Malware - file tmp[x].tmp.exe keeps getting created and antispyware can't solve it

Unknown · June 2007

Hi all,

My problem is that everytime I run IE, after a few minutes the pages start running slower and lagging on when I can click on the next link and random pop-ups start showing up. After about 10 minutes Avast starts warning me that I have a virus and want me to delete the file tmp[some #].tmp.exe i my application data dir. Avast won't let me delete it and Prevex 2.0 then comes up and says it has detected Malware (same file). I have run all the antispyware software including Adaware 2007, Spybot Search and Destory, and Prevex 2.0 and I keep getting the same problem coming back. Adaware usually only catches some cookies, nothing critical. Spybot usually catches about the same. Prevex will catch all the tmp[#].tmp.exe files, reboot, run a full scan and not cathc anything. Not until I open up IE again does this all start all over again.

Here is my logs from an online ActiveScan:

Incident Status Location
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\flanders\Cookies\flanders@casalemedia[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\flanders\Cookies\flanders@fastclick[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\flanders\Cookies\flanders@stats1.reliablestats[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\flanders\Cookies\flanders@winantivirus[2].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\flanders\My Documents\ComboFix.exe[nircmd.exe]
Hacktool:HackTool/EvID Not disinfected C:\Documents and Settings\flanders\My Documents\Downloads\evid4226patch223d-en\EvID4226Patch.exe
Virus:Trj/Downloader.OZB Disinfected C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp5.tmp.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp6F.tmp.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp8.tmp.exe.vir
Potentially unwanted tool:Application/NirCmd.A Not disinfected

Now here is my Kaspersky scan log:

KASPERSKY ONLINE SCANNER REPORT
Wednesday, June 27, 2007 12:59:48 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 27/06/2007
Kaspersky Anti-Virus database records: 354051

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
Scan Statistics:
Total number of scanned objects: 48165
Number of viruses found: 3
Number of infected objects: 21 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:47:14
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\flanders\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\flanders\Local Settings\Application Data\Adobe\Acrobat\8.0\Updater\updater.log Object is locked skipped
C:\Documents and Settings\flanders\Local Settings\Application Data\Adobe\Updater5\aumLib.log Object is locked skipped
C:\Documents and Settings\flanders\Local Settings\Application Data\ApplicationHistory\SyncInfoApp.exe.df6d11f9.ini.inuse Object is locked skipped
C:\Documents and Settings\flanders\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\flanders\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\flanders\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\flanders\Local Settings\Temp\~DF6086.tmp Object is locked skipped
C:\Documents and Settings\flanders\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\flanders\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\flanders\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\GE Security Supra\DaemonLog.txt Object is locked skipped
C:\Program Files\GE Security Supra\SyncLog.txt Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004049.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004064.exe Infected: Trojan-Dropper.Win32.Mudrop.du skipped
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004120.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004142.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004144.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004145.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004223.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004225.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004228.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004230.exe Infected: Trojan.Win32.Agent.anr skipped
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004232.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004234.exe Infected: Trojan.Win32.Agent.anr skipped
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004236.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004238.exe Infected: Trojan.Win32.Agent.anr skipped
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004240.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004242.exe Infected: Trojan.Win32.Agent.anr skipped
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004260.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004262.exe Infected: Trojan.Win32.Agent.anr skipped
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004264.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004289.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004308.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_55c.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_72c.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\change.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\change.log Object is locked skipped
Scan process completed.

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:40:11 PM, on 6/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\ge security supra\syncservice.exe
C:\Program Files\Prevx2\PXAgent.exe
C:\Program Files\GE Security Supra\ProxyDaemon.exe
C:\SSL\stunnel-4.10.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Prevx2\PXConsole.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\GE Security Supra\SyncInfoApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\flanders\Application Data\tmp2.tmp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} - C:\WINDOWS\system32\tmp2312.tmp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: (no name) - {5638ae57-a92b-488a-b1fd-c65c29e9ff16} - C:\WINDOWS\system32\jgssrv.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PDF4 Registry Controller] "C:\Program Files\ScanSoft\PDF Professional 4.0\\RegistryController.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ScanSoft PDF Professional 4-reminder] "C:\Program Files\ScanSoft\PDF Professional 4.0\Ereg\ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PDF Professional\4\Ereg\ereg.ini"
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DisplayKEY eSYNC Info.lnk = C:\Program Files\GE Security Supra\SyncInfoApp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with ScanSoft PDF Converter 4.0 - res://C:\Program Files\ScanSoft\PDF Professional 4.0\cnvres_eng.dll /100
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: jgssrv - C:\WINDOWS\SYSTEM32\jgssrv.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DkeySync - GE Security Supra - c:\program files\ge security supra\syncservice.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: DomainService - - C:\Documents and Settings\flanders\Application Data\tmp2.tmp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Prevx Agent (PREVXAgent) - Prevx - C:\Program Files\Prevx2\PXAgent.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
--
End of file - 8091 bytes

Any help you could give me on this would be much appreciated! A big thank you to all of the volunteers that keep these forums running and some of this spyware/malware at bay! This is an invaluable service in my eyes.

Linkola · June 2007

Hi,

Welcome to icrontic Malware Removal Forum.

I'm checking your log, so please be patient.

As we work together to resolve your problem please read the instructions carefully. You may wish to print them off or copy them into Notepad.
If you have question please don't hesitate to ask
The instructions I give are specific to your current problem and should not be used on other systems.
Post your replies to this thread.

Linkola · June 2007

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) ZoneAlarm
2) Agnitum
3) Sunbelt/Kerio
4) Comodo

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

==========

Please download VundoFix.exe to your desktop.

Double-click *VundoFix.exe* to run it.
Click the *Scan for Vundo* button.
Once it's done scanning, click the *Remove Vundo* button.
You will receive a prompt asking if you want to remove the files, click *YES*
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click *OK*.
Please post the contents of C:\*vundofix.txt* and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the *Scan for Vundo* button." when VundoFix appears at reboot.

==========

1. Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
This program is for XP and Windows 2000 only!

Double-click ATF Cleaner.exe to open it.

Under Main select the following:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Click Exit on the Main menu to close the program.

