userinit.exe and Explorer.EXE - Bad Image

4500 Views 3 Replies 2 Participants Last post by  Aaflac
I've got an error when I log on to Windows, as shown in the pictures. Please kindly help.

This is my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:45:54 AM, on 3/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\hijackthis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BM73809ba2] Rundll32.exe "C:\WINDOWS\system32\owmocnyh.dll",s
O4 - HKLM\..\Run: [70b3a83e] rundll32.exe "C:\WINDOWS\system32\kbtyxxtv.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [M-I] MI_Startup.vbs
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O8 - Extra context menu item: &Search - ?p=ZC
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5e2a3510-4371-11d6-b64c-00c04faedb18} (Oracle JInitiator 1.1.8.18) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162857825750
O16 - DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} (JInitiator 1.3.1.28) -
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://nc.miswaco.com/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = net.smith.com
O17 - HKLM\Software\..\Telephony: DomainName = net.smith.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = net.smith.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\508\g2aservice.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6617 bytes

Thanks,

Apologies for the delay in responding.

The workload on this forum is intense, and sometimes it is not possible to respond to every inquiry.


Please download ComboFix
Save to the Desktop <<< Important!!

Close or disable all AntiVirus and AntiMalware programs so that they do not interfere with the running of ComboFix.

Double-click combofix.exe to run the program
Follow the prompts.
(Don't click on the window while the program is running; it may cause your system to stall.)

When finished, a log, ComboFix.txt, is produced.

~~~~
Run HijackThis once again to obtain a new log.

~~~~
Please post the ComboFix.txt, and a new HijackThis log in your reply.

Sorry for the late reply.
_____________________________________________________________________________

This is my ComboFix log.

ComboFix 08-03-18.1 - swoolf 2008-03-25 4:12:35.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.480 [GMT 0:00]
Running from: C:\Documents and Settings\swoolf\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\robocopy.exe
C:\WINDOWS\BM73809ba2.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aacvmhda.dll
C:\WINDOWS\system32\aqblwxae.ini
C:\WINDOWS\system32\auhwhtki.dll
C:\WINDOWS\system32\auuykslw.ini
C:\WINDOWS\system32\avrbytmh.dll
C:\WINDOWS\system32\awtsp.dll
C:\WINDOWS\system32\bevvbogv.ini
C:\WINDOWS\system32\cogwiyoj.dll
C:\WINDOWS\system32\cygqsvsb.dll
C:\WINDOWS\system32\dpdxhckw.dll
C:\WINDOWS\system32\ejajtsea.dll
C:\WINDOWS\system32\eucvgwon.dll
C:\WINDOWS\system32\fwookcai.dll
C:\WINDOWS\system32\fxfwidyw.dll
C:\WINDOWS\system32\gdstkxup.dll
C:\WINDOWS\system32\ggladlvi.dll
C:\WINDOWS\system32\golerytf.dll
C:\WINDOWS\system32\gqxnhrpw.dll
C:\WINDOWS\system32\guayrtek.ini
C:\WINDOWS\system32\hdpywmim.dll
C:\WINDOWS\system32\hgghfdd.dll
C:\WINDOWS\system32\hrpessck.dll
C:\WINDOWS\system32\hvltytxe.dll
C:\WINDOWS\system32\iackoowf.ini
C:\WINDOWS\system32\ivjdwsat.dll
C:\WINDOWS\system32\iyoqqgpr.dll
C:\WINDOWS\system32\jbdycnef.dll
C:\WINDOWS\system32\jkkhigf.dll
C:\WINDOWS\system32\jpumyyhd.ini
C:\WINDOWS\system32\jxojvdld.ini
C:\WINDOWS\system32\kenpjgxw.dll
C:\WINDOWS\system32\lptrnydu.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mqijbqjs.dll
C:\WINDOWS\system32\mrndlwbq.dll
C:\WINDOWS\system32\mwfgqyht.dll
C:\WINDOWS\system32\owmocnyh.dll
C:\WINDOWS\system32\pdadvcoq.ini
C:\WINDOWS\system32\pstwa.ini
C:\WINDOWS\system32\pstwa.ini2
C:\WINDOWS\system32\qeegatgu.dll
C:\WINDOWS\system32\reuqqwng.dll
C:\WINDOWS\system32\rffplfvj.dll
C:\WINDOWS\system32\uewtmakr.ini
C:\WINDOWS\system32\vgobvveb.dll
C:\WINDOWS\system32\wkqsusuy.dll
C:\WINDOWS\system32\wlskyuua.dll
C:\WINDOWS\system32\wprhnxqg.ini
C:\WINDOWS\system32\x64
C:\WINDOWS\system32\xatbhjwr.dll
C:\WINDOWS\system32\xhtnkpdk.dll
C:\WINDOWS\system32\xlectlpm.dll

----- BITS: Possible infected sites -----

hxxp://MIDHARDYSMS01
hxxp://midhouhqwsus01
.
((((((((((((((((((((((((( Files Created from 2008-02-25 to 2008-03-25 )))))))))))))))))))))))))))))))
.

2008-03-21 09:57 . 2008-03-21 09:57 5,135 --a------ C:\WINDOWS\system32\kyilynpm.dll
2008-03-20 06:34 . 2008-03-20 06:14 1,599,141 --a------ C:\ComboFix.exe
2008-03-19 03:33 . 2008-03-20 03:34 1,335,448 ---hs---- C:\WINDOWS\system32\lrjcjyca.ini
2008-03-18 23:21 . 2008-03-18 23:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-03-18 03:35 . 2008-03-19 03:33 1,363,292 ---hs---- C:\WINDOWS\system32\abiefpen.ini
2008-03-17 09:13 . 2008-03-17 09:13 <DIR> d-------- C:\VundoFix Backups
2008-03-17 09:01 . 2007-08-28 11:09 <DIR> d-------- C:\Documents and Settings\akainan\Application Data\Juniper Networks
2008-03-17 09:01 . 2007-06-30 01:18 <DIR> d-------- C:\Documents and Settings\akainan\Application Data\InstallShield
2008-03-17 08:32 . 2007-08-28 11:09 <DIR> d-------- C:\Documents and Settings\vbackupexec\Application Data\Juniper Networks
2008-03-17 08:32 . 2007-06-30 01:18 <DIR> d-------- C:\Documents and Settings\vbackupexec\Application Data\InstallShield
2008-03-17 05:43 . 2008-03-17 05:43 <DIR> d-------- C:\Documents and Settings\swoolf\.java
2008-03-17 04:13 . 2008-02-18 03:53 401,720 --a------ C:\hijackthis.exe
2008-03-17 03:26 . 2008-03-18 03:30 1,362,692 ---hs---- C:\WINDOWS\system32\vtxxytbk.ini
2008-03-16 03:28 . 2008-03-16 03:28 5,136 --a------ C:\WINDOWS\system32\sacwysxc.dll
2008-03-16 03:25 . 2008-03-17 03:26 1,367,883 ---hs---- C:\WINDOWS\system32\cwgiopvs.ini
2008-03-15 03:02 . 2008-03-15 03:02 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Juniper Networks
2008-03-14 13:35 . 2008-03-16 03:20 1,351,275 ---hs---- C:\WINDOWS\system32\nfrxifce.ini
2008-03-14 09:08 . 2008-03-14 09:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-14 08:10 . 2008-02-20 04:18 14,113,576 --a------ C:\avgas-setup-7.5.1.43-3339.exe
2008-03-14 06:16 . 2008-03-14 06:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2008-03-14 06:13 . 2008-03-14 06:13 61,224 --a------ C:\Documents and Settings\swoolf\GoToAssistDownloadHelper.exe
2008-03-13 12:52 . 2008-03-13 12:52 4,434 ---hs---- C:\WINDOWS\system32\ogwtbrga.ini
2008-03-12 12:40 . 2008-03-13 12:51 4,374 ---hs---- C:\WINDOWS\system32\whrlidhg.ini
2008-03-12 09:39 . 2008-03-12 11:14 3,834 ---hs---- C:\WINDOWS\system32\mhcxbiar.ini
2008-03-12 09:35 . 2008-03-12 09:35 5,136 --a------ C:\WINDOWS\system32\xugyaqsa.dll
2008-03-12 09:32 . 2008-03-12 09:32 5,140 --a------ C:\WINDOWS\system32\cttiaspf.dll
2008-03-11 09:35 . 2008-03-12 09:29 3,594 ---hs---- C:\WINDOWS\system32\dccyanvl.ini
2008-03-11 00:27 . 2008-03-11 00:27 5,136 --a------ C:\WINDOWS\system32\fxelthau.dll
2008-03-11 00:25 . 2008-03-11 09:18 2,634 ---hs---- C:\WINDOWS\system32\wswnbult.ini
2008-03-10 03:33 . 2008-03-10 03:02 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-10 03:33 . 2008-03-10 03:33 2,546 --a------ C:\WINDOWS\unins000.dat
2008-03-09 11:59 . 2008-03-11 00:24 1,734 ---hs---- C:\WINDOWS\system32\ifuexaue.ini
2008-03-09 11:55 . 2008-03-09 11:55 5,140 --a------ C:\WINDOWS\system32\rrpdmdte.dll
2008-03-09 11:55 . 2008-03-09 11:55 5,136 --a------ C:\WINDOWS\system32\jjckhoiq.dll
2008-03-08 12:03 . 2008-03-08 12:03 5,136 --a------ C:\WINDOWS\system32\ccphyrsc.dll
2008-03-08 12:01 . 2008-03-09 11:57 654 ---hs---- C:\WINDOWS\system32\xstcubfv.ini
2008-03-08 11:54 . 2008-03-08 11:54 5,140 --a------ C:\WINDOWS\system32\cihgxdaq.dll
2008-03-07 11:53 . 2008-03-07 11:53 5,140 --a------ C:\WINDOWS\system32\xsdcwstq.dll
2008-03-05 01:01 . 2008-03-05 01:01 <DIR> d-------- C:\Documents and Settings\swoolf\Application Data\MSNInstaller
2008-03-04 04:59 . 2008-03-05 02:18 1,302,443 --ahs---- C:\WINDOWS\system32\txxyyfar.ini
2008-03-03 04:51 . 2008-03-04 04:52 1,302,203 --ahs---- C:\WINDOWS\system32\lwayqdib.ini
2008-02-27 06:43 . 2008-03-06 17:25 34,816 --a------ C:\WINDOWS\system32\mljiffg.dll
2008-02-25 17:32 . 2004-08-04 00:56 90,624 --a------ C:\WINDOWS\system32\kswdmcap.ax

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-14 06:15 --------- d-----w C:\Program Files\Citrix
2008-03-14 05:56 --------- d-----w C:\Documents and Settings\swoolf\Application Data\Skype
2008-03-14 04:54 --------- d-----w C:\Documents and Settings\swoolf\Application Data\skypePM
2008-03-10 03:02 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-05 01:03 --------- d-----w C:\Program Files\Google
2008-03-05 00:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-01 08:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-25 12:45 --------- d-----w C:\Program Files\Java
2008-01-21 01:13 3,799,643 ----a-w C:\WINDOWS\FramePkg.exe
2008-01-02 02:41 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-07-31 01:30 56,912 ----a-w C:\Documents and Settings\swoolf\g2mdlhlpx.exe
2007-07-30 08:56 5,548 ----a-w C:\Documents and Settings\swoolf\bicghi.exe
2007-07-30 08:50 5,546 ----a-w C:\Documents and Settings\swoolf\pefjty.exe
2007-07-30 08:43 5,548 ----a-w C:\Documents and Settings\swoolf\igbzzf.exe
2007-07-30 08:30 5,548 ----a-w C:\Documents and Settings\swoolf\zkveyc.exe
2007-07-30 08:23 5,548 ----a-w C:\Documents and Settings\swoolf\abovjr.exe
2007-07-30 08:16 5,548 ----a-w C:\Documents and Settings\swoolf\qlgjtk.exe
2007-07-30 08:10 5,548 ----a-w C:\Documents and Settings\swoolf\gkufrd.exe
2007-07-30 07:57 5,548 ----a-w C:\Documents and Settings\swoolf\pookqs.exe
2007-07-30 07:50 5,548 ----a-w C:\Documents and Settings\swoolf\imziso.exe
2007-07-30 07:43 5,548 ----a-w C:\Documents and Settings\swoolf\ebljzf.exe
2007-07-30 07:37 5,548 ----a-w C:\Documents and Settings\swoolf\xvcvju.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2006-11-30 13:50 112216]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 11:40 4167376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 14:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\508\G2AWinLogon.dll 2008-03-14 06:15 10536 C:\Program Files\Citrix\GoToAssist\508\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljiffg]
mljiffg.dll 2008-03-06 17:25 34816 C:\WINDOWS\system32\mljiffg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=ClientInstall3.vbs

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=C:\WINDOWS\pss\Windows Desktop Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\70b3a83e]
C:\WINDOWS\system32\vgobvveb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
-ra------ 2005-10-07 19:13 176128 C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM73809ba2]
C:\WINDOWS\system32\aacvmhda.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
--a------ 2005-12-19 15:08 1347584 C:\WINDOWS\system32\WLTRAY.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Communicator]
--a------ 2005-05-12 11:40 4167376 C:\Program Files\Microsoft Office Communicator\Communicator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2007-02-20 17:29 1191936 C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--a------ 2005-09-08 11:20 122940 C:\WINDOWS\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-12-10 02:29 49152 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-01-13 22:47 163840 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-01-13 22:47 131072 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 22:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 22:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-26 13:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X74-X75]
--a------ 2002-10-14 20:09 57344 C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\M-I]
--a------ 2006-04-07 13:40 855 C:\WINDOWS\system32\MI_Startup.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
--a------ 2007-08-30 15:06 136512 C:\Program Files\Network Associates\Common Framework\UdaterUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]
C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2007-01-13 22:46 135168 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 05:24 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2006-03-24 22:30 282624 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-12-12 15:20 21686568 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-11-08 03:12 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 22:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\Msmsgs.exe"=
"C:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"C:\\Program Files\\PPLive\\PPLive.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 a320raid;a320raid;C:\WINDOWS\system32\DRIVERS\a320raid.sys [2005-02-18 03:05]
R0 aac;PERC 320/DC SCSI RAID Miniport Driver;C:\WINDOWS\system32\DRIVERS\aac.sys [2004-04-07 21:14]
R0 aarich;aarich;C:\WINDOWS\system32\DRIVERS\aarich.sys [2005-05-18 01:12]
R0 megasas;DELL PERC RAID Driver;C:\WINDOWS\system32\drivers\megasas.sys [2006-04-18 16:51]
R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe [2004-08-04 08:05]
R2 iPCAgent;iPCAgent;C:\Program Files\iPass\iPassConnect\iPCAgent.exe [2005-08-25 19:41]
R2 MDC80211;iPass Protocol (IEEE 802.1x) v2.3.1.9;C:\WINDOWS\system32\DRIVERS\mdc80211.sys [2007-07-12 14:52]
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2007-01-30 05:37]
R3 prepdrvr;SMS Process Event Driver;C:\WINDOWS\system32\CCM\prepdrv.sys [2004-06-27 07:50]
S0 vmscsi;vmscsi;C:\WINDOWS\system32\drivers\vmscsi.sys []
S3 GoToAssist;GoToAssist;"C:\Program Files\Citrix\GoToAssist\508\g2aservice.exe" Start=service []
S3 hwcdcmdm0;HUAWEI Mobile Connect - 3G Modem;C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys [2006-09-08 16:24]
S3 hwusbser;HUAWEI Mobile Connect - 3G Application Interface;C:\WINDOWS\system32\DRIVERS\ewusbser.sys [2006-09-08 16:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.
Contents of the 'Scheduled Tasks' folder
"2008-02-29 22:49:55 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
"2008-02-25 22:30:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-25 04:23:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
.
**************************************************************************
.
Completion time: 2008-03-25 4:25:54 - machine was rebooted [vbackupexec]
ComboFix-quarantined-files.txt 2008-03-25 04:25:51
.
2008-02-29 09:56:04 --- E O F ---
_____________________________________________________________________________
And this is my HijackThis log after running ComboFix:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:30, on 2008-03-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Documents and Settings\vbackupexec\Desktop\hijackthis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = my.miswaco.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = my.miswaco.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.miswaco.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.prod.miswaco.com (HKLM)
O15 - Trusted Zone: *.web.miswaco.com (HKLM)
O16 - DPF: {5e2a3510-4371-11d6-b64c-00c04faedb18} (Oracle JInitiator 1.1.8.18) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162857825750
O16 - DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} (JInitiator 1.3.1.28) -
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://nc.miswaco.com/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = net.smith.com
O17 - HKLM\Software\..\Telephony: DomainName = net.smith.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = net.smith.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\508\G2AWinLogon.dll
O20 - Winlogon Notify: mljiffg - C:\WINDOWS\SYSTEM32\mljiffg.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\508\g2aservice.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7607 bytes
Please open Notepad (Start > Run > in the Open field type: notepad)
Click: OK

Copy/paste the text inside the code box below to Notepad:

Code:
File:: 
C:\WINDOWS\system32\kyilynpm.dll
C:\WINDOWS\system32\lrjcjyca.ini
C:\WINDOWS\system32\abiefpen.ini
C:\WINDOWS\system32\vtxxytbk.ini
C:\WINDOWS\system32\sacwysxc.dll
C:\WINDOWS\system32\cwgiopvs.ini
C:\WINDOWS\system32\nfrxifce.ini
C:\WINDOWS\system32\ogwtbrga.ini
C:\WINDOWS\system32\whrlidhg.ini
C:\WINDOWS\system32\mhcxbiar.ini
C:\WINDOWS\system32\xugyaqsa.dll
C:\WINDOWS\system32\cttiaspf.dll
C:\WINDOWS\system32\dccyanvl.ini
C:\WINDOWS\system32\fxelthau.dll
C:\WINDOWS\system32\wswnbult.ini
C:\WINDOWS\system32\ifuexaue.ini
C:\WINDOWS\system32\rrpdmdte.dll
C:\WINDOWS\system32\jjckhoiq.dll
C:\WINDOWS\system32\ccphyrsc.dll
C:\WINDOWS\system32\xstcubfv.ini
C:\WINDOWS\system32\cihgxdaq.dll
C:\WINDOWS\system32\xsdcwstq.dll
C:\WINDOWS\system32\txxyyfar.ini
C:\WINDOWS\system32\lwayqdib.ini
C:\WINDOWS\system32\mljiffg.dll
C:\WINDOWS\system32\vgobvveb.dll
C:\WINDOWS\system32\aacvmhda.dll
C:\Documents and Settings\swoolf\g2mdlhlpx.exe
C:\Documents and Settings\swoolf\bicghi.exe
C:\Documents and Settings\swoolf\pefjty.exe
C:\Documents and Settings\swoolf\igbzzf.exe
C:\Documents and Settings\swoolf\zkveyc.exe
C:\Documents and Settings\swoolf\abovjr.exe
C:\Documents and Settings\swoolf\qlgjtk.exe
C:\Documents and Settings\swoolf\gkufrd.exe
C:\Documents and Settings\swoolf\pookqs.exe
C:\Documents and Settings\swoolf\imziso.exe
C:\Documents and Settings\swoolf\ebljzf.exe
C:\Documents and Settings\swoolf\xvcvju.exe

Folder::
C:\Program Files\MyWebSearch

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljiffg]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\70b3a83e]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM73809ba2]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]

Save as CFScript.txt <<< Important!!
Change the Save as type to: All Files
Save it to the Desktop




Referring to the screenshot above, drag CFScript.txt >>> into >>> ComboFix.exe
ComboFix runs a scan on your system, and may reboot when it finishes. This is normal.

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

When finished, a log is produced: ComboFix.txt

~~~~
Run HijackThis once again, and Scan, to obtain a new log.

~~~~
Please provide the contents of the new ComboFix log, and the new HijackThis log in your reply.
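An added example, not part of the original posts: a Python check that a CFScript treats each O20 Winlogon Notify entry from a HijackThis log consistently, removing either both the DLL and its Notify key or neither. The function names are hypothetical, and the sample data is a shortened excerpt built from the log and script above.

```python
import re

# Constructed sample: the two O20 lines from the log above plus one O23 line.
HJT_LOG = r"""
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\508\G2AWinLogon.dll
O20 - Winlogon Notify: mljiffg - C:\WINDOWS\SYSTEM32\mljiffg.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Constructed sample: excerpt of the CFScript above (File:: list shortened).
CFSCRIPT = r"""
File::
C:\WINDOWS\system32\kyilynpm.dll
C:\WINDOWS\system32\mljiffg.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljiffg]
"""

NOTIFY_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify" + "\\"

def parse_cfscript(text):
    """Split a CFScript into {section name: [lines]}, e.g. 'File', 'Registry'."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.fullmatch(r"(\w+)::", line)
        if m:
            current = sections.setdefault(m.group(1), [])
        elif line and current is not None:
            current.append(line)
    return sections

def winlogon_notify(log):
    """Return [(name, dll_path)] for every O20 Winlogon Notify line."""
    pat = re.compile(r"^O20 - Winlogon Notify: (.+?) - (.+)$", re.M)
    return [(name, path.strip()) for name, path in pat.findall(log)]

def audit(log, script):
    """Per Notify entry: does the script delete its DLL, and remove its key?"""
    s = parse_cfscript(script)
    files = {f.lower() for f in s.get("File", [])}  # Windows paths are case-insensitive
    keys = {k.strip("[]").lstrip("-").lower() for k in s.get("Registry", [])}
    return {name: {"file": path.lower() in files,
                   "key": (NOTIFY_KEY + name.lower()) in keys}
            for name, path in winlogon_notify(log)}

def half_removed(log, script):
    """Names where only one of DLL / Notify key is removed (inconsistent script)."""
    return [n for n, r in audit(log, script).items() if r["file"] != r["key"]]
```

An entry listed by half_removed would leave either a Notify key pointing at a deleted DLL or a DLL on disk with its key gone, so the script should be corrected before it is run.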