Nov 20th, 2007
0

Re: Another explorer.exe thread.

Not a good thing. Hmm, I really wish ComboFix was working... oh well. The only thing that the scan found before it was interrupted was what appears to be a crack.

If you didn't download this on purpose then delete it immediately.

Here's the file in question.

C:\Documents and Settings\dis0003\My Documents\WPA\aircrack-ng-0.6.2-win\bin\airodump-ng.exe

If you didn't put that there, delete it.

Since ComboFix is down, let's try this.


Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your thread in your next post.
5. Please attach extra.txt to your next post; do not copy and paste it.
*To attach, click the icon above this text box that looks like a paperclip. Then click Browse, navigate to extra.txt and select it, then hit Upload. You can then close the pop-up window.

What DSS will do:

* create a new System Restore point in Windows XP and Vista.
* clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
* check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.


Hopefully this will let me see a little bit more of what's wrong. And also, thanks for your patience.
Team Colleague
Reputation Points: 55
Solved Threads: 39
A.K.A. The Laughing Man
kylethedarkn
600 posts
since May 2006
Nov 20th, 2007
0

Re: Another explorer.exe thread.

Main.txt:

Deckard's System Scanner v20071014.68
Run by DIS0003 on 2007-11-21 13:57:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 4 Restore Point(s) --
4: 2007-11-21 02:57:33 UTC - RP4 - Deckard's System Scanner Restore Point
3: 2007-11-20 06:02:13 UTC - RP3 - Last known good configuration
2: 2007-11-20 06:01:24 UTC - RP2 - Test
1: 2007-11-20 06:01:23 UTC - RP1 - Screwed


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as DIS0003.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:00, on 2007-11-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\dis0003\Desktop\dss.exe
C:\PROGRA~1\Trend Micro\HijackThis\DIS0003.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.balwynhs.vic.edu.au/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.balwynhs.vic.edu.au;172.*;*.education.vic.gov.au;*.sofweb.vic.edu.au;*.vass.vic.edu.au;*.eduweb.vic.gov.au;*.edudev.vic.gov.au;*.edumail.vic.gov.au;*.otte.vic.gov.au;*.icon.edu.vic.gov.au;*.ultranet.vic.edu.au;*.vcaa.vic.edu.au;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: Dictionary.com - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\lexbar.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: IE Developer Toolbar BHO - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\lexbar.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Alwil Software\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR Smart Wizard.lnk = ?
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\IESpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\IESpell\wikipedia.HTM
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/.../GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1189310573102
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar...ackToolbar.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1189310549718
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tool...bar/lexico.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = balwynhs.vic.edu.au
O17 - HKLM\Software\..\Telephony: DomainName = balwynhs.vic.edu.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{64E8F97B-0E16-4880-B1DC-B4BE5415C0CD}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE3C0847-A744-439C-AF04-145D3C4775F1}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = balwynhs.vic.edu.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = balwynhs.vic.edu.au
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

--
End of file - 11314 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\Trend Micro\HijackThis\backups\) ------