=========

Download and Run ComboFix

Download this file from either of the two below listed places :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
Then double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Finally post fresh HijackThis log too

technotronicmn · June 2007

Linkola wrote:

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) ZoneAlarm
2) Agnitum
3) Sunbelt/Kerio
4) Comodo

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

==========

Please download VundoFix.exe to your desktop.
Double-click *VundoFix.exe* to run it.

Click the *Scan for Vundo* button.

Once it's done scanning, click the *Remove Vundo* button.

You will receive a prompt asking if you want to remove the files, click *YES*

Once you click yes, your desktop will go blank as it starts removing Vundo.

When completed, it will prompt that it will reboot your computer, click *OK*.

Please post the contents of C:\*vundofix.txt* and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the *Scan for Vundo* button." when VundoFix appears at reboot.

==========

1. Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
This program is for XP and Windows 2000 only!

Double-click ATF Cleaner.exe to open it.

Under Main select the following:
Windows Temp

Current User Temp

All Users Temp

Temporary Internet Files

Prefetch

Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Click Exit on the Main menu to close the program.

=========

Download and Run ComboFix
Download this file from either of the two below listed places :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

Then double click combofix.exe & follow the prompts.

When finished, it shall produce a log for you. Post that log in your next reply

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Finally post fresh HijackThis log too

Hi Again,

Thanks for reviewing my log so quickly! I installed ZoneAlarm and disbaled the Windows firewall. I downloaded VundoFix.exe and had it scan for files. It scanned thru all the files and came back and said that no files were infected. I also downloaded ATF and had it remove all the files/entries you suggested. I then ran ComboFix, it rebooted, and here is the log it left:

"flanders" - 2007-06-28 15:40:53 - ComboFix 07-06-25.3 - Service Pack 2 NTFS

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\flanders\APPLIC~1\tmp1.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmp2.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmp3.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmp4.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmp6.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmp7.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmp9.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmpC.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmpD.tmp.exe

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

\LEGACY_DOMAINSERVICE

\DomainService

((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-28 )))))))))))))))))))))))))))))))

2007-06-28 15:36 59,457 --a

C:\WINDOWS\system32\tmp4.tmp.dll
2007-06-28 15:36 134,903 --a

C:\WINDOWS\wvttqo.dll
2007-06-28 15:05 <DIR> d

C:\VundoFix Backups
2007-06-28 14:58 75,932 --a

C:\WINDOWS\system32\drivers\klick.dat
2007-06-28 14:58 75,248 --a

C:\WINDOWS\zllsputility.exe
2007-06-28 14:58 74,396 --a

C:\WINDOWS\system32\drivers\klin.dat
2007-06-28 14:58 4,212 ---h

C:\WINDOWS\system32\zllictbl.dat
2007-06-28 14:58 172,064 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-06-28 14:58 11,264 --a

C:\WINDOWS\system32\SpOrder.dll
2007-06-28 14:58 <DIR> d

C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-06-28 14:57 110,360 --a

C:\WINDOWS\system32\drivers\kl1.sys
2007-06-28 14:57 1,086,952 --a

C:\WINDOWS\system32\zpeng24.dll
2007-06-28 14:57 <DIR> d

C:\WINDOWS\system32\ZoneLabs
2007-06-28 14:56 <DIR> d

C:\WINDOWS\Internet Logs
2007-06-27 22:20 <DIR> d

C:\Program Files\HJT
2007-06-27 20:22 59,427 --a

C:\WINDOWS\system32\tmp2312.tmp.dll
2007-06-27 20:18 134,917 --a

C:\WINDOWS\cbxvwx.dll
2007-06-27 20:14 59,427 --a

C:\WINDOWS\system32\tmp230E.tmp.dll
2007-06-27 19:51 59,427 --a

C:\WINDOWS\system32\tmp22FD.tmp.dll
2007-06-27 19:10 59,427 --a

C:\WINDOWS\system32\tmp22CE.tmp.dll
2007-06-27 18:28 59,427 --a

C:\WINDOWS\system32\tmp229E.tmp.dll
2007-06-27 17:57 59,427 --a

C:\WINDOWS\system32\tmp2279.tmp.dll
2007-06-27 17:16 59,427 --a

C:\WINDOWS\system32\tmp2249.tmp.dll
2007-06-27 16:45 59,427 --a

C:\WINDOWS\system32\tmp2224.tmp.dll
2007-06-27 15:49 59,427 --a

C:\WINDOWS\system32\tmp21E6.tmp.dll
2007-06-27 15:33 59,427 --a

C:\WINDOWS\system32\tmp21D1.tmp.dll
2007-06-27 15:14 59,427 --a

C:\WINDOWS\system32\tmp21C7.tmp.dll
2007-06-27 14:54 59,427 --a

C:\WINDOWS\system32\tmp21C3.tmp.dll
2007-06-27 03:00 <DIR> d

C:\Program Files\MSXML 4.0
2007-06-26 23:59 <DIR> d

C:\WINDOWS\system32\Kaspersky Lab
2007-06-26 23:00 <DIR> d

C:\WINDOWS\system32\ActiveScan
2007-06-26 01:29 49,152 --a

C:\WINDOWS\nircmd.exe
2007-06-26 01:07 <DIR> d

C:\WINDOWS\CSC
2007-06-25 20:56 <DIR> d

C:\DOCUME~1\flanders\APPLIC~1\Prevx
2007-06-25 20:55 77,312 --a

C:\WINDOWS\ua2.dll
2007-06-25 20:55 <DIR> d

C:\Program Files\Prevx2
2007-06-25 20:55 <DIR> d

C:\DOCUME~1\ALLUSE~1\APPLIC~1\Prevx
2007-06-25 20:11 <DIR> d

C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-25 19:23 <DIR> d

C:\DOCUME~1\flanders\APPLIC~1\Zeon
2007-06-25 19:22 <DIR> d--h

C:\WINDOWS\system32\GroupPolicy
2007-06-25 19:22 <DIR> d

C:\DOCUME~1\ALLUSE~1\APPLIC~1\InstallShield
2007-06-25 19:21 <DIR> d

C:\Program Files\ScanSoft
2007-06-25 19:21 <DIR> d

C:\Program Files\Common Files\ScanSoft Shared
2007-06-25 19:21 <DIR> d

C:\DOCUME~1\ALLUSE~1\APPLIC~1\zeon
2007-06-25 19:21 <DIR> d

C:\DOCUME~1\ALLUSE~1\APPLIC~1\ScanSoft
2007-06-25 17:38 1,060,864 --a

C:\WINDOWS\system32\MFC71.dll
2007-06-25 17:05 <DIR> d

C:\Program Files\Lavasoft
2007-06-25 17:05 <DIR> d

C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-25 17:04 <DIR> d

C:\Program Files\Common Files\Wise Installation Wizard
2007-06-25 16:57 92,554 --a

