flashing shield, alternates with blue question mark and red x, balloon pops up

[dhult]

Hello,
I have this flashing shield that alternates between a blue questin mark and a red x, it has a balloon pop up that sends me to a virus protect website. I also cannot locate my control panel when signed on under owner. When i try to open the file that i saved the panda scan in, it says that word has not been installed for the current user. please run setup to install. but i know that i do have the word program installed.
Thanks for the help in advance! Here are my other logs....

Deckard's System Scanner v20071014.68
Run by Owner on 2008-01-08 01:48:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 254 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-01-08 01:48:51
Platform: Windows XP (5.01.2600)
MSIE: Internet Explorer (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\NMSSvc.Exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\Directcd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\ssu.exe
C:\Documents and Settings\Owner.PRINCETO-F4EVBC\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5AA6D3DC-5327-4122-A52E-D06114743764} - C:\WINDOWS\System32\mlljj.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: 0 - {D6AA9327-8DAD-4559-7AB3-20BAEA823D74} - C:\Program Files\Outlook Express\quzajebi.dll (file missing)
O2 - BHO: (no name) - {F44D8E66-7BB6-49BD-A924-5E0368C00FD1} - C:\Program Files\Video Add-on\isfmdl.dll (file missing)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [IUgK6U] C:\docume~1\owner~1.pri\locals~1\temp\IUgK6U.exe
O4 - HKLM\..\Run: [rasfont] C:\WINDOWS\security\Database\rasfont.exe
O4 - HKLM\..\Run: [uvuditwh] C:\WINDOWS\uvuditwh.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [fol] C:\WINDOWS\fol.exe
O4 - HKLM\..\Run: [Etwawx] C:\Program Files\Qtbwnj\Amoly.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [{77-7C-C8-8D-ZN}] c:\windows\system32\dwdsrngt.exe CHD001
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\System32\ctfmona.exe
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ulib] C:\WINDOWS\System32\ulib.exe
O4 - HKCU\..\Run: [197_150_ni_1] C:\WINDOWS\System32\197_150_ni_1.exe
O4 - HKCU\..\Run: [dbnetlib] "C:\WINDOWS\System32\dbnetlib.exe"
O4 - HKCU\..\Run: [wiavusd] "C:\WINDOWS\System32\wiavusd.exe"
O4 - HKCU\..\Run: [rsvpsp] "C:\WINDOWS\System32\rsvpsp.exe"
O4 - HKCU\..\Run: [adsmsext] "C:\WINDOWS\System32\adsmsext.exe"
O4 - HKCU\..\Run: [schannel] "C:\WINDOWS\System32\schannel.exe"
O4 - HKCU\..\Run: [sisbkup] "C:\WINDOWS\System32\sisbkup.exe"
O4 - HKCU\..\Run: [mll_hp] "C:\WINDOWS\System32\mll_hp.exe"
O4 - HKCU\..\Run: [tdi-sonyomg] "C:\WINDOWS\System32\tdi-sonyomg.exe"
O4 - HKCU\..\Run: [mchgrcoi] "C:\WINDOWS\System32\mchgrcoi.exe"
O4 - HKCU\..\Run: [powrprof] "C:\WINDOWS\System32\powrprof.exe"
O4 - HKCU\..\Run: [usp10] "C:\WINDOWS\System32\usp10.exe"
O4 - HKCU\..\Run: [pngfilt] "C:\WINDOWS\System32\pngfilt.exe"
O4 - HKCU\..\Run: [winhttp] "C:\WINDOWS\System32\winhttp.exe"
O4 - HKCU\..\Run: [ipmontr] "C:\WINDOWS\System32\ipmontr.exe"
O4 - HKCU\..\Run: [iuctl] "C:\WINDOWS\System32\iuctl.exe"
O4 - HKCU\..\Run: [schedsvc] "C:\WINDOWS\System32\schedsvc.exe"
O4 - HKCU\..\Run: [msisip] "C:\WINDOWS\System32\msisip.exe"
O4 - HKCU\..\Run: [eglivecam_1028] "C:\WINDOWS\System32\eglivecam_1028.exe"
O4 - HKCU\..\Run: [qedit] "C:\WINDOWS\System32\qedit.exe"
O4 - HKCU\..\Run: [mspatcha] "C:\WINDOWS\System32\mspatcha.exe"
O4 - HKCU\..\Run: [javacypt] "C:\WINDOWS\System32\javacypt.exe"
O4 - HKCU\..\Run: [msr2cenu] "C:\WINDOWS\System32\msr2cenu.exe"
O4 - HKCU\..\Run: [igmpagnt] "C:\WINDOWS\System32\igmpagnt.exe"
O4 - HKCU\..\Run: [comctl32] "C:\WINDOWS\System32\comctl32.exe"
O4 - HKCU\..\Run: [ftsrch] "C:\WINDOWS\System32\ftsrch.exe"
O4 - HKCU\..\Run: [browsewm] "C:\WINDOWS\System32\browsewm.exe"
O4 - HKCU\..\Run: [digest] "C:\WINDOWS\System32\digest.exe"
O4 - HKCU\..\Run: [dpwsockx] "C:\WINDOWS\System32\dpwsockx.exe"
O4 - HKCU\..\Run: [neth] "C:\WINDOWS\System32\neth.exe"
O4 - HKCU\..\Run: [dmintf] "C:\WINDOWS\System32\dmintf.exe"
O4 - HKCU\..\Run: [kbdlt1] "C:\WINDOWS\System32\kbdlt1.exe"
O4 - HKCU\..\Run: [ir41_qcx] "C:\WINDOWS\System32\ir41_qcx.exe"
O4 - HKCU\..\Run: [modemui] "C:\WINDOWS\System32\modemui.exe"
O4 - HKCU\..\Run: [umpnpmgr] "C:\WINDOWS\System32\umpnpmgr.exe"
O4 - HKCU\..\Run: [netapi] "C:\WINDOWS\System32\netapi.exe"
O4 - HKCU\..\Run: [sccbase] "C:\WINDOWS\System32\sccbase.exe"
O4 - HKCU\..\Run: [tapisrv] "C:\WINDOWS\System32\tapisrv.exe"
O4 - HKCU\..\Run: [kbdla] "C:\WINDOWS\System32\kbdla.exe"
O4 - HKCU\..\Run: [rasppp] "C:\WINDOWS\System32\rasppp.exe"
O4 - HKCU\..\Run: [rdocurs] "C:\WINDOWS\System32\rdocurs.exe"
O4 - HKCU\..\Run: [inetcomm] "C:\WINDOWS\System32\inetcomm.exe"
O4 - HKCU\..\Run: [ntdsapi] "C:\WINDOWS\System32\ntdsapi.exe"
O4 - HKCU\..\Run: [dbmsvinn] "C:\WINDOWS\System32\dbmsvinn.exe"
O4 - HKCU\..\Run: [icmui] "C:\WINDOWS\System32\icmui.exe"
O4 - HKCU\..\Run: [wiaservc] "C:\WINDOWS\System32\wiaservc.exe"
O4 - HKCU\..\Run: [cnmlm38] "C:\WINDOWS\System32\cnmlm38.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [wupdinfo] "C:\WINDOWS\System32\wupdinfo.exe"
O4 - HKCU\..\Run: [ezstub3] "C:\WINDOWS\System32\ezstub3.exe"
O4 - HKCU\..\Run: [rtipxmib] "C:\WINDOWS\System32\rtipxmib.exe"
O4 - HKCU\..\Run: [kbdazel] "C:\WINDOWS\System32\kbdazel.exe"
O4 - HKCU\..\Run: [rdpcfgex] "C:\WINDOWS\System32\rdpcfgex.exe"
O4 - HKCU\..\Run: [ntlsapi] "C:\WINDOWS\System32\ntlsapi.exe"
O4 - HKCU\..\Run: [kbdnec] "C:\WINDOWS\System32\kbdnec.exe"
O4 - HKCU\..\Run: [dmdlgs] "C:\WINDOWS\System32\dmdlgs.exe"
O4 - HKCU\..\Run: [mswsock] "C:\WINDOWS\System32\mswsock.exe"
O4 - HKCU\..\Run: [dispex] "C:\WINDOWS\System32\dispex.exe"
O4 - HKCU\..\Run: [wifeman] "C:\WINDOWS\System32\wifeman.exe"
O4 - HKCU\..\Run: [wiashext] "C:\WINDOWS\System32\wiashext.exe"
O4 - HKCU\..\Run: [ds32gt] "C:\WINDOWS\System32\ds32gt.exe"
O4 - HKCU\..\Run: [wtsapi32] "C:\WINDOWS\System32\wtsapi32.exe"
O4 - HKCU\..\Run: [ialmgicd] "C:\WINDOWS\System32\ialmgicd.exe"
O4 - HKCU\..\Run: [bszip] "C:\WINDOWS\System32\bszip.exe"
O4 - HKCU\..\Run: [nmsapi] "C:\WINDOWS\System32\nmsapi.exe"
O4 - HKCU\..\Run: [rtm] "C:\WINDOWS\System32\rtm.exe"
O4 - HKCU\..\Run: [sfmapi] "C:\WINDOWS\System32\sfmapi.exe"
O4 - HKCU\..\Run: [wmpcd] "C:\WINDOWS\System32\wmpcd.exe"
O4 - HKCU\..\Run: [bidispl] "C:\WINDOWS\System32\bidispl.exe"
O4 - HKCU\..\Run: [riched32] "C:\WINDOWS\System32\riched32.exe"
O4 - HKCU\..\Run: [unimdmat] "C:\WINDOWS\System32\unimdmat.exe"
O4 - HKCU\..\Run: [msencode] "C:\WINDOWS\System32\msencode.exe"
O4 - HKCU\..\Run: [csh] "C:\WINDOWS\System32\csh.exe"
O4 - HKCU\..\Run: [racpldlg] "C:\WINDOWS\System32\racpldlg.exe"
O4 - HKCU\..\Run: [jgaw400] "C:\WINDOWS\System32\jgaw400.exe"
O4 - HKCU\..\Run: [txflog] "C:\WINDOWS\System32\txflog.exe"
O4 - HKCU\..\Run: [cabinet] "C:\WINDOWS\System32\cabinet.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [kbdbu] "C:\WINDOWS\System32\kbdbu.exe"
O4 - HKCU\..\Run: [shlwapi] "C:\WINDOWS\System32\shlwapi.exe"
O4 - HKCU\..\Run: [wlnotify] "C:\WINDOWS\System32\wlnotify.exe"
O4 - HKCU\..\Run: [ntmssvc] "C:\WINDOWS\System32\ntmssvc.exe"
O4 - HKCU\..\Run: [mswebdvd] "C:\WINDOWS\System32\mswebdvd.exe"
O4 - HKCU\..\Run: [kbdal] "C:\WINDOWS\System32\kbdal.exe"
O4 - HKCU\..\Run: [ialmgdev] "C:\WINDOWS\System32\ialmgdev.exe"
O4 - HKCU\..\Run: [uniplat] "C:\WINDOWS\System32\uniplat.exe"
O4 - HKCU\..\Run: [mindex] "C:\WINDOWS\System32\mindex.exe"
O4 - HKCU\..\Run: [pdh] "C:\WINDOWS\System32\pdh.exe"
O4 - HKCU\..\Run: [mfc42u] "C:\WINDOWS\System32\mfc42u.exe"
O4 - HKCU\..\Run: [certmgr] "C:\WINDOWS\System32\certmgr.exe"
O4 - HKCU\..\Run: [faultrep] "C:\WINDOWS\System32\faultrep.exe"
O4 - HKCU\..\Run: [odbc16gt] "C:\WINDOWS\System32\odbc16gt.exe"
O4 - HKCU\..\Run: [eventlog] "C:\WINDOWS\System32\eventlog.exe"
O4 - HKCU\..\Run: [wshext] "C:\WINDOWS\System32\wshext.exe"
O4 - HKCU\..\Run: [qedwipes] "C:\WINDOWS\System32\qedwipes.exe"
O4 - HKCU\..\Run: [feclient] "C:\WINDOWS\System32\feclient.exe"
O4 - HKCU\..\Run: [wmpui] "C:\WINDOWS\System32\wmpui.exe"
O4 - HKCU\..\Run: [comuid] "C:\WINDOWS\System32\comuid.exe"
O4 - HKCU\..\Run: [qmgr] "C:\WINDOWS\System32\qmgr.exe"
O4 - HKCU\..\Run: [dsound] "C:\WINDOWS\System32\dsound.exe"
O4 - HKCU\..\Run: [smlogcfg] "C:\WINDOWS\System32\smlogcfg.exe"
O4 - HKCU\..\Run: [srvsvc] "C:\WINDOWS\System32\srvsvc.exe"
O4 - HKCU\..\Run: [deskadp] "C:\WINDOWS\System32\deskadp.exe"
O4 - HKCU\..\Run: [autodisc] "C:\WINDOWS\System32\autodisc.exe"
O4 - HKCU\..\Run: [rtutils] "C:\WINDOWS\System32\rtutils.exe"
O4 - HKCU\..\Run: [fsusd] "C:\WINDOWS\System32\fsusd.exe"
O4 - HKCU\..\Run: [wowfax] "C:\WINDOWS\System32\wowfax.exe"
O4 - HKCU\..\Run: [dbmsrpcn] "C:\WINDOWS\System32\dbmsrpcn.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: CorelCENTRAL Alarms.LNK = ?
O4 - Global Startup: Desktop Application Director 9.LNK = ?
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1199756174781
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get.../ultrashim.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - (no file)
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: qkihlbti - C:\WINDOWS\System32\qkihlbti.dll
O20 - Winlogon Notify: tnjfcfka - C:\WINDOWS\System32\tnjfcfka.dll
O20 - Winlogon Notify: winsqr32 - C:\WINDOWS\System32\winsqr32.dll (file missing)
O22 - SharedTaskScheduler: ineffulgent - {b585105c-0e84-4ef0-9c6a-fbe134a72945} - C:\WINDOWS\system32\ivrllc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\jmmmttmk.exe /service
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft Inet Service - Unknown owner - C:\WINDOWS\System32\_svchost.exe -A
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.Exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: svcpack - Unknown owner - C:\WINDOWS\System32\svcpack.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