backup-20070910-171258-717 O8 - Extra context menu item: Download with Rapget - C:\Documents and Settings\dis0003\Desktop\RAP\rapget.htm
backup-20071117-231700-973 O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\jtpm0771e.dll (file missing)
backup-20071119-012518-517 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
backup-20071119-012538-137 O9 - Extra button: Fiddler - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler\Fiddler.exe" (file missing)
backup-20071119-012538-466 O9 - Extra 'Tools' menuitem: Fiddler - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler\Fiddler.exe" (file missing)
backup-20071119-012617-876 O23 - Service: MySql - Unknown owner - c:/xampp/mysql/bin/mysqld-nt.exe (file missing)
backup-20071119-155042-177 O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
backup-20071119-155042-349 O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
backup-20071119-155042-782 O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
backup-20071119-155042-882 O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
backup-20071119-155042-991 O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
backup-20071119-200329-288 O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
backup-20071120-202132-415 O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
backup-20071120-224027-144 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20071120-224241-285 O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\gpn0l35m1.dll (file missing)
backup-20071120-225030-546 O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
backup-20071120-225132-663 O20 - AppInit_DLLs: "",wbsys.dll
backup-20071120-225957-839 O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfvfs02 (StarForce Protection VFS Driver (version 2.x)) - c:\windows\system32\drivers\sfvfs02.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R2 EpmPsd (Acer EPM Power Scheme Driver) - c:\windows\system32\drivers\epm-psd.sys <Not Verified; Acer Value Labs, USA; Acer EPM Power Scheme Driver>
R2 EpmShd (Acer EPM System Hardware Driver) - c:\windows\system32\drivers\epm-shd.sys <Not Verified; Acer Value Labs, USA; Acer EPM System Hardware Driver>
R2 osaio - c:\windows\system32\drivers\osaio.sys <Not Verified; Windows (R) 2000 DDK provider; OSA I/O Port Driver Version 1.0.5>
R2 osanbm - c:\windows\system32\drivers\osanbm.sys <Not Verified; Windows (R) 2000 DDK provider; OSA int15 Driver Version 2.0.2>
R3 cmudau (C-Media USB Sound Interface) - c:\windows\system32\drivers\cmudau.sys <Not Verified; C-Media Inc; C-Media USB Audio Driver (WDM)>
R3 DKbFltr (Dritek HotKey Keyboard Filter Driver) - c:\windows\system32\drivers\dkbfltr.sys <Not Verified; Dritek System Inc.; Dritek MMKey>
R3 int15.sys - c:\program files\acer\erecovery\int15.sys
R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >

S0 VClone - c:\windows\system32\drivers\vclone.sys (file missing)
S2 npkcrypt - d:\game program files\ms\npkcrypt.sys (file missing)
S3 ASPI (Advanced SCSI Programming Interface Driver) - c:\windows\system32\drivers\aspi32.sys <Not Verified; Adaptec; Adaptec's ASPI Layer>
S3 BPIKSp50 (BPIKSp50 NDIS Protocol Driver) - e:\bpiksp50.sys (file missing)
S3 DISK_DRIVE32 - d:\game program files\hizet\newhack\disk drove\ce\disk_1024.sys (file missing)
S3 EagleNT - c:\windows\system32\drivers\eaglent.sys (file missing)
S3 nocashio - c:\windows\system32\drivers\nocashio.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 anbmService (Notebook Manager Service) - c:\acer\emanager\anbmserv.exe <Not Verified; OSA Technologies Inc.; Acer eManager for Notebook>

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S4 MySql - c:/xampp/mysql/bin/mysqld-nt.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E977-E325-11CE-BFC1-08002BE10318}
Description: Intel PCIC compatible PCMCIA controller
Device ID: ROOT\PCMCIA\0000
Manufacturer: Intel
Name: Intel PCIC compatible PCMCIA controller
PNP Device ID: ROOT\PCMCIA\0000
Service: pcmcia

Class GUID: {4D36E977-E325-11CE-BFC1-08002BE10318}
Description: Intel PCIC compatible PCMCIA controller
Device ID: ROOT\PCMCIA\0001
Manufacturer: Intel
Name: Intel PCIC compatible PCMCIA controller
PNP Device ID: ROOT\PCMCIA\0001
Service: pcmcia