C:\WINDOWS\system32\jgssrv.dll
2007-06-25 16:57 139,422 --a

C:\WINDOWS\system32\dn129a3e20.dat
2007-06-25 16:24 <DIR> d

C:\Program Files\O Imaging Corporation
2007-06-06 00:28 <DIR> d

C:\WINDOWS\SxsCaPendDel
2007-06-04 15:18 9,344 --a

C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8,320 --a

C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6,272 --a

C:\WINDOWS\system32\drivers\AWRTPD.sys

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-28 20:45:38

d

w C:\Program Files\GE Security Supra
2007-06-27 15:15:43

d

w C:\Program Files\DL_cats
2007-06-27 04:20:17

d

w C:\Program Files\QuickTime
2007-06-27 04:17:11

d

w C:\Program Files\iTunes
2007-06-27 04:16:54

d

w C:\Program Files\Google
2007-06-27 04:16:44

d

w C:\Program Files\Dell Photo AIO Printer 962
2007-06-26 00:21:52

d

w C:\Program Files\Common Files\InstallShield
2007-06-06 02:22:59

d

w C:\DOCUME~1\flanders\APPLIC~1\ICAClient
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-11 16:23:07

d

w C:\DOCUME~1\flanders\APPLIC~1\Apple Computer
2007-05-07 19:37:45

d

w C:\DOCUME~1\flanders\APPLIC~1\Help
2007-05-02 02:04:10

d

w C:\Program Files\Virtual Earth 3D
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:41:55 85,952 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-30 15:39:41 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-30 15:38:51 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-30 15:37:23 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-13 20:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-04-13 17:43:44 159,744 ----a-w C:\WINDOWS\system32\libssl32.dll
2007-04-13 13:46:40 0 --sha-r C:\MSDOS.SYS
2007-04-13 13:46:40 0 --sha-r C:\IO.SYS
2007-04-13 13:46:40 0 ----a-w C:\CONFIG.SYS
2007-04-13 13:46:40 0 ----a-w C:\AUTOEXEC.BAT
2007-04-13 13:43:33 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{1F6581D5-AA53-4b73-A6F9-41420C6B61F1}=C:\WINDOWS\system32\tmp4.tmp.dll [2007-06-28 15:36]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{55EA1964-F5E4-4D6A-B9B2-125B37655FCB}=C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll [2006-01-10 12:09]
{5638ae57-a92b-488a-b1fd-c65c29e9ff16}=C:\WINDOWS\system32\jgssrv.dll [2007-06-25 16:57]
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}=C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 00:48]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-19 23:55]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}=C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [2007-06-02 22:28]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-25 22:35]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 10:42]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"dlbxmon.exe"="C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe" [2005-01-18 09:57]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 00:14]
"PDF4 Registry Controller"="C:\Program Files\ScanSoft\PDF Professional 4.0\\RegistryController.exe" [2006-08-22 19:09]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 12:41]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 06:07]
"ScanSoft PDF Professional 4-reminder"="C:\Program Files\ScanSoft\PDF Professional 4.0\Ereg\ereg.exe" [2006-04-20 13:45]
"PrevxOne"="C:\Program Files\Prevx2\PXConsole.exe" [2007-06-18 17:17]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-02 22:28]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 20:07]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [2006-10-27 00:48]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jgssrv]
jgssrv.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

Contents of the 'Scheduled Tasks' folder
2007-06-23 11:28:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-28 15:45:04
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-28 15:48:05 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-28 15:48
C:\ComboFix2.txt ... 2007-06-27 20:30
C:\ComboFix3.txt ... 2007-06-26 08:42
--- E O F ---

Here is an updated HijackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:27:05 PM, on 6/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Prevx2\PXConsole.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
c:\program files\ge security supra\syncservice.exe
C:\Program Files\GE Security Supra\SyncInfoApp.exe
C:\Program Files\Prevx2\PXAgent.exe
C:\Program Files\GE Security Supra\ProxyDaemon.exe
C:\SSL\stunnel-4.10.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT\HiJackThis_v2.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} - C:\WINDOWS\system32\tmp4.tmp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: (no name) - {5638ae57-a92b-488a-b1fd-c65c29e9ff16} - C:\WINDOWS\system32\jgssrv.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PDF4 Registry Controller] "C:\Program Files\ScanSoft\PDF Professional 4.0\\RegistryController.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ScanSoft PDF Professional 4-reminder] "C:\Program Files\ScanSoft\PDF Professional 4.0\Ereg\ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PDF Professional\4\Ereg\ereg.ini"
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DisplayKEY eSYNC Info.lnk = C:\Program Files\GE Security Supra\SyncInfoApp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with ScanSoft PDF Converter 4.0 - res://C:\Program Files\ScanSoft\PDF Professional 4.0\cnvres_eng.dll /100
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: jgssrv - C:\WINDOWS\SYSTEM32\jgssrv.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DkeySync - GE Security Supra - c:\program files\ge security supra\syncservice.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Prevx Agent (PREVXAgent) - Prevx - C:\Program Files\Prevx2\PXAgent.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 8244 bytes

Any help you could give me would be much appreciated. Thanks again for all the help you provide!

Linkola · June 2007

Right click the list box (white box) in the main VundoFix window.
Select “Add More Files?” from the menu that comes up. This will open a new VundoFix window.
In the Window: copy and paste next in the first field: C:\WINDOWS\system32\tmp4.tmp.dll
Copy and paste next in the second field: C:\WINDOWS\system32\jgssrv.dll
Click the “Add Files” button.
Click the "Close Window" button.
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

technotronicmn · June 2007

Linkola wrote:

Right click the list box (white box) in the main VundoFix window.