--
End of file - 16900 bytes

-- Files created between 2007-12-08 and 2008-01-08 -----------------------------

2008-01-07 22:40:33 44928 --a------ C:\WINDOWS\System32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-01-07 22:10:35 0 d-------- C:\WINDOWS\System32\ActiveScan
2008-01-07 22:10:32 0 d-------- C:\WINDOWS\LastGood
2008-01-07 19:47:22 0 d-------- C:\ie-spyad_zo
2008-01-07 19:36:21 0 d-------- C:\WINDOWS\LastGood.Tmp
2008-01-07 19:21:21 0 d-------- C:\Program Files\SpywareBlaster
2008-01-07 18:29:48 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-01-07 18:15:32 0 d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2008-01-06 14:54:38 0 d-------- C:\Documents and Settings\Administrator\Application Data\InfeStop.com
2008-01-06 14:54:30 0 d-------- C:\Program Files\InfeStop
2008-01-05 21:45:31 0 d---s---- C:\Documents and Settings\Administrator\UserData
2008-01-05 21:44:59 0 d-------- C:\Documents and Settings\Administrator\Application Data\Help
2008-01-04 23:33:49 0 d-------- C:\Documents and Settings\Owner.PRINCETO-F4EVBC\Application Data\spy-rid.com
2008-01-04 23:33:44 0 d-------- C:\Program Files\Spy-Rid
2008-01-02 02:10:30 0 d-------- C:\Documents and Settings\Owner.PRINCETO-F4EVBC\Application Data\EasySpywareCleaner.com
2008-01-02 02:10:25 0 d-------- C:\Program Files\EasySpywareCleaner
2007-12-28 18:27:20 0 d-------- C:\WINDOWS\Favorites
2007-12-28 17:02:13 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Webroot
2007-12-28 17:01:52 0 d-------- C:\Program Files\Webroot
2007-12-28 17:01:52 0 d-------- C:\Documents and Settings\Owner.PRINCETO-F4EVBC\Application Data\Webroot
2007-12-28 17:01:52 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Webroot
2007-12-28 17:00:35 164 --a------ C:\install.dat
2007-12-23 11:22:18 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-12-23 11:22:18 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-12-23 11:22:18 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-12-23 11:22:18 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-12-23 11:22:18 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-12-23 11:22:18 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-12-23 11:22:18 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-12-23 11:22:18 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-12-23 11:22:18 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-12-23 11:22:18 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-12-23 11:22:18 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-12-23 11:22:18 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-12-23 11:22:18 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-12-23 11:22:17 5242880 --a------ C:\Documents and Settings\Administrator\NTUser.dat


-- Find3M Report ---------------------------------------------------------------

2008-01-08 01:04:19 0 d-------- C:\Program Files\QuickTime
2008-01-08 00:58:05 0 d-------- C:\Program Files\iTunes
2008-01-08 00:23:47 0 d-------- C:\Program Files\Google
2008-01-07 18:40:53 0 d-------- C:\Program Files\Viewpoint
2008-01-07 17:50:25 0 d-------- C:\Program Files\Common Files
2007-12-28 20:28:58 0 d-------- C:\Program Files\Online Services
2007-12-28 20:28:56 0 d-------- C:\Program Files\MSN Gaming Zone
2007-12-28 20:28:06 0 d-------- C:\Program Files\6cqqsf0r
2007-12-28 20:18:30 0 d-------- C:\Program Files\Windows NT
2007-12-06 14:17:49 36928 --a------ C:\WINDOWS\System32\tnjfcfka.dll
2007-12-06 14:14:39 36928 --a------ C:\WINDOWS\System32\edqwnqru.dll
2007-12-06 14:08:10 36928 --a------ C:\WINDOWS\System32\qkihlbti.dll
2007-12-03 01:01:17 73280 --a------ C:\WINDOWS\System32\pybmrayq.dll
2007-11-27 13:43:35 34545 --a------ C:\sysvqna.exe
2007-11-27 13:11:10 0 d-------- C:\Program Files\iConcepts Music Express
2007-11-27 13:10:36 0 d-------- C:\Program Files\NStorm
2007-11-27 01:03:12 0 d-------- C:\Program Files\EmpirePokerMaster
2007-11-26 13:21:52 0 d-------- C:\Documents and Settings\Owner.PRINCETO-F4EVBC\Application Data\AVG7
2007-11-23 22:55:08 12800 --a-s---- C:\WINDOWS\System32\ivrllc.dll
2007-11-20 12:13:27 0 d-------- C:\Program Files\Qtbwnj
2007-11-16 20:35:38 0 d-------- C:\Program Files\Cool
2007-11-12 02:13:58 0 d-------- C:\Program Files\Gateway
2007-11-12 01:15:15 0 d-------- C:\Program Files\MySpace
2007-11-12 01:04:49 0 d-------- C:\Program Files\FastStone Photo Resizer
2007-10-29 23:24:09 221696 --a------ C:\WINDOWS\systeldd32.dll
2007-10-26 21:20:37 218 --a------ C:\WINDOWS\nitsys33.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5AA6D3DC-5327-4122-A52E-D06114743764}]
C:\WINDOWS\System32\mlljj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D6AA9327-8DAD-4559-7AB3-20BAEA823D74}]
C:\Program Files\Outlook Express\quzajebi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F44D8E66-7BB6-49BD-A924-5E0368C00FD1}]
C:\Program Files\Video Add-on\isfmdl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [07/10/2003 03:25 AM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [07/10/2003 03:13 AM]
"GWMDMMSG"="GWMDMMSG.exe" [05/06/2002 06:12 PM C:\WINDOWS\GWMDMMSG.exe]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [09/02/2003 08:25 PM]
"IUgK6U"="C:\docume~1\owner~1.pri\locals~1\temp\IUgK6U.exe" []
"rasfont"="C:\WINDOWS\security\Database\rasfont.exe" []
"uvuditwh"="C:\WINDOWS\uvuditwh.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [12/17/2004 11:20 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/07/2005 12:02 PM]
"fol"="C:\WINDOWS\fol.exe" []
"Etwawx"="C:\Program Files\Qtbwnj\Amoly.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" [03/04/2005 03:36 AM]
"{77-7C-C8-8D-ZN}"="c:\windows\system32\dwdsrngt.exe" []
"ctfmona"="C:\WINDOWS\System32\ctfmona.exe" []
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [10/01/2007 04:40 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"ulib"="C:\WINDOWS\System32\ulib.exe" []
"197_150_ni_1"="C:\WINDOWS\System32\197_150_ni_1.exe" []
"dbnetlib"="C:\WINDOWS\System32\dbnetlib.exe" []
"wiavusd"="C:\WINDOWS\System32\wiavusd.exe" []
"rsvpsp"="C:\WINDOWS\System32\rsvpsp.exe" []
"adsmsext"="C:\WINDOWS\System32\adsmsext.exe" []
"schannel"="C:\WINDOWS\System32\schannel.exe" []
"sisbkup"="C:\WINDOWS\System32\sisbkup.exe" []
"mll_hp"="C:\WINDOWS\System32\mll_hp.exe" []
"tdi-sonyomg"="C:\WINDOWS\System32\tdi-sonyomg.exe" []
"mchgrcoi"="C:\WINDOWS\System32\mchgrcoi.exe" []
"powrprof"="C:\WINDOWS\System32\powrprof.exe" []
"usp10"="C:\WINDOWS\System32\usp10.exe" []
"pngfilt"="C:\WINDOWS\System32\pngfilt.exe" []
"winhttp"="C:\WINDOWS\System32\winhttp.exe" []
"ipmontr"="C:\WINDOWS\System32\ipmontr.exe" []
"iuctl"="C:\WINDOWS\System32\iuctl.exe" []
"schedsvc"="C:\WINDOWS\System32\schedsvc.exe" []
"msisip"="C:\WINDOWS\System32\msisip.exe" []
"eglivecam_1028"="C:\WINDOWS\System32\eglivecam_1028.exe" []
"qedit"="C:\WINDOWS\System32\qedit.exe" []
"mspatcha"="C:\WINDOWS\System32\mspatcha.exe" []
"javacypt"="C:\WINDOWS\System32\javacypt.exe" []
"msr2cenu"="C:\WINDOWS\System32\msr2cenu.exe" []
"igmpagnt"="C:\WINDOWS\System32\igmpagnt.exe" []
"comctl32"="C:\WINDOWS\System32\comctl32.exe" []
"ftsrch"="C:\WINDOWS\System32\ftsrch.exe" []
"browsewm"="C:\WINDOWS\System32\browsewm.exe" []
"digest"="C:\WINDOWS\System32\digest.exe" []
"dpwsockx"="C:\WINDOWS\System32\dpwsockx.exe" []
"neth"="C:\WINDOWS\System32\neth.exe" []
"dmintf"="C:\WINDOWS\System32\dmintf.exe" []
"kbdlt1"="C:\WINDOWS\System32\kbdlt1.exe" []
"ir41_qcx"="C:\WINDOWS\System32\ir41_qcx.exe" []
"modemui"="C:\WINDOWS\System32\modemui.exe" []
"umpnpmgr"="C:\WINDOWS\System32\umpnpmgr.exe" []
"netapi"="C:\WINDOWS\System32\netapi.exe" []
"sccbase"="C:\WINDOWS\System32\sccbase.exe" []
"tapisrv"="C:\WINDOWS\System32\tapisrv.exe" []
"kbdla"="C:\WINDOWS\System32\kbdla.exe" []
"rasppp"="C:\WINDOWS\System32\rasppp.exe" []
"rdocurs"="C:\WINDOWS\System32\rdocurs.exe" []
"inetcomm"="C:\WINDOWS\System32\inetcomm.exe" []
"ntdsapi"="C:\WINDOWS\System32\ntdsapi.exe" []
"dbmsvinn"="C:\WINDOWS\System32\dbmsvinn.exe" []
"icmui"="C:\WINDOWS\System32\icmui.exe" []
"wiaservc"="C:\WINDOWS\System32\wiaservc.exe" []
"cnmlm38"="C:\WINDOWS\System32\cnmlm38.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/22/2007 02:00 PM]
"wupdinfo"="C:\WINDOWS\System32\wupdinfo.exe" []
"ezstub3"="C:\WINDOWS\System32\ezstub3.exe" []
"rtipxmib"="C:\WINDOWS\System32\rtipxmib.exe" []
"kbdazel"="C:\WINDOWS\System32\kbdazel.exe" []
"rdpcfgex"="C:\WINDOWS\System32\rdpcfgex.exe" []
"ntlsapi"="C:\WINDOWS\System32\ntlsapi.exe" []
"kbdnec"="C:\WINDOWS\System32\kbdnec.exe" []
"dmdlgs"="C:\WINDOWS\System32\dmdlgs.exe" []
"mswsock"="C:\WINDOWS\System32\mswsock.exe" []
"dispex"="C:\WINDOWS\System32\dispex.exe" []
"wifeman"="C:\WINDOWS\System32\wifeman.exe" []
"wiashext"="C:\WINDOWS\System32\wiashext.exe" []
"ds32gt"="C:\WINDOWS\System32\ds32gt.exe" []
"wtsapi32"="C:\WINDOWS\System32\wtsapi32.exe" []
"ialmgicd"="C:\WINDOWS\System32\ialmgicd.exe" []
"bszip"="C:\WINDOWS\System32\bszip.exe" []
"nmsapi"="C:\WINDOWS\System32\nmsapi.exe" []
"rtm"="C:\WINDOWS\System32\rtm.exe" []
"sfmapi"="C:\WINDOWS\System32\sfmapi.exe" []
"wmpcd"="C:\WINDOWS\System32\wmpcd.exe" []
"bidispl"="C:\WINDOWS\System32\bidispl.exe" []
"riched32"="C:\WINDOWS\System32\riched32.exe" []
"unimdmat"="C:\WINDOWS\System32\unimdmat.exe" []
"msencode"="C:\WINDOWS\System32\msencode.exe" []
"csh"="C:\WINDOWS\System32\csh.exe" []
"racpldlg"="C:\WINDOWS\System32\racpldlg.exe" []
"jgaw400"="C:\WINDOWS\System32\jgaw400.exe" []
"txflog"="C:\WINDOWS\System32\txflog.exe" []
"cabinet"="C:\WINDOWS\System32\cabinet.exe" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 03:45 PM]
"kbdbu"="C:\WINDOWS\System32\kbdbu.exe" []
"shlwapi"="C:\WINDOWS\System32\shlwapi.exe" []
"wlnotify"="C:\WINDOWS\System32\wlnotify.exe" []
"ntmssvc"="C:\WINDOWS\System32\ntmssvc.exe" []
"mswebdvd"="C:\WINDOWS\System32\mswebdvd.exe" []
"kbdal"="C:\WINDOWS\System32\kbdal.exe" []
"ialmgdev"="C:\WINDOWS\System32\ialmgdev.exe" []
"uniplat"="C:\WINDOWS\System32\uniplat.exe" []
"mindex"="C:\WINDOWS\System32\mindex.exe" []
"pdh"="C:\WINDOWS\System32\pdh.exe" []
"mfc42u"="C:\WINDOWS\System32\mfc42u.exe" []
"certmgr"="C:\WINDOWS\System32\certmgr.exe" []
"faultrep"="C:\WINDOWS\System32\faultrep.exe" []
"odbc16gt"="C:\WINDOWS\System32\odbc16gt.exe" []
"eventlog"="C:\WINDOWS\System32\eventlog.exe" []
"wshext"="C:\WINDOWS\System32\wshext.exe" []
"qedwipes"="C:\WINDOWS\System32\qedwipes.exe" []
"feclient"="C:\WINDOWS\System32\feclient.exe" []
"wmpui"="C:\WINDOWS\System32\wmpui.exe" []
"comuid"="C:\WINDOWS\System32\comuid.exe" []
"qmgr"="C:\WINDOWS\System32\qmgr.exe" []
"dsound"="C:\WINDOWS\System32\dsound.exe" []
"smlogcfg"="C:\WINDOWS\System32\smlogcfg.exe" []
"srvsvc"="C:\WINDOWS\System32\srvsvc.exe" []
"deskadp"="C:\WINDOWS\System32\deskadp.exe" []
"autodisc"="C:\WINDOWS\System32\autodisc.exe" []
"rtutils"="C:\WINDOWS\System32\rtutils.exe" []
"fsusd"="C:\WINDOWS\System32\fsusd.exe" []
"wowfax"="C:\WINDOWS\System32\wowfax.exe" []
"dbmsrpcn"="C:\WINDOWS\System32\dbmsrpcn.exe" []
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [08/30/2001 04:30 AM]
"Spoolsv"="C:\WINDOWS\System32\spoolvs.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{b585105c-0e84-4ef0-9c6a-fbe134a72945}"= C:\WINDOWS\System32\ivrllc.dll [11/23/2007 10:55 PM 12800]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qkihlbti]
qkihlbti.dll 12/06/2007 02:08 PM 36928 C:\WINDOWS\system32\qkihlbti.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tnjfcfka]
tnjfcfka.dll 12/06/2007 02:17 PM 36928 C:\WINDOWS\system32\tnjfcfka.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winsqr32]
winsqr32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\mlljj.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

