#1 - April 6th, 2008, 08:02 PM
Kainiaa
New Member
 
Join Date: Apr 2008
O/S: Windows 7 32-bit
Location: NC
Posts: 18
Vundo and IRCBOT -- Appreciate any help.

Well I've gone through and scanned my computer with about 3 different virus scanners that cannot remove these. I tried Vundofix and rebooted and still, my Spybot keeps popping up saying something's trying to make browser changes and etc. I can't seem to find anything for the IRCBOT though. I downloaded HijackThis and DSS, but every time I run DSS it comes up with an error and cannot complete the scan. The backdoor.IRCBOT.APG I guess is the MSN virus >.< the other, possibly let in from that? No idea where I got it. But it's bogging my computer down (not terribly just yet). And when I play World of Warcraft, usually just in raids, my mouse and keyboard will stop working, it'll bring up my chat log as if I were trying to type something in raid, CTRL + V to turn HP bars on, then window me out. Veeeeery annoying. I'd like to try and fix this because currently my windows disks are a couple states away :/ Thank you in advance for any help! Oh and by the way the programs I have run would be Spybot S&D, Vundofix, Clamwin, TrendMicro(Online Scan).
#2 - April 6th, 2008, 09:10 PM
Kainiaa
New Member
 
Join Date: Apr 2008
O/S: Windows 7 32-bit
Location: NC
Posts: 18
Ok well I just ran Combofix, and this is the log it left...

ComboFix 08-04-04.1 - Steph 2008-04-06 15:01:38.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.578 [GMT -5:00]
Running from: C:\Documents and Settings\Steph\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM83c69c14.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\byXQgGwX.dll
C:\WINDOWS\system32\dNXHOXyb.ini2
C:\WINDOWS\system32\hfgyqmgj.dll
C:\WINDOWS\system32\jgmqygfh.ini
C:\WINDOWS\system32\kmUwwyay.ini
C:\WINDOWS\system32\kmUwwyay.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\opbtjhej.dll
C:\WINDOWS\system32\pijdanqh.dll
C:\WINDOWS\system32\rqRjHBrQ.dll
C:\WINDOWS\system32\sisjmcbe.dll
C:\WINDOWS\system32\yaywwUmk.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-06 to 2008-04-06 )))))))))))))))))))))))))))))))
.

2008-04-06 14:59 . 2008-04-06 14:59 <DIR> dr-h----- C:\Documents and Settings\Steph\Application Data\yahoo!
2008-04-06 13:51 . 2008-04-06 13:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-06 13:02 . 2008-04-06 13:29 <DIR> d-------- C:\VundoFix Backups
2008-04-06 03:01 . 2008-04-06 14:51 <DIR> d-------- C:\Program Files\MSN Messenger
2008-04-06 02:58 . 2008-04-06 14:51 <DIR> d-------- C:\Documents and Settings\Steph\Application Data\HouseCall 6.6
2008-04-06 02:56 . 2008-04-06 02:56 <DIR> d-------- C:\Program Files\Java
2008-04-06 02:55 . 2008-04-06 02:55 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-02 02:22 . 2008-04-06 14:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-02 02:22 . 2008-04-06 14:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-02 02:16 . 2008-04-06 13:30 <DIR> d-------- C:\Documents and Settings\Steph\Application Data\.clamwin
2008-04-02 02:13 . 2008-04-06 14:52 <DIR> d-------- C:\Program Files\ClamWin
2008-04-02 02:13 . 2008-04-06 14:52 <DIR> d-------- C:\Documents and Settings\All Users\.clamwin
2008-04-01 20:42 . 2008-04-01 20:42 268,288 --a------ C:\WINDOWS\system32\yaywwUmk.dll_old
2008-04-01 20:34 . 2008-04-01 20:34 38,912 -r-hs---- C:\WINDOWS\msn.com
2008-03-27 20:18 . 2008-04-06 14:58 <DIR> d-------- C:\Program Files\Yahoo!
2008-03-27 20:18 . 2008-04-06 14:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-03-25 10:26 . 2008-03-25 10:26 <DIR> d-------- C:\Logs
2008-03-19 00:16 . 2004-08-04 00:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-03-07 20:24 . 1998-02-13 15:30 143,872 --a------ C:\WINDOWS\system32\iacenc.dll
2008-03-07 20:24 . 1997-06-13 09:56 56,832 --a------ C:\WINDOWS\system32\Iyvu9_32.dll
2008-03-07 20:24 . 1997-11-06 13:53 27,648 --a------ C:\WINDOWS\system32\ir50_lcs.dll
2008-03-07 20:24 . 2008-03-07 20:24 5,952 --a------ C:\WINDOWS\system32\CDUninst.isu
2008-03-07 20:23 . 2008-03-07 20:23 <DIR> d-------- C:\Program Files\Common Files\Intel Shared
2008-03-07 20:22 . 2008-03-07 20:24 <DIR> d-------- C:\Galleries
2008-03-07 20:21 . 2008-03-07 20:21 <DIR> d-------- C:\Program Files\Web Publish
2008-03-07 20:21 . 2008-03-07 20:21 <DIR> d-------- C:\Program Files\Intel
2008-03-07 20:21 . 1998-09-02 03:02 194,320 --a------ C:\WINDOWS\system32\qcut.dll
2008-03-07 20:21 . 1998-08-26 23:51 182,032 --a------ C:\WINDOWS\system32\dxtmsft3.dll
2008-03-07 20:21 . 1998-08-20 06:02 140,800 --a------ C:\WINDOWS\system32\tm20dec.ax
2008-03-07 20:21 . 1998-09-02 03:28 63,488 --a------ C:\WINDOWS\system32\unam4ie.exe
2008-03-07 20:21 . 1998-09-02 03:28 38,160 --a------ C:\WINDOWS\system32\LMRTREND.dll
2008-03-07 20:21 . 1998-08-17 04:21 11,776 --a------ C:\WINDOWS\system32\mciqtz.drv
2008-03-07 20:21 . 1998-08-17 04:21 10,240 --a------ C:\WINDOWS\system32\vidx16.dll
2008-03-07 20:21 . 1998-08-17 04:21 5,672 --a------ C:\WINDOWS\system32\quartz.vxd
2008-03-07 20:21 . 2008-03-07 20:21 3,216 --a------ C:\WINDOWS\SMUninst.ins
2008-03-07 20:20 . 2008-03-07 20:20 <DIR> d-------- C:\Documents and Settings\Steph\WINDOWS
2008-03-07 20:20 . 1998-07-30 13:51 305,152 --a------ C:\WINDOWS\IsUninst.exe
2008-03-07 15:35 . 2008-03-07 15:35 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-03-07 10:26 . 2008-03-07 10:26 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-03-06 20:04 . 2008-03-06 20:04 <DIR> d-------- C:\temp\cs430_XP
2008-03-06 20:04 . 2008-03-06 20:04 <DIR> d-------- C:\temp
2008-03-06 19:53 . 2008-03-28 18:08 <DIR> d-------- C:\Documents and Settings\Steph\Application Data\Corel
2008-03-06 19:53 . 2008-03-06 19:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-03-06 19:53 . 2008-03-28 18:08 1,682 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-03-06 19:52 . 2008-03-06 19:53 <DIR> d-------- C:\Program Files\Corel
2008-03-06 19:52 . 2008-03-06 19:52 <DIR> d-------- C:\Program Files\Common Files\Corel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-06 18:30 --------- d-----w C:\Documents and Settings\Steph\Application Data\.clamwin
2008-04-06 07:55 --------- d-----w C:\Program Files\Windows Live
2008-04-01 17:32 --------- d-----w C:\Program Files\World of Warcraft
2008-03-05 19:11 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-05 19:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-02 04:34 --------- d-----w C:\Program Files\Teamspeak2_RC2
2008-03-02 04:34 --------- d-----w C:\Documents and Settings\Steph\Application Data\teamspeak2
2008-02-29 19:59 --------- d-----w C:\Documents and Settings\Steph\Application Data\Creative
2008-02-29 17:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-25 07:08 --------- d-----w C:\Program Files\Creative
2008-02-25 07:07 --------- d-----w C:\Program Files\Audible
2008-02-25 07:05 --------- d--h--w C:\Program Files\Creative Installation Information
2008-02-25 07:04 --------- d-----w C:\Program Files\Common Files\Creative
2008-02-25 07:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Creative
2008-02-24 00:36 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-02-16 00:42 --------- d-----w C:\Program Files\Starcraft
2008-02-16 00:23 94,208 ----a-w C:\WINDOWS\ScUnin.exe
2008-02-14 07:22 --------- d-----w C:\Documents and Settings\Steph\Application Data\Ventrilo
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-08-07 11:06 700416]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 16:28 577536 C:\WINDOWS\soundman.exe]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe" [2006-08-04 12:00 462336]
"Windows live Messenger"="msn.com" [2008-04-01 20:34 38912 C:\WINDOWS\msn.com]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXQgGwX]
byXQgGwX.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVideo8"= VfWWDM32.dll
"msacm.lhacm"= lhacm.acm
"vidc.I263"= I263_32.drv
"MSACM.G723"= g723.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724


.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 1980-04-06 15:04:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-04-06 15:06:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-06 20:06:42
Pre-Run: 118,186,205,184 bytes free
Post-Run: 118,278,225,920 bytes free
.
2008-03-11 21:09:33 --- E O F ---
#3 - April 6th, 2008, 09:16 PM
Kainiaa
New Member
 
Join Date: Apr 2008
O/S: Windows 7 32-bit
Location: NC
Posts: 18
And here's a HijackThis Log also... (after running Combofix) The MSN.com thing is still there >.<

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:14:14 PM, on 4/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\msn.com
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Steph\Desktop\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
O4 - HKLM\..\Run: [Windows live Messenger] msn.com
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - Winlogon Notify: byXQgGwX - byXQgGwX.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

--
End of file - 3351 bytes
#4 - April 8th, 2008, 06:38 AM
AnnMarie
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
Hi Kainiaa. Close Internet Explorer and any open windows and run Hijack This again. Check the below entries and click on Fix Checked.

O4 - HKLM\..\Run: [Windows live Messenger] msn.com

O20 - Winlogon Notify: byXQgGwX - byXQgGwX.dll (file missing)


Open notepad and copy and paste the text in the codebox below into it:

Code:
File::
C:\WINDOWS\msn.com
C:\WINDOWS\system32\yaywwUmk.dll_old

DirLook::
C:\Documents and Settings\Steph\WINDOWS

Go to File > Save As and save the file as CFScript.txt and set the location to your Desktop. Drag CFScript.txt and drop it into ComboFix.exe. See below:



ComboFix will run again. When the fix completes it will create a C:\ComboFix.txt log. Please post that log in your next reply. Also post a new Hijack This log.
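The two rules the helper applied above by hand (a Run entry whose command is a bare filename, and a Winlogon Notify DLL reported missing) can be checked mechanically. This is an added example, not part of the thread and not HijackThis or ComboFix code; the sample lines are copied from the HijackThis log posted earlier in the thread, and the severity labels are this example's own convention.

```python
import re
from typing import List, Tuple

# Extensions other than .exe that Windows will still execute from a Run value.
# A bare ".com" name such as "msn.com" looks like a web address but is a program
# found through the search path (the Windows directory is searched early).
SUSPICIOUS_BARE_EXT = {".com", ".scr", ".pif", ".bat", ".cmd"}

O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>.+?)(?P<missing> \(file missing\))?$")

# (item type, severity, subject, reason)
Finding = Tuple[str, str, str, str]


def _command_path(cmd: str) -> str:
    """Return the executable part of a Run command, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_line(line: str) -> List[Finding]:
    """Apply the O4 / O20 rules to one HijackThis log line."""
    findings: List[Finding] = []
    m = O4_RE.match(line)
    if m:
        exe = _command_path(m.group("cmd"))
        if "\\" not in exe and "/" not in exe:
            # No directory given: Windows resolves the name through its search path.
            ext = exe[exe.rfind("."):].lower() if "." in exe else ""
            if ext in SUSPICIOUS_BARE_EXT:
                findings.append(("O4", "high", exe,
                                 f"bare '{ext}' filename resolved through the search path; "
                                 f"entry name '{m.group('name')}' may be a disguise"))
            else:
                findings.append(("O4", "review", exe,
                                 "bare filename resolved through the search path; "
                                 "confirm which file actually runs"))
        return findings
    m = O20_RE.match(line)
    if m:
        if m.group("missing"):
            # The DLL was deleted but its registration was not: an orphan entry
            # that Winlogon keeps trying to load at every logon.
            findings.append(("O20", "fix", m.group("dll"),
                             "Winlogon Notify DLL no longer exists; remove the orphan registration"))
        else:
            findings.append(("O20", "review", m.group("dll"),
                             "third-party DLL loads inside winlogon.exe; verify its publisher"))
    return findings


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of a log and collect the findings."""
    out: List[Finding] = []
    for line in text.splitlines():
        out.extend(triage_line(line))
    return out


# Lines taken from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = (
    'O4 - HKLM\\..\\Run: [ATICCC] "C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe" runtime -Delay\n'
    "O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE\n"
    "O4 - HKLM\\..\\Run: [Windows live Messenger] msn.com\n"
    'O4 - HKCU\\..\\Run: [MsnMsgr] "C:\\Program Files\\Windows Live\\Messenger\\MsnMsgr.Exe" /background\n'
    "O20 - Winlogon Notify: byXQgGwX - byXQgGwX.dll (file missing)\n"
)

if __name__ == "__main__":
    for kind, sev, subject, reason in triage_log(SAMPLE_LOG):
        print(f"[{sev:6}] {kind}: {subject}: {reason}")
```

SOUNDMAN.EXE is flagged only for review because a bare .exe name is common for legitimate vendor software; the entries the helper told the poster to fix come out as "high" and "fix".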
#5 - April 8th, 2008, 09:29 AM
Kainiaa
New Member
 
Join Date: Apr 2008
O/S: Windows 7 32-bit
Location: NC
Posts: 18
Here's before I did the Hijack "fix checked"

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:20:55 AM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Steph\Desktop\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - Winlogon Notify: byXQgGwX - byXQgGwX.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

--
End of file - 4056 bytes
#6 - April 8th, 2008, 09:31 AM
Kainiaa
New Member
 
Join Date: Apr 2008
O/S: Windows 7 32-bit
Location: NC
Posts: 18
And here's after... although I tried doing the Combofix thing... it brought up the loading bar, loaded, a blue window blinked on screen, but it left no .txt

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:24:30 AM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Steph\Desktop\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

--
End of file - 3944 bytes
#7 - April 8th, 2008, 09:32 AM
Kainiaa
New Member
 
Join Date: Apr 2008
O/S: Windows 7 32-bit
Location: NC
Posts: 18
I also ran Kaspersky Online scan and... not too happy with what it found >.< But here's the log for that...

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, April 08, 2008 3:20:19 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 8/04/2008
Kaspersky Anti-Virus database records: 689148
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 54519
Number of viruses found: 12
Number of infected objects: 76
Number of suspicious objects: 0
Duration of the scan process: 03:36:50

Infected Object Name / Virus Name / Last Action
C:\ddc78b431874b1366d7e349a663a\$shtdwn$.req Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Steph\Application Data\HouseCall 6.6\Backup\yaywwUmk.dll_old.bac_a07784 Infected: not-a-virus:AdWare.Win32.Virtumonde.lwx skipped
C:\Documents and Settings\Steph\Application Data\Microsoft\Word\AutoRecovery save of Normal.as$ Object is locked skipped
C:\Documents and Settings\Steph\Application Data\Mozilla\Firefox\Profiles\24zqgpun.default\cert8.db Object is locked skipped
C:\Documents and Settings\Steph\Application Data\Mozilla\Firefox\Profiles\24zqgpun.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Steph\Application Data\Mozilla\Firefox\Profiles\24zqgpun.default\history.dat Object is locked skipped
C:\Documents and Settings\Steph\Application Data\Mozilla\Firefox\Profiles\24zqgpun.default\key3.db Object is locked skipped
C:\Documents and Settings\Steph\Application Data\Mozilla\Firefox\Profiles\24zqgpun.default\parent.lock Object is locked skipped
C:\Documents and Settings\Steph\Application Data\Mozilla\Firefox\Profiles\24zqgpun.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Steph\Application Data\Mozilla\Firefox\Profiles\24zqgpun.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Steph\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\Application Data\Microsoft\Windows Media\11.0\WMSDKNSD.XML Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\Application Data\Mozilla\Firefox\Profiles\24zqgpun.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\Application Data\Mozilla\Firefox\Profiles\24zqgpun.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\Application Data\Mozilla\Firefox\Profiles\24zqgpun.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\Application Data\Mozilla\Firefox\Profiles\24zqgpun.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\Temp\hsperfdata_Steph\3692 Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\Temp\TMP000000014CF7C38B962B5F08 Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\Temp\~DF8D92.tmp Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Steph\ntuser.dat Object is locked skipped
C:\Documents and Settings\Steph\NTUSER.DAT.LOG Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hfgyqmgj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.mwq skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\opbtjhej.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.msm skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pijdanqh.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.mvn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rqRjHBrQ.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.lvo skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\sisjmcbe.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.msm skipped
C:\QooBox\Quarantine\catchme2008-04-06_150447.34.zip/Documents and Settings/Steph/Desktop/catchme.zip/byXQgGwX.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lvo skipped
C:\QooBox\Quarantine\catchme2008-04-06_150447.34.zip/Documents and Settings/Steph/Desktop/catchme.zip/yaywwUmk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lwx skipped
C:\QooBox\Quarantine\catchme2008-04-06_150447.34.zip/Documents and Settings/Steph/Desktop/catchme.zip Infected: not-a-virus:AdWare.Win32.Virtumonde.lwx skipped
C:\QooBox\Quarantine\catchme2008-04-06_150447.34.zip ZIP: infected - 3 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP162\A0011214.com Infected: Backdoor.Win32.IRCBot.cgj skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP163\A0011226.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lwx skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP170\A0011362.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mct skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP170\A0011363.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mct skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP170\A0011364.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP170\A0011365.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP170\A0011366.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP170\A0011367.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP170\A0011368.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP170\A0011369.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP170\A0011370.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP170\A0011371.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mct skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP170\A0011372.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP170\A0011373.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP170\A0011374.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP170\A0011375.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mct skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP170\A0011376.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mct skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011497.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mvn skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011498.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mwq skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011501.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.msm skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011502.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mxi skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011745.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mxj skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011746.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mxj skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011754.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mxj skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011755.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mxj skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011756.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mxj skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011757.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mxj skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011758.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mhf skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011759.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mhf skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011760.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mhf skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011761.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mhf skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011767.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011768.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011770.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lvo skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011771.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lvo skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011772.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lvo skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011773.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011774.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lvo skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011776.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lvo skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011777.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lvo skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011778.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lvo skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011779.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lvo skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011780.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lvo skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP171\A0011853.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mxj skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP173\A0011908.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mwq skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP173\A0011909.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.msm skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP173\A0011910.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mvn skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP173\A0011911.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lvo skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP173\A0011912.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.msm skipped
C:\System Volume Information\_restore{A38C56F4-9075-4776-80A1-DBD83A07B009}\RP176\change.log Object is locked skipped
C:\VundoFix Backups\cbXPiHwX.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.mct skipped
C:\VundoFix Backups\ddcYPGya.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.mct skipped
C:\VundoFix Backups\efcAQJCv.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped
C:\VundoFix Backups\efcYsTLF.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped
C:\VundoFix Backups\hgGyabXP.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped
C:\VundoFix Backups\iiffDWMG.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped
C:\VundoFix Backups\khfCtuVp.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped
C:\VundoFix Backups\nnnmkJde.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped
C:\VundoFix Backups\nnnoOiIy.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped
C:\VundoFix Backups\opnkkiGy.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.mct skipped
C:\VundoFix Backups\pmnnmlKe.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped
C:\VundoFix Backups\rqRLdAqO.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped
C:\VundoFix Backups\rqRLeDus.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.mde skipped
C:\VundoFix Backups\rqRLfgee.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.mct skipped
C:\VundoFix Backups\ssqRhefC.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.mct skipped
C:\WINDOWS\Debug\mrt.log Object is locked skipped
C:\WINDOWS\Debug\mrteng.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\msn.com Infected: Backdoor.Win32.IRCBot.cgj skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\yaywwUmk.dll_old Infected: not-a-virus:AdWare.Win32.Virtumonde.lwx skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
  #8  
Old April 8th, 2008, 09:51 PM
AnnMarie
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
There is a bug in the version of ComboFix that you are using, Kainiaa. Please uninstall it. To do this, go to Start > Run and type:

ComboFix /u

and click OK. Now download a fresh copy from the link I posted and run it as per my earlier instructions and post the log.
  #9  
Old April 8th, 2008, 10:35 PM
Kainiaa
New Member
 
Join Date: Apr 2008
O/S: Windows 7 32-bit
Location: NC
Posts: 18
The ComboFix log needs to be split up into 2 posts (sry)

ComboFix 08-04-08.5 - Steph 2008-04-08 16:27:18.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.614 [GMT -5:00]
Running from: C:\Documents and Settings\Steph\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Steph\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
TimedOut: Windir.dat

((((((((((((((((((((((((( Files Created from 2008-03-08 to 2008-04-08 )))))))))))))))))))))))))))))))
.

2008-04-07 23:32 . 2008-04-07 23:32 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-07 23:32 . 2008-04-07 23:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-07 23:31 . 2008-04-07 23:31 <DIR> d-------- C:\WINDOWS\LastGood
2008-04-07 23:22 . 2008-04-07 23:22 <DIR> d-------- C:\WINDOWS\Sun
2008-04-07 23:22 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-07 23:21 . 2008-04-07 23:22 <DIR> d-------- C:\Program Files\Java
2008-04-07 13:18 . 2008-04-07 13:18 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-04-07 13:18 . 2007-04-09 13:23 28,040 --a------ C:\WINDOWS\system32\mdimon.dll
2008-04-07 13:18 . 2008-04-07 13:18 376 --a------ C:\WINDOWS\ODBC.INI
2008-04-07 13:17 . 2008-04-07 13:18 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-04-07 13:17 . 2008-04-07 13:17 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-04-07 13:15 . 2008-04-07 13:15 <DIR> dr-h----- C:\MSOCache
2008-04-06 14:59 . 2008-04-06 14:59 <DIR> dr-h----- C:\Documents and Settings\Steph\Application Data\yahoo!
2008-04-06 13:51 . 2008-04-06 13:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-06 13:02 . 2008-04-06 13:29 <DIR> d-------- C:\VundoFix Backups
2008-04-06 03:01 . 2008-04-06 14:51 <DIR> d-------- C:\Program Files\MSN Messenger
2008-04-06 02:58 . 2008-04-06 14:51 <DIR> d-------- C:\Documents and Settings\Steph\Application Data\HouseCall 6.6
2008-04-06 02:55 . 2008-04-06 02:55 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-02 02:22 . 2008-04-06 14:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-02 02:22 . 2008-04-06 14:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-02 02:16 . 2008-04-06 13:30 <DIR> d-------- C:\Documents and Settings\Steph\Application Data\.clamwin
2008-04-02 02:13 . 2008-04-06 14:52 <DIR> d-------- C:\Program Files\ClamWin
2008-04-02 02:13 . 2008-04-06 14:52 <DIR> d-------- C:\Documents and Settings\All Users\.clamwin
2008-04-01 20:42 . 2008-04-01 20:42 268,288 --a------ C:\WINDOWS\system32\yaywwUmk.dll_old
2008-04-01 20:34 . 2008-04-01 20:34 38,912 -r-hs---- C:\WINDOWS\msn.com
2008-03-27 20:18 . 2008-04-06 14:58 <DIR> d-------- C:\Program Files\Yahoo!
2008-03-27 20:18 . 2008-04-06 14:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-03-25 10:26 . 2008-03-25 10:26 <DIR> d-------- C:\Logs
2008-03-19 00:16 . 2004-08-04 00:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-06 18:30 --------- d-----w C:\Documents and Settings\Steph\Application Data\.clamwin
2008-04-06 07:55 --------- d-----w C:\Program Files\Windows Live
2008-04-01 17:32 --------- d-----w C:\Program Files\World of Warcraft
2008-03-28 23:08 --------- d-----w C:\Documents and Settings\Steph\Application Data\Corel
2008-03-08 01:23 --------- d-----w C:\Program Files\Common Files\Intel Shared
2008-03-08 01:21 --------- d-----w C:\Program Files\Web Publish
2008-03-08 01:21 --------- d-----w C:\Program Files\Intel
2008-03-07 15:26 --------- d-----w C:\Program Files\MSXML 4.0
2008-03-07 00:53 --------- d-----w C:\Program Files\Corel
2008-03-07 00:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
2008-03-07 00:52 --------- d-----w C:\Program Files\Common Files\Corel
2008-03-05 19:11 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-05 19:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-02 04:34 --------- d-----w C:\Program Files\Teamspeak2_RC2
2008-03-02 04:34 --------- d-----w C:\Documents and Settings\Steph\Application Data\teamspeak2
2008-02-29 19:59 --------- d-----w C:\Documents and Settings\Steph\Application Data\Creative
2008-02-29 17:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-25 07:08 --------- d-----w C:\Program Files\Creative
2008-02-25 07:07 --------- d-----w C:\Program Files\Audible
2008-02-25 07:05 --------- d--h--w C:\Program Files\Creative Installation Information
2008-02-25 07:04 --------- d-----w C:\Program Files\Common Files\Creative
2008-02-25 07:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Creative
2008-02-24 00:36 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-02-16 00:42 --------- d-----w C:\Program Files\Starcraft
2008-02-16 00:23 94,208 ----a-w C:\WINDOWS\ScUnin.exe
2008-02-14 07:22 --------- d-----w C:\Documents and Settings\Steph\Application Data\Ventrilo
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\Steph\WINDOWS ----



((((((((((((((((((((((((((((( snapshot@2008-04-06_15.06.33.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-07 18:18:02 110,592 ----a-w C:\WINDOWS\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\adodb.dll
+ 2008-04-07 18:24:26 66,936 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.Vbe.Interop\11.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.dll
+ 2008-04-07 18:18:02 229,376 ----a-w C:\WINDOWS\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\MSCOMCTL.DLL
+ 2008-04-07 18:18:02 4,096 ----a-w C:\WINDOWS\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\msdatasrc.dll
+ 2008-04-07 18:24:20 226,656 ----a-w C:\WINDOWS\assembly\GAC\office\11.0.0.0__71e9bce111e9429c\OFFICE.DLL
+ 2008-04-07 18:18:02 16,384 ----a-w C:\WINDOWS\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\stdole.dll
+ 2003-07-15 03:43:20 87,616 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\ADDRPARS.DLL
+ 2003-07-15 03:57:34 38,968 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\AUTHZAX.DLL
+ 2003-07-15 03:53:06 94,768 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\AW.DLL
+ 2003-07-15 08:14:28 350,264 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\CDLMSO.DLL
+ 2003-07-15 08:18:12 47,160 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\DFUICOM.EXE
+ 2003-07-25 23:57:20 75,832 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\DLGSETP.DLL
+ 2003-07-15 03:56:54 14,904 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\DSITF.DLL
+ 2003-07-15 03:57:14 98,360 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\DSSM.EXE
+ 2003-07-31 20:19:52 131,648 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\ENVELOPE.DLL
+ 2003-08-13 07:34:38 10,073,144 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\EXCEL.EXE
+ 2003-07-15 03:41:44 13,368 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\FINDER.EXE
+ 2003-08-03 15:56:16 1,146,184 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\FM20.DLL
+ 2003-07-24 04:01:40 1,949,240 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\FPCUTL.DLL
+ 2003-07-15 04:36:14 186,424 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\FPDTC.DLL
+ 2003-07-15 03:40:12 179,768 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\FPERSON.DLL
+ 2003-07-15 03:40:12 165,944 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\FPLACE.DLL
+ 2003-07-26 00:00:16 1,157,696 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\FPSRVUTL.DLL
+ 2003-07-26 00:14:50 799,288 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\FPWEC.DLL
+ 2003-07-15 04:11:42 2,139,192 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\GRAPH.EXE
+ 2003-07-15 03:57:44 87,096 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\IEAWSDC.DLL
+ 2003-07-15 03:53:50 161,336 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\IETAG.DLL
+ 2003-07-24 03:32:32 121,400 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\IMPMAIL.DLL
+ 2003-06-18 22:31:44 758,784 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MDIGRAPH.DLL
+ 2003-06-18 22:31:10 252,928 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MDIINK.DLL
+ 2003-06-18 22:31:48 17,920 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MDIMON.DLL
+ 2003-06-18 22:31:48 18,944 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MDIPPR.DLL
+ 2003-06-18 22:31:46 35,328 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MDIUI.DLL
+ 2003-06-18 22:31:34 443,904 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MDIVWCTL.DLL
+ 2003-07-15 03:46:08 176,696 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MIMEDIR.DLL
+ 2003-07-15 03:58:04 230,968 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSCDM.DLL
+ 2003-07-15 03:51:50 116,288 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSCONV97.DLL
+ 2002-12-18 00:08:50 359,600 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSDMENG.DLL
+ 2002-12-18 00:08:54 1,383,592 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSDMINE.DLL
+ 2003-07-15 03:51:44 87,104 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSENCODE.DLL
+ 2002-04-10 01:14:36 187,560 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSMDUN80.DLL
+ 2003-07-15 03:52:52 17,464 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSMH.DLL
+ 2003-08-08 05:23:16 12,172,336 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSO.DLL
+ 2003-07-15 03:57:16 120,888 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOAUTH.DLL
+ 2003-07-15 08:14:18 106,552 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOCF.DLL
+ 2003-07-24 03:35:26 127,032 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOCFU.DLL
+ 2003-07-15 03:52:52 27,704 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSODCW.DLL
+ 2003-07-15 03:44:06 25,144 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOEURO.DLL
+ 2003-07-15 03:52:56 55,360 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOHTMED.EXE
+ 2002-12-18 00:09:24 2,071,752 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOLAP80.DLL
+ 2003-07-11 07:15:48 1,292,872 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSONSEXT.DLL
+ 2003-07-15 08:18:52 376,888 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSORUN.DLL
+ 2003-07-15 03:52:54 28,224 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOSTYLE.DLL
+ 2003-07-15 03:52:52 35,896 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOSV.DLL
+ 2003-07-15 03:53:20 39,488 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOSVFBR.DLL
+ 2003-07-15 03:46:16 42,040 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOXEV.DLL
+ 2003-07-15 03:45:12 55,360 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOXMLED.EXE
+ 2003-07-15 03:45:12 39,488 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOXMLMF.DLL
+ 2003-06-18 22:31:24 1,033,216 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSPCORE.DLL
+ 2003-06-18 22:31:50 16,384 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSPGIMME.DLL
+ 2003-06-19 21:05:50 364,648 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSPVIEW.EXE
+ 2003-07-15 03:52:58 41,528 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSSH.DLL
+ 2003-07-15 04:02:14 627,256 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSTORDB.EXE
+ 2003-07-15 03:56:24 124,984 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSTORE.EXE
+ 2003-07-24 03:40:00 482,872 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSTORES.DLL
+ 2003-07-15 04:00:54 145,984 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSWEBCAP.DLL
+ 2003-07-15 03:57:10 56,888 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\NAME.DLL
+ 2003-07-15 03:56:52 13,888 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\NPOFFICE.DLL
+ 2008-04-07 18:18:01 223,800 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OFFICE.DLL
+ 2003-07-15 08:14:26 283,696 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OIS.EXE
+ 2003-07-15 08:14:26 828,472 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OISAPP.DLL
+ 2003-07-15 08:14:26 27,192 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OISCTRL.DLL
+ 2003-07-15 08:14:26 242,240 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OISGRAPH.DLL
+ 2003-07-15 04:05:24 1,054,264 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OMFC.DLL
+ 2003-07-15 03:41:56 24,640 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OUTLACCT.DLL
+ 2003-07-15 03:44:34 102,968 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OUTLCTL.DLL
+ 2003-07-07 18:36:00 2,058,343 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OUTLFLTR.DAT
+ 2003-07-08 16:48:00 115,288 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OUTLFLTR.DLL
+ 2003-08-10 04:06:42 7,522,360 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OUTLLIB.DLL
+ 2003-07-15 03:44:32 88,128 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OUTLMIME.DLL
+ 2003-07-15 03:45:18 196,152 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OUTLOOK.EXE
+ 2003-07-15 03:43:48 139,320 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OUTLPH.DLL
+ 2003-07-15 03:43:18 64,056 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OUTLRPC.DLL
+ 2003-07-15 03:43:16 49,208 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OUTLWAB.DLL
+ 2003-08-01 20:09:04 8,086,072 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OWC11.DLL
+ 2003-07-30 17:40:40 6,133,312 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\POWERPNT.EXE
+ 2003-07-15 08:18:54 430,136 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\PP4X322.DLL
+ 2003-07-15 08:18:44 93,752 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\PP7X32.DLL
+ 2003-07-31 20:21:08 1,782,840 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\PPTVIEW.EXE
+ 2003-07-15 03:42:26 37,432 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\RECALL.DLL
+ 2003-05-09 02:54:00 77,824 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\REFEDIT.DLL
+ 2003-07-15 03:57:08 40,512 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\REFIEBAR.DLL
+ 2003-07-15 03:43:30 74,288 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\RM.DLL
+ 2003-07-21 16:46:38 390,712 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\RTFHTML.DLL
+ 2003-07-15 03:44:16 66,616 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\SENDTO.DLL
+ 2003-07-15 03:57:08 58,944 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\SEQCHK10.DLL
+ 2003-07-15 03:53:14 11,848 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\SMARTTAGINSTALL.EXE
+ 2003-08-03 15:52:32 2,808,376 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\STSLIST.DLL
+ 2003-07-15 04:00:22 99,904 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\TRANSMGR.DLL
+ 2003-07-03 20:19:36 2,502,656 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\VBE6.DLL
+ 2008-04-07 18:18:02 64,088 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\VBIDEPIA.DLL
+ 2003-08-06 18:24:20 12,037,688 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\WINWORD.EXE
+ 2007-03-23 00:07:56 91,488 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.8173\ADDRPARS.DLL
+ 2007-03-23 00:07:54 80,224 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.8173\DLGSETP.DLL
+ 2007-04-19 18:53:52 137,568 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.8173\ENVELOPE.DLL
+ 2007-05-31 18:41:06 10,352,472 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.8173\EXCEL.EXE
  #10  
Old April 8th, 2008, 10:35 PM
Kainiaa
New Member
 
Join Date: Apr 2008
O/S: Windows 7 32-bit
Location: NC
Posts: 18
+ 2007-04-19 19:09:30 167,256 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.8173\IETAG.DLL
+ 2007-04-19 18:53:52 127,328 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.8173\IMPMAIL.DLL
+ 2007-04-19 18:54:04 183,136 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.8173\MIMEDIR.DLL
+ 2007-06-18 22:16:32 12,259,160 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.8173\MSO.DLL
+ 2007-05-31 18:43:46 7,613,280 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.8173\OUTLLIB.DLL
+ 2007-04-19 18:53:44 106,336 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.8173\OUTLMIME.DLL
+ 2007-05-31 18:42:14 200,032 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.8173\OUTLOOK.EXE
+ 2007-04-19 18:53:56 149,856 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.8173\OUTLPH.DLL
+ 2007-04-19 18:53:24 69,984 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.8173\OUTLRPC.DLL
+ 2007-03-23 00:07:10 41,824 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.8173\RECALL.DLL
+ 2007-03-23 00:07:54 78,168 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.8173\RM.DLL
+ 2007-03-23 00:22:02 103,264 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.8173\TRANSMGR.DLL
+ 2007-05-09 22:19:48 2,585,936 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.8173\VBE6.DLL
+ 2007-05-31 18:37:40 12,310,368 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.8173\WINWORD.EXE
+ 2008-04-08 19:48:06 12,288 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-04-08 19:48:06 135,168 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-04-08 19:48:06 11,264 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-04-08 19:48:06 27,136 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-04-08 19:48:06 4,096 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-04-08 19:48:07 794,624 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-04-08 19:48:06 249,856 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-04-08 19:48:07 23,040 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-04-08 19:48:06 286,720 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-04-08 19:48:06 409,600 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2007-06-06 15:53:34 1,195,888 ----a-w C:\WINDOWS\system32\FM20.DLL
+ 2007-03-23 00:17:04 35,440 ----a-w C:\WINDOWS\system32\FM20ENU.DLL
+ 2002-08-21 10:10:16 204,800 ----a-w C:\WINDOWS\system32\INKED.DLL
+ 2008-02-22 06:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-02-22 06:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-02-22 07:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 1998-06-18 00:08:32 53,248 ----a-w C:\WINDOWS\system32\MFC42ENU.DLL
- 2008-03-05 16:30:54 19,148,408 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-03-05 13:30:56 19,148,408 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2000-05-11 18:06:20 397,312 ----a-w C:\WINDOWS\system32\MSRDO20.DLL
+ 2000-05-24 03:45:58 118,784 ----a-w C:\WINDOWS\system32\MSSTDFMT.DLL
+ 1998-08-09 16:07:34 94,208 ----a-w C:\WINDOWS\system32\MSSTKPRP.DLL
+ 2000-04-03 22:52:54 151,552 ----a-w C:\WINDOWS\system32\RDOCURS.DLL
+ 1998-03-25 02:54:08 15,872 ----a-w C:\WINDOWS\system32\SCP32.DLL
+ 2007-04-09 18:24:04 758,664 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\mdigraph.dll
+ 2007-04-09 18:23:58 46,472 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\mdiui.dll
+ 2007-04-09 18:24:04 758,664 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\mdigraph.dll
+ 2007-04-09 18:23:58 46,472 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\mdiui.dll
+ 2007-04-09 18:23:54 28,552 ----a-w C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
+ 1999-11-24 23:40:50 40,960 ----a-w C:\WINDOWS\system32\VBAME.DLL
+ 2002-08-21 10:13:12 189,952 ----a-w C:\WINDOWS\system32\WISPTIS.EXE
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-08-07 11:06 700416]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 16:28 577536 C:\WINDOWS\soundman.exe]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe" [2006-08-04 12:00 462336]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I263"= I263_32.drv
"MSACM.G723"= g723.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724


*Newly Created Service* - OSE
.
Reply With Quote
#11 | April 8th, 2008, 10:36 PM | Kainiaa (New Member; Join Date: Apr 2008; O/S: Windows 7 32-bit; Location: NC; Posts: 18)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:31, on 2008-04-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Steph\Desktop\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

--
End of file - 3928 bytes
Reply With Quote
#12 | April 8th, 2008, 11:32 PM | AnnMarie (CTH Subscriber; Join Date: Oct 2001; O/S: Windows Vista 32-bit; Location: New Zealand; Posts: 59,810)
Did you create a script and run it? The files that I identified are still present and there is no indication that a script has run. See below:

Quote:
Hi Kainiaa. Close Internet Explorer and any open windows and run Hijack This again. Check the below entries and click on Fix Checked.

O4 - HKLM\..\Run: [Windows live Messenger] msn.com

O20 - Winlogon Notify: byXQgGwX - byXQgGwX.dll (file missing)


Open notepad and copy and paste the text in the codebox below into it:

Code:
File::
C:\WINDOWS\msn.com
C:\WINDOWS\system32\yaywwUmk.dll_old

DirLook::
C:\Documents and Settings\Steph\WINDOWS

Go to File > Save As and save the file as CFScript.txt and set the location to your Desktop. Drag CFScript.txt and drop it into ComboFix.exe. See below:

ComboFix will run again. When the fix completes it will create a C:\ComboFix.txt log. Please post that log in your next reply. Also post a new Hijack This log.
Reply With Quote
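The four items AnnMarie's fix targets in the posts above can be pulled out of the posted logs mechanically: a Run value that loads a bare `msn.com` (resolved by a PATH search to the hidden, system-attributed `C:\WINDOWS\msn.com`), a Winlogon Notify package with a random-looking eight-letter name whose DLL is missing, and a renamed `yaywwUmk.dll_old` left behind in system32. The Python script below is an added example for this thread; it is not code from the original posts and not part of HijackThis, ComboFix or The Avenger. The two regexes are my reading of the log formats exactly as they appear above, the flagging rules are heuristics I chose for this illustration, and the sample lines are copied from the logs posted in this thread.

```python
"""Triage helper for the HijackThis and ComboFix log lines posted in this thread.

Added example, not part of the thread and not code from either tool. The
regexes are my own reading of the two log formats shown above, and the
flagging rules are simple heuristics chosen for this illustration.
"""
import re
from dataclasses import dataclass

# HijackThis O4 entry:  O4 - HKLM\..\Run: [Display name] command line
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# HijackThis O20 entry: O20 - Winlogon Notify: key - module.dll (file missing)
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<module>\S+)(?P<missing> \(file missing\))?$"
)
# ComboFix "Files Created" entry: created . modified size attrs path
CF_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$"
)

# A Run value with no path is resolved by a PATH search. SOUNDMAN.EXE in the
# posted log is loaded that way and is legitimate, so only non-.exe extensions
# are flagged; that is how "msn.com" (really C:\WINDOWS\msn.com) was started.
BARE_SUSPICIOUS_EXT = (".com", ".scr", ".pif", ".bat")


@dataclass
class Finding:
    rule: str
    detail: str
    line: str


def looks_random(stem: str) -> bool:
    """Heuristic for Vundo-style module names: eight letters, mixed case,
    switching case at least three times (byXQgGwX qualifies, SOUNDMAN does not)."""
    if len(stem) != 8 or not stem.isalpha():
        return False
    if not (any(c.isupper() for c in stem) and any(c.islower() for c in stem)):
        return False
    flips = sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())
    return flips >= 3


def run_target(cmd: str) -> str:
    """Return the executable part of a Run command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(lines):
    """Apply the heuristics to HijackThis and ComboFix lines, in input order."""
    findings = []
    for line in lines:
        line = line.rstrip()
        if m := O4_RE.match(line):
            target = run_target(m["cmd"])
            if "\\" not in target and target.lower().endswith(BARE_SUSPICIOUS_EXT):
                findings.append(Finding("bare-run-nonexe",
                    f"Run value [{m['name']}] loads bare {target} via PATH search", line))
        elif m := O20_RE.match(line):
            stem = m["module"].rsplit(".", 1)[0]
            if m["missing"] or looks_random(stem):
                why = " (file missing)" if m["missing"] else " (random-looking name)"
                findings.append(Finding("winlogon-notify",
                    f"Notify package {m['module']}{why}", line))
        elif m := CF_RE.match(line):
            folder, _, name = m["path"].rpartition("\\")
            attrs, is_dir = m["attrs"], m["size"] == "<DIR>"
            # Hidden + system file dropped directly in the Windows root.
            if not is_dir and "h" in attrs and "s" in attrs and folder.upper() == r"C:\WINDOWS":
                findings.append(Finding("hidden-system-in-windows-root",
                    f"{name} ({m['size']} bytes, attrs {attrs}) in the Windows root", line))
            # A DLL renamed out of the way but still sitting in system32.
            if name.lower().endswith("_old") and folder.upper() == r"C:\WINDOWS\SYSTEM32":
                findings.append(Finding("renamed-dll-left-behind",
                    f"{name} is a renamed copy still present in system32", line))
    return findings


# Lines copied from the logs posted in this thread (HijackThis first, then ComboFix).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Windows live Messenger] msn.com
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: byXQgGwX - byXQgGwX.dll (file missing)
2008-04-07 13:15 . 2008-04-07 13:15 <DIR> dr-h----- C:\MSOCache
2008-04-01 20:42 . 2008-04-01 20:42 268,288 --a------ C:\WINDOWS\system32\yaywwUmk.dll_old
2008-04-01 20:34 . 2008-04-01 20:34 38,912 -r-hs---- C:\WINDOWS\msn.com
2008-03-19 00:16 . 2004-08-04 00:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.strip().splitlines()):
        print(f"[{f.rule}] {f.detail}")
```

On the sample it reports exactly the items the CFScript and Avenger scripts in this thread go after and nothing else (the bare SOUNDMAN.EXE, the hidden MSOCache folder and the dllcache entry all pass). These are shortlisting heuristics, not a verdict: a flagged file still needs to be confirmed on disk (attributes, size, whether it is signed) before it is deleted, which is why the helpers here also ask for a fresh log after each step.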
#13 | April 9th, 2008, 05:13 AM | Kainiaa (New Member; Join Date: Apr 2008; O/S: Windows 7 32-bit; Location: NC; Posts: 18)
Ok, I did do the script the first time, but I did it again so here's the 2nd attempt...

ComboFix 08-04-08.5 - Steph 2008-04-08 23:09:08.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.751 [GMT -5:00]
Running from: C:\Documents and Settings\Steph\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Steph\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
.

2008-04-07 23:32 . 2008-04-07 23:32 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-07 23:32 . 2008-04-07 23:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-07 23:31 . 2008-04-07 23:31 <DIR> d-------- C:\WINDOWS\LastGood
2008-04-07 23:22 . 2008-04-07 23:22 <DIR> d-------- C:\WINDOWS\Sun
2008-04-07 23:22 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-07 23:21 . 2008-04-07 23:22 <DIR> d-------- C:\Program Files\Java
2008-04-07 13:18 . 2008-04-07 13:18 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-04-07 13:18 . 2007-04-09 13:23 28,040 --a------ C:\WINDOWS\system32\mdimon.dll
2008-04-07 13:18 . 2008-04-07 13:18 376 --a------ C:\WINDOWS\ODBC.INI
2008-04-07 13:17 . 2008-04-07 13:18 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-04-07 13:17 . 2008-04-07 13:17 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-04-07 13:15 . 2008-04-07 13:15 <DIR> dr-h----- C:\MSOCache
2008-04-06 14:59 . 2008-04-06 14:59 <DIR> dr-h----- C:\Documents and Settings\Steph\Application Data\yahoo!
2008-04-06 13:51 . 2008-04-06 13:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-06 13:02 . 2008-04-06 13:29 <DIR> d-------- C:\VundoFix Backups
2008-04-06 03:01 . 2008-04-06 14:51 <DIR> d-------- C:\Program Files\MSN Messenger
2008-04-06 02:58 . 2008-04-06 14:51 <DIR> d-------- C:\Documents and Settings\Steph\Application Data\HouseCall 6.6
2008-04-06 02:55 . 2008-04-06 02:55 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-02 02:22 . 2008-04-06 14:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-02 02:22 . 2008-04-06 14:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-02 02:16 . 2008-04-06 13:30 <DIR> d-------- C:\Documents and Settings\Steph\Application Data\.clamwin
2008-04-02 02:13 . 2008-04-06 14:52 <DIR> d-------- C:\Program Files\ClamWin
2008-04-02 02:13 . 2008-04-06 14:52 <DIR> d-------- C:\Documents and Settings\All Users\.clamwin
2008-04-01 20:42 . 2008-04-01 20:42 268,288 --a------ C:\WINDOWS\system32\yaywwUmk.dll_old
2008-04-01 20:34 . 2008-04-01 20:34 38,912 -r-hs---- C:\WINDOWS\msn.com
2008-03-27 20:18 . 2008-04-06 14:58 <DIR> d-------- C:\Program Files\Yahoo!
2008-03-27 20:18 . 2008-04-06 14:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-03-25 10:26 . 2008-03-25 10:26 <DIR> d-------- C:\Logs
2008-03-19 00:16 . 2004-08-04 00:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-06 18:30 --------- d-----w C:\Documents and Settings\Steph\Application Data\.clamwin
2008-04-06 07:55 --------- d-----w C:\Program Files\Windows Live
2008-04-01 17:32 --------- d-----w C:\Program Files\World of Warcraft
2008-03-28 23:08 --------- d-----w C:\Documents and Settings\Steph\Application Data\Corel
2008-03-08 01:23 --------- d-----w C:\Program Files\Common Files\Intel Shared
2008-03-08 01:21 --------- d-----w C:\Program Files\Web Publish
2008-03-08 01:21 --------- d-----w C:\Program Files\Intel
2008-03-07 15:26 --------- d-----w C:\Program Files\MSXML 4.0
2008-03-07 00:53 --------- d-----w C:\Program Files\Corel
2008-03-07 00:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
2008-03-07 00:52 --------- d-----w C:\Program Files\Common Files\Corel
2008-03-05 19:11 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-05 19:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-02 04:34 --------- d-----w C:\Program Files\Teamspeak2_RC2
2008-03-02 04:34 --------- d-----w C:\Documents and Settings\Steph\Application Data\teamspeak2
2008-02-29 19:59 --------- d-----w C:\Documents and Settings\Steph\Application Data\Creative
2008-02-29 17:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-25 07:08 --------- d-----w C:\Program Files\Creative
2008-02-25 07:07 --------- d-----w C:\Program Files\Audible
2008-02-25 07:05 --------- d--h--w C:\Program Files\Creative Installation Information
2008-02-25 07:04 --------- d-----w C:\Program Files\Common Files\Creative
2008-02-25 07:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Creative
2008-02-24 00:36 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-02-16 00:42 --------- d-----w C:\Program Files\Starcraft
2008-02-16 00:23 94,208 ----a-w C:\WINDOWS\ScUnin.exe
2008-02-14 07:22 --------- d-----w C:\Documents and Settings\Steph\Application Data\Ventrilo
.

(((((((((((((((((((((((((((((((((((((((((((( Look ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\Steph\WINDOWS ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-08-07 11:06 700416]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 16:28 577536 C:\WINDOWS\soundman.exe]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe" [2006-08-04 12:00 462336]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I263"= I263_32.drv
"MSACM.G723"= g723.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724


*Newly Created Service* - OSE
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-08 23:10:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-08 23:11:24
ComboFix-quarantined-files.txt 2008-04-09 04:11:10
Pre-Run: 116,958,945,280 bytes free
Post-Run: 116,948,271,104 bytes free
.
2008-04-08 19:48:08 --- E O F ---
Reply With Quote
#14 | April 9th, 2008, 05:14 AM | Kainiaa (New Member; Join Date: Apr 2008; O/S: Windows 7 32-bit; Location: NC; Posts: 18)
And here's HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:12:41 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Steph\Desktop\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

--
End of file - 3899 bytes
Reply With Quote
#15 | April 9th, 2008, 06:08 AM | AnnMarie (CTH Subscriber; Join Date: Oct 2001; O/S: Windows Vista 32-bit; Location: New Zealand; Posts: 59,810)
The scripts don't appear to be running. We have had nothing but problems with this utility so we will try another.

Download The Avenger from here to your Desktop and unzip it.

Copy all the text contained in the code box below by highlighting it and right clicking and selecting "Copy"

Code:
Files to delete:
C:\WINDOWS\msn.com
C:\WINDOWS\system32\yaywwUmk.dll_old

Folders to delete:
C:\Documents and Settings\Steph\WINDOWS

Start The Avenger by opening the Avenger folder and double-clicking on Avenger.exe. Position your cursor in the blank space under "Input Script Here", right-click and choose Paste. Your script should appear in the dialogue box.

Next, put a checkmark next to "Scan for Rootkits" but make sure that "Automatically Disable Any Rootkit Found" is unchecked for now. We may use this option later on if a malicious file is found.

Click on the Execute button and click Yes when you are asked if you are sure you want to execute this script. Click Yes when you are asked if you want to reboot now. The Avenger will restart your computer (on some occasions, The Avenger may restart your computer twice)

When you have rebooted, a logfile will open that has recorded all the actions that The Avenger performed (this log file is saved to C:\avenger.txt). The deleted files will be backed up and saved to C:\avenger\backup.zip.

Once your computer has rebooted, please post back the contents of C:\avenger.txt and a new Hijack This log.
Reply With Quote