-- Scheduled Tasks -------------------------------------------------------------

2007-11-18 01:39:02 330 --ah---c- C:\WINDOWS\Tasks\MP Scheduled Scan.job


-- Files created between 2007-10-21 and 2007-11-21 -----------------------------

2007-11-21 13:48:43 6925 --ahs--c- C:\WINDOWS\system32\fihjl.ini2
2007-11-21 13:48:29 319072 -------c- C:\WINDOWS\system32\ljhif.dll
2007-11-21 00:20:31 317 --ahs--c- C:\WINDOWS\system32\ppsut.ini2
2007-11-21 00:20:19 319072 -------c- C:\WINDOWS\system32\tuspp.dll
2007-11-20 23:50:16 6925 --ahs--c- C:\WINDOWS\system32\nmnpo.ini2
2007-11-20 23:50:00 319072 -------c- C:\WINDOWS\system32\opnmn.dll
2007-11-20 23:19:41 6925 --ahs--c- C:\WINDOWS\system32\ggjlm.ini2
2007-11-20 23:19:30 319072 --a----c- C:\WINDOWS\system32\mljgg.dll
2007-11-20 17:12:15 0 d------c- C:\WINDOWS\system32\ActiveScan
2007-11-20 15:48:50 0 d------c- C:\VundoFix Backups
2007-11-19 21:29:05 0 d------c- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-19 20:14:16 0 d------c- C:\Program Files\CCleaner
2007-11-19 00:27:32 317 --ahs--c- C:\WINDOWS\system32\aaycf.ini2
2007-11-19 00:27:17 320608 -------c- C:\WINDOWS\system32\fcyaa.dll
2007-11-19 00:07:21 3552 --a----c- C:\WINDOWS\system32\tmp.reg
2007-11-19 00:05:50 25600 --a----c- C:\WINDOWS\system32\WS2Fix.exe
2007-11-19 00:05:50 289144 --a----c- C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2007-11-19 00:05:50 288417 --a----c- C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-11-19 00:05:50 53248 --a----c- C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-11-19 00:05:50 51200 --a----c- C:\WINDOWS\system32\dumphive.exe
2007-11-18 18:09:52 7375 --ahs--c- C:\WINDOWS\system32\nnmoq.ini2
2007-11-18 18:09:41 320608 -------c- C:\WINDOWS\system32\qomnn.dll
2007-11-18 13:20:33 0 d------c- C:\Documents and Settings\dis0003\Application Data\Uniblue
2007-11-17 22:28:56 0 d------c- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-17 20:18:24 37376 --a----c- C:\WINDOWS\system32\wvurqnm.dll
2007-11-17 19:35:18 0 d------c- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2007-11-16 19:16:31 0 d------c- C:\Program Files\Pointstone
2007-11-13 23:01:50 0 d------c- C:\Program Files\AimGames
2007-11-04 22:18:22 0 d------c- C:\Documents and Settings\dis0003\Application Data\teamspeak2
2007-11-03 17:28:12 0 d------c- C:\Documents and Settings\NetworkService\Application Data\Xfire