*Newly Created Service* - NMSCFG
*Newly Created Service* - RKPAVPROC
*Newly Created Service* - SDTHOOK
*Newly Created Service* - SSFS0BB9
*Newly Created Service* - SSHRMD
*Newly Created Service* - SSIDRV
*Newly Created Service* - VTBAOWGRBOKW



-- End of Deckard's System Scanner: finished at 2008-01-08 01:49:40 ------------

Logfile of HijackThis v1.99.1
Scan saved at 1:50:37 AM, on 1/8/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\notepad.exe
C:\Documents and Settings\Owner.PRINCETO-F4EVBC\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5AA6D3DC-5327-4122-A52E-D06114743764} - C:\WINDOWS\System32\mlljj.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: 0 - {D6AA9327-8DAD-4559-7AB3-20BAEA823D74} - C:\Program Files\Outlook Express\quzajebi.dll (file missing)
O2 - BHO: (no name) - {F44D8E66-7BB6-49BD-A924-5E0368C00FD1} - C:\Program Files\Video Add-on\isfmdl.dll (file missing)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [IUgK6U] C:\docume~1\owner~1.pri\locals~1\temp\IUgK6U.exe
O4 - HKLM\..\Run: [rasfont] C:\WINDOWS\security\Database\rasfont.exe
O4 - HKLM\..\Run: [uvuditwh] C:\WINDOWS\uvuditwh.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [fol] C:\WINDOWS\fol.exe
O4 - HKLM\..\Run: [Etwawx] C:\Program Files\Qtbwnj\Amoly.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [{77-7C-C8-8D-ZN}] c:\windows\system32\dwdsrngt.exe CHD001
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\System32\ctfmona.exe
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ulib] C:\WINDOWS\System32\ulib.exe
O4 - HKCU\..\Run: [197_150_ni_1] C:\WINDOWS\System32\197_150_ni_1.exe
O4 - HKCU\..\Run: [dbnetlib] "C:\WINDOWS\System32\dbnetlib.exe"
O4 - HKCU\..\Run: [wiavusd] "C:\WINDOWS\System32\wiavusd.exe"
O4 - HKCU\..\Run: [rsvpsp] "C:\WINDOWS\System32\rsvpsp.exe"
O4 - HKCU\..\Run: [adsmsext] "C:\WINDOWS\System32\adsmsext.exe"
O4 - HKCU\..\Run: [schannel] "C:\WINDOWS\System32\schannel.exe"
O4 - HKCU\..\Run: [sisbkup] "C:\WINDOWS\System32\sisbkup.exe"
O4 - HKCU\..\Run: [mll_hp] "C:\WINDOWS\System32\mll_hp.exe"
O4 - HKCU\..\Run: [tdi-sonyomg] "C:\WINDOWS\System32\tdi-sonyomg.exe"
O4 - HKCU\..\Run: [mchgrcoi] "C:\WINDOWS\System32\mchgrcoi.exe"
O4 - HKCU\..\Run: [powrprof] "C:\WINDOWS\System32\powrprof.exe"
O4 - HKCU\..\Run: [usp10] "C:\WINDOWS\System32\usp10.exe"
O4 - HKCU\..\Run: [pngfilt] "C:\WINDOWS\System32\pngfilt.exe"
O4 - HKCU\..\Run: [winhttp] "C:\WINDOWS\System32\winhttp.exe"
O4 - HKCU\..\Run: [ipmontr] "C:\WINDOWS\System32\ipmontr.exe"
O4 - HKCU\..\Run: [iuctl] "C:\WINDOWS\System32\iuctl.exe"
O4 - HKCU\..\Run: [schedsvc] "C:\WINDOWS\System32\schedsvc.exe"
O4 - HKCU\..\Run: [msisip] "C:\WINDOWS\System32\msisip.exe"
O4 - HKCU\..\Run: [eglivecam_1028] "C:\WINDOWS\System32\eglivecam_1028.exe"
O4 - HKCU\..\Run: [qedit] "C:\WINDOWS\System32\qedit.exe"
O4 - HKCU\..\Run: [mspatcha] "C:\WINDOWS\System32\mspatcha.exe"
O4 - HKCU\..\Run: [javacypt] "C:\WINDOWS\System32\javacypt.exe"
O4 - HKCU\..\Run: [msr2cenu] "C:\WINDOWS\System32\msr2cenu.exe"
O4 - HKCU\..\Run: [igmpagnt] "C:\WINDOWS\System32\igmpagnt.exe"
O4 - HKCU\..\Run: [comctl32] "C:\WINDOWS\System32\comctl32.exe"
O4 - HKCU\..\Run: [ftsrch] "C:\WINDOWS\System32\ftsrch.exe"
O4 - HKCU\..\Run: [browsewm] "C:\WINDOWS\System32\browsewm.exe"
O4 - HKCU\..\Run: [digest] "C:\WINDOWS\System32\digest.exe"
O4 - HKCU\..\Run: [dpwsockx] "C:\WINDOWS\System32\dpwsockx.exe"
O4 - HKCU\..\Run: [neth] "C:\WINDOWS\System32\neth.exe"
O4 - HKCU\..\Run: [dmintf] "C:\WINDOWS\System32\dmintf.exe"
O4 - HKCU\..\Run: [kbdlt1] "C:\WINDOWS\System32\kbdlt1.exe"
O4 - HKCU\..\Run: [ir41_qcx] "C:\WINDOWS\System32\ir41_qcx.exe"
O4 - HKCU\..\Run: [modemui] "C:\WINDOWS\System32\modemui.exe"
O4 - HKCU\..\Run: [umpnpmgr] "C:\WINDOWS\System32\umpnpmgr.exe"
O4 - HKCU\..\Run: [netapi] "C:\WINDOWS\System32\netapi.exe"
O4 - HKCU\..\Run: [sccbase] "C:\WINDOWS\System32\sccbase.exe"
O4 - HKCU\..\Run: [tapisrv] "C:\WINDOWS\System32\tapisrv.exe"
O4 - HKCU\..\Run: [kbdla] "C:\WINDOWS\System32\kbdla.exe"
O4 - HKCU\..\Run: [rasppp] "C:\WINDOWS\System32\rasppp.exe"
O4 - HKCU\..\Run: [rdocurs] "C:\WINDOWS\System32\rdocurs.exe"
O4 - HKCU\..\Run: [inetcomm] "C:\WINDOWS\System32\inetcomm.exe"
O4 - HKCU\..\Run: [ntdsapi] "C:\WINDOWS\System32\ntdsapi.exe"
O4 - HKCU\..\Run: [dbmsvinn] "C:\WINDOWS\System32\dbmsvinn.exe"
O4 - HKCU\..\Run: [icmui] "C:\WINDOWS\System32\icmui.exe"
O4 - HKCU\..\Run: [wiaservc] "C:\WINDOWS\System32\wiaservc.exe"
O4 - HKCU\..\Run: [cnmlm38] "C:\WINDOWS\System32\cnmlm38.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [wupdinfo] "C:\WINDOWS\System32\wupdinfo.exe"
O4 - HKCU\..\Run: [ezstub3] "C:\WINDOWS\System32\ezstub3.exe"
O4 - HKCU\..\Run: [rtipxmib] "C:\WINDOWS\System32\rtipxmib.exe"
O4 - HKCU\..\Run: [kbdazel] "C:\WINDOWS\System32\kbdazel.exe"
O4 - HKCU\..\Run: [rdpcfgex] "C:\WINDOWS\System32\rdpcfgex.exe"
O4 - HKCU\..\Run: [ntlsapi] "C:\WINDOWS\System32\ntlsapi.exe"
O4 - HKCU\..\Run: [kbdnec] "C:\WINDOWS\System32\kbdnec.exe"
O4 - HKCU\..\Run: [dmdlgs] "C:\WINDOWS\System32\dmdlgs.exe"
O4 - HKCU\..\Run: [mswsock] "C:\WINDOWS\System32\mswsock.exe"
O4 - HKCU\..\Run: [dispex] "C:\WINDOWS\System32\dispex.exe"
O4 - HKCU\..\Run: [wifeman] "C:\WINDOWS\System32\wifeman.exe"
O4 - HKCU\..\Run: [wiashext] "C:\WINDOWS\System32\wiashext.exe"
O4 - HKCU\..\Run: [ds32gt] "C:\WINDOWS\System32\ds32gt.exe"
O4 - HKCU\..\Run: [wtsapi32] "C:\WINDOWS\System32\wtsapi32.exe"
O4 - HKCU\..\Run: [ialmgicd] "C:\WINDOWS\System32\ialmgicd.exe"
O4 - HKCU\..\Run: [bszip] "C:\WINDOWS\System32\bszip.exe"
O4 - HKCU\..\Run: [nmsapi] "C:\WINDOWS\System32\nmsapi.exe"
O4 - HKCU\..\Run: [rtm] "C:\WINDOWS\System32\rtm.exe"
O4 - HKCU\..\Run: [sfmapi] "C:\WINDOWS\System32\sfmapi.exe"
O4 - HKCU\..\Run: [wmpcd] "C:\WINDOWS\System32\wmpcd.exe"
O4 - HKCU\..\Run: [bidispl] "C:\WINDOWS\System32\bidispl.exe"
O4 - HKCU\..\Run: [riched32] "C:\WINDOWS\System32\riched32.exe"
O4 - HKCU\..\Run: [unimdmat] "C:\WINDOWS\System32\unimdmat.exe"
O4 - HKCU\..\Run: [msencode] "C:\WINDOWS\System32\msencode.exe"
O4 - HKCU\..\Run: [csh] "C:\WINDOWS\System32\csh.exe"
O4 - HKCU\..\Run: [racpldlg] "C:\WINDOWS\System32\racpldlg.exe"
O4 - HKCU\..\Run: [jgaw400] "C:\WINDOWS\System32\jgaw400.exe"
O4 - HKCU\..\Run: [txflog] "C:\WINDOWS\System32\txflog.exe"
O4 - HKCU\..\Run: [cabinet] "C:\WINDOWS\System32\cabinet.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [kbdbu] "C:\WINDOWS\System32\kbdbu.exe"
O4 - HKCU\..\Run: [shlwapi] "C:\WINDOWS\System32\shlwapi.exe"
O4 - HKCU\..\Run: [wlnotify] "C:\WINDOWS\System32\wlnotify.exe"
O4 - HKCU\..\Run: [ntmssvc] "C:\WINDOWS\System32\ntmssvc.exe"
O4 - HKCU\..\Run: [mswebdvd] "C:\WINDOWS\System32\mswebdvd.exe"
O4 - HKCU\..\Run: [kbdal] "C:\WINDOWS\System32\kbdal.exe"
O4 - HKCU\..\Run: [ialmgdev] "C:\WINDOWS\System32\ialmgdev.exe"
O4 - HKCU\..\Run: [uniplat] "C:\WINDOWS\System32\uniplat.exe"
O4 - HKCU\..\Run: [mindex] "C:\WINDOWS\System32\mindex.exe"
O4 - HKCU\..\Run: [pdh] "C:\WINDOWS\System32\pdh.exe"
O4 - HKCU\..\Run: [mfc42u] "C:\WINDOWS\System32\mfc42u.exe"
O4 - HKCU\..\Run: [certmgr] "C:\WINDOWS\System32\certmgr.exe"
O4 - HKCU\..\Run: [faultrep] "C:\WINDOWS\System32\faultrep.exe"
O4 - HKCU\..\Run: [odbc16gt] "C:\WINDOWS\System32\odbc16gt.exe"
O4 - HKCU\..\Run: [eventlog] "C:\WINDOWS\System32\eventlog.exe"
O4 - HKCU\..\Run: [wshext] "C:\WINDOWS\System32\wshext.exe"
O4 - HKCU\..\Run: [qedwipes] "C:\WINDOWS\System32\qedwipes.exe"
O4 - HKCU\..\Run: [feclient] "C:\WINDOWS\System32\feclient.exe"
O4 - HKCU\..\Run: [wmpui] "C:\WINDOWS\System32\wmpui.exe"
O4 - HKCU\..\Run: [comuid] "C:\WINDOWS\System32\comuid.exe"
O4 - HKCU\..\Run: [qmgr] "C:\WINDOWS\System32\qmgr.exe"
O4 - HKCU\..\Run: [dsound] "C:\WINDOWS\System32\dsound.exe"
O4 - HKCU\..\Run: [smlogcfg] "C:\WINDOWS\System32\smlogcfg.exe"
O4 - HKCU\..\Run: [srvsvc] "C:\WINDOWS\System32\srvsvc.exe"
O4 - HKCU\..\Run: [deskadp] "C:\WINDOWS\System32\deskadp.exe"
O4 - HKCU\..\Run: [autodisc] "C:\WINDOWS\System32\autodisc.exe"
O4 - HKCU\..\Run: [rtutils] "C:\WINDOWS\System32\rtutils.exe"
O4 - HKCU\..\Run: [fsusd] "C:\WINDOWS\System32\fsusd.exe"
O4 - HKCU\..\Run: [wowfax] "C:\WINDOWS\System32\wowfax.exe"
O4 - HKCU\..\Run: [dbmsrpcn] "C:\WINDOWS\System32\dbmsrpcn.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1199756174781
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: qkihlbti - C:\WINDOWS\SYSTEM32\qkihlbti.dll
O20 - Winlogon Notify: tnjfcfka - C:\WINDOWS\SYSTEM32\tnjfcfka.dll
O20 - Winlogon Notify: winsqr32 - winsqr32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\jmmmttmk.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft Inet Service - Unknown owner - C:\WINDOWS\System32\_svchost.exe (file missing)
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: svcpack - Unknown owner - C:\WINDOWS\System32\svcpack.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

[dhult]

And I can only start the computer in safe mode or the last good config.