Select “Add More Files?” from the menu that comes up. This will open a new VundoFix window.

In the Window: copy and paste next in the first field: C:\WINDOWS\system32\tmp4.tmp.dll

Copy and paste next in the second field: C:\WINDOWS\system32\jgssrv.dll

Click the “Add Files” button.

Click the "Close Window" button.

Click the Remove Vundo button.

You will receive a prompt asking if you want to remove the files, click YES

Once you click yes, your desktop will go blank as it starts removing Vundo.

When completed, it will prompt that it will shutdown your computer, click OK.

Turn your computer back on.

Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Hi again,

I followed the instructions above, but Vundofix still came back with out finding any infected files. Avast is still coming back occasionally saying it's found an infected file, tmp[#].tmp.exe,and ZoneAlarm caught one file tmp3.tmp.exe trying to access the internet. Here is the Vundofix log:

VundoFix V6.5.1
Checking Java version...
Sun Java not detected
Scan started at 9:14:49 PM 6/29/2007
Listing files found while scanning....
No infected files were found.

Here is an updated HJT log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:23:19 PM, on 6/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\ge security supra\syncservice.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\GE Security Supra\ProxyDaemon.exe
C:\SSL\stunnel-4.10.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\GE Security Supra\SyncInfoApp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\flanders\Application Data\tmp2.tmp.exe
C:\Program Files\HJT\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} - C:\WINDOWS\system32\tmp4.tmp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5638ae57-a92b-488a-b1fd-c65c29e9ff16} - C:\WINDOWS\system32\jgssrv.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PDF4 Registry Controller] "C:\Program Files\ScanSoft\PDF Professional 4.0\\RegistryController.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ScanSoft PDF Professional 4-reminder] "C:\Program Files\ScanSoft\PDF Professional 4.0\Ereg\ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PDF Professional\4\Ereg\ereg.ini"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DLBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [winehq.org] rundll32.exe "C:\WINDOWS\iiijkh.dll",realset
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DisplayKEY eSYNC Info.lnk = C:\Program Files\GE Security Supra\SyncInfoApp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with ScanSoft PDF Converter 4.0 - res://C:\Program Files\ScanSoft\PDF Professional 4.0\cnvres_eng.dll /100
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: jgssrv - C:\WINDOWS\SYSTEM32\jgssrv.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DkeySync - GE Security Supra - c:\program files\ge security supra\syncservice.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: DomainService - - C:\Documents and Settings\flanders\Application Data\tmp2.tmp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 8154 bytes

Once again, thanks for all your help!

Linkola · June 2007

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Documents and Settings\flanders\Application Data\tmp2.tmp.exe
C:\WINDOWS\system32\tmp4.tmp.dll
C:\WINDOWS\system32\jgssrv.dll
C:\WINDOWS\wvttqo.dll
C:\WINDOWS\system32\tmp2312.tmp.dll
C:\WINDOWS\system32\tmp230E.tmp.dll
C:\WINDOWS\system32\tmp22FD.tmp.dll
C:\WINDOWS\system32\tmp22CE.tmp.dll
C:\WINDOWS\system32\tmp229E.tmp.dll
C:\WINDOWS\system32\tmp2279.tmp.dll
C:\WINDOWS\system32\tmp2249.tmp.dll
C:\WINDOWS\system32\tmp2224.tmp.dll
C:\WINDOWS\system32\tmp21E6.tmp.dll
C:\WINDOWS\system32\tmp21D1.tmp.dll
C:\WINDOWS\system32\tmp21C7.tmp.dll
C:\WINDOWS\system32\tmp21C3.tmp.dll
C:\WINDOWS\cbxvwx.dll

Driver::
DomainService

Save this as ComboFix-Do.txt

Refering to the picture above, drag ComboFix-Do.txt into ComboFix.exe
Then post the resultant log

And fresh HijackThis log too :bigggrin:

technotronicmn · July 2007

Linkola wrote:

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Documents and Settings\flanders\Application Data\tmp2.tmp.exe
C:\WINDOWS\system32\tmp4.tmp.dll
C:\WINDOWS\system32\jgssrv.dll
C:\WINDOWS\wvttqo.dll
C:\WINDOWS\system32\tmp2312.tmp.dll
C:\WINDOWS\system32\tmp230E.tmp.dll
C:\WINDOWS\system32\tmp22FD.tmp.dll
C:\WINDOWS\system32\tmp22CE.tmp.dll
C:\WINDOWS\system32\tmp229E.tmp.dll
C:\WINDOWS\system32\tmp2279.tmp.dll
C:\WINDOWS\system32\tmp2249.tmp.dll
C:\WINDOWS\system32\tmp2224.tmp.dll
C:\WINDOWS\system32\tmp21E6.tmp.dll
C:\WINDOWS\system32\tmp21D1.tmp.dll
C:\WINDOWS\system32\tmp21C7.tmp.dll
C:\WINDOWS\system32\tmp21C3.tmp.dll
C:\WINDOWS\cbxvwx.dll
 
Driver::
DomainService

Save this as ComboFix-Do.txt

Refering to the picture above, drag ComboFix-Do.txt into ComboFix.exe
Then post the resultant log

And fresh HijackThis log too :bigggrin:

Hi again,

Here is the Comfix log:

"flanders" - 2007-07-01 23:11:29 - ComboFix 07-06-25.3 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\flanders\My Documents\ComboFix-Do.txt

