Unknown infection, popups and various virus alerts. Please help.

I'm unsure what's happening; I was just surfing when popups and virus alerts started happening. Here is a fresh scan, please help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:54:20 PM, on 12/2/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Marvell\61xx\svc\mvraidsvc.exe
C:\PROGRAM FILES\MARVELL\61XX\APACHE2\BIN\APACHE.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRAM FILES\MARVELL\61XX\APACHE2\BIN\APACHE.EXE
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\PROGRA~1\INCRED~1\bin\ImApp.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\DOCUME~1\scott\LOCALS~1\Temp\winlogin.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\DOCUME~1\scott\LOCALS~1\Temp\snapsnet.tmp
c:\windows\system32\dwwnw64r.exe
C:\WINDOWS\system32\prunnet.exe
C:\Documents and Settings\scott\Application Data\NI.GSCNS\IUpd721.exe
C:\DOCUME~1\scott\LOCALS~1\Temp\stf159.tmp
C:\WINDOWS\system32\ocntksdl.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\c2NvdHQ\command.exe
C:\DOCUME~1\scott\LOCALS~1\Temp\arscnwxeom.tmp
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\scott\Local Settings\Temp\VIES61X.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\webHancer\Programs\whagent.exe
C:\DOCUME~1\scott\LOCALS~1\Temp\swxreomcan.tmp
C:\DOCUME~1\scott\LOCALS~1\Temp\csrssc.exe
c:\gaku.exe
C:\DOCUME~1\scott\LOCALS~1\Temp\wceosmrnxa.tmp
C:\Documents and Settings\scott\Local Settings\Temp\winsinstall.exe
C:\Documents and Settings\scott\Desktop\sypware and virus programs\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Mirar - {90E305DE-4FDC-4BCC-962C-512F486A5940} - C:\WINDOWS\system32\winqa77.dll
O3 - Toolbar: Mirar - {854073CC-E446-4E2A-8C15-33217CEA4919} - C:\WINDOWS\system32\winbh77.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\scott\LOCALS~1\Temp\winlogin.exe
O4 - HKLM\..\Run: [c0d74f37] rundll32.exe "C:\WINDOWS\system32\gyvgmqxd.dll",b
O4 - HKLM\..\Run: [{74-4F-F9-98-DW}] c:\windows\system32\dwwnw64r.exe DWmmm01FF
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKLM\..\Run: [IUpd721] C:\Documents and Settings\scott\Application Data\NI.GSCNS\IUpd721.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\ocntksdl.exe DWmmm01FF
O4 - HKLM\..\Run: [hhdxrgqwlz] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\vuyuptfuystuqlw.dll"
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [Bar] C:\DOCUME~1\scott\LOCALS~1\Temp\swxreomcan.tmp
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\scott\LOCALS~1\Temp\winlogin.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\scott\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\scott\Application Data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\ocntksdl.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\dwwnw64r.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: zptoeh.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\c2NvdHQ\command.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Marvell RAID Event Agent (Marvell RAID) - Unknown owner - C:\Program Files\Marvell\61xx\svc\mvraidsvc.exe
O23 - Service: MRU Web Service (MRUWebService) - Apache Software Foundation - C:\PROGRAM FILES\MARVELL\61XX\APACHE2\BIN\APACHE.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WinIP - Unknown owner - C:\Program Files\Algenta\WinIP 4\WinIPservice.exe (file missing)

--
End of file - 12708 bytes
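The HijackThis log above is plain text with a fixed per-section layout (`O2 - BHO: name - {CLSID} - path`, `O4 - HKLM\..\Run: [value] command`, `O20 - AppInit_DLLs: dll`, `O23 - Service: name - owner - path`, and so on), which makes it easy to triage mechanically. As an added example that is not part of the original post and not code from HijackThis or Trend Micro, the following Python script parses a handful of lines copied from the log and applies the first-pass checks a forum helper applies by eye: autorun entries launched from a Temp directory, DLLs started through rundll32/regsvr32, unnamed browser helper objects, a non-empty AppInit_DLLs value, the DisableRegedit policy, a hijacked Winsock LSP chain, and services with no publisher. The sample lines are constructed from the log in the post, and the "high"/"review" severity labels are the example's own convention.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity section name path reason")

# Constructed sample: eleven lines copied from the HijackThis log in the original post,
# mixing legitimate entries (Java, NVIDIA) with the ones the helper later asked to fix.
SAMPLE_LOG = r"""O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {57564A8D-B469-4433-88BC-040CCF806B50} - C:\WINDOWS\system32\byXOiJAs.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\scott\LOCALS~1\Temp\winlogin.exe
O4 - HKLM\..\Run: [c0d74f37] rundll32.exe "C:\WINDOWS\system32\gyvgmqxd.dll",b
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\scott\LOCALS~1\Temp\csrssc.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Hijacked Internet access by WebHancer
O20 - AppInit_DLLs: zptoeh.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\c2NvdHQ\command.exe
"""

# Every HijackThis line starts with a section tag (R0, O2, O4, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
DLL_RE = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.I)   # quoted or bare DLL path
TEMP_RE = re.compile(r"\\temp\\", re.I)                   # ...\Temp\... anywhere in the path
LOADERS = {"rundll32.exe", "regsvr32.exe"}                # DLL hosts used by O4 entries


def split_command(cmd):
    """Split an O4 command line into (executable, arguments), honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    head, _, rest = cmd.partition(" ")
    return head, rest.strip()


def triage_line(line):
    """Return a Finding for one log line, or None if the line passes every check."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")

    if section == "O2":
        b = BHO_RE.match(body)
        if b and b.group("name") == "(no name)":
            return Finding("high", section, b.group("clsid"), b.group("path"),
                           "browser helper object with no name")
    elif section == "O4":
        r = RUN_RE.match(body)
        if r:
            exe, args = split_command(r.group("cmd"))
            if TEMP_RE.search(exe):
                return Finding("high", section, r.group("name"), exe,
                               "autorun executable living in a Temp directory")
            if exe.lower().rsplit("\\", 1)[-1] in LOADERS:
                d = DLL_RE.search(args)
                dll = (d.group(1) or d.group(2)) if d else args
                return Finding("review", section, r.group("name"), dll,
                               "DLL started through rundll32/regsvr32; verify its publisher")
    elif section == "O7" and "DisableRegedit=1" in body:
        return Finding("high", section, "DisableRegedit", "",
                       "policy blocks the Registry Editor")
    elif section == "O10" and body.startswith("Hijacked"):
        return Finding("high", section, body, "", "Winsock LSP chain hijacked")
    elif section == "O20" and body.startswith("AppInit_DLLs:"):
        dll = body.split(":", 1)[1].strip()
        if dll:
            return Finding("high", section, "AppInit_DLLs", dll,
                           "DLL loaded into every process that maps user32.dll")
    elif section == "O23":
        s = SERVICE_RE.match(body)
        if s and s.group("owner") == "Unknown owner":
            return Finding("review", section, s.group("name"), s.group("path"),
                           "service with no publisher")
    return None


def triage(log_text):
    """Run triage_line over a whole log and collect the findings in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:4} {f.name}: {f.path} ({f.reason})")
```

Running the script on the sample prints eight findings: six "high" (the unnamed BHO, the two Temp-directory autoruns, the DisableRegedit policy, the WebHancer LSP entry and the AppInit_DLLs value) and two "review" (the rundll32-hosted DLL and the cmdService service with no owner); the Java and NVIDIA entries pass. The loader rule is deliberately low-severity because legitimate vendors such as NVIDIA also start DLLs through RUNDLL32.EXE, so those lines are for a human to confirm rather than to delete.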

Comments

  • edited December 2008
    Even more stuff now happening. A new logfile:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:29:40 PM, on 12/2/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
    C:\WINDOWS\c2NvdHQ\command.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\Marvell\61xx\svc\mvraidsvc.exe
    C:\PROGRAM FILES\MARVELL\61XX\APACHE2\BIN\APACHE.EXE
    C:\Program Files\Network Monitor\netmon.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\oodag.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\PROGRAM FILES\MARVELL\61XX\APACHE2\BIN\APACHE.EXE
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Logitech\QuickCam\Quickcam.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\DOCUME~1\scott\LOCALS~1\Temp\winlogin.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\prunnet.exe
    C:\WINDOWS\System32\regsvr32.exe
    C:\Program Files\webHancer\Programs\whagent.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    C:\DOCUME~1\scott\LOCALS~1\Temp\csrssc.exe
    C:\PROGRA~1\INCRED~1\bin\ImApp.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\PROGRA~1\MICROS~3\rapimgr.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\scott\Desktop\sypware and virus programs\scott.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: mysidesearch search enhancer - {40DC855E-B5C6-876E-F5BD-2B6748A10CEB} - C:\WINDOWS\system32\bqranyeyphxfv.dll
    O2 - BHO: (no name) - {57564A8D-B469-4433-88BC-040CCF806B50} - C:\WINDOWS\system32\byXOiJAs.dll
    O2 - BHO: banners4u browser enhancer - {6CFC8F2A-4926-0DC3-346E-6468735CD558} - C:\WINDOWS\system32\vuyuptfuystuqlw.dll
    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\geBqRhFw.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Mirar - {854073CD-E446-4E2A-8C15-33217CEA4919} - C:\WINDOWS\system32\winbh77.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: {b37cb1df-e25e-a599-d3e4-193f2abb359a} - {a953bba2-f391-4e3d-995a-e52efd1bc73b} - C:\WINDOWS\system32\zptoeh.dll
    O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Mirar - {90E305DE-4FDC-4BCC-962C-512F486A5940} - C:\WINDOWS\system32\winqa77.dll
    O3 - Toolbar: Mirar - {854073CC-E446-4E2A-8C15-33217CEA4919} - C:\WINDOWS\system32\winbh77.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\scott\LOCALS~1\Temp\winlogin.exe
    O4 - HKLM\..\Run: [c0d74f37] rundll32.exe "C:\WINDOWS\system32\gyvgmqxd.dll",b
    O4 - HKLM\..\Run: [{74-4F-F9-98-DW}] c:\windows\system32\dwwnw64r.exe DWmmm01FF
    O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
    O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\ocntksdl.exe DWmmm01FF
    O4 - HKLM\..\Run: [hhdxrgqwlz] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\vuyuptfuystuqlw.dll"
    O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
    O4 - HKCU\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\scott\LOCALS~1\Temp\winlogin.exe
    O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\scott\LOCALS~1\Temp\csrssc.exe
    O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\ocntksdl.exe
    O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\dwwnw64r.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Hijacked Internet access by WebHancer
    O10 - Hijacked Internet access by WebHancer
    O10 - Hijacked Internet access by WebHancer
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: zptoeh.dll
    O20 - Winlogon Notify: geBqRhFw - C:\WINDOWS\SYSTEM32\geBqRhFw.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\c2NvdHQ\command.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: Marvell RAID Event Agent (Marvell RAID) - Unknown owner - C:\Program Files\Marvell\61xx\svc\mvraidsvc.exe
    O23 - Service: MRU Web Service (MRUWebService) - Apache Software Foundation - C:\PROGRAM FILES\MARVELL\61XX\APACHE2\BIN\APACHE.EXE
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    O23 - Service: WinIP - Unknown owner - C:\Program Files\Algenta\WinIP 4\WinIPservice.exe (file missing)

    --
    End of file - 12833 bytes
  • edited December 2008
    Hello and welcome to the forums

    My name is DeFe and I will be helping you to remove any infection(s) that you may have.

    Please observe these rules while we work:

    1. Please Read All Instructions Carefully
    2. If you don't understand something, stop and ask! Don't keep going on.
    3. Please do not run any other tools or scans whilst I am helping you
    4. Please continue to respond until I give you the "All Clear"
    (Just because you can't see a problem doesn't mean it isn't there)

    If you can do those few things, everything should go smoothly
  • edited December 2008
    Hi

    Go to Install and remove software and uninstall these programs.

    webHancer Agent
    WebHancer


    Start HijackThis, press Do system scan only and mark these lines.

    O2 - BHO: mysidesearch search enhancer - {40DC855E-B5C6-876E-F5BD-2B6748A10CEB} - C:\WINDOWS\system32\bqranyeyphxfv.dll
    O2 - BHO: (no name) - {57564A8D-B469-4433-88BC-040CCF806B50} - C:\WINDOWS\system32\byXOiJAs.dll
    O2 - BHO: banners4u browser enhancer - {6CFC8F2A-4926-0DC3-346E-6468735CD558} - C:\WINDOWS\system32\vuyuptfuystuqlw.dll
    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\geBqRhFw.dll
    O2 - BHO: Mirar - {854073CD-E446-4E2A-8C15-33217CEA4919} - C:\WINDOWS\system32\winbh77.dll
    O2 - BHO: {b37cb1df-e25e-a599-d3e4-193f2abb359a} - {a953bba2-f391-4e3d-995a-e52efd1bc73b} - C:\WINDOWS\system32\zptoeh.dll
    O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
    O3 - Toolbar: Mirar - {90E305DE-4FDC-4BCC-962C-512F486A5940} - C:\WINDOWS\system32\winqa77.dll
    O3 - Toolbar: Mirar - {854073CC-E446-4E2A-8C15-33217CEA4919} - C:\WINDOWS\system32\winbh77.dll
    O4 - HKLM\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\scott\LOCALS~1\Temp\winlogin.exe
    O4 - HKLM\..\Run: [c0d74f37] rundll32.exe "C:\WINDOWS\system32\gyvgmqxd.dll",b
    O4 - HKLM\..\Run: [{74-4F-F9-98-DW}] c:\windows\system32\dwwnw64r.exe DWmmm01FF
    O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
    O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\ocntksdl.exe DWmmm01FF
    O4 - HKLM\..\Run: [hhdxrgqwlz] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\vuyuptfuystuqlw.dll"
    O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
    O4 - HKCU\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\scott\LOCALS~1\Temp\winlogin.exe
    O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\scott\LOCALS~1\Temp\csrssc.exe
    O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
    O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\ocntksdl.exe
    O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\dwwnw64r.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O20 - AppInit_DLLs: zptoeh.dll
    O20 - Winlogon Notify: geBqRhFw - C:\WINDOWS\SYSTEM32\geBqRhFw.dll



    After marking the lines, click Fix checked.

    Download SDFix
    and save it to your Desktop.
    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Copy/paste this guideline into a notepad saved in your desktop,
    otherwise you won't be able to read it in Safe Mode:

    Please then reboot your computer in Safe Mode by doing the following:

    * Restart your computer
    * After hearing your computer beep once during startup, but before
    the Windows icon appears, tap the F8 key continually;
    * Instead of Windows loading as normal, the Advanced Options Menu
    should appear:
    * Select the first option, to run Windows in Safe Mode, then press Enter.
    * Choose your usual account.
    Close open windows.

    • While in Safe Mode:
    • Open the SDFix folder and double click RunThis.cmd to start
      the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it
      finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the
      removal process then display Finished, press any key to end the
      script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen
      and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on
      the forum).
    • Finally paste the contents of the Report.txt back on the forum
      with a new HijackThis log


    Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

    Reboot your computer after the scan!

    Please send these log files in your next post.
    • SDFix log
    • Malwarebytes log
    • New Hijackthis log
  • edited December 2008
    First of all, thank you for the quick response:

    Go to Install and remove software and uninstall these programs.

    webHancer Agent
    WebHancer

    Only 1 of these was present, so I removed that program.

    I ran SDFix twice, so here are the 2 logs...

    1.
    SDFix: Version 1.240
    Run by scott on Wed 12/03/2008 at 06:08 PM

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix

    Checking Services :

    Name :
    cmdService
    Network Monitor
    TDSSserv.sys

    Path :
    C:\WINDOWS\c2NvdHQ\command.exe
    C:\Program Files\Network Monitor\netmon.exe service
    \\?\globalroot\systemroot\system32\drivers\TDSSgddoikli.sys

    cmdService - Deleted
    Network Monitor - Deleted
    TDSSserv.sys - Deleted



    Restoring Default Security Values
    Restoring Default Hosts File

    Rebooting


    Checking Files :

    Trojan Files Found:

    C:\WINDOWS\system32\geBqRhFw.dll - Deleted
    C:\WINDOWS\c2NvdHQ\command.exe - Deleted
    C:\WINDOWS\c2NvdHQ\wZhSxJk.vbs - Deleted
    C:\-10596~1 - Deleted
    C:\Documents and Settings\scott\Application Data\Adobe\crc.dat - Deleted
    C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt - Deleted
    C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt - Deleted
    C:\Temp\1cb\syscheck.log - Deleted
    C:\WINDOWS\system32\winpfz33.sys - Deleted
    C:\Program Files\Network Monitor\netmon.exe - Deleted
    C:\DOCUME~1\scott\LOCALS~1\Temp\Csrssc.exe - Deleted
    C:\WINDOWS\pskt.ini - Deleted
    C:\WINDOWS\system32\atmtd.dll - Deleted
    C:\WINDOWS\system32\atmtd.dll._ - Deleted
    C:\WINDOWS\system32\comsa32.sys - Deleted
    C:\WINDOWS\system32\msnav32.ax - Deleted
    C:\WINDOWS\system32\zxdnt3d.cfg - Deleted
    C:\WINDOWS\uninstall_nmon.vbs - Deleted
    C:\WINDOWS\system32\drivers\system32.sys - Deleted
    C:\WINDOWS\SYSTEM32\DRIVERS\TDSSGD~1.sys - Deleted
    C:\WINDOWS\system32\TDSSjuvjejnt.dll - Deleted
    C:\WINDOWS\SYSTEM32\TDSSOO~1.dll - Deleted
    C:\WINDOWS\SYSTEM32\TDSSFX~1.dll - Deleted
    C:\WINDOWS\SYSTEM32\TDSSXM~1.dat - Deleted
    C:\WINDOWS\system32\TDSSyjtlwwpx.log - Deleted
    C:\WINDOWS\SYSTEM32\TDSSYJ~1.log - Deleted


    Could Not Remove C:\WINDOWS\system32\drivers\core.cache.dsk

    Folder C:\Documents and Settings\scott\Application Data\gadcom - Removed
    Folder C:\Program Files\Network Monitor - Removed
    Folder C:\Documents and Settings\LocalService\Application Data\NetMon - Removed
    Folder C:\Temp\1cb - Removed
    Folder C:\Temp\tn3 - Removed


    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-03 18:19:45
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
    "p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
    "h0"=dword:00000000
    "ujdew"=hex:bf,42,c1,d9,69,15,cc,95,99,0c,43,50,07,21,36,71,0e,fb,a0,46,49,..
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
    "p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
    "h0"=dword:00000000
    "ujdew"=hex:40,89,9c,66,c0,f1,bf,0d,f6,27,75,8d,f3,ab,d9,8d,78,66,c1,8f,90,..
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
    "p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
    "h0"=dword:00000000
    "ujdew"=hex:20,02,20,5d,6f,4a,1a,3d,1c,a8,d9,62,50,3d,4c,00,67,47,5a,05,b2,..
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
    "s1"=dword:2df9c43f
    "s2"=dword:110480d0
    "h0"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
    "p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
    "h0"=dword:00000000
    "ujdew"=hex:40,89,9c,66,c0,f1,bf,0d,f6,27,75,8d,f3,ab,d9,8d,78,66,c1,8f,90,..
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
    "p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
    "h0"=dword:00000000
    "ujdew"=hex:40,89,9c,66,c0,f1,bf,0d,f6,27,75,8d,f3,ab,d9,8d,78,66,c1,8f,90,..

    scanning hidden registry entries ...

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System]

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services :




    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\RealFlightG3\\RealFlight.exe"="C:\\Program Files\\RealFlightG3\\RealFlight.exe:*:Enabled:Radio Control Simulator"
    "C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"="C:\\Program Files\\IncrediMail\\bin\\ImApp.exe:*:Enabled:IncrediMail"
    "C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe:*:Enabled:IncrediMail"
    "C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"="C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe:*:Enabled:IncrediMail"
    "C:\\Program Files\\IncrediMail\\bin\\ImLc.exe"="C:\\Program Files\\IncrediMail\\bin\\ImLc.exe:*:Enabled:IncrediMail"
    "C:\\Program Files\\Microsoft Games\\Links 2003\\LinksMMIII.exe"="C:\\Program Files\\Microsoft Games\\Links 2003\\LinksMMIII.exe:*:Enabled:Links 2003"
    "C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Disabled:Microsoft DirectPlay8 Server"
    "F:\\archives\\Misc\\utorrent.exe"="F:\\archives\\Misc\\utorrent.exe:*:Enabled:µTorrent"
    "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
    "C:\\Program Files\\Aspyr\\Guitar Hero III\\GH3.exe"="C:\\Program Files\\Aspyr\\Guitar Hero III\\GH3.exe:*:Enabled:Guitar Hero III"
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
    "C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
    "C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
    "C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
    "C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
    "C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
    "C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

    Remaining Files :

    C:\WINDOWS\system32\drivers\core.cache.dsk Found

    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes :

    Sat 29 Nov 2008 1,880,064 A..H. --- "C:\Program Files\Accu-Chek Compass\Backup\Compass.bak"
    Thu 15 Nov 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
    Mon 13 Nov 2006 319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"

    Finished!

    2.
    SDFix: Version 1.240
    Run by scott on Wed 12/03/2008 at 08:08 PM

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix

    Checking Services :


    Restoring Default Security Values
    Restoring Default Hosts File

    Rebooting


    Checking Files :

    Trojan Files Found:

    C:\WINDOWS\system32\drivers\core.cache.dsk - Deleted



    Folder C:\Temp\tn3 - Removed


    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-03 20:15:46
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
    "p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
    "h0"=dword:00000000
    "ujdew"=hex:bf,42,c1,d9,69,15,cc,95,99,0c,43,50,07,21,36,71,0e,fb,a0,46,49,..
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
    "p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
    "h0"=dword:00000000
    "ujdew"=hex:40,89,9c,66,c0,f1,bf,0d,f6,27,75,8d,f3,ab,d9,8d,78,66,c1,8f,90,..
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
    "p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
    "h0"=dword:00000000
    "ujdew"=hex:20,02,20,5d,6f,4a,1a,3d,1c,a8,d9,62,50,3d,4c,00,67,47,5a,05,b2,..
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
    "s1"=dword:2df9c43f
    "s2"=dword:110480d0
    "h0"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
    "p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
    "h0"=dword:00000000
    "ujdew"=hex:40,89,9c,66,c0,f1,bf,0d,f6,27,75,8d,f3,ab,d9,8d,78,66,c1,8f,90,..
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
    "p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
    "h0"=dword:00000000
    "ujdew"=hex:40,89,9c,66,c0,f1,bf,0d,f6,27,75,8d,f3,ab,d9,8d,78,66,c1,8f,90,..

    scanning hidden registry entries ...

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System]

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services :




    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\RealFlightG3\\RealFlight.exe"="C:\\Program Files\\RealFlightG3\\RealFlight.exe:*:Enabled:Radio Control Simulator"
    "C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"="C:\\Program Files\\IncrediMail\\bin\\ImApp.exe:*:Enabled:IncrediMail"
    "C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe:*:Enabled:IncrediMail"
    "C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"="C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe:*:Enabled:IncrediMail"
    "C:\\Program Files\\IncrediMail\\bin\\ImLc.exe"="C:\\Program Files\\IncrediMail\\bin\\ImLc.exe:*:Enabled:IncrediMail"
    "C:\\Program Files\\Microsoft Games\\Links 2003\\LinksMMIII.exe"="C:\\Program Files\\Microsoft Games\\Links 2003\\LinksMMIII.exe:*:Enabled:Links 2003"
    "C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Disabled:Microsoft DirectPlay8 Server"
    "F:\\archives\\Misc\\utorrent.exe"="F:\\archives\\Misc\\utorrent.exe:*:Enabled:µTorrent"
    "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
    "C:\\Program Files\\Aspyr\\Guitar Hero III\\GH3.exe"="C:\\Program Files\\Aspyr\\Guitar Hero III\\GH3.exe:*:Enabled:Guitar Hero III"
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
    "C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
    "C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
    "C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
    "C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
    "C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
    "C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

    Remaining Files :


    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes :

    Sat 29 Nov 2008 1,880,064 A..H. --- "C:\Program Files\Accu-Chek Compass\Backup\Compass.bak"
    Thu 15 Nov 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
    Mon 13 Nov 2006 319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"

    Finished!

    Then I ran Malwarebytes:

    Malwarebytes' Anti-Malware 1.30
    Database version: 1455
    Windows 5.1.2600 Service Pack 3

    12/3/2008 7:53:00 PM
    mbam-log-2008-12-03 (19-52-31).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 104396
    Time elapsed: 49 minute(s), 14 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 2
    Registry Keys Infected: 9
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 11

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\system32\byXOiJAs.dll (Trojan.Vundo.H) -> No action taken.
    C:\WINDOWS\system32\zptoeh.dll (Trojan.Vundo) -> No action taken.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9abf1bef-be67-4462-be97-b5610b298683} (Trojan.Vundo.H) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{9abf1bef-be67-4462-be97-b5610b298683} (Trojan.Vundo.H) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a953bba2-f391-4e3d-995a-e52efd1bc73b} (Trojan.Vundo.H) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{a953bba2-f391-4e3d-995a-e52efd1bc73b} (Trojan.Vundo.H) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9abf1bef-be67-4462-be97-b5610b298683} (Trojan.Vundo) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a953bba2-f391-4e3d-995a-e52efd1bc73b} (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c900b400-cdfe-11d3-976a-00e02913a9e0} (Adware.WebHancer) -> No action taken.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\byxoijas -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\byxoijas -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\byXOiJAs.dll (Trojan.Vundo.H) -> No action taken.
    C:\WINDOWS\system32\sAJiOXyb.ini (Trojan.Vundo.H) -> No action taken.
    C:\WINDOWS\system32\sAJiOXyb.ini2 (Trojan.Vundo.H) -> No action taken.
    C:\WINDOWS\system32\zptoeh.dll (Trojan.Vundo.H) -> No action taken.
    C:\WINDOWS\system32\gyvgmqxd.dll (Trojan.Vundo.H) -> No action taken.
    C:\WINDOWS\system32\dxqmgvyg.ini (Trojan.Vundo.H) -> No action taken.
    C:\WINDOWS\system32\drivers\fipss.sys (Rootkit.Agent.H) -> No action taken.
    C:\opdwrpjm.exe (Trojan.Spambot) -> No action taken.
    C:\Documents and Settings\scott\Desktop\sypware and virus programs\backups\backup-20081203-182930-994.dll (Trojan.Vundo) -> No action taken.
    C:\Documents and Settings\scott\Desktop\sypware and virus programs\backups\backup-20081203-182948-600.dll (Trojan.Vundo) -> No action taken.
    C:\Documents and Settings\scott\Desktop\sypware and virus programs\backups\backup-20081203-183026-870.dll (Trojan.Vundo) -> No action taken.

    Here is a new HijackThis log.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:33:40 PM, on 12/4/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\Marvell\61xx\svc\mvraidsvc.exe
    C:\PROGRAM FILES\MARVELL\61XX\APACHE2\BIN\APACHE.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\oodag.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\PROGRAM FILES\MARVELL\61XX\APACHE2\BIN\APACHE.EXE
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Program Files\Logitech\QuickCam\Quickcam.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    C:\PROGRA~1\MICROS~3\rapimgr.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\PROGRA~1\INCRED~1\bin\ImApp.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\Documents and Settings\scott\Desktop\sypware and virus programs\scott.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: Marvell RAID Event Agent (Marvell RAID) - Unknown owner - C:\Program Files\Marvell\61xx\svc\mvraidsvc.exe
    O23 - Service: MRU Web Service (MRUWebService) - Apache Software Foundation - C:\PROGRAM FILES\MARVELL\61XX\APACHE2\BIN\APACHE.EXE
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    O23 - Service: WinIP - Unknown owner - C:\Program Files\Algenta\WinIP 4\WinIPservice.exe (file missing)

    --
    End of file - 9400 bytes
  • edited December 2008
    Hi again:
    I should also tell you that my System Restore will only allow me to restore back to Dec 2nd, which is the day of the infection. My virus scanner (PC-cillin) is intercepting numerous attempts to access exe and dll files in my System Volume Information folder; they are either being quarantined or the message reads "access denied". This is still happening now, even after these couple of fixes.

    Is there any way to repair the System Restore function? Or should I just turn off the System Restore function on all drives and turn it back on to reset it?

    My scanner is catching these attempts, and nothing is happening as a result, other than the warning message.
  • edited December 2008
    Hi, wasco22

    We will clean System Restore after the PC is fully clean.
    Viruses cannot install or work from System Restore.

    CCleaner
    Please download CCleaner ... © Piriform Ltd. (slim version) and save it to your desktop. CCleaner guide can be found here...if needed.


    To Install CCleaner:
    1. Click the ccsetup???_slim.exe...icon on your desktop. (??? = version #'s)
    2. Press the "Run"...(Security prompt). Select a language...Press "OK" ...button.
    3. Click "Next"...(Welcome screen). Click "I Agree"...(License Agreement).
    4. Click "Next" for default install location.
      The default is set to C:\Program Files\CCleaner. Unless you want it installed elsewhere, just leave it.
    5. Check the "Install Options", you want.
    6. Click "Install". Click "Finish" when prompted.


    To Run CCleaner:
    1. Click CCleaner desktop icon or Start Menu item...(depending on install options)
    2. Before first use, check under Options, Advanced, and UNCHECK "Only delete files in Windows Temp folder older than 48 hours".
    3. A pop up box will appear advising this process will permanently delete files from your system.
    4. Select the items to clean up.
      In the Windows Tab:
    5. Clean all entries in the "Internet Explorer" section.
      Note: "Cookies"...box. If checked will require re-entry of user names, passwords on "next" visit to sites that require users log in.
    6. Clean all the entries in the "Windows Explorer" section.
    7. Clean all entries in the "System" section...except "Start Menu Shortcuts" and "Desktop Shortcuts" uncheck these 2 items.
    8. *Uncheck* the "Advanced" section.


      In the Applications Tab:
    • Clean all in the "Firefox/Mozilla" section. (if you use it)
      Firefox Caution: "Saved Form Information"...box. If checked will remove all your saved passwords, if you use that feature.
    • Clean all in the "Opera" section. (if you use it)
    • Clean all in the "Applications" section.
    • Clean all in the "Internet" section.
    • Clean all in the "Multimedia" section. (if you use them)
    • Clean all in the "Utilities" section. (if you use them)
    • Clean all in the "Windows" section.


    • Then click the "Run Cleaner" button and it will scan and clean your system.
    • Close CCleaner when finished.


    FYI...You may see some files "marked" for deletion when Windows restarts...this is because they are "in use" by the system and can't be removed until restart.
    CAUTION: Please do NOT use the "Issues" button in the left pane.
    This is a built-in registry cleaner. Removing certain entries can render your computer inoperable!


    Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

    Reboot your computer after the scan!

    Please do a scan with Kaspersky Online Scanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.
    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete, click on View scan report
    • Now, click on the Save Report as button.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.


    Please send these log files in your next post.
    • Kaspersky's log
    • Malwarebytes log
    • New Hijackthis log
  • edited December 2008
    Quick question, the Mirar toolbar is still showing in Add/Remove Programs. When you try to uninstall it, it takes you to a website to download an uninstall program, which is an .exe file. I downloaded it but haven't used it as of yet. I'm a little leery of using an .exe file to uninstall spyware. Please advise..


    Followed to the letter and here are the 3 reports:


    KASPERSKY ONLINE SCANNER 7 REPORT
    Sunday, December 7, 2008

    Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Sunday, December 07, 2008 09:20:51
    Records in database: 1441946

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\
    F:\

    Scan statistics:
    Files scanned: 241406
    Threat name: 18
    Infected objects: 18
    Suspicious objects: 1
    Duration of the scan: 03:44:20


    File name / Threat name / Threats count
    C:\Download\power cd g burner-key.exe Infected: Trojan-Downloader.Win32.Agent.asyh 1
    C:\Program Files\Trend Micro\Internet Security 2006\Quarantine\10.tmp Infected: Trojan.Win32.Pakes.mag 1
    C:\SDFix\backups_old\backups.zip Infected: Trojan.Win32.Pakes.mag 1
    C:\SDFix\backups_old\backups.zip Infected: not-a-virus:Monitor.Win32.NetMon.a 1
    C:\SDFix\backups_old\catchme.zip Infected: Backdoor.Win32.TDSS.bkw 1
    C:\SDFix\backups_old\catchme.zip Infected: Backdoor.Win32.TDSS.asz 1
    C:\SDFix\backups_old\catchme.zip Infected: Backdoor.Win32.TDSS.atb 1
    C:\Utorrent Downloads\Convert_X_To_DVD_3.1.3.40_FULLbying.rar Infected: Trojan.PHP.Turame.f 1
    C:\WINDOWS\system32\asck.exe Infected: not-a-virus:AdWare.Win32.AlexaBar.ab 1
    C:\WINDOWS\system32\gs73gfidgf.dll Infected: Trojan.Win32.Agent.artu 1
    C:\WINDOWS\system32\Pe\peco85IV.exe Infected: Trojan-Downloader.Win32.Agent.afzg 1
    C:\WINDOWS\system32\vos\MTK63G.exe Infected: Trojan-Downloader.Win32.Small.buy 1
    F:\archives\Alcohol 120\ALCOHOL 120 1.9.7.Build 6221(NEW-UPDATED Build)\Alcohol120_retail_1.9.7.6221.EXE Infected: Trojan-Downloader.Win32.VB.ceh 1
    F:\archives\DSS Dish2\Sat files downloaded recent\hu-nitro 1.4a.zip Suspicious: Packed.Win32.PePatch.dk 1
    F:\archives\Links 2000-2003\Links 2003\linksmod106_final.zip Infected: not-a-virus:AdWare.Win32.Rabio.jg 1
    F:\archives\Mirc\6.16, invision\mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
    F:\archives\Mirc\6.21\mirc621.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
    F:\archives\Mirc\Mirc6.1-Invision 2.0\mirc61.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.61 1
    F:\archives\Windows XP Professional Essential Edition ISO\Microsoft_Windows_XP_Pro_Essential_1.1.iso Infected: not-a-virus:RiskTool.Win32.HideWindows 1

    The selected area was scanned.




    Malwarebytes' Anti-Malware 1.31
    Database version: 1471
    Windows 5.1.2600 Service Pack 3

    12/7/2008 4:35:36 PM
    mbam-log-2008-12-07 (16-35-36).txt


    Scan type: Full Scan (C:\|)
    Objects scanned: 277153
    Time elapsed: 48 minute(s), 54 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 3
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 12

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{90e305de-4fdc-4bcc-962c-512f486a5940} (Adware.Mirar) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{90e305de-4fdc-4bcc-962c-512f486a5940} (Adware.Mirar) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90e305de-4fdc-4bcc-962c-512f486a5940} (Adware.Mirar) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{90e305de-4fdc-4bcc-962c-512f486a5940} (Adware.Mirar) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\System Volume Information\_restore{8949209C-2C82-4505-9F30-F3A6C2898591}\RP537\A0137895.exe (Adware.WebHancer) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{8949209C-2C82-4505-9F30-F3A6C2898591}\RP537\A0137910.exe (Adware.WebHancer) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{8949209C-2C82-4505-9F30-F3A6C2898591}\RP537\A0137912.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{8949209C-2C82-4505-9F30-F3A6C2898591}\RP537\A0137936.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{8949209C-2C82-4505-9F30-F3A6C2898591}\RP537\A0137909.dll (Adware.WebHancer) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{8949209C-2C82-4505-9F30-F3A6C2898591}\RP537\A0137966.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{8949209C-2C82-4505-9F30-F3A6C2898591}\RP537\A0138045.dll (Adware.Mirar) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{8949209C-2C82-4505-9F30-F3A6C2898591}\RP538\A0138160.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{8949209C-2C82-4505-9F30-F3A6C2898591}\RP538\A0138161.dll (Adware.Mirar) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\winqa77.dll (Adware.Mirar) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\vos\MTK63G.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\Pe\peco85IV.exe (Adware.ZenoSearch) -> Quarantined and deleted successfully.




    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:42:04 PM, on 12/7/2008

    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\Marvell\61xx\svc\mvraidsvc.exe
    C:\PROGRAM FILES\MARVELL\61XX\APACHE2\BIN\APACHE.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\oodag.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Program Files\Logitech\QuickCam\Quickcam.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    C:\PROGRAM FILES\MARVELL\61XX\APACHE2\BIN\APACHE.EXE
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\PROGRA~1\MICROS~3\rapimgr.exe
    C:\PROGRA~1\INCRED~1\bin\ImApp.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Documents and Settings\scott\Desktop\sypware and virus programs\scott.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: Marvell RAID Event Agent (Marvell RAID) - Unknown owner - C:\Program Files\Marvell\61xx\svc\mvraidsvc.exe
    O23 - Service: MRU Web Service (MRUWebService) - Apache Software Foundation - C:\PROGRAM FILES\MARVELL\61XX\APACHE2\BIN\APACHE.EXE
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    O23 - Service: WinIP - Unknown owner - C:\Program Files\Algenta\WinIP 4\WinIPservice.exe (file missing)

    --
    End of file - 9577 bytes
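    The HijackThis log above is read by eye in this thread. The following is an added example, not code from the thread, from HijackThis or from any of the tools linked here: a short Python pass over O4 (autostart) and O23 (service) lines that flags the two things worth a second look in that log, namely Run values whose executable is given as a bare file name rather than an absolute path (the loader resolves those through the search path, so a same-named file placed earlier in that path would run instead), and services whose binary is reported "(file missing)" or which have no recorded owner. The sample lines are copied from the log above; the regular expressions, category labels and function names are this example's own.

```python
"""Triage pass over HijackThis O4 (autostart) and O23 (service) entries.

Added example for this thread, not code from HijackThis or from any of the
tools the helpers link to. It flags:
  * O4 Run/RunOnce values whose executable is a bare file name rather than
    an absolute path (resolved through the search path, so a same-named
    file placed earlier in that path would run instead);
  * O23 services whose binary is "(file missing)" or has no recorded owner.
"""
import re

# Constructed sample: nine lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O23 - Service: Marvell RAID Event Agent (Marvell RAID) - Unknown owner - C:\Program Files\Marvell\61xx\svc\mvraidsvc.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: WinIP - Unknown owner - C:\Program Files\Algenta\WinIP 4\WinIPservice.exe (file missing)
"""

# Registry autostart line: "O4 - HKLM\..\Run: [name] command"
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# An absolute Windows path starts with a drive letter, a colon and a backslash.
ABS_PATH_RE = re.compile(r'^[A-Za-z]:\\')


def executable_of(cmd):
    """Return the program part of a Run value: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def triage(log_text):
    """Return a list of findings; each has kind, name, exe and reason."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m.group('cmd'))
            if not ABS_PATH_RE.match(exe):
                findings.append({'kind': 'O4', 'name': m.group('name'), 'exe': exe,
                                 'reason': 'executable not given as an absolute path'})
            continue
        if line.startswith('O23 - Service: '):
            # Display names can themselves contain " - ", so split from the right.
            parts = line[len('O23 - Service: '):].rsplit(' - ', 2)
            if len(parts) != 3:
                continue
            display, owner, path = parts
            reasons = []
            if path.endswith('(file missing)'):
                reasons.append('service binary missing (orphaned service entry)')
            if owner == 'Unknown owner':
                reasons.append('no owner/vendor recorded')
            if reasons:
                findings.append({'kind': 'O23', 'name': display, 'exe': path,
                                 'reason': '; '.join(reasons)})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:<4}{f['name']:<42}{f['reason']}\n    {f['exe']}")
```

    Run against the sample, four of the six O4 lines are flagged (RUNDLL32.EXE, nwiz.exe, SkyTel.EXE and Logi_MwX.Exe are all bare names; the quoted CloneCD path and the IncrediMail path are not), and two O23 lines are flagged: the Marvell agent for its unknown owner, and WinIP for both that and the missing binary. An unqualified Run value is not evidence of infection on its own, as the vendor installers above wrote them that way, but it is exactly the kind of entry a dropper can shadow, so it belongs on the list of things to confirm by checking which file actually gets resolved.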
  • edited December 2008
    wasco22 wrote:
    Quick question, the Mirar toolbar is still showing in Add/Remove Programs. When you try to uninstall it, it takes you to a website to download an uninstall program, which is an .exe file. I downloaded it but haven't used it as of yet. I'm a little leery of using an .exe file to uninstall spyware. Please advise..
    Just delete this downloaded .exe file; it might install more spyware.
  • edited December 2008
    Hi, Wasco22

    • Download OTMoveIt3 by OldTimer.
    • Save it to your desktop.
    • Run OTMoveIt3.exe.
    • Copy (CTRL+C) the code box's content.
    :files 
    C:\Download\power cd g burner-key.exe 
    C:\Program Files\Trend Micro\Internet Security 2006\Quarantine\10.tmp 
    C:\SDFix\backups_old\backups.zip 
    C:\SDFix\backups_old\backups.zip 
    C:\SDFix\backups_old\catchme.zip 
    C:\SDFix\backups_old\catchme.zip 
    C:\SDFix\backups_old\catchme.zip 
    C:\Utorrent Downloads\Convert_X_To_DVD_3.1.3.40_FULLbying.rar 
    C:\WINDOWS\system32\asck.exe 
    C:\WINDOWS\system32\gs73gfidgf.dll 
    C:\WINDOWS\system32\Pe\peco85IV.exe 
    C:\WINDOWS\system32\vos\MTK63G.exe 
    F:\archives\Alcohol 120\ALCOHOL 120 1.9.7.Build 6221(NEW-UPDATED Build)\Alcohol120_retail_1.9.7.6221.EXE 
    F:\archives\DSS Dish2\Sat files downloaded recent\hu-nitro 1.4a.zip 
    F:\archives\Links 2000-2003\Links 2003\linksmod106_final.zip
    F:\archives\Windows XP Professional Essential Edition ISO\Microsoft_Windows_XP_Pro_Essential_1.1.iso 
     
    :commands 
    [emptytemp]  
    
    • Go back to OTMoveIt3, right-click in the "Paste List Of Files/Folders to Move" window (under the yellow bar) and click Paste.
    • Click the red MoveIt! button.
    • Copy (CTRL+C) and paste (CTRL+V) the text of the Results window (under the green bar) into your next post.
    • Close OTMoveIt3.
    If some file or folder could not be moved immediately, the program will propose rebooting the machine. Answer Yes, and OTMoveIt3 will reboot the computer.

    Scan again with Malwarebytes and Kaspersky Online Scanner and send the log files.
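    The OTMoveIt3 list above was assembled from the Kaspersky report earlier in this thread, which prints one line per detection, so a path that matched several signatures (catchme.zip, three times) is repeated in the list. The following is an added example, not code from the thread, from Kaspersky or from OldTimer: a Python script that parses report lines of that form, buckets each detection by where it sits (a hit inside a quarantine folder, an SDFix backup or a System Restore point is already isolated by another tool, whereas a hit under C:\WINDOWS is a live file, and a "not-a-virus:" verdict is riskware rather than malware), and then emits a `:files` block naming each selected path exactly once, in report order. The sample lines are a subset of the report above; the bucket labels, the marker list and the function names are this example's own.

```python
"""Triage of Kaspersky Online Scanner report lines and generation of a
de-duplicated OTMoveIt3 :files block.

Added example for this thread, not code from Kaspersky or from OldTimer.
The report lists one line per detection, so a path that hit several
signatures appears several times; a move list built from it should name
each path once. Each detection is also bucketed by location, since a hit
in a quarantine folder, an SDFix backup or a System Restore point is
already contained, while a hit under C:\WINDOWS is a live file.
"""
import re
from collections import OrderedDict

# Constructed sample: a subset of the report lines posted earlier in the thread.
REPORT = r"""
C:\Download\power cd g burner-key.exe Infected: Trojan-Downloader.Win32.Agent.asyh 1
C:\Program Files\Trend Micro\Internet Security 2006\Quarantine\10.tmp Infected: Trojan.Win32.Pakes.mag 1
C:\SDFix\backups_old\backups.zip Infected: Trojan.Win32.Pakes.mag 1
C:\SDFix\backups_old\backups.zip Infected: not-a-virus:Monitor.Win32.NetMon.a 1
C:\SDFix\backups_old\catchme.zip Infected: Backdoor.Win32.TDSS.bkw 1
C:\SDFix\backups_old\catchme.zip Infected: Backdoor.Win32.TDSS.asz 1
C:\SDFix\backups_old\catchme.zip Infected: Backdoor.Win32.TDSS.atb 1
C:\WINDOWS\system32\asck.exe Infected: not-a-virus:AdWare.Win32.AlexaBar.ab 1
C:\WINDOWS\system32\gs73gfidgf.dll Infected: Trojan.Win32.Agent.artu 1
C:\WINDOWS\system32\vos\MTK63G.exe Infected: Trojan-Downloader.Win32.Small.buy 1
F:\archives\DSS Dish2\Sat files downloaded recent\hu-nitro 1.4a.zip Suspicious: Packed.Win32.PePatch.dk 1
F:\archives\Mirc\6.16, invision\mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
F:\archives\Windows XP Professional Essential Edition ISO\Microsoft_Windows_XP_Pro_Essential_1.1.iso Infected: not-a-virus:RiskTool.Win32.HideWindows 1
"""

# "<path> Infected: <threat> <count>" or "<path> Suspicious: <threat> <count>"
LINE_RE = re.compile(
    r'^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$')

# Locations where another tool has already isolated the file (this example's own list).
CONTAINED_MARKERS = ('\\quarantine\\', '\\sdfix\\backups', '\\system volume information\\')
ARCHIVE_EXT = ('.zip', '.rar', '.7z', '.cab', '.iso')


def parse_report(text):
    """Return one record per detection line: path, verdict, threat, count."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({'path': m.group('path'), 'verdict': m.group('verdict'),
                            'threat': m.group('threat'), 'count': int(m.group('count'))})
    return records


def classify(rec):
    """Bucket a detection: contained, archived, live-system, riskware or user-file."""
    p = rec['path'].lower()
    if any(marker in p for marker in CONTAINED_MARKERS):
        return 'contained'          # already quarantined / backed up / in a restore point
    if p.endswith(ARCHIVE_EXT):
        return 'archived'           # inert until extracted, still worth removing
    if p.startswith('c:\\windows\\'):
        return 'live-system'        # loadable file in the OS tree: deal with this first
    if rec['threat'].startswith('not-a-virus:'):
        return 'riskware'           # legitimate-but-risky tool, not malware
    return 'user-file'


def summarize(records):
    """Group records by bucket, preserving report order within each bucket."""
    buckets = {}
    for rec in records:
        buckets.setdefault(classify(rec), []).append(rec)
    return buckets


def otmoveit_script(records, classes):
    """Build an OTMoveIt3 :files block naming each selected path once, in report order."""
    paths = OrderedDict((rec['path'], None) for rec in records if classify(rec) in classes)
    return '\n'.join([':files', *paths, '', ':commands', '[emptytemp]'])


if __name__ == '__main__':
    recs = parse_report(REPORT)
    for bucket, items in summarize(recs).items():
        print(f'{bucket}: {len(items)}')
    print(otmoveit_script(recs, classes=('live-system', 'user-file', 'contained')))
```

    On the sample, six of the thirteen detections are in contained locations, three are live files under C:\WINDOWS\system32 (including asck.exe, which is only adware by signature but is sitting in the OS tree, so the location check deliberately wins over the "not-a-virus:" verdict), two are inside archives, one is riskware and one is a downloaded installer. The generated block lists backups.zip and catchme.zip once each.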
  • VekaVeka Finland
    edited December 2008
    This topic is now closed due to inactivity. If you wish to reopen your topic, please send a Private Message (PM) to Trogan with a link to your thread.

    If it has been 10 days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.

    If you are not the user who started this thread, you must start your own Thread instead :)