[Pancake]

Quote:

Please download MGADiag.exe to your desktop.http://go.microsoft.com/fwlink/?linkid=52012

Double-click MGADiag.exe and click Continue in the bottom right of the window to run the tool.

When it's done, capture a screenshot of the finished scan, and post that.

In Windows a screenshot of the entire monitor, complete with taskbar, can be copied to the system clipboard by pressing the Print screen key (normally located in the top row on the right-hand side of the keyboard)..

You can then paste the clipboard into a program like MS Paint to save it as an image file or paste it directly into a document.
Press the Print screen key
Click the "Start" button (normally located in the bottom left of your screen).
Click "Run" & type "mspaint" (without quotes) & click the "OK" button.
Wait while the application "Paint" opens. Once it is open, proceed to the next step.
Click the "Edit" menu and select "Paste".
Click the "File" menu and select "Save As...". A dialog box will appear.
In the "File name" field, enter a name of your choice.
Click the "Save as type" drop-down and select "JPEG (*.JPG;*.JPEG;*.JPE*;.JFIF)".
Click the "Save" button.

Attach it in your next reply, please.

To attach a file to a new post, simply
Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, browse to where you saved the file, and
Click Upload.

Download SDFix from here and save it to your desktop.


Please then reboot your computer in Safe Mode by doing the following :
Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.

It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.

Your system will take longer that normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.

Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).

Finally paste the contents of the Report.txt back on the forum.


=========================================

This will help to identify malware on your system.
Please download Combofix from any of these locations:

Here
or
Here

Save ComboFix to the desktop and please ensure that you disable realtime security/virus programs that monitors your PC while CF is running.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Copy and Paste the contents of that log in your next reply with a new hijackthis log. Do not use Code or html unless asked for.
Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

Caution...Never run and remove files using ComboFix without being supervised by a security analyst.

===================================

Quote:

Please download MGADiag.exe to your desktop.http://go.microsoft.com/fwlink/?linkid=52012

Double-click MGADiag.exe and click Continue in the bottom right of the window to run the tool.

When it's done, capture a screenshot of the finished scan, and post that.

In Windows a screenshot of the entire monitor, complete with taskbar, can be copied to the system clipboard by pressing the Print screen key (normally located in the top row on the right-hand side of the keyboard)..

You can then paste the clipboard into a program like MS Paint to save it as an image file or paste it directly into a document.
Press the Print screen key
Click the "Start" button (normally located in the bottom left of your screen).
Click "Run" & type "mspaint" (without quotes) & click the "OK" button.
Wait while the application "Paint" opens. Once it is open, proceed to the next step.
Click the "Edit" menu and select "Paste".
Click the "File" menu and select "Save As...". A dialog box will appear.
In the "File name" field, enter a name of your choice.
Click the "Save as type" drop-down and select "JPEG (*.JPG;*.JPEG;*.JPE*;.JFIF)".
Click the "Save" button.

Attach it in your next reply, please.

To attach a file to a new post, simply
Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, browse to where you saved the file, and
Click Upload.

[dhult]

I cant get the MGADiag.exe log to upload. i keep getting an error. but i have attached and pasted the other logs you asked for. the flaching sheild is still there and i can only start my computer in safe mode with networking or just safe mode. thank you so much for all your help. it is greatly appreciated.


ComboFix 08-01-09.2 - Owner 2008-01-10 2:42:31.2 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.0.1252.1.1033.18.126 [GMT -6:00]
Running from: C:\Documents and Settings\Owner.PRINCETO-F4EVBC\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\nitsys33.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FMTR
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-12-10 to 2008-01-10 )))))))))))))))))))))))))))))))
.

2008-01-10 02:22 . 2008-01-10 02:22 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-10 01:45 . 2008-01-10 01:45 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Office Genuine Advantage
2008-01-07 22:40 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-07 22:10 . 2008-01-08 01:22 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-07 22:10 . 2008-01-07 22:10 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-07 22:10 . 2008-01-07 22:10 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-07 22:10 . 2008-01-07 22:10 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-07 22:10 . 2008-01-07 22:10 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-07 19:47 . 2008-01-07 19:47 <DIR> d-------- C:\ie-spyad_zo
2008-01-07 19:21 . 2008-01-07 19:27 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-07 18:15 . 2008-01-07 18:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2008-01-06 15:26 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-06 14:54 . 2008-01-06 15:22 <DIR> d-------- C:\Program Files\InfeStop
2008-01-06 14:54 . 2008-01-06 14:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InfeStop.com
2008-01-05 21:45 . 2008-01-05 21:45 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-01-05 21:21 . 2008-01-05 21:21 <DIR> d-------- C:\Deckard
2008-01-04 23:33 . 2008-01-06 15:21 <DIR> d-------- C:\Program Files\Spy-Rid
2008-01-04 23:33 . 2008-01-04 23:33 <DIR> d-------- C:\Documents and Settings\Owner.PRINCETO-F4EVBC\Application Data\spy-rid.com
2008-01-02 02:10 . 2008-01-07 18:18 <DIR> d-------- C:\Program Files\EasySpywareCleaner
2008-01-02 02:10 . 2008-01-02 02:10 <DIR> d-------- C:\Documents and Settings\Owner.PRINCETO-F4EVBC\Application Data\EasySpywareCleaner.com
2007-12-28 20:37 . 2007-12-28 20:37 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Webroot
2007-12-28 18:27 . 2007-12-28 18:27 <DIR> d-------- C:\WINDOWS\Favorites
2007-12-28 17:02 . 2007-12-28 17:02 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Webroot
2007-12-28 17:02 . 2007-10-01 16:24 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-12-28 17:02 . 2007-10-01 16:24 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-12-28 17:02 . 2007-10-01 16:24 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-12-28 17:02 . 2007-10-01 16:24 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-12-28 17:01 . 2007-12-28 17:01 <DIR> d-------- C:\Program Files\Webroot
2007-12-28 17:01 . 2007-12-28 17:01 <DIR> d-------- C:\Documents and Settings\Owner.PRINCETO-F4EVBC\Application Data\Webroot
2007-12-28 17:01 . 2007-12-28 17:01 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Webroot
2007-12-28 17:01 . 2007-10-01 16:40 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2007-12-28 17:00 . 2007-12-28 19:39 164 --a------ C:\install.dat
2007-12-21 00:31 . 2007-12-21 00:31 294 ---hs---- C:\WINDOWS\system32\cjbougsy.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-08 07:04 --------- d-----w C:\Program Files\QuickTime
2008-01-08 06:58 --------- d-----w C:\Program Files\iTunes
2008-01-08 06:57 --------- d-----w C:\Program Files\Ipovalue
2008-01-08 06:23 --------- d-----w C:\Program Files\Google
2008-01-08 00:40 --------- d-----w C:\Program Files\Viewpoint
2007-12-29 02:28 --------- d-----w C:\Program Files\6cqqsf0r
2007-11-29 20:02 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2007-11-27 19:43 34,545 ----a-w C:\sysvqna.exe
2007-11-27 19:11 --------- d-----w C:\Program Files\iConcepts Music Express
2007-11-27 19:10 --------- d-----w C:\Program Files\NStorm
2007-11-27 07:38 4,300,414 ----a-w C:\WINDOWS\java\Packages\3BBB13J7.ZIP
2007-11-27 07:06 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7
2007-11-27 07:03 --------- d-----w C:\Program Files\EmpirePokerMaster
2007-11-27 06:53 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2007-11-26 19:21 --------- d-----w C:\Documents and Settings\Owner.PRINCETO-F4EVBC\Application Data\AVG7
2007-11-20 18:13 --------- d-----w C:\Program Files\Qtbwnj
2007-11-20 18:12 --------- d-----w C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\AVG7
2007-11-17 02:35 --------- d-----w C:\Program Files\Cool
2007-11-12 08:13 --------- d-----w C:\Program Files\Gateway
2007-11-12 07:15 --------- d-----w C:\Program Files\MySpace
2007-11-12 07:04 --------- d-----w C:\Program Files\FastStone Photo Resizer
2007-10-30 05:24 221,696 ----a-w C:\WINDOWS\systeldd32.dll
2006-07-14 13:27 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2004-06-13 17:04 449 ----a-w C:\Documents and Settings\Owner.PRINCETO-F4EVBC\UpdateReg.reg
2004-11-26 08:08 555,682,639 --sha-w C:\WINDOWS\Registration\nurs.bak1
2004-12-03 19:32 555,682,699 --sh--w C:\WINDOWS\Registration\nurs.bak2
2006-10-21 05:36 515,445 --sha-w C:\WINDOWS\system32\rrutv.bak2
.