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\flanders\APPLIC~1\tmp1.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmp10.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmp100.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmp11.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmp2.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmp25.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmp26.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmp27.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmp3D.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmp3E.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmp3F.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmp4.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmp6.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmp6A.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmp6D.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmp7.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmp71.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmp72.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmp73.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmp74.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmp8.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmp9.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmp95.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmp96.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmp97.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmp98.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmpA.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmpB.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmpBA.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmpC.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmpD.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmpD0.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmpD2.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmpD4.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmpF.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmpFD.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmpFE.tmp.exe
C:\DOCUME~1\flanders\APPLIC~1\tmpFF.tmp.exe
C:\WINDOWS\cbxvwx.dll
C:\WINDOWS\system32\jgssrv.dll
C:\WINDOWS\system32\tmp21C3.tmp.dll
C:\WINDOWS\system32\tmp21C7.tmp.dll
C:\WINDOWS\system32\tmp21D1.tmp.dll
C:\WINDOWS\system32\tmp21E6.tmp.dll
C:\WINDOWS\system32\tmp2224.tmp.dll
C:\WINDOWS\system32\tmp2249.tmp.dll
C:\WINDOWS\system32\tmp2279.tmp.dll
C:\WINDOWS\system32\tmp229E.tmp.dll
C:\WINDOWS\system32\tmp22CE.tmp.dll
C:\WINDOWS\system32\tmp22FD.tmp.dll
C:\WINDOWS\system32\tmp230E.tmp.dll
C:\WINDOWS\system32\tmp2312.tmp.dll
C:\WINDOWS\system32\tmp4.tmp.dll
C:\WINDOWS\wvttqo.dll

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

\LEGACY_DOMAINSERVICE

\DomainService

((((((((((((((((((((((((( Files Created from 2007-06-02 to 2007-07-02 )))))))))))))))))))))))))))))))

2007-06-30 13:45 59,362 --a

C:\WINDOWS\system32\tmpFF.tmp.dll
2007-06-30 13:45 135,001 --a

C:\WINDOWS\ljkjgd.dll
2007-06-30 12:46 59,362 --a

C:\WINDOWS\system32\tmpD2.tmp.dll
2007-06-30 11:35 59,362 --a

C:\WINDOWS\system32\tmp97.tmp.dll
2007-06-30 10:54 59,362 --a

C:\WINDOWS\system32\tmp73.tmp.dll
2007-06-30 09:52 59,362 --a

C:\WINDOWS\system32\tmp3F.tmp.dll
2007-06-30 09:25 59,362 --a

C:\WINDOWS\system32\tmpD.tmp.dll
2007-06-30 09:10 59,362 --a

C:\WINDOWS\system32\tmp2.tmp.dll
2007-06-30 09:10 122,880 --a

C:\tmp2.tmp.exe
2007-06-29 22:33 59,368 --a

C:\WINDOWS\system32\tmp72.tmp.dll
2007-06-29 20:52 59,368 --a

C:\WINDOWS\system32\tmpB.tmp.dll
2007-06-29 12:37 <DIR> d

C:\DOCUME~1\flanders\APPLIC~1\ScanSoft
2007-06-28 15:05 <DIR> d

C:\VundoFix Backups
2007-06-28 14:58 75,932 --a

C:\WINDOWS\system32\drivers\klick.dat
2007-06-28 14:58 75,248 --a

C:\WINDOWS\zllsputility.exe
2007-06-28 14:58 74,396 --a

C:\WINDOWS\system32\drivers\klin.dat
2007-06-28 14:58 645,152 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-06-28 14:58 4,212 ---h

C:\WINDOWS\system32\zllictbl.dat
2007-06-28 14:58 11,264 --a

C:\WINDOWS\system32\SpOrder.dll
2007-06-28 14:58 <DIR> d

C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-06-28 14:57 110,360 --a

C:\WINDOWS\system32\drivers\kl1.sys
2007-06-28 14:57 1,086,952 --a

C:\WINDOWS\system32\zpeng24.dll
2007-06-28 14:57 <DIR> d

C:\WINDOWS\system32\ZoneLabs
2007-06-28 14:56 <DIR> d

C:\WINDOWS\Internet Logs
2007-06-27 22:20 <DIR> d

C:\Program Files\HJT
2007-06-27 03:00 <DIR> d

C:\Program Files\MSXML 4.0
2007-06-26 23:59 <DIR> d

C:\WINDOWS\system32\Kaspersky Lab
2007-06-26 23:00 <DIR> d

C:\WINDOWS\system32\ActiveScan
2007-06-26 01:29 49,152 --a

C:\WINDOWS\nircmd.exe
2007-06-26 01:07 <DIR> d

C:\WINDOWS\CSC
2007-06-25 20:55 77,312 --a

C:\WINDOWS\ua2.dll
2007-06-25 20:11 <DIR> d

C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-25 19:23 <DIR> d

C:\DOCUME~1\flanders\APPLIC~1\Zeon
2007-06-25 19:22 <DIR> d--h

C:\WINDOWS\system32\GroupPolicy
2007-06-25 19:22 <DIR> d

C:\DOCUME~1\ALLUSE~1\APPLIC~1\InstallShield
2007-06-25 19:21 <DIR> d

C:\Program Files\ScanSoft
2007-06-25 19:21 <DIR> d

C:\Program Files\Common Files\ScanSoft Shared
2007-06-25 19:21 <DIR> d

C:\DOCUME~1\ALLUSE~1\APPLIC~1\zeon
2007-06-25 19:21 <DIR> d

C:\DOCUME~1\ALLUSE~1\APPLIC~1\ScanSoft
2007-06-25 17:38 1,060,864 --a

C:\WINDOWS\system32\MFC71.dll
2007-06-25 17:05 <DIR> d

C:\Program Files\Lavasoft
2007-06-25 17:05 <DIR> d

C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-25 17:04 <DIR> d

C:\Program Files\Common Files\Wise Installation Wizard
2007-06-25 16:57 139,567 --a

C:\WINDOWS\system32\dn129a3e20.dat
2007-06-25 16:24 <DIR> d

C:\Program Files\O Imaging Corporation
2007-06-06 00:28 <DIR> d

C:\WINDOWS\SxsCaPendDel
2007-06-04 15:18 9,344 --a

C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8,320 --a

C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6,272 --a

C:\WINDOWS\system32\drivers\AWRTPD.sys

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-02 04:16:06

d

w C:\Program Files\GE Security Supra
2007-06-30 14:35:52

d

w C:\Program Files\DL_cats
2007-06-27 04:20:17

d

w C:\Program Files\QuickTime
2007-06-27 04:17:11

d

w C:\Program Files\iTunes
2007-06-27 04:16:54

d

w C:\Program Files\Google
2007-06-27 04:16:44

d

w C:\Program Files\Dell Photo AIO Printer 962
2007-06-26 00:21:52

d

w C:\Program Files\Common Files\InstallShield
2007-06-06 02:22:59

d

w C:\DOCUME~1\flanders\APPLIC~1\ICAClient
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-11 16:23:07