-- Find3M Report ---------------------------------------------------------------

2007-11-20 23:07:22 0 d------c- C:\Documents and Settings\dis0003\Application Data\AVG7
2007-11-20 22:58:43 0 d------c- C:\Program Files\mIRC
2007-11-20 19:13:05 0 d------c- C:\Program Files\Windows Defender
2007-11-20 19:12:45 0 d------c- C:\Program Files\MSN Messenger
2007-11-20 17:52:52 0 d------c- C:\Program Files\NetBattle
2007-11-19 00:44:44 0 d------c- C:\Program Files\Spyware Doctor
2007-11-18 17:05:30 0 d------c- C:\Program Files\PowerISO
2007-11-18 17:05:29 0 d------c- C:\Program Files\7-Zip
2007-11-18 17:05:27 0 d------c- C:\Program Files\Notepad++
2007-11-18 17:04:28 0 d------c- C:\Program Files\Microsoft Silverlight
2007-11-18 00:43:19 0 d------c- C:\Program Files\Alwil Software
2007-11-17 19:45:28 0 d------c- C:\Program Files\Common Files\Symantec Shared
2007-11-15 23:48:43 0 d------c- C:\Program Files\Bonjour
2007-11-09 17:06:19 0 d------c- C:\Documents and Settings\dis0003\Application Data\Xfire
2007-10-23 16:52:35 0 d------c- C:\Documents and Settings\dis0003\Application Data\Hamachi
2007-10-22 18:37:07 0 d------c- C:\Program Files\Cheat Engine
2007-10-20 20:23:15 0 d------c- C:\Program Files\IObit
2007-10-19 00:53:34 0 d------c- C:\Program Files\Common Files
2007-10-19 00:53:34 0 d------c- C:\Program Files\Common Files\ScanSoft Shared
2007-10-19 00:52:36 0 d------c- C:\Program Files\ScanSoft
2007-10-16 18:11:59 0 d------c- C:\Program Files\Google
2007-10-16 17:18:41 0 d------c- C:\Program Files\Softnyx Canada
2007-10-07 02:14:05 0 d------c- C:\Documents and Settings\dis0003\Application Data\Audacity
2007-10-06 19:45:06 0 d------c- C:\Program Files\Any Sound Recorder
2007-10-04 20:37:14 0 d------c- C:\Program Files\Audacity 1.3 Beta (Unicode)
2007-10-02 06:39:39 0 d------c- C:\Program Files\Microsoft Visual Studio 9.0
2007-10-02 02:43:38 0 d------c- C:\Program Files\Common Files\AOL
2007-10-01 22:59:34 0 d------c- C:\Program Files\Microsoft SDKs
2007-10-01 22:53:34 0 d------c- C:\Program Files\MSBuild
2007-10-01 22:53:25 0 d------c- C:\Program Files\Reference Assemblies
2007-10-01 21:44:27 0 d------c- C:\Program Files\Canon
2007-10-01 21:42:58 0 d--h---c- C:\Program Files\InstallShield Installation Information
2007-10-01 06:44:04 0 d------c- C:\Program Files\Microsoft
2007-10-01 06:02:27 0 d------c- C:\Program Files\Fiddler2
2007-10-01 04:52:48 0 d------c- C:\Program Files\Fiddler
2007-10-01 04:48:26 796672 --a----c- C:\WINDOWS\GPInstall.exe <Not Verified; Qsc; GP-Install>
2007-10-01 04:47:27 0 d------c- C:\Program Files\AutoTypist
2007-09-26 22:38:25 0 d------c- C:\Documents and Settings\dis0003\Application Data\Avant Profiles
2007-09-26 22:37:27 0 d------c- C:\Program Files\Avant Browser
2007-09-10 12:55:54 692224 --a----c- C:\WINDOWS\system32\ijjiSetup.exe <Not Verified; NHN USA; ijjiSetup Application>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 03:47 C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2003-11-19 12:41 C:\WINDOWS\AGRSMMSG.exe]
"eRecoveryService"="C:\Windows\System32\Check.exe" [2004-07-20 01:14]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 09:10]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [2004-07-14 02:19]
"ePowerManagement"="C:\Acer\ePM\ePM.exe" [2004-09-01 05:38]
"LManager"="C:\Program Files\Launch Manager\QtZgAcer.EXE" [2004-06-30 03:41]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 05:15]
"CmUsbSound"="cmcnfgu.cpl" []
"ISUSPM Startup"="c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 07:03]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-17 10:28]
"avast!"="C:\PROGRA~1\Alwil Software\Avast4\ashDisp.exe" [2007-09-06 08:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Oshddndf"=C:\WINDOWS\YSTEM3~1\IXPLOR~1.EXE
"Spyware Doctor"=

C:\Documents and Settings\dis0003\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-12-21 2:49:31 PM]
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2006-07-04 5:26:30 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-12-21 2:49:31 PM]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 5:05:26 PM]
NETGEAR Smart Wizard.lnk - C:\WINDOWS\Installer\{B93D24B3-928D-4805-B379-4AA47CB3794E}\NewShortcut2.exe [2007-02-05 11:17:58 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{8ED2EE63-44E2-46A6-8BB4-E486F5F22EF4}"= C:\WINDOWS\system32\wvurqnm.dll [2007-11-17 08:18 37376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\Object Desktop\WindowBlinds\wbsrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\ljhif

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-32192\Scripts\Logon\0\0]
"Script"=StudentScripts.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-32192\Scripts\Logon\1\0]
"Script"=LaptopProgram.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^dis0003^Start Menu^Programs^Startup^WinMySQLadmin.lnk]
path=C:\Documents and Settings\dis0003\Start Menu\Programs\Startup\WinMySQLadmin.lnk
backup=C:\WINDOWS\pss\WinMySQLadmin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAWTray]
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"D:\Game Program Files\Bit\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
"C:\Program Files\Google\Google Talk\googletalk.exe" /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1158301443\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
"C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
"C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
"C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Documents and Settings\dis0003\Desktop\RegistryBooster 2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ




-- Hosts -----------------------------------------------------------------------

127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com

7489 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2007-11-21 14:08:39 ------------
Attached Files
File Type: txt extra.txt (33.9 KB, 14 views)
Reputation Points: 10
Solved Threads: 0
Newbie Poster
Thalnax
12 posts
since Nov 2007
Nov 22nd, 2007
0

Re: Another explorer.exe thread.