((((((((((((((((((((((((((((( snapshot@2008-01-07_18.10.45.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-08-24 14:28:54 141,424 ----a-w C:\WINDOWS\Downloaded Program Files\asinst.dll
+ 2000-08-31 14:00:00 163,328 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
+ 2008-01-10 08:42:19 245,760 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-10 08:42:19 12,288 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-10 08:42:19 241,664 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-10 08:42:20 12,288 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-10 08:42:20 5,570,560 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-10 08:42:20 40,960 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-09 07:50:30 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-01-10 08:22:06 5,570,560 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-01-10 08:22:07 40,960 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-01-09 07:50:30 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-01-10 08:22:04 5,570,560 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2008-01-10 08:22:05 40,960 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2007-07-31 01:19:20 92,504 ------w C:\WINDOWS\SoftwareDistribution\WebSetup\cdm.dll
+ 2007-07-31 01:19:36 549,720 ------w C:\WINDOWS\SoftwareDistribution\WebSetup\wuapi.dll
+ 2007-07-31 01:19:16 53,080 ------w C:\WINDOWS\SoftwareDistribution\WebSetup\wuauclt.exe
+ 2007-07-31 01:19:42 1,712,984 ------w C:\WINDOWS\SoftwareDistribution\WebSetup\wuaueng.dll
+ 2007-07-31 01:19:32 325,976 ------w C:\WINDOWS\SoftwareDistribution\WebSetup\wucltui.dll
+ 2007-07-31 01:18:40 33,624 ------w C:\WINDOWS\SoftwareDistribution\WebSetup\wups.dll
+ 2007-07-31 01:19:12 43,352 ------w C:\WINDOWS\SoftwareDistribution\WebSetup\wups2.dll
+ 2007-03-29 15:20:50 110,592 ----a-w C:\WINDOWS\system32\ActiveScan\as.dll
+ 2006-10-05 22:15:26 233,472 ----a-w C:\WINDOWS\system32\ActiveScan\ascontrol.dll
+ 2005-06-03 20:03:18 96,256 ----a-w C:\WINDOWS\system32\ActiveScan\asmdat.dll
+ 2003-08-01 17:00:16 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\certdll.dll
+ 2005-05-20 19:42:44 86,016 ----a-w C:\WINDOWS\system32\ActiveScan\instlsp.dll
+ 2007-11-12 15:46:18 26,112 ----a-w C:\WINDOWS\system32\ActiveScan\JID.dll
+ 2006-02-17 00:20:20 4,608 ----a-w C:\WINDOWS\system32\ActiveScan\memvfile.dll
+ 2005-10-26 00:08:32 348,160 ----a-w C:\WINDOWS\system32\ActiveScan\msvcr71.dll
+ 2007-11-26 17:10:36 61,440 ----a-w C:\WINDOWS\system32\ActiveScan\NanoWrapper.dll
+ 2004-05-04 21:01:02 139,264 ----a-w C:\WINDOWS\system32\ActiveScan\pavaleas.dll
+ 2006-07-14 19:04:10 45,056 ----a-w C:\WINDOWS\system32\ActiveScan\pavdr.exe
+ 2006-04-10 16:50:02 159,832 ----a-w C:\WINDOWS\system32\ActiveScan\pavexcom.dll
+ 2006-02-14 19:05:38 94,208 ----a-w C:\WINDOWS\system32\ActiveScan\pavinas.dll
+ 2006-02-17 00:35:38 180,224 ----a-w C:\WINDOWS\system32\ActiveScan\pavoe.dll
+ 2006-10-05 22:15:38 122,880 ----a-w C:\WINDOWS\system32\ActiveScan\pavpz.dll
+ 2007-06-04 17:31:52 57,344 ----a-w C:\WINDOWS\system32\ActiveScan\pavsddl.dll
+ 2006-06-30 20:13:38 8,704 ----a-w C:\WINDOWS\system32\ActiveScan\pfdnnt.exe
+ 2004-02-04 20:08:42 49,152 ----a-w C:\WINDOWS\system32\ActiveScan\port32.dll
+ 2007-10-30 16:04:14 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\Prescan.dll
+ 2006-08-01 19:23:10 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pscpu.dll
+ 2007-11-21 16:00:06 376,832 ----a-w C:\WINDOWS\system32\ActiveScan\pskahk.dll
+ 2007-10-31 19:05:06 32,768 ----a-w C:\WINDOWS\system32\ActiveScan\PSKAHKPRESCAN.dll
+ 2006-08-17 17:38:14 10,752 ----a-w C:\WINDOWS\system32\ActiveScan\pskalloc.dll
+ 2006-09-04 17:49:54 61,440 ----a-w C:\WINDOWS\system32\ActiveScan\pskas.dll
+ 2006-08-18 14:46:18 779,264 ----a-w C:\WINDOWS\system32\ActiveScan\pskavs.dll
+ 2007-03-26 20:25:34 417,792 ----a-w C:\WINDOWS\system32\ActiveScan\pskcmp.dll
+ 2006-08-09 16:42:24 90,112 ----a-w C:\WINDOWS\system32\ActiveScan\pskfss.dll
+ 2006-07-19 16:55:58 208,896 ----a-w C:\WINDOWS\system32\ActiveScan\pskhtml.dll
+ 2006-01-20 22:57:00 9,728 ----a-w C:\WINDOWS\system32\ActiveScan\pskmas.dll
+ 2006-05-17 15:50:12 14,336 ----a-w C:\WINDOWS\system32\ActiveScan\pskmdfs.dll
+ 2006-08-16 16:58:12 33,280 ----a-w C:\WINDOWS\system32\ActiveScan\pskpack.dll
+ 2006-06-30 20:42:36 266,240 ----a-w C:\WINDOWS\system32\ActiveScan\pskscs.dll
+ 2006-08-17 20:33:14 62,976 ----a-w C:\WINDOWS\system32\ActiveScan\pskutil.dll
+ 2006-08-08 19:13:10 13,312 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfile.dll
+ 2006-08-18 14:53:08 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfs.dll
+ 2006-08-18 14:49:50 167,936 ----a-w C:\WINDOWS\system32\ActiveScan\pskvm.dll
+ 2007-10-18 15:30:16 105,472 ----a-w C:\WINDOWS\system32\ActiveScan\psnahk.dll
+ 2007-11-23 20:29:08 10,752 ----a-w C:\WINDOWS\system32\ActiveScan\psndsk.dll
+ 2007-10-18 15:30:38 42,496 ----a-w C:\WINDOWS\system32\ActiveScan\psnflg.dll
+ 2007-10-30 17:19:22 98,304 ----a-w C:\WINDOWS\system32\ActiveScan\psnglknt.dll
+ 2007-08-22 14:52:00 20,272 ----a-w C:\WINDOWS\system32\ActiveScan\psnhsh.dll
+ 2007-11-12 21:49:34 11,776 ----a-w C:\WINDOWS\system32\ActiveScan\psnjidsign.dll
+ 2007-08-22 14:52:04 76,080 ----a-w C:\WINDOWS\system32\ActiveScan\psnkrnl.dll
+ 2007-08-22 14:52:06 21,296 ----a-w C:\WINDOWS\system32\ActiveScan\psnmem.dll
+ 2007-10-04 21:26:28 28,672 ----a-w C:\WINDOWS\system32\ActiveScan\PsnPen.dll
+ 2007-10-23 17:40:10 86,016 ----a-w C:\WINDOWS\system32\ActiveScan\psntuc.dll
+ 2007-05-24 17:27:36 27,136 ----a-w C:\WINDOWS\system32\ActiveScan\PSNXprs.dll
+ 2007-04-18 23:16:04 353,840 ----a-w C:\WINDOWS\system32\ActiveScan\psscan.dll
+ 2007-01-22 20:42:48 35,328 ----a-w C:\WINDOWS\system32\ActiveScan\rawvfile.dll
+ 2007-06-08 15:44:36 8,576 ----a-w C:\WINDOWS\system32\ActiveScan\RKPavProc.sys
+ 2007-06-05 16:56:40 44,928 ----a-w C:\WINDOWS\system32\ActiveScan\sdthook.sys
+ 1997-09-18 12:12:32 9,488 ----a-w C:\WINDOWS\system32\ActiveScan\sporder.dll
+ 2006-02-28 23:23:40 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\tcpvfile.dll
+ 2007-09-17 15:14:08 126,976 ----a-w C:\WINDOWS\system32\ActiveScan\Tucan.dll
+ 2006-08-02 18:39:06 73,728 ----a-w C:\WINDOWS\system32\asuninst.exe
- 2001-08-30 10:30:00 50,620 ----a-w C:\WINDOWS\system32\command.com
+ 2001-08-18 19:00:00 50,620 ----a-w C:\WINDOWS\system32\command.com
- 2008-01-06 21:41:12 253,952 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2008-01-10 08:42:27 253,952 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2007-07-31 01:19:36 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
+ 2007-07-31 01:19:32 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
+ 2007-07-31 01:18:40 33,624 ----a-w C:\WINDOWS\system32\wups.dll
+ 2007-07-31 01:19:12 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
+ 2007-07-31 01:19:46 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
+ 2003-03-26 00:53:50 11,776 ----a-w C:\WINDOWS\system32\ZPORT4AS.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5AA6D3DC-5327-4122-A52E-D06114743764}]
C:\WINDOWS\System32\mlljj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D6AA9327-8DAD-4559-7AB3-20BAEA823D74}]
C:\Program Files\Outlook Express\quzajebi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F44D8E66-7BB6-49BD-A924-5E0368C00FD1}]
C:\Program Files\Video Add-on\isfmdl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [ ]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"ulib"="C:\WINDOWS\System32\ulib.exe" [ ]
"197_150_ni_1"="C:\WINDOWS\System32\197_150_ni_1.exe" [ ]
"dbnetlib"="C:\WINDOWS\System32\dbnetlib.exe" [ ]
"wiavusd"="C:\WINDOWS\System32\wiavusd.exe" [ ]
"rsvpsp"="C:\WINDOWS\System32\rsvpsp.exe" [ ]
"adsmsext"="C:\WINDOWS\System32\adsmsext.exe" [ ]
"schannel"="C:\WINDOWS\System32\schannel.exe" [ ]
"sisbkup"="C:\WINDOWS\System32\sisbkup.exe" [ ]
"mll_hp"="C:\WINDOWS\System32\mll_hp.exe" [ ]
"tdi-sonyomg"="C:\WINDOWS\System32\tdi-sonyomg.exe" [ ]
"mchgrcoi"="C:\WINDOWS\System32\mchgrcoi.exe" [ ]
"powrprof"="C:\WINDOWS\System32\powrprof.exe" [ ]
"usp10"="C:\WINDOWS\System32\usp10.exe" [ ]
"pngfilt"="C:\WINDOWS\System32\pngfilt.exe" [ ]
"winhttp"="C:\WINDOWS\System32\winhttp.exe" [ ]
"ipmontr"="C:\WINDOWS\System32\ipmontr.exe" [ ]
"iuctl"="C:\WINDOWS\System32\iuctl.exe" [ ]
"schedsvc"="C:\WINDOWS\System32\schedsvc.exe" [ ]
"msisip"="C:\WINDOWS\System32\msisip.exe" [ ]
"eglivecam_1028"="C:\WINDOWS\System32\eglivecam_1028.exe" [ ]
"qedit"="C:\WINDOWS\System32\qedit.exe" [ ]
"mspatcha"="C:\WINDOWS\System32\mspatcha.exe" [ ]
"javacypt"="C:\WINDOWS\System32\javacypt.exe" [ ]
"msr2cenu"="C:\WINDOWS\System32\msr2cenu.exe" [ ]
"igmpagnt"="C:\WINDOWS\System32\igmpagnt.exe" [ ]
"comctl32"="C:\WINDOWS\System32\comctl32.exe" [ ]
"ftsrch"="C:\WINDOWS\System32\ftsrch.exe" [ ]
"browsewm"="C:\WINDOWS\System32\browsewm.exe" [ ]
"digest"="C:\WINDOWS\System32\digest.exe" [ ]
"dpwsockx"="C:\WINDOWS\System32\dpwsockx.exe" [ ]
"neth"="C:\WINDOWS\System32\neth.exe" [ ]
"dmintf"="C:\WINDOWS\System32\dmintf.exe" [ ]
"kbdlt1"="C:\WINDOWS\System32\kbdlt1.exe" [ ]
"ir41_qcx"="C:\WINDOWS\System32\ir41_qcx.exe" [ ]
"modemui"="C:\WINDOWS\System32\modemui.exe" [ ]
"umpnpmgr"="C:\WINDOWS\System32\umpnpmgr.exe" [ ]
"netapi"="C:\WINDOWS\System32\netapi.exe" [ ]
"sccbase"="C:\WINDOWS\System32\sccbase.exe" [ ]
"tapisrv"="C:\WINDOWS\System32\tapisrv.exe" [ ]
"kbdla"="C:\WINDOWS\System32\kbdla.exe" [ ]
"rasppp"="C:\WINDOWS\System32\rasppp.exe" [ ]
"rdocurs"="C:\WINDOWS\System32\rdocurs.exe" [ ]
"inetcomm"="C:\WINDOWS\System32\inetcomm.exe" [ ]
"ntdsapi"="C:\WINDOWS\System32\ntdsapi.exe" [ ]
"dbmsvinn"="C:\WINDOWS\System32\dbmsvinn.exe" [ ]
"icmui"="C:\WINDOWS\System32\icmui.exe" [ ]
"wiaservc"="C:\WINDOWS\System32\wiaservc.exe" [ ]
"cnmlm38"="C:\WINDOWS\System32\cnmlm38.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-22 14:00 68856]
"wupdinfo"="C:\WINDOWS\System32\wupdinfo.exe" [ ]
"ezstub3"="C:\WINDOWS\System32\ezstub3.exe" [ ]
"rtipxmib"="C:\WINDOWS\System32\rtipxmib.exe" [ ]
"kbdazel"="C:\WINDOWS\System32\kbdazel.exe" [ ]
"rdpcfgex"="C:\WINDOWS\System32\rdpcfgex.exe" [ ]
"ntlsapi"="C:\WINDOWS\System32\ntlsapi.exe" [ ]
"kbdnec"="C:\WINDOWS\System32\kbdnec.exe" [ ]
"dmdlgs"="C:\WINDOWS\System32\dmdlgs.exe" [ ]
"mswsock"="C:\WINDOWS\System32\mswsock.exe" [ ]
"dispex"="C:\WINDOWS\System32\dispex.exe" [ ]
"wifeman"="C:\WINDOWS\System32\wifeman.exe" [ ]
"wiashext"="C:\WINDOWS\System32\wiashext.exe" [ ]
"ds32gt"="C:\WINDOWS\System32\ds32gt.exe" [ ]
"wtsapi32"="C:\WINDOWS\System32\wtsapi32.exe" [ ]
"ialmgicd"="C:\WINDOWS\System32\ialmgicd.exe" [ ]
"bszip"="C:\WINDOWS\System32\bszip.exe" [ ]
"nmsapi"="C:\WINDOWS\System32\nmsapi.exe" [ ]
"rtm"="C:\WINDOWS\System32\rtm.exe" [ ]
"sfmapi"="C:\WINDOWS\System32\sfmapi.exe" [ ]
"wmpcd"="C:\WINDOWS\System32\wmpcd.exe" [ ]
"bidispl"="C:\WINDOWS\System32\bidispl.exe" [ ]
"riched32"="C:\WINDOWS\System32\riched32.exe" [ ]
"unimdmat"="C:\WINDOWS\System32\unimdmat.exe" [ ]
"msencode"="C:\WINDOWS\System32\msencode.exe" [ ]
"csh"="C:\WINDOWS\System32\csh.exe" [ ]
"racpldlg"="C:\WINDOWS\System32\racpldlg.exe" [ ]
"jgaw400"="C:\WINDOWS\System32\jgaw400.exe" [ ]
"txflog"="C:\WINDOWS\System32\txflog.exe" [ ]
"cabinet"="C:\WINDOWS\System32\cabinet.exe" [ ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]
"kbdbu"="C:\WINDOWS\System32\kbdbu.exe" [ ]
"shlwapi"="C:\WINDOWS\System32\shlwapi.exe" [ ]
"wlnotify"="C:\WINDOWS\System32\wlnotify.exe" [ ]
"ntmssvc"="C:\WINDOWS\System32\ntmssvc.exe" [ ]
"mswebdvd"="C:\WINDOWS\System32\mswebdvd.exe" [ ]
"kbdal"="C:\WINDOWS\System32\kbdal.exe" [ ]
"ialmgdev"="C:\WINDOWS\System32\ialmgdev.exe" [ ]
"uniplat"="C:\WINDOWS\System32\uniplat.exe" [ ]
"mindex"="C:\WINDOWS\System32\mindex.exe" [ ]
"pdh"="C:\WINDOWS\System32\pdh.exe" [ ]
"mfc42u"="C:\WINDOWS\System32\mfc42u.exe" [ ]
"certmgr"="C:\WINDOWS\System32\certmgr.exe" [ ]
"faultrep"="C:\WINDOWS\System32\faultrep.exe" [ ]
"odbc16gt"="C:\WINDOWS\System32\odbc16gt.exe" [ ]
"eventlog"="C:\WINDOWS\System32\eventlog.exe" [ ]
"wshext"="C:\WINDOWS\System32\wshext.exe" [ ]
"qedwipes"="C:\WINDOWS\System32\qedwipes.exe" [ ]
"feclient"="C:\WINDOWS\System32\feclient.exe" [ ]
"wmpui"="C:\WINDOWS\System32\wmpui.exe" [ ]
"comuid"="C:\WINDOWS\System32\comuid.exe" [ ]
"qmgr"="C:\WINDOWS\System32\qmgr.exe" [ ]
"dsound"="C:\WINDOWS\System32\dsound.exe" [ ]
"smlogcfg"="C:\WINDOWS\System32\smlogcfg.exe" [ ]
"srvsvc"="C:\WINDOWS\System32\srvsvc.exe" [ ]
"deskadp"="C:\WINDOWS\System32\deskadp.exe" [ ]
"autodisc"="C:\WINDOWS\System32\autodisc.exe" [ ]
"rtutils"="C:\WINDOWS\System32\rtutils.exe" [ ]
"fsusd"="C:\WINDOWS\System32\fsusd.exe" [ ]
"wowfax"="C:\WINDOWS\System32\wowfax.exe" [ ]
"dbmsrpcn"="C:\WINDOWS\System32\dbmsrpcn.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2001-08-30 04:30 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-07-10 03:25 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-07-10 03:13 114688]
"GWMDMMSG"="GWMDMMSG.exe" [2002-05-06 18:12 65536 C:\WINDOWS\GWMDMMSG.exe]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-09-02 20:25 675840]
"rasfont"="C:\WINDOWS\security\Database\rasfont.exe" [ ]
"uvuditwh"="C:\WINDOWS\uvuditwh.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-12-17 23:20 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-04-07 12:02 98304]
"fol"="C:\WINDOWS\fol.exe" [ ]
"Etwawx"="C:\Program Files\Qtbwnj\Amoly.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 03:36 36975]
"{77-7C-C8-8D-ZN}"="c:\windows\system32\dwdsrngt.exe" [ ]
"ctfmona"="C:\WINDOWS\System32\ctfmona.exe" [ ]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40 5367608]
"SDFix"="C:\DOCUME~1\OWNER~1.PRI\Desktop\SDFix\RunThis.bat /second" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SDFix"="C:\DOCUME~1\OWNER~1.PRI\Desktop\SDFix\RunThis.bat /second" [ ]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{b585105c-0e84-4ef0-9c6a-fbe134a72945}"= C:\WINDOWS\System32\ivrllc.dll [2007-11-23 22:55 12800]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qkihlbti]
qkihlbti.dll 2007-12-06 14:08 36928 C:\WINDOWS\system32\qkihlbti.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tnjfcfka]
tnjfcfka.dll 2007-12-06 14:17 36928 C:\WINDOWS\system32\tnjfcfka.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winsqr32]
winsqr32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll

S0 ccfzlgyh;ccfzlgyh;C:\WINDOWS\System32\drivers\cyjrngpt.da_ []
S1 drmProc;drmProc;C:\WINDOWS\System32\drivers\mskntmgr.sys [2005-10-20 12:56]
S2 NMSSvc;Intel(R) NMS;C:\WINDOWS\System32\NMSSvc.exe [2002-05-03 13:36]
S2 svcpack;svcpack;C:\WINDOWS\System32\svcpack.exe []
S3 iscFlash;iscFlash;C:\WINDOWS\SYSTEM32\DRIVERS\iscflash.sys []
S3 NMSCFG;NIC Management Service Configuration Driver;C:\WINDOWS\System32\drivers\NMSCFG.SYS [2002-05-03 13:36]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-10 02:46:44
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\qkihlbti.dll
-> C:\WINDOWS\system32\tnjfcfka.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2600.0000]
-> C:\WINDOWS\system32\qkihlbti.dll
-> C:\WINDOWS\System32\ivrllc.dll
.
Completion time: 2008-01-10 2:49:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-10 08:49:24
ComboFix2.txt 2008-01-08 00:11:23

[Pancake]

Can you post a screenshot of the MGADiag. If it won't attach use Photobucket to upload the image.We will also need SP2 next time around.I will let you know when to download that.

http://photobucket.com/


========================



Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes.Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT.

O2 - BHO: (no name) - {5AA6D3DC-5327-4122-A52E-D06114743764} - C:\WINDOWS\System32\mlljj.dll (file missing)
O2 - BHO: 0 - {D6AA9327-8DAD-4559-7AB3-20BAEA823D74} - C:\Program Files\Outlook Express\quzajebi.dll (file missing)
O2 - BHO: (no name) - {F44D8E66-7BB6-49BD-A924-5E0368C00FD1} - C:\Program Files\Video Add-on\isfmdl.dll (file missing)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [IUgK6U] C:\docume~1\owner~1.pri\locals~1\temp\IUgK6U.exe
O4 - HKLM\..\Run: [rasfont] C:\WINDOWS\security\Database\rasfont.exe
O4 - HKLM\..\Run: [uvuditwh] C:\WINDOWS\uvuditwh.exe
O4 - HKLM\..\Run: [fol] C:\WINDOWS\fol.exe
O4 - HKLM\..\Run: [Etwawx] C:\Program Files\Qtbwnj\Amoly.exe
O4 - HKLM\..\Run: [{77-7C-C8-8D-ZN}] c:\windows\system32\dwdsrngt.exe CHD001
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\System32\ctfmona.exe
O4 - HKCU\..\Run: [ulib] C:\WINDOWS\System32\ulib.exe
O4 - HKCU\..\Run: [197_150_ni_1] C:\WINDOWS\System32\197_150_ni_1.exe
O4 - HKCU\..\Run: [dbnetlib] "C:\WINDOWS\System32\dbnetlib.exe"
O4 - HKCU\..\Run: [wiavusd] "C:\WINDOWS\System32\wiavusd.exe"
O4 - HKCU\..\Run: [rsvpsp] "C:\WINDOWS\System32\rsvpsp.exe"
O4 - HKCU\..\Run: [adsmsext] "C:\WINDOWS\System32\adsmsext.exe"
O4 - HKCU\..\Run: [schannel] "C:\WINDOWS\System32\schannel.exe"
O4 - HKCU\..\Run: [sisbkup] "C:\WINDOWS\System32\sisbkup.exe"
O4 - HKCU\..\Run: [mll_hp] "C:\WINDOWS\System32\mll_hp.exe"
O4 - HKCU\..\Run: [tdi-sonyomg] "C:\WINDOWS\System32\tdi-sonyomg.exe"
O4 - HKCU\..\Run: [mchgrcoi] "C:\WINDOWS\System32\mchgrcoi.exe"
O4 - HKCU\..\Run: [powrprof] "C:\WINDOWS\System32\powrprof.exe"
O4 - HKCU\..\Run: [usp10] "C:\WINDOWS\System32\usp10.exe"
O4 - HKCU\..\Run: [pngfilt] "C:\WINDOWS\System32\pngfilt.exe"
O4 - HKCU\..\Run: [winhttp] "C:\WINDOWS\System32\winhttp.exe"
O4 - HKCU\..\Run: [ipmontr] "C:\WINDOWS\System32\ipmontr.exe"
O4 - HKCU\..\Run: [iuctl] "C:\WINDOWS\System32\iuctl.exe"
O4 - HKCU\..\Run: [schedsvc] "C:\WINDOWS\System32\schedsvc.exe"
O4 - HKCU\..\Run: [msisip] "C:\WINDOWS\System32\msisip.exe"
O4 - HKCU\..\Run: [eglivecam_1028] "C:\WINDOWS\System32\eglivecam_1028.exe"
O4 - HKCU\..\Run: [qedit] "C:\WINDOWS\System32\qedit.exe"
O4 - HKCU\..\Run: [mspatcha] "C:\WINDOWS\System32\mspatcha.exe"
O4 - HKCU\..\Run: [javacypt] "C:\WINDOWS\System32\javacypt.exe"
O4 - HKCU\..\Run: [msr2cenu] "C:\WINDOWS\System32\msr2cenu.exe"
O4 - HKCU\..\Run: [igmpagnt] "C:\WINDOWS\System32\igmpagnt.exe"
O4 - HKCU\..\Run: [comctl32] "C:\WINDOWS\System32\comctl32.exe"
O4 - HKCU\..\Run: [ftsrch] "C:\WINDOWS\System32\ftsrch.exe"
O4 - HKCU\..\Run: [browsewm] "C:\WINDOWS\System32\browsewm.exe"
O4 - HKCU\..\Run: [digest] "C:\WINDOWS\System32\digest.exe"
O4 - HKCU\..\Run: [dpwsockx] "C:\WINDOWS\System32\dpwsockx.exe"
O4 - HKCU\..\Run: [neth] "C:\WINDOWS\System32\neth.exe"
O4 - HKCU\..\Run: [dmintf] "C:\WINDOWS\System32\dmintf.exe"
O4 - HKCU\..\Run: [kbdlt1] "C:\WINDOWS\System32\kbdlt1.exe"
O4 - HKCU\..\Run: [ir41_qcx] "C:\WINDOWS\System32\ir41_qcx.exe"
O4 - HKCU\..\Run: [modemui] "C:\WINDOWS\System32\modemui.exe"
O4 - HKCU\..\Run: [umpnpmgr] "C:\WINDOWS\System32\umpnpmgr.exe"
O4 - HKCU\..\Run: [netapi] "C:\WINDOWS\System32\netapi.exe"
O4 - HKCU\..\Run: [sccbase] "C:\WINDOWS\System32\sccbase.exe"
O4 - HKCU\..\Run: [kbdla] "C:\WINDOWS\System32\kbdla.exe"
O4 - HKCU\..\Run: [rasppp] "C:\WINDOWS\System32\rasppp.exe"
O4 - HKCU\..\Run: [rdocurs] "C:\WINDOWS\System32\rdocurs.exe"
O4 - HKCU\..\Run: [ntdsapi] "C:\WINDOWS\System32\ntdsapi.exe"
O4 - HKCU\..\Run: [dbmsvinn] "C:\WINDOWS\System32\dbmsvinn.exe"
O4 - HKCU\..\Run: [icmui] "C:\WINDOWS\System32\icmui.exe"
O4 - HKCU\..\Run: [wiaservc] "C:\WINDOWS\System32\wiaservc.exe"
O4 - HKCU\..\Run: [cnmlm38] "C:\WINDOWS\System32\cnmlm38.exe"
O4 - HKCU\..\Run: [wupdinfo] "C:\WINDOWS\System32\wupdinfo.exe"
O4 - HKCU\..\Run: [ezstub3] "C:\WINDOWS\System32\ezstub3.exe"
O4 - HKCU\..\Run: [rtipxmib] "C:\WINDOWS\System32\rtipxmib.exe"
O4 - HKCU\..\Run: [kbdazel] "C:\WINDOWS\System32\kbdazel.exe"
O4 - HKCU\..\Run: [rdpcfgex] "C:\WINDOWS\System32\rdpcfgex.exe"
O4 - HKCU\..\Run: [ntlsapi] "C:\WINDOWS\System32\ntlsapi.exe"
O4 - HKCU\..\Run: [kbdnec] "C:\WINDOWS\System32\kbdnec.exe"
O4 - HKCU\..\Run: [dmdlgs] "C:\WINDOWS\System32\dmdlgs.exe"
O4 - HKCU\..\Run: [mswsock] "C:\WINDOWS\System32\mswsock.exe"
O4 - HKCU\..\Run: [dispex] "C:\WINDOWS\System32\dispex.exe"
O4 - HKCU\..\Run: [wifeman] "C:\WINDOWS\System32\wifeman.exe"
O4 - HKCU\..\Run: [wiashext] "C:\WINDOWS\System32\wiashext.exe"
O4 - HKCU\..\Run: [ds32gt] "C:\WINDOWS\System32\ds32gt.exe"
O4 - HKCU\..\Run: [wtsapi32] "C:\WINDOWS\System32\wtsapi32.exe"
O4 - HKCU\..\Run: [ialmgicd] "C:\WINDOWS\System32\ialmgicd.exe"
O4 - HKCU\..\Run: [bszip] "C:\WINDOWS\System32\bszip.exe"
O4 - HKCU\..\Run: [nmsapi] "C:\WINDOWS\System32\nmsapi.exe"
O4 - HKCU\..\Run: [rtm] "C:\WINDOWS\System32\rtm.exe"
O4 - HKCU\..\Run: [sfmapi] "C:\WINDOWS\System32\sfmapi.exe"
O4 - HKCU\..\Run: [wmpcd] "C:\WINDOWS\System32\wmpcd.exe"
O4 - HKCU\..\Run: [bidispl] "C:\WINDOWS\System32\bidispl.exe"
O4 - HKCU\..\Run: [riched32] "C:\WINDOWS\System32\riched32.exe"
O4 - HKCU\..\Run: [unimdmat] "C:\WINDOWS\System32\unimdmat.exe"
O4 - HKCU\..\Run: [msencode] "C:\WINDOWS\System32\msencode.exe"
O4 - HKCU\..\Run: [csh] "C:\WINDOWS\System32\csh.exe"
O4 - HKCU\..\Run: [racpldlg] "C:\WINDOWS\System32\racpldlg.exe"
O4 - HKCU\..\Run: [jgaw400] "C:\WINDOWS\System32\jgaw400.exe"
O4 - HKCU\..\Run: [txflog] "C:\WINDOWS\System32\txflog.exe"
O4 - HKCU\..\Run: [cabinet] "C:\WINDOWS\System32\cabinet.exe"
O4 - HKCU\..\Run: [kbdbu] "C:\WINDOWS\System32\kbdbu.exe"
O4 - HKCU\..\Run: [shlwapi] "C:\WINDOWS\System32\shlwapi.exe"
O4 - HKCU\..\Run: [wlnotify] "C:\WINDOWS\System32\wlnotify.exe"
O4 - HKCU\..\Run: [ntmssvc] "C:\WINDOWS\System32\ntmssvc.exe"
O4 - HKCU\..\Run: [mswebdvd] "C:\WINDOWS\System32\mswebdvd.exe"
O4 - HKCU\..\Run: [kbdal] "C:\WINDOWS\System32\kbdal.exe"
O4 - HKCU\..\Run: [ialmgdev] "C:\WINDOWS\System32\ialmgdev.exe"
O4 - HKCU\..\Run: [uniplat] "C:\WINDOWS\System32\uniplat.exe"
O4 - HKCU\..\Run: [mindex] "C:\WINDOWS\System32\mindex.exe"
O4 - HKCU\..\Run: [pdh] "C:\WINDOWS\System32\pdh.exe"
O4 - HKCU\..\Run: [mfc42u] "C:\WINDOWS\System32\mfc42u.exe"
O4 - HKCU\..\Run: [certmgr] "C:\WINDOWS\System32\certmgr.exe"
O4 - HKCU\..\Run: [faultrep] "C:\WINDOWS\System32\faultrep.exe"
O4 - HKCU\..\Run: [odbc16gt] "C:\WINDOWS\System32\odbc16gt.exe"
O4 - HKCU\..\Run: [wshext] "C:\WINDOWS\System32\wshext.exe"
O4 - HKCU\..\Run: [qedwipes] "C:\WINDOWS\System32\qedwipes.exe"
O4 - HKCU\..\Run: [feclient] "C:\WINDOWS\System32\feclient.exe"
O4 - HKCU\..\Run: [wmpui] "C:\WINDOWS\System32\wmpui.exe"
O4 - HKCU\..\Run: [comuid] "C:\WINDOWS\System32\comuid.exe"
O4 - HKCU\..\Run: [qmgr] "C:\WINDOWS\System32\qmgr.exe"
O4 - HKCU\..\Run: [dsound] "C:\WINDOWS\System32\dsound.exe"
O4 - HKCU\..\Run: [smlogcfg] "C:\WINDOWS\System32\smlogcfg.exe"
O4 - HKCU\..\Run: [srvsvc] "C:\WINDOWS\System32\srvsvc.exe"
O4 - HKCU\..\Run: [deskadp] "C:\WINDOWS\System32\deskadp.exe"
O4 - HKCU\..\Run: [autodisc] "C:\WINDOWS\System32\autodisc.exe"
O4 - HKCU\..\Run: [rtutils] "C:\WINDOWS\System32\rtutils.exe"
O4 - HKCU\..\Run: [fsusd] "C:\WINDOWS\System32\fsusd.exe"
O4 - HKCU\..\Run: [dbmsrpcn] "C:\WINDOWS\System32\dbmsrpcn.exe"
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
O20 - Winlogon Notify: qkihlbti - C:\WINDOWS\SYSTEM32\qkihlbti.dll
O20 - Winlogon Notify: tnjfcfka - C:\WINDOWS\SYSTEM32\tnjfcfka.dll
O20 - Winlogon Notify: winsqr32 - winsqr32.dll (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\jmmmttmk.exe (file missing)
O23 - Service: Microsoft Inet Service - Unknown owner - C:\WINDOWS\System32\_svchost.exe (file missing)
O23 - Service: svcpack - Unknown owner - C:\WINDOWS\System32\svcpack.exe (file missing)


Reboot and post a new HJT log...