d

w C:\DOCUME~1\flanders\APPLIC~1\Apple Computer
2007-05-07 19:37:45

d

w C:\DOCUME~1\flanders\APPLIC~1\Help
2007-05-02 02:04:10

d

w C:\Program Files\Virtual Earth 3D
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-13 20:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-04-13 17:43:44 159,744 ----a-w C:\WINDOWS\system32\libssl32.dll
2007-04-13 13:46:40 0 --sha-r C:\MSDOS.SYS
2007-04-13 13:46:40 0 --sha-r C:\IO.SYS
2007-04-13 13:46:40 0 ----a-w C:\CONFIG.SYS
2007-04-13 13:46:40 0 ----a-w C:\AUTOEXEC.BAT
2007-04-13 13:43:33 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{1F6581D5-AA53-4b73-A6F9-41420C6B61F1}=C:\WINDOWS\system32\tmpFF.tmp.dll [2007-06-30 13:45]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{5638ae57-a92b-488a-b1fd-c65c29e9ff16}=C:\WINDOWS\system32\jgssrv.dll []
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}=C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 00:48]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-19 23:55]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}=C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [2007-06-02 22:28]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-25 22:35]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 10:42]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"dlbxmon.exe"="C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe" [2005-01-18 09:57]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 00:14]
"PDF4 Registry Controller"="C:\Program Files\ScanSoft\PDF Professional 4.0\\RegistryController.exe" [2006-08-22 19:09]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 12:41]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 06:07]
"ScanSoft PDF Professional 4-reminder"="C:\Program Files\ScanSoft\PDF Professional 4.0\Ereg\ereg.exe" [2006-04-20 13:45]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-02 22:28]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 20:07]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [2006-10-27 00:48]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jgssrv]
jgssrv.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

Contents of the 'Scheduled Tasks' folder
2007-06-30 14:00:40 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-01 23:15:54
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-07-01 23:17:25 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-01 23:17
C:\ComboFix2.txt ... 2007-06-28 15:48
C:\ComboFix3.txt ... 2007-06-27 20:30
--- E O F ---

And here is an updated HJT log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:20:24 PM, on 7/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\ge security supra\syncservice.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GE Security Supra\SyncInfoApp.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\GE Security Supra\ProxyDaemon.exe
C:\WINDOWS\system32\svchost.exe
C:\SSL\stunnel-4.10.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HJT\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} - C:\WINDOWS\system32\tmpFF.tmp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5638ae57-a92b-488a-b1fd-c65c29e9ff16} - C:\WINDOWS\system32\jgssrv.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PDF4 Registry Controller] "C:\Program Files\ScanSoft\PDF Professional 4.0\\RegistryController.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ScanSoft PDF Professional 4-reminder] "C:\Program Files\ScanSoft\PDF Professional 4.0\Ereg\ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PDF Professional\4\Ereg\ereg.ini"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DisplayKEY eSYNC Info.lnk = C:\Program Files\GE Security Supra\SyncInfoApp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with ScanSoft PDF Converter 4.0 - res://C:\Program Files\ScanSoft\PDF Professional 4.0\cnvres_eng.dll /100
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: jgssrv - jgssrv.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DkeySync - GE Security Supra - c:\program files\ge security supra\syncservice.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 7864 bytes

Thanks again!

Linkola · July 2007

Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)

O2 - BHO: (no name) - {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} - C:\WINDOWS\system32\tmpFF.tmp.dll
O2 - BHO: (no name) - {5638ae57-a92b-488a-b1fd-c65c29e9ff16} - C:\WINDOWS\system32\jgssrv.dll (file missing)
O20 - Winlogon Notify: jgssrv - jgssrv.dll (file missing)

Close ALL open windows
Click Fix Checked
Close HijackThis

======

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\tmpFF.tmp.dll
C:\WINDOWS\ljkjgd.dll
C:\WINDOWS\system32\tmpD2.tmp.dll
C:\WINDOWS\system32\tmp97.tmp.dll
C:\WINDOWS\system32\tmp73.tmp.dll
C:\WINDOWS\system32\tmp3F.tmp.dll
C:\WINDOWS\system32\tmpD.tmp.dll
C:\WINDOWS\system32\tmp2.tmp.dll
C:\tmp2.tmp.exe
C:\WINDOWS\system32\tmp72.tmp.dll
C:\WINDOWS\system32\tmpB.tmp.dll
C:\WINDOWS\system32\jgssrv.dll 
C:\WINDOWS\system32\dn129a3e20.dat

Folder::
C:\VundoFix Backups

Save this as ComboFix-Do.txt

Refering to the picture above, drag ComboFix-Do.txt into ComboFix.exe
Then post the resultant log

========0

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/

Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
- Click on Change state next to Resident shield. It should now change to inactive.
- Click on Change state next to Automatic updates. It should now change to inactive.
- Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
- Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Reboot your computer in Safe Mode.

If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.

Once in Safe Mode:

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.

Click on Scanner on the toolbar.
Click on the Settings tab.
- Under How to act?
  - Click on Recommended Action and choose Quarantine from the popup menu.
- Under How to scan?
  - All checkboxes should be ticked.
- Under Possibly unwanted software:
  - All checkboxes should be ticked.
- Under Reports:
  - Select Automatically generate report after every scan and uncheck Only if threats were found.
- Under What to scan?
  - Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
- Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
- At the bottom of the window click on the Apply all Actions button. (3)
When done, click the Save Scan Report button. (4)
- Click the Save Report as button.
- Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Reboot back into Normal Mode, and post a new HJT log, along with the AVG Anti-Spyware log.

========

REMOVE TRENDMICRO HIJACKTHIS

Please delete any HijackThis Folders and Files you have now. Use Add/Remove Programs and remove HijackThis. What you have now is a Beta Version and isn't ready to use.

You can get a complete installer that installs HijackThis to C:\Program Files\HijackThis, making an entry in the start menu and also providing a desktop shortcut from
here

Click on the link and select Save, save it to your desktop and double click HJTsetup.exe.

Open HijackThis and select: Do a system scan and save a log file.