Kyle, please read all of this.

Ok, now I think I've made some headway into this.

I examined my own HijackThis log and actually fixed a couple of things that I thought shouldn't have been auto loading themselves into my registry on startup.

They were:

ixplore.exe
ixplore.exe

Google told me that this is actually a trojan. Deleting this seemed to reveal the real problem, as conducting another scan revealed an entry I hadn't seen before, ljhif.dll. A quick Google search told me that this was a bad thing and that it was somehow related to winlogon.exe (I told you how a certain program had caused winlogon.exe to crash right before this whole problem started).

I went into the System 32 folder and used Unlocker to unlock the process. This caused absolute chaos, message boxes were popping up really fast. The first one was an error telling me that "rundll32.exe had crashed", which was then followed by two "Data Execution Prevention" message boxes telling me that "run dll as an app" was stopped to prevent damage to my laptop.

After that, it seemed to be over. No more explorer.exe restarting. The lag was gone. I was even starting to type my post here on how it was fixed...until all of a sudden explorer.exe crashed again, and the occasional freezing lag thing appeared again.

I went back into HijackThis and found that instead of ljhif.dll, there was a new entry, xxwvt.dll. I then went and found it in the System 32 file, unlocked it with Unlocker (Unlocker said that it was being used by explorer.exe), and then used HijackThis to fix it.

Once again, explorer stopped crashing and the lag was gone. So I thought once again that I had won. I had even typed the first couple of lines into the post when explorer.exe disappeared again. HijackThis showed me that xxwvt.dll was back again.

I'm pretty sure that if I can find a way to stop the dlls from respawning, my problem will be fixed. Please help me find the cause of this.
Last edited by Thalnax; Nov 22nd, 2007 at 10:36 am.
Thalnax
Nov 22nd, 2007
0

Re: Another explorer.exe thread.

After the second time of removing xxwvt.dll, it didn't come back. I even restarted just to make sure.

I guess it's over. Problem solved.
Last edited by Thalnax; Nov 22nd, 2007 at 10:56 am.
Thalnax
Nov 22nd, 2007
1

Re: Another explorer.exe thread.

Nice Find! Now Combofix is working again so I'd like you to run it just to make sure everything is gone. Just to let you know it restarts your computer so don't freak out.

Please download Combofix.exe from here to your desktop. Double click it to run and when prompted type 1 and enter. Now DO NOT touch the mouse or keyboard until the scan is done completely. It should finish shortly after it restarts the computer. After it's done it will open up notepad, copy and paste the contents here in your next post.

Combofix and Deckard's System Scanner are similar, but combofix deletes problem files automatically and dss does not. It also has the ability to delete files.

Also you have entries in your hosts file that were created by this trojan, so you should use hjt to fix that. To do this run hjt and select "open misc tools section" and then click on "Open hosts file manager".
Now select the bogus entries by clicking on them and then click delete line. (The ones you should delete will be pretty obvious...if you've never seen the site that's listed delete the line)
Last edited by kylethedarkn; Nov 22nd, 2007 at 11:32 am.
kylethedarkn
Nov 23rd, 2007
0

Re: Another explorer.exe thread.

It seemed that rather than respawning, each .dll was simply being replaced with another one. ComboFix just removed all of these backup replacement dlls.

I checked the hosts file before and after I ran ComboFix. ComboFix deleted all of the bad website URLs that were in there.
Thalnax
Nov 23rd, 2007
0

Re: Another explorer.exe thread.

And it's apparently not over. Even after using ComboFix another .dll appeared.

Here's the ComboFix.txt:

ComboFix 07-11-19.3 - DIS0003 2007-11-23 17:07:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.537 [GMT 11:00]
Running from: C:\Documents and Settings\dis0003\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\misc001
C:\WINDOWS\sks~1
C:\WINDOWS\system32\aaycf.ini
C:\WINDOWS\system32\aaycf.ini2
C:\WINDOWS\system32