[dhult]

Hello, the shield is still there and i can still only start windows in safe mode. Here is the new HJT log and i have attached the MGADiag screen shot. Thank you again for all the help.


Logfile of HijackThis v1.99.1
Scan saved at 3:49:58 AM, on 1/11/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Owner.PRINCETO-F4EVBC\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\Run: [SDFix] C:\DOCUME~1\OWNER~1.PRI\Desktop\SDFix\RunThis.bat /second
O4 - HKLM\..\RunOnce: [SDFix] C:\DOCUME~1\OWNER~1.PRI\Desktop\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ftsrch] "C:\WINDOWS\System32\ftsrch.exe"
O4 - HKCU\..\Run: [ir41_qcx] "C:\WINDOWS\System32\ir41_qcx.exe"
O4 - HKCU\..\Run: [tapisrv] "C:\WINDOWS\System32\tapisrv.exe"
O4 - HKCU\..\Run: [inetcomm] "C:\WINDOWS\System32\inetcomm.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [eventlog] "C:\WINDOWS\System32\eventlog.exe"
O4 - HKCU\..\Run: [wowfax] "C:\WINDOWS\System32\wowfax.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1199756174781
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: qkihlbti - C:\WINDOWS\SYSTEM32\qkihlbti.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

[Pancake]

Now for the big cleanup.


Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Quote:

KillAll::

File::
C:\WINDOWS\system32\cjbougsy.ini
C:\WINDOWS\systeldd32.dll
C:\WINDOWS\system32\rrutv.bak2
C:\WINDOWS\Registration\nurs.bak1
C:\WINDOWS\Registration\nurs.bak2
C:\WINDOWS\System32\ftsrch.exe
C:\WINDOWS\System32\ir41_qcx.exe
C:\WINDOWS\System32\inetcomm.exe

Folder::
C:\Program Files\Viewpoint
C:\Program Files\Qtbwnj

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5AA6D3DC-5327-4122-A52E-D06114743764}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D6AA9327-8DAD-4559-7AB3-20BAEA823D74}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F44D8E66-7BB6-49BD-A924-5E0368C00FD1}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ulib"=-
"197_150_ni_1"=-
"dbnetlib"=-
"wiavusd"=-
"rsvpsp"=-
"adsmsext"=-
"schannel"=-
"sisbkup"=-
"mll_hp"=-
"tdi-sonyomg"=-
"mchgrcoi"=-
"powrprof"=-
"usp10"=-
"pngfilt"=-
"winhttp"=-
"ipmontr"=-
"iuctl"=-
"schedsvc"=-
"msisip"=-
"eglivecam_1028"=-
"qedit"=-
"mspatcha"=-
"javacypt"=-
"msr2cenu"=-
"igmpagnt"=-
"comctl32"=-
"ftsrch"=-
"browsewm"=-
"digest"=-
"dpwsockx"=-
"neth"=-
"dmintf"=-
"kbdlt1"=-
"ir41_qcx"=-
"modemui"=-
"umpnpmgr"=-
"netapi"=-
"sccbase"=-
"tapisrv"=-
"kbdla"=-
"rasppp"=-
"rdocurs"=-
"inetcomm"=-
"ntdsapi"=-
"dbmsvinn"=-
"icmui"=-
"wiaservc"=-
"cnmlm38"=-
"wupdinfo"=-
"ezstub3"=-
"rtipxmib"=-
"kbdazel"=-
"rdpcfgex"=-
"ntlsapi"=-
"kbdnec"=-
"dmdlgs"=-
"mswsock"=-
"dispex"=-
"wifeman"=-
"wiashext"=-
"ds32gt"=-
"wtsapi32"=-
"ialmgicd"=-
"bszip"=-
"nmsapi"=-
"rtm"=-
"sfmapi"=-
"wmpcd"=-
"bidispl"=-
"riched32"=-
"unimdmat"=-
"msencode"=-
"csh"=-
"racpldlg"=-
"jgaw400"=-
"txflog"=-
"cabinet"=-
"kbdbu"=-
"shlwapi"=-
"wlnotify"=-
"ntmssvc"=-
"mswebdvd"=-
"kbdal"=-
"ialmgdev"=-
"uniplat"=-
"mindex"=-
"pdh"=-
"mfc42u"=-
"certmgr"=-
"faultrep"=-
"odbc16gt"=-
"eventlog"=-
"wshext"=-
"qedwipes"=-
"feclient"=-
"wmpui"=-
"comuid"=-
"qmgr"=-
"dsound"=-
"smlogcfg"=-
"srvsvc"=-
"deskadp"=-
"autodisc"=-
"rtutils"=-
"fsusd"=-
"wowfax"=-
"dbmsrpcn"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rasfont"=-
"uvuditwh"=-
"fol"=-
"Etwawx"=-
"{77-7C-C8-8D-ZN}"=-
"ctfmona"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{b585105c-0e84-4ef0-9c6a-fbe134a72945}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qkihlbti]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tnjfcfka]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winsqr32]

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.




Refering to the picture above, drag CFScript.txt into ComboFix.exe


When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt
*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

==============================

Important.We will need to update your Microsoft security.

Download Service Pack2 and install it.

http://www.microsoft.com/windowsxp/sp2/default.mspx

Post a fresh HJT log when done.

[dhult]

Thank you again for all the help. I still can not open windows normally and I get an error when i tried to download SP2. But i don't see the shield anymore! Here are the new logs....

ComboFix 08-01-09.2 - Owner 2008-01-12 3:08:14.3 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.0.1252.1.1033.18.137 [GMT -6:00]
Running from: C:\Documents and Settings\Owner.PRINCETO-F4EVBC\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner.PRINCETO-F4EVBC\Desktop\CFScript.txt

FILE
C:\WINDOWS\Registration\nurs.bak1
C:\WINDOWS\Registration\nurs.bak2
C:\WINDOWS\systeldd32.dll
C:\WINDOWS\system32\cjbougsy.ini
C:\WINDOWS\System32\ftsrch.exe
C:\WINDOWS\System32\inetcomm.exe
C:\WINDOWS\System32\ir41_qcx.exe
C:\WINDOWS\system32\rrutv.bak2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Qtbwnj
C:\Program Files\Viewpoint
C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentMgr.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\AOLArt.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\BlueStreak.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Cursors.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\DataTracking.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\GifReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\JpegReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\LensFlares.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Mts2Reader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Mts3Reader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\ObjectMovie.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SceneComponent.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SreeDMMX.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SWFView.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPAudio.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPExtras.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPVideo.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\WaveletReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\ZoomView.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamConfig.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MetastreamID.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
C:\Program Files\Viewpoint\Viewpoint Media Player\MTSDownloadSites.txt
C:\Program Files\Viewpoint\Viewpoint Media Player\NewClassID.ini
C:\WINDOWS\Registration\nurs.bak1
C:\WINDOWS\Registration\nurs.bak2
C:\WINDOWS\systeldd32.dll
C:\WINDOWS\system32\cjbougsy.ini
C:\WINDOWS\system32\rrutv.bak2

.
((((((((((((((((((((((((( Files Created from 2007-12-12 to 2008-01-12 )))))))))))))))))))))))))))))))
.

2008-01-10 02:22 . 2008-01-10 02:22 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-10 01:45 . 2008-01-10 01:45 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Office Genuine Advantage
2008-01-07 22:40 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-07 22:10 . 2008-01-08 01:22 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-07 22:10 . 2008-01-07 22:10 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-07 22:10 . 2008-01-07 22:10 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-07 22:10 . 2008-01-07 22:10 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-07 22:10 . 2008-01-07 22:10 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-07 19:47 . 2008-01-07 19:47 <DIR> d-------- C:\ie-spyad_zo
2008-01-07 19:21 . 2008-01-07 19:27 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-07 18:15 . 2008-01-07 18:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2008-01-06 15:26 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-06 14:54 . 2008-01-06 15:22 <DIR> d-------- C:\Program Files\InfeStop
2008-01-06 14:54 . 2008-01-06 14:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InfeStop.com
2008-01-05 21:45 . 2008-01-05 21:45 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-01-05 21:21 . 2008-01-05 21:21 <DIR> d-------- C:\Deckard
2008-01-04 23:33 . 2008-01-06 15:21 <DIR> d-------- C:\Program Files\Spy-Rid
2008-01-04 23:33 . 2008-01-04 23:33 <DIR> d-------- C:\Documents and Settings\Owner.PRINCETO-F4EVBC\Application Data\spy-rid.com
2008-01-02 02:10 . 2008-01-07 18:18 <DIR> d-------- C:\Program Files\EasySpywareCleaner
2008-01-02 02:10 . 2008-01-02 02:10 <DIR> d-------- C:\Documents and Settings\Owner.PRINCETO-F4EVBC\Application Data\EasySpywareCleaner.com
2007-12-28 20:37 . 2007-12-28 20:37 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Webroot
2007-12-28 18:27 . 2007-12-28 18:27 <DIR> d-------- C:\WINDOWS\Favorites
2007-12-28 17:02 . 2007-12-28 17:02 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Webroot
2007-12-28 17:02 . 2007-10-01 16:24 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-12-28 17:02 . 2007-10-01 16:24 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-12-28 17:02 . 2007-10-01 16:24 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-12-28 17:02 . 2007-10-01 16:24 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-12-28 17:01 . 2007-12-28 17:01 <DIR> d-------- C:\Program Files\Webroot
2007-12-28 17:01 . 2007-12-28 17:01 <DIR> d-------- C:\Documents and Settings\Owner.PRINCETO-F4EVBC\Application Data\Webroot
2007-12-28 17:01 . 2007-12-28 17:01 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Webroot
2007-12-28 17:01 . 2007-10-01 16:40 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2007-12-28 17:00 . 2007-12-28 19:39 164 --a------ C:\install.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-08 07:04 --------- d-----w C:\Program Files\QuickTime
2008-01-08 06:58 --------- d-----w C:\Program Files\iTunes
2008-01-08 06:57 --------- d-----w C:\Program Files\Ipovalue
2008-01-08 06:23 --------- d-----w C:\Program Files\Google
2007-12-29 02:28 --------- d-----w C:\Program Files\6cqqsf0r
2007-11-29 20:02 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2007-11-27 19:43 34,545 ----a-w C:\sysvqna.exe
2007-11-27 19:11 --------- d-----w C:\Program Files\iConcepts Music Express
2007-11-27 19:10 --------- d-----w C:\Program Files\NStorm
2007-11-27 07:38 4,300,414 ----a-w C:\WINDOWS\java\Packages\3BBB13J7.ZIP
2007-11-27 07:06 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7
2007-11-27 07:03 --------- d-----w C:\Program Files\EmpirePokerMaster
2007-11-27 06:53 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2007-11-26 19:21 --------- d-----w C:\Documents and Settings\Owner.PRINCETO-F4EVBC\Application Data\AVG7
2007-11-20 18:12 --------- d-----w C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\AVG7
2007-11-17 02:35 --------- d-----w C:\Program Files\Cool
2007-11-12 08:13 --------- d-----w C:\Program Files\Gateway
2007-11-12 07:15 --------- d-----w C:\Program Files\MySpace
2007-11-12 07:04 --------- d-----w C:\Program Files\FastStone Photo Resizer
2006-07-14 13:27 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2004-06-13 17:04 449 ----a-w C:\Documents and Settings\Owner.PRINCETO-F4EVBC\UpdateReg.reg
.