When the scan is finished, Click Edit> Select All> Edit> Copy> and paste its contents here please.

technotronicmn · July 2007

Hi again,

Sorry for the delay in my response - I was on holiday and not near a computer for awhile. Here is the AVG Scan log:

AVG Anti-Spyware - Scan Report

+ Created at: 11:22:10 AM 7/3/2007
+ Scan result:

C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004064.exe -> Dropper.Mudrop.du : Cleaned.
C:\Documents and Settings\flanders\My Documents\Downloads\evid4226patch223d-en\EvID4226Patch.exe -> Not-A-Virus.Hacktool.EvID : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@educationmanagementllc.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@heavycom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@livenation.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@paypal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@pch.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@upi.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@arn.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@getmusicfree.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@pan.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@www.abcsearch[1].txt -> TrackingCookie.Abcsearch : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@3.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@ads.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@clickbank[1].txt -> TrackingCookie.Clickbank : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@ads.cnn[1].txt -> TrackingCookie.Cnn : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@enhance[2].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@ehg-netquote.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@ehg-playboy.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@realmedia[1].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@web4.realtracker[1].txt -> TrackingCookie.Realtracker : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\flanders\Cookies\flanders@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp100.tmp.exe.vir -> Trojan.Agent.anr : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp11.tmp.exe.vir -> Trojan.Agent.anr : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp21D2.tmp.exe.vir -> Trojan.Agent.anr : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp21E7.tmp.exe.vir -> Trojan.Agent.anr : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp74.tmp.exe.vir -> Trojan.Agent.anr : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp98.tmp.exe.vir -> Trojan.Agent.anr : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmpD4.tmp.exe.vir -> Trojan.Agent.anr : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004230.exe -> Trojan.Agent.anr : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004234.exe -> Trojan.Agent.anr : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004238.exe -> Trojan.Agent.anr : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004242.exe -> Trojan.Agent.anr : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004262.exe -> Trojan.Agent.anr : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP97\A0004649.exe -> Trojan.Agent.anr : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP97\A0005643.exe -> Trojan.Agent.anr : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP99\A0007761.exe -> Trojan.Agent.anr : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP99\A0007762.exe -> Trojan.Agent.anr : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP99\A0007778.exe -> Trojan.Agent.anr : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP99\A0007784.exe -> Trojan.Agent.anr : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP99\A0007792.exe -> Trojan.Agent.anr : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp1.tmp.exe.vir -> Trojan.Agent.aoy : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp2.tmp.exe.vir -> Trojan.Agent.aoy : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp21C1.tmp.exe.vir -> Trojan.Agent.aoy : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp21C6.tmp.exe.vir -> Trojan.Agent.aoy : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp21CA.tmp.exe.vir -> Trojan.Agent.aoy : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp21D9.tmp.exe.vir -> Trojan.Agent.aoy : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp21F4.tmp.exe.vir -> Trojan.Agent.aoy : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp223D.tmp.exe.vir -> Trojan.Agent.aoy : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp2263.tmp.exe.vir -> Trojan.Agent.aoy : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp229C.tmp.exe.vir -> Trojan.Agent.aoy : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp22CD.tmp.exe.vir -> Trojan.Agent.aoy : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp22F2.tmp.exe.vir -> Trojan.Agent.aoy : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp230D.tmp.exe.vir -> Trojan.Agent.aoy : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp2311.tmp.exe.vir -> Trojan.Agent.aoy : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp25.tmp.exe.vir -> Trojan.Agent.aoy : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp3D.tmp.exe.vir -> Trojan.Agent.aoy : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp6.tmp.exe.vir -> Trojan.Agent.aoy : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp6A.tmp.exe.vir -> Trojan.Agent.aoy : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp6D.tmp.exe.vir -> Trojan.Agent.aoy : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp8.tmp.exe.vir -> Trojan.Agent.aoy : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp9.tmp.exe.vir -> Trojan.Agent.aoy : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp95.tmp.exe.vir -> Trojan.Agent.aoy : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmpBA.tmp.exe.vir -> Trojan.Agent.aoy : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmpFD.tmp.exe.vir -> Trojan.Agent.aoy : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004049.exe -> Trojan.Agent.aoy : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004120.exe -> Trojan.Agent.aoy : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004142.exe -> Trojan.Agent.aoy : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004144.exe -> Trojan.Agent.aoy : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004145.exe -> Trojan.Agent.aoy : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004223.exe -> Trojan.Agent.aoy : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004225.exe -> Trojan.Agent.aoy : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004228.exe -> Trojan.Agent.aoy : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004232.exe -> Trojan.Agent.aoy : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004236.exe -> Trojan.Agent.aoy : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004240.exe -> Trojan.Agent.aoy : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004260.exe -> Trojan.Agent.aoy : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004264.exe -> Trojan.Agent.aoy : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004289.exe -> Trojan.Agent.aoy : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP93\A0004308.exe -> Trojan.Agent.aoy : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP96\A0004543.exe -> Trojan.Agent.aoy : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP96\A0004548.exe -> Trojan.Agent.aoy : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP96\A0004549.exe -> Trojan.Agent.aoy : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP96\A0004552.exe -> Trojan.Agent.aoy : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP97\A0004650.exe -> Trojan.Agent.aoy : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP97\A0005752.exe -> Trojan.Agent.aoy : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP97\A0005754.exe -> Trojan.Agent.aoy : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP97\A0006745.exe -> Trojan.Agent.aoy : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP99\A0007759.exe -> Trojan.Agent.aoy : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP99\A0007763.exe -> Trojan.Agent.aoy : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP99\A0007764.exe -> Trojan.Agent.aoy : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP99\A0007767.exe -> Trojan.Agent.aoy : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP99\A0007771.exe -> Trojan.Agent.aoy : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP99\A0007772.exe -> Trojan.Agent.aoy : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP99\A0007773.exe -> Trojan.Agent.aoy : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP99\A0007779.exe -> Trojan.Agent.aoy : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP99\A0007780.exe -> Trojan.Agent.aoy : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP99\A0007781.exe -> Trojan.Agent.aoy : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP99\A0007787.exe -> Trojan.Agent.aoy : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP99\A0007794.exe -> Trojan.Agent.aoy : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP99\A0007880.exe -> Trojan.Agent.aoy : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp21C3.tmp.exe.vir -> Trojan.BHO.bd : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp21C7.tmp.exe.vir -> Trojan.BHO.bd : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp21D1.tmp.exe.vir -> Trojan.BHO.bd : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp21E6.tmp.exe.vir -> Trojan.BHO.bd : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp2224.tmp.exe.vir -> Trojan.BHO.bd : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp2249.tmp.exe.vir -> Trojan.BHO.bd : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp2279.tmp.exe.vir -> Trojan.BHO.bd : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp229E.tmp.exe.vir -> Trojan.BHO.bd : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp22CE.tmp.exe.vir -> Trojan.BHO.bd : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp22FD.tmp.exe.vir -> Trojan.BHO.bd : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp230E.tmp.exe.vir -> Trojan.BHO.bd : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp27.tmp.exe.vir -> Trojan.BHO.bd : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmpB.tmp.exe.vir -> Trojan.BHO.bd : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\tmp21C3.tmp.dll.vir -> Trojan.BHO.bd : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\tmp21C7.tmp.dll.vir -> Trojan.BHO.bd : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\tmp21D1.tmp.dll.vir -> Trojan.BHO.bd : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\tmp21E6.tmp.dll.vir -> Trojan.BHO.bd : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\tmp2224.tmp.dll.vir -> Trojan.BHO.bd : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\tmp2249.tmp.dll.vir -> Trojan.BHO.bd : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\tmp2279.tmp.dll.vir -> Trojan.BHO.bd : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\tmp229E.tmp.dll.vir -> Trojan.BHO.bd : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\tmp22CE.tmp.dll.vir -> Trojan.BHO.bd : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\tmp22FD.tmp.dll.vir -> Trojan.BHO.bd : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\tmp230E.tmp.dll.vir -> Trojan.BHO.bd : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\tmp2312.tmp.dll.vir -> Trojan.BHO.bd : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\tmp4.tmp.dll.vir -> Trojan.BHO.bd : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\tmp72.tmp.dll.vir -> Trojan.BHO.bd : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\tmpB.tmp.dll.vir -> Trojan.BHO.bd : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP100\A0007992.dll -> Trojan.BHO.bd : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP100\A0007993.dll -> Trojan.BHO.bd : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP95\A0004384.exe -> Trojan.BHO.bd : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP96\A0004544.exe -> Trojan.BHO.bd : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP96\A0004550.exe -> Trojan.BHO.bd : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP97\A0005642.exe -> Trojan.BHO.bd : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP97\A0006741.exe -> Trojan.BHO.bd : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP98\A0006751.exe -> Trojan.BHO.bd : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP99\A0007766.exe -> Trojan.BHO.bd : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP99\A0007786.exe -> Trojan.BHO.bd : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP99\A0007797.dll -> Trojan.BHO.bd : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP99\A0007799.dll -> Trojan.BHO.bd : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP99\A0007800.dll -> Trojan.BHO.bd : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP99\A0007801.dll -> Trojan.BHO.bd : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP99\A0007802.dll -> Trojan.BHO.bd : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP99\A0007803.dll -> Trojan.BHO.bd : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP99\A0007804.dll -> Trojan.BHO.bd : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP99\A0007805.dll -> Trojan.BHO.bd : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP99\A0007806.dll -> Trojan.BHO.bd : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP99\A0007807.dll -> Trojan.BHO.bd : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP99\A0007808.dll -> Trojan.BHO.bd : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP99\A0007809.dll -> Trojan.BHO.bd : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP99\A0007810.dll -> Trojan.BHO.bd : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp26.tmp.exe.vir -> Trojan.Pakes : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp7.tmp.exe.vir -> Trojan.Pakes : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\flanders\APPLIC~1\tmp71.tmp.exe.vir -> Trojan.Pakes : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP97\A0005641.exe -> Trojan.Pakes : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP97\A0006740.exe -> Trojan.Pakes : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP99\A0007765.exe -> Trojan.Pakes : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP99\A0007774.exe -> Trojan.Pakes : Cleaned.
C:\System Volume Information\_restore{35FBD4A9-B0F5-4C5D-9DF8-B859D4321294}\RP99\A0007775.exe -> Trojan.Pakes : Cleaned.

