32\ucvvpnqc.dll
C:\WINDOWS\system32\wQv3B07G.dll
C:\WINDOWS\system32\XDva031.sys
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\bmjdseop.exe
C:\WINDOWS\system32\cc1
C:\WINDOWS\system32\cc1\dnslook11.exe
C:\WINDOWS\system32\rr2
C:\WINDOWS\system32\rr2\bemwdll3.exe
C:\WINDOWS\system32\ucvvpnqc.dll
C:\WINDOWS\system32\uu2
C:\WINDOWS\system32\uu2\mper83122.exe
C:\WINDOWS\system32\wQv3B07G.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_CEDRIVER53
-------\LEGACY_DUMP_WMIMMC
-------\LEGACY_XDVA031
-------\CEDRIVER53
-------\XDva031

((((((((((((((((((((((((( Files Created from 2007-10-17 to 2007-11-17 )))))))))))))))))))))))))))))))
.
2007-11-16 07:27 <DIR> d--h----- C:\Program Files\InstallJammer Registry
2007-11-15 16:16 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-15 15:48 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-15 15:30 16,324 --a------ C:\WINDOWS\system32\instdump.zip
2007-11-14 15:22 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-10 12:14 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-10 12:12 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-05 18:27 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-11-05 18:27 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-11-05 18:27 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-11-05 18:27 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-15 00:38 --------- d-----w C:\Documents and Settings\Nick\Application Data\mIRC
2007-11-15 00:35 --------- d-----w C:\Program Files\mIRC
2007-10-19 12:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-12 20:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-12 20:03 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-12 20:03 --------- d-----w C:\Program Files\Bonjour
2007-10-12 19:43 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-10-04 19:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\NexonUS
2007-08-02 13:43 282,624 ----a-w C:\Program Files\TTC.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 00:32]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 00:31]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 00:32]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 00:32]
"C-Media Mixer"="Mixer.exe" [2002-06-12 02:23 C:\WINDOWS\mixer.exe]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2004-11-19 08:15]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-10-22 12:42]
"NAV Agent"="C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe" [2001-08-16 16:52]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
R3 NPDriver;Norton Unerase Protection Driver;\??\C:\WINDOWS\system32\Drivers\NPDRIVER.SYS
S3 DADriv1;DADriv1;\??\C:\Nexon\MapleStory\Engine\DAK32.sys
S3 DragonZ1;DragonZ1;\??\C:\Documents and Settings\Nick\Desktop\dragonz\DragonZ.sys
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;\??\C:\Documents and Settings\Nick\Desktop\iLove HackPack\iLove HackPack\MoonLight_Engine_1083.3\IlvMoney1083.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-06 13:24:57 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
"2007-10-12 21:39:50 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
"2007-11-17 08:30:00 C:\WINDOWS\Tasks\RegSweep Scheduled Scan.job"
- C:\Program Files\RegSweep\RegSweep.exe
"2007-11-17 12:48:28 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-17 07:48:34
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-17 7:49:49 - machine was rebooted
.
--- E O F ---

peku006
18 Nov 2007, 03:09am
Hi jinlord

I need a new HijackThis log and AVG Anti-Spyware report too

jinlord
18 Nov 2007, 07:21pm
Sorry peku006, the AVG took quite long so I had to do it tomorrow, and now here it is:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 2:25:55 AM 18/11/2007
+ Scan result:

C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0374389.dll -> Adware.CommAd : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0374390.exe -> Adware.CommAd : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP41\A0376565.dll -> Adware.CommAd : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP41\A0376573.exe -> Adware.CommAd : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP41\A0376574.exe -> Adware.CommAd : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP42\A0382398.dll -> Adware.CommAd : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP42\A0382399.exe -> Adware.CommAd : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP42\A0383572.dll -> Adware.CommAd : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP42\A0383575.exe -> Adware.CommAd : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP42\A0383576.exe -> Adware.CommAd : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP30\A0195850.exe -> Backdoor.Agent.ark : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0327395.exe -> Downloader.Adload.ni : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0356719.exe -> Downloader.Adload.ni : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0374395.exe -> Downloader.Adload.ni : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP41\A0376583.exe -> Downloader.Adload.ni : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP26\A0175747.exe -> Downloader.Agent.bkw : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0374400.exe -> Downloader.Agent.cbx : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP41\A0376570.exe -> Downloader.Agent.cbx : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0328068.EXE -> Downloader.Agent.ebm : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0318328.exe -> Downloader.Agent.emo : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0325105.exe -> Downloader.Agent.emo : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0327208.exe -> Downloader.Agent.emo : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0347462.exe -> Downloader.Agent.emo : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0374402.exe -> Downloader.Agent.emo : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP41\A0376575.EXE -> Downloader.Agent.emo : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0342109.exe -> Downloader.Agent.erf : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0356718.exe -> Downloader.Agent.erf : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0374398.exe -> Downloader.Agent.erf : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP41\A0376568.exe -> Downloader.Agent.erf : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0347470.exe -> Downloader.Agent.fak : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0367460.exe -> Downloader.Agent.fak : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP40\A0375430.exe -> Downloader.BHO.bo : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0328067.EXE -> Downloader.Small.buy : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0374392.exe -> Downloader.Small.buy : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0374397.exe -> Downloader.Small.buy : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP41\A0376567.exe -> Downloader.Small.buy : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP41\A0376579.EXE -> Downloader.Small.buy : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP45\A0387418.exe -> Downloader.Small.buy : Cleaned.
C:\qoobox\Quarantine\C\WINDOWS\system32\cc1\dnslook11.exe.vir -> Downloader.Small.buy : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0325104.exe -> Downloader.VB.bkw : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384428.exe -> Downloader.VB.bkw : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP23\A0165588.exe -> Not-A-Virus.HackTool.Win32.Delf.bw : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0374396.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP41\A0376578.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP42\A0382401.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP42\A0383580.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned.
C:\Documents and Settings\Nick\Cookies\nick@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Nick\Cookies\nick@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Nick\Cookies\nick@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Nick\Cookies\nick@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0320113.exe -> Trojan.Agent.crf : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0347464.EXE -> Trojan.Agent.crf : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0356876.EXE -> Trojan.Agent.crf : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP41\A0381561.dll -> Trojan.Magania.aqw : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0320109.vbs -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0321151.vbs -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0329010.exe -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0374391.vbs -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0374406.vbs -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP41\A0376577.vbs -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP41\A0376581.VBS -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP42\A0382400.vbs -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP42\A0382406.vbs -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP42\A0383579.vbs -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP42\A0383582.VBS -> Trojan.Small : Cleaned.

::Report end

jinlord
18 Nov 2007, 07:22pm
And finally the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:30:33 AM, on 18/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin10USA.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
--
End of file - 4819 bytes

Thank you peku006 for helping me :D

peku006
18 Nov 2007, 07:49pm
Hi jinlord

Looks much better


Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Program Files\TTC.dll

Folder::
C:\qoobox

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot,

-----------------------------------------------------------------------------------------------------------------

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases
Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset it to 100%.

So in your next reply, please include the following:
Combofix.txt
Kaspersky Online report

jinlord
18 Nov 2007, 10:07pm
Hi peku006 :D

Heres the CF log:

ComboFix 07-11-08.1 - Nick 2007-11-18 5:04:50.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.314 [GMT -5:00]
Running from: C:\Documents and Settings\Nick\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Nick\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\Program Files\TTC.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\TTC.dll
C:\qoobox
C:\qoobox\BackEnv\appdata.folder.dat
C:\qoobox\BackEnv\cache.folder.dat
C:\qoobox\BackEnv\desktop.folder.dat
C:\qoobox\BackEnv\favorites.folder.dat
C:\qoobox\BackEnv\local appdata.folder.dat
C:\qoobox\BackEnv\local settings.folder.dat
C:\qoobox\BackEnv\my pictures.folder.dat
C:\qoobox\BackEnv\personal.folder.dat
C:\qoobox\BackEnv\profiles.folder.dat
C:\qoobox\BackEnv\programs.folder.dat
C:\qoobox\BackEnv\setpath.bat
C:\qoobox\BackEnv\setpath.dat
C:\qoobox\BackEnv\start menu.folder.dat
C:\qoobox\BackEnv\startup.folder.dat
C:\qoobox\BackEnv\templates.folder.dat
C:\qoobox\CFScript_used_2007-11-17@7.43.txt
C:\qoobox\CFScript_used_2007-11-18@5.04.txt
C:\qoobox\ComboFix-quarantined-files.txt
C:\qoobox\Hiv-backup\default
C:\qoobox\Hiv-backup\ERDNT.CON
C:\qoobox\Hiv-backup\ERDNT.EXE
C:\qoobox\Hiv-backup\ERDNT.INF
C:\qoobox\Hiv-backup\ERDNTDOS.LOC
C:\qoobox\Hiv-backup\ERDNTWIN.LOC
C:\qoobox\Hiv-backup\SAM
C:\qoobox\Hiv-backup\SECURITY
C:\qoobox\Hiv-backup\software
C:\qoobox\Hiv-backup\system
C:\qoobox\Hiv-backup\Users\00000001\NTUSER.DAT
C:\qoobox\Hiv-backup\Users\00000002\UsrClass.dat
C:\qoobox\Hiv-backup\Users\00000003\NTUSER.DAT
C:\qoobox\Hiv-backup\Users\00000004\UsrClass.dat
C:\qoobox\Hiv-backup\Users\00000005\NTUSER.DAT
C:\qoobox\Hiv-backup\Users\00000006\UsrClass.dat
C:\qoobox\snapshot@2007-11-17_ 7.49.03.34.dat
C:\qoobox\snapshot@2007-11-17_ 7.49.03.34_B.dat
.
((((((((((((((((((((((((( Files Created from 2007-10-18 to 2007-11-18 )))))))))))))))))))))))))))))))
.
2007-11-17 07:55 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\Grisoft
2007-11-17 07:55 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-17 07:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-16 07:27 <DIR> d--h----- C:\Program Files\InstallJammer Registry
2007-11-15 16:16 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-15 15:48 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-15 15:30 16,324 --a------ C:\WINDOWS\system32\instdump.zip
2007-11-14 15:22 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-10 12:14 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-10 12:12 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-05 18:27 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-11-05 18:27 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-11-05 18:27 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-11-05 18:27 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-17 16:31 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-17 14:39 --------- d-----w C:\Documents and Settings\Nick\Application Data\mIRC
2007-11-17 14:38 --------- d-----w C:\Program Files\mIRC
2007-10-19 12:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-12 20:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-12 19:43 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-10-04 19:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\NexonUS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 00:32]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 00:31]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 00:32]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 00:32]
"C-Media Mixer"="Mixer.exe" [2002-06-12 02:23 C:\WINDOWS\mixer.exe]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2004-11-19 08:15]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-10-22 12:42]
"NAV Agent"="C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe" [2001-08-16 16:52]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
R3 NPDriver;Norton Unerase Protection Driver;\??\C:\WINDOWS\system32\Drivers\NPDRIVER.SYS
S3 DADriv1;DADriv1;\??\C:\Nexon\MapleStory\Engine\DAK32.sys
S3 DragonZ1;DragonZ1;\??\C:\Documents and Settings\Nick\Desktop\dragonz\DragonZ.sys
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;\??\C:\Documents and Settings\Nick\Desktop\iLove HackPack\iLove HackPack\MoonLight_Engine_1083.3\IlvMoney1083.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-06 13:24:57 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
"2007-10-12 21:39:50 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
"2007-11-18 08:30:01 C:\WINDOWS\Tasks\RegSweep Scheduled Scan.job"
- C:\Program Files\RegSweep\RegSweep.exe
"2007-11-18 10:11:43 C:\WINDOWS\Tasks\Symantec NetDetect.job"
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-18 05:11:48
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-18 5:14:38 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-17 07:49
.
--- E O F ---
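
The HijackThis O4/O16/O23 lines and the ComboFix R3/S3 driver lines in the logs above are read by eye in this thread. As an added example (not part of the thread, and not HijackThis or ComboFix code), the script below does that first pass in code: it parses those line formats and flags images that run from user-writable locations, unqualified filenames that are resolved through the loader search path, and ActiveX controls downloaded from hosts other than Microsoft's. The heuristics and the trusted-host list are this example's own assumptions; the sample log is constructed from line formats that appear in the thread.

```python
"""Triage of HijackThis / ComboFix log lines for persistence entries.

Added example, not part of the forum thread or of either tool. The
heuristics (user-profile paths, unqualified filenames, third-party ActiveX
hosts) are this example's own assumptions. SAMPLE_LOG is constructed from
line formats shown in the thread.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# HijackThis line types examined: O4 (Run keys), O16 (ActiveX DPF), O23 (services)
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O16_RE = re.compile(r'^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<desc>.+?) - (?P<vendor>.+?) - (?P<path>.+)$')
# ComboFix driver/service lines: "<start> <name>;<display>;\??\<image path>"
CF_DRV_RE = re.compile(r'^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+)$')

USER_DIR_RE = re.compile(r'^[A-Za-z]:\\(?:Documents and Settings|Users)\\', re.I)
TEMP_DIR_RE = re.compile(r'\\(?:Temp|Temporary Internet Files)\\', re.I)
# Hosts from which an ActiveX download is not reported (assumption for this example)
TRUSTED_DPF_HOSTS = ('microsoft.com', 'windowsupdate.com')


@dataclass
class Finding:
    kind: str        # O4, O16, O23 or CF-driver
    name: str        # Run-key value name, CLSID, service description or driver name
    target: str      # image path or download URL
    severity: str    # high, medium, low, info
    reasons: list = field(default_factory=list)


def image_path(cmd: str) -> str:
    """Pull the executable path out of a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r'(.+?\.(?:exe|dll|sys|bat|cmd|vbs|scr))(?:\s|$)', cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def classify_path(path: str):
    """Return (severity, reasons) for an image loaded at boot or logon; (None, []) if unremarkable."""
    path = path.strip().removeprefix('\\??\\')
    reasons = []
    if '\\' not in path:
        reasons.append('unqualified filename, resolved through the loader search path')
    if USER_DIR_RE.search(path):
        reasons.append('image lives under a user profile (user-writable)')
    if TEMP_DIR_RE.search(path):
        reasons.append('image lives in a temp directory')
    if not reasons:
        return None, []
    if path.lower().endswith('.sys'):
        reasons.append('kernel-mode driver')
        return 'high', reasons
    return ('low' if '\\' not in path else 'medium'), reasons


def triage(log_text: str):
    """Parse HijackThis and ComboFix lines and return the entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            path = image_path(m['cmd'])
            sev, why = classify_path(path)
            if sev:
                findings.append(Finding('O4', m['name'], path, sev, why))
        elif m := O16_RE.match(line):
            host = (urlparse(m['url']).hostname or '').lower()
            if not any(host == h or host.endswith('.' + h) for h in TRUSTED_DPF_HOSTS):
                findings.append(Finding('O16', '{%s}' % m['clsid'], m['url'], 'info',
                                        ['ActiveX control fetched from third-party host ' + host]))
        elif m := O23_RE.match(line):
            sev, why = classify_path(m['path'])
            if sev:
                findings.append(Finding('O23', m['desc'], m['path'].strip(), sev, why))
        elif m := CF_DRV_RE.match(line):
            path = m['path'].strip().removeprefix('\\??\\')
            sev, why = classify_path(path)
            if sev:
                findings.append(Finding('CF-driver', m['name'], path, sev, why))
    return findings


# Constructed sample, using line formats from the thread's logs
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
R3 NPDriver;Norton Unerase Protection Driver;\??\C:\WINDOWS\system32\Drivers\NPDRIVER.SYS
S3 DADriv1;DADriv1;\??\C:\Nexon\MapleStory\Engine\DAK32.sys
S3 DragonZ1;DragonZ1;\??\C:\Documents and Settings\Nick\Desktop\dragonz\DragonZ.sys
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;\??\C:\Documents and Settings\Nick\Desktop\iLove HackPack\iLove HackPack\MoonLight_Engine_1083.3\IlvMoney1083.sys
"""

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.severity:6}] {f.kind:9} {f.name}: {f.target}')
        for r in f.reasons:
            print('          -', r)
```

Run against the sample, the two .sys drivers under the user's Desktop come out as high (a kernel driver loaded from a user-writable path), the bare `Mixer.exe` as low, the FilePlanet ActiveX control as info, and the entries under Program Files or WINDOWS are not reported at all. A triage pass like this only orders what a human then checks against vendor names and hashes; it is not a verdict.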

jinlord
19 Nov 2007, 12:29am
And finally my Kaspersky log: (this took long...)
KASPERSKY ONLINE SCANNER REPORT

Sunday, November 18, 2007 7:36:20 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/11/2007
Kaspersky Anti-Virus database records: 461377

Scan Settings
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target: My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects: 71525
Number of viruses found: 29
Number of infected objects: 112
Number of suspicious objects: 6
Duration of the scan process: 01:50:37

Infected Object Name | Virus Name | Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat | Object is locked | skipped
<tr height