((((((((((((((((((((((((((((( snapshot_2008-01-10_ 2.49.07.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-10 08:42:19 245,760 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-12 09:08:01 245,760 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-10 08:42:19 12,288 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-12 09:08:01 12,288 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-10 08:42:19 241,664 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-12 09:08:01 241,664 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-10 08:42:20 12,288 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-12 09:08:01 12,288 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-10 08:42:20 5,570,560 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-12 09:08:01 5,570,560 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-10 08:42:20 40,960 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-12 09:08:01 40,960 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-10 08:42:27 253,952 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2008-01-12 09:08:08 253,952 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [ ]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-22 14:00 68856]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2001-08-30 04:30 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-07-10 03:25 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-07-10 03:13 114688]
"GWMDMMSG"="GWMDMMSG.exe" [2002-05-06 18:12 65536 C:\WINDOWS\GWMDMMSG.exe]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-09-02 20:25 675840]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-12-17 23:20 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-04-07 12:02 98304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 03:36 36975]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40 5367608]
"SDFix"="C:\DOCUME~1\OWNER~1.PRI\Desktop\SDFix\RunThis.bat /second" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SDFix"="C:\DOCUME~1\OWNER~1.PRI\Desktop\SDFix\RunThis.bat /second" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qkihlbti]
qkihlbti.dll 2007-12-06 14:08 36928 C:\WINDOWS\system32\qkihlbti.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll

S0 ccfzlgyh;ccfzlgyh;C:\WINDOWS\System32\drivers\cyjrngpt.da_ []
S1 drmProc;drmProc;C:\WINDOWS\System32\drivers\mskntmgr.sys [2005-10-20 12:56]
S2 NMSSvc;Intel(R) NMS;C:\WINDOWS\System32\NMSSvc.exe [2002-05-03 13:36]
S3 iscFlash;iscFlash;C:\WINDOWS\SYSTEM32\DRIVERS\iscflash.sys []
S3 NMSCFG;NIC Management Service Configuration Driver;C:\WINDOWS\System32\drivers\NMSCFG.SYS [2002-05-03 13:36]
S4 svcpack;svcpack;C:\WINDOWS\System32\svcpack.exe []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-12 03:20:32
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\qkihlbti.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2600.0000]
-> C:\WINDOWS\system32\qkihlbti.dll
.
Completion time: 2008-01-12 3:23:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-12 09:23:03
ComboFix2.txt 2008-01-10 08:49:27
ComboFix3.txt 2008-01-08 00:11:23


Logfile of HijackThis v1.99.1
Scan saved at 3:36:00 AM, on 1/12/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Owner.PRINCETO-F4EVBC\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\Run: [SDFix] C:\DOCUME~1\OWNER~1.PRI\Desktop\SDFix\RunThis.bat /second
O4 - HKLM\..\RunOnce: [SDFix] C:\DOCUME~1\OWNER~1.PRI\Desktop\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1199756174781
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1200130152984
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: qkihlbti - C:\WINDOWS\SYSTEM32\qkihlbti.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

[Pancake]

What was the error you got when you tried SP2 ?.You really need this or you will end up back at square one again without some of its protection.



Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Quote:

KillAll::

File::
C:\WINDOWS\system32\qkihlbti.dll
C:\sysvqna.exe

Folder::
C:\Program Files\6cqqsf0r

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qkihlbti]

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.




Refering to the picture above, drag CFScript.txt into ComboFix.exe


When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please.


*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

[dhult]

I still cannot start windows normally.
This is the error I get when I try to download SP2...

[Error number: 0x8007043C]
The website has encountered a problem and cannot display the page you are trying to view. The options provided below might help you solve the problem.
For self-help options:

Frequently Asked Questions

Find Solutions

Windows Update Newsgroup
For assisted support options:

Microsoft Online Assisted Support (no-cost for Windows Update issues)

Here are the other logs...

ComboFix 08-01-09.2 - Owner 2008-01-13 3:09:52.4 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.0.1252.1.1033.18.134 [GMT -6:00]
Running from: C:\Documents and Settings\Owner.PRINCETO-F4EVBC\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner.PRINCETO-F4EVBC\Desktop\CFScript.txt

FILE
C:\sysvqna.exe
C:\WINDOWS\system32\qkihlbti.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\6cqqsf0r
C:\Program Files\6cqqsf0r\15026076.bin
C:\Program Files\6cqqsf0r\17358224.bin
C:\Program Files\6cqqsf0r\25609600.txt
C:\Program Files\6cqqsf0r\2806107.txt
C:\Program Files\6cqqsf0r\30131026.bin
C:\Program Files\6cqqsf0r\35847138.txt
C:\Program Files\6cqqsf0r\36784800.dat
C:\Program Files\6cqqsf0r\58540545.dat
C:\Program Files\6cqqsf0r\64071462.dat
C:\Program Files\6cqqsf0r\65842484.dat
C:\Program Files\6cqqsf0r\67515720.bin
C:\Program Files\6cqqsf0r\93716766.txt
C:\Program Files\6cqqsf0r\control.dat
C:\sysvqna.exe
C:\WINDOWS\system32\qkihlbti.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.

2008-01-10 02:22 . 2008-01-10 02:22 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-10 01:45 . 2008-01-10 01:45 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Office Genuine Advantage
2008-01-07 22:40 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-07 22:10 . 2008-01-08 01:22 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-07 22:10 . 2008-01-12 03:29 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-07 22:10 . 2008-01-07 22:10 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-07 22:10 . 2008-01-07 22:10 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-07 22:10 . 2008-01-07 22:10 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-07 19:47 . 2008-01-07 19:47 <DIR> d-------- C:\ie-spyad_zo
2008-01-07 19:21 . 2008-01-07 19:27 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-07 18:15 . 2008-01-07 18:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2008-01-06 15:26 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-06 14:54 . 2008-01-06 15:22 <DIR> d-------- C:\Program Files\InfeStop
2008-01-06 14:54 . 2008-01-06 14:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InfeStop.com
2008-01-05 21:45 . 2008-01-05 21:45 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-01-05 21:21 . 2008-01-05 21:21 <DIR> d-------- C:\Deckard
2008-01-04 23:33 . 2008-01-06 15:21 <DIR> d-------- C:\Program Files\Spy-Rid
2008-01-04 23:33 . 2008-01-04 23:33 <DIR> d-------- C:\Documents and Settings\Owner.PRINCETO-F4EVBC\Application Data\spy-rid.com
2008-01-02 02:10 . 2008-01-07 18:18 <DIR> d-------- C:\Program Files\EasySpywareCleaner
2008-01-02 02:10 . 2008-01-02 02:10 <DIR> d-------- C:\Documents and Settings\Owner.PRINCETO-F4EVBC\Application Data\EasySpywareCleaner.com
2007-12-28 20:37 . 2007-12-28 20:37 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Webroot
2007-12-28 18:27 . 2007-12-28 18:27 <DIR> d-------- C:\WINDOWS\Favorites
2007-12-28 17:02 . 2007-12-28 17:02 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Webroot
2007-12-28 17:02 . 2007-10-01 16:24 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-12-28 17:02 . 2007-10-01 16:24 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-12-28 17:02 . 2007-10-01 16:24 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-12-28 17:02 . 2007-10-01 16:24 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-12-28 17:01 . 2007-12-28 17:01 <DIR> d-------- C:\Program Files\Webroot
2007-12-28 17:01 . 2007-12-28 17:01 <DIR> d-------- C:\Documents and Settings\Owner.PRINCETO-F4EVBC\Application Data\Webroot
2007-12-28 17:01 . 2007-12-28 17:01 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Webroot
2007-12-28 17:01 . 2007-10-01 16:40 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2007-12-28 17:00 . 2007-12-28 19:39 164 --a------ C:\install.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-08 07:04 --------- d-----w C:\Program Files\QuickTime
2008-01-08 06:58 --------- d-----w C:\Program Files\iTunes
2008-01-08 06:57 --------- d-----w C:\Program Files\Ipovalue
2008-01-08 06:23 --------- d-----w C:\Program Files\Google
2007-11-29 20:02 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2007-11-27 19:11 --------- d-----w C:\Program Files\iConcepts Music Express
2007-11-27 19:10 --------- d-----w C:\Program Files\NStorm
2007-11-27 07:38 4,300,414 ----a-w C:\WINDOWS\java\Packages\3BBB13J7.ZIP
2007-11-27 07:06 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7
2007-11-27 07:03 --------- d-----w C:\Program Files\EmpirePokerMaster
2007-11-27 06:53 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2007-11-26 19:21 --------- d-----w C:\Documents and Settings\Owner.PRINCETO-F4EVBC\Application Data\AVG7
2007-11-20 18:12 --------- d-----w C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\AVG7
2007-11-17 02:35 --------- d-----w C:\Program Files\Cool
2006-07-14 13:27 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2004-06-13 17:04 449 ----a-w C:\Documents and Settings\Owner.PRINCETO-F4EVBC\UpdateReg.reg
.

((((((((((((((((((((((((((((( snapshot_2008-01-10_ 2.49.07.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-10 08:42:19 245,760 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-13 09:09:39 245,760 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-10 08:42:19 12,288 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-13 09:09:39 12,288 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-10 08:42:19 241,664 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-13 09:09:39 241,664 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-10 08:42:20 12,288 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-13 09:09:39 12,288 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-10 08:42:20 5,570,560 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-13 09:09:39 5,582,848 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-10 08:42:20 40,960 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-13 09:09:39 40,960 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2001-08-30 10:30:00 9,728 ----a-w C:\WINDOWS\LastGood\System32\cdm.dll
+ 2004-01-31 06:40:14 148,792 ----a-w C:\WINDOWS\LastGood\System32\wuauclt.exe
+ 2004-01-31 06:41:02 201,016 ----a-w C:\WINDOWS\LastGood\System32\wuaueng.dll
- 2001-08-30 10:30:00 9,728 ----a-w C:\WINDOWS\system32\cdm.dll
+ 2007-07-31 01:19:20 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
- 2008-01-10 08:42:27 253,952 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2008-01-13 09:09:46 253,952 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2007-07-31 01:18:34 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
- 2004-01-31 06:40:14 148,792 ----a-w C:\WINDOWS\system32\wuauclt.exe
+ 2007-07-31 01:19:16 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
- 2004-01-31 06:41:02 201,016 ----a-w C:\WINDOWS\system32\wuaueng.dll
+ 2007-07-31 01:19:42 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [ ]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-22 14:00 68856]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2001-08-30 04:30 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-07-10 03:25 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-07-10 03:13 114688]
"GWMDMMSG"="GWMDMMSG.exe" [2002-05-06 18:12 65536 C:\WINDOWS\GWMDMMSG.exe]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-09-02 20:25 675840]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-12-17 23:20 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-04-07 12:02 98304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 03:36 36975]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40 5367608]
"SDFix"="C:\DOCUME~1\OWNER~1.PRI\Desktop\SDFix\RunThis.bat /second" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SDFix"="C:\DOCUME~1\OWNER~1.PRI\Desktop\SDFix\RunThis.bat /second" [ ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll

S0 ccfzlgyh;ccfzlgyh;C:\WINDOWS\System32\drivers\cyjrngpt.da_ []
S1 drmProc;drmProc;C:\WINDOWS\System32\drivers\mskntmgr.sys [2005-10-20 12:56]
S2 NMSSvc;Intel(R) NMS;C:\WINDOWS\System32\NMSSvc.exe [2002-05-03 13:36]
S3 iscFlash;iscFlash;C:\WINDOWS\SYSTEM32\DRIVERS\iscflash.sys []
S3 NMSCFG;NIC Management Service Configuration Driver;C:\WINDOWS\System32\drivers\NMSCFG.SYS [2002-05-03 13:36]
S4 svcpack;svcpack;C:\WINDOWS\System32\svcpack.exe []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 03:18:52
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-13 3:21:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-13 09:21:20
ComboFix2.txt 2008-01-12 09:23:06
ComboFix3.txt 2008-01-10 08:49:27
ComboFix4.txt 2008-01-08 00:11:23



Logfile of HijackThis v1.99.1
Scan saved at 3:29:08 AM, on 1/13/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Owner.PRINCETO-F4EVBC\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\Run: [SDFix] C:\DOCUME~1\OWNER~1.PRI\Desktop\SDFix\RunThis.bat /second
O4 - HKLM\..\RunOnce: [SDFix] C:\DOCUME~1\OWNER~1.PRI\Desktop\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1199756174781
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1200130152984
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

[Pancake]

I dont see any more malware problems in you log so it looks like your problems lay with a file.See if this helps.


To do a Restore.

click on the Start button
select Programs
select Accessories
select System Tools
select System Restore

Start the System restore program.
Click the button next to "Restore my computer to an earlier time" and click the "Next" button.
A calendar will appear. Click on the date that you wish to restore Windows to. The box next to the calendar will show you the available restore points from that day. The ones marked "System Checkpoint" are the automatic ones that Windows XP created.
Choose the one you want, then click "Next". Don't pick a point too far back in the past,maybe one just before you started having problems -- remember, any programs you installed since your restoration point may not work anymore,so you may have to reinstall them.
Reboot your PC.

[dhult]

i tried this but it will only let me go back to the 7th, and the SP2 will get about half way done and then it will deny access and delete what it had already started.

[Pancake]

Sounds like you dont have a legal copy of XP....

[dhult]

How can I tell if it is legal or not. Everything else seems to be fixed. I just can't start windows normally. It will only start in safe mode. It will not start in last known good config anymore either.

[Pancake]

We can check validation here..

Quote:

Please download MGADiag.exe to your desktop.http://go.microsoft.com/fwlink/?linkid=52012

Double-click MGADiag.exe and click Continue in the bottom right of the window to run the tool.

When it's done, capture a screenshot of the finished scan, and post that.

In Windows a screenshot of the entire monitor, complete with taskbar, can be copied to the system clipboard by pressing the Print screen key (normally located in the top row on the right-hand side of the keyboard)..

You can then paste the clipboard into a program like MS Paint to save it as an image file or paste it directly into a document.
Press the Print screen key
Click the "Start" button (normally located in the bottom left of your screen).
Click "Run" & type "mspaint" (without quotes) & click the "OK" button.
Wait while the application "Paint" opens. Once it is open, proceed to the next step.
Click the "Edit" menu and select "Paste".
Click the "File" menu and select "Save As...". A dialog box will appear.
In the "File name" field, enter a name of your choice.
Click the "Save as type" drop-down and select "JPEG (*.JPG;*.JPEG;*.JPE*;.JFIF)".
Click the "Save" button.

Attach it in your next reply, please.

To attach a file to a new post, simply
Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, browse to where you saved the file, and
Click Upload.

[dhult]

I have attached the screenshot.

[Pancake]

Its legal.Try getting SP1a..


http://www.microsoft.com/windowsxp/sp1/default.mspx

[dhult]

I installed SP1 with no problems but I still can't start windows normally. When I try to start it normally, the computer shuts down and then turns back on several times and then it goes back to the screen with the options on how I want to run windows. and it will only work when I click on Safe Mode with Networking or Safe Mode.

[Pancake]

This no longer looks like a malware problem so I now suggest you go to one of our other forums and see if they can help further.

[dhult]

Thank you so much for your help. It is greatly appreciated. Can I remove the ComboFix and the MGADiag from my desktop?