::Report end

Here is the updated HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:13:13 AM, on 7/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\ge security supra\syncservice.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\GE Security Supra\ProxyDaemon.exe
C:\SSL\stunnel-4.10.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\GE Security Supra\SyncInfoApp.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\ScanSoft\PDF Professional 4.0\PdfPro4Hook.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PDF4 Registry Controller] "C:\Program Files\ScanSoft\PDF Professional 4.0\\RegistryController.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DLBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DisplayKEY eSYNC Info.lnk = C:\Program Files\GE Security Supra\SyncInfoApp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with ScanSoft PDF Converter 4.0 - res://C:\Program Files\ScanSoft\PDF Professional 4.0\cnvres_eng.dll /100
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DkeySync - GE Security Supra - c:\program files\ge security supra\syncservice.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I think all of this has fixed it. I'm not getting any random pop-ups and it seems to be running the same as it was before I was infected. Thanks again for all your help!

Linkola · July 2007

Log looks clean...great job!

==========

So that you will be clean do this:

Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and reenable system restore here:

Managing Windows Millenium System Restore

or

Windows XP System Restore Guide

Renable system restore with instructions from tutorial above

=============

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Make your Internet Explorer more secure - This can be done by following these simple instructions:
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click once on the Security tab
3. Click once on the Internet icon so it becomes highlighted.
4. Click once on the Custom Level button.
  1. Change the Download signed ActiveX controls to Prompt
  2. Change the Download unsigned ActiveX controls to Disable
  3. Change the Initialize and script ActiveX controls not marked as safe to Disable
  4. Change the Installation of desktop items to Prompt
  5. Change the Launching programs and files in an IFRAME to Prompt
  6. Change the Navigate sub-frames across different domains to Prompt
  7. When all these settings have been made, click on the OK button.
  8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
5. Next press the Apply button and then the OK to exit the Internet Properties page.
Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources
Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

A tutorial on installing & using this product can be found here:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.

Malware - file tmp[x].tmp.exe keeps getting created and antispyware can't solve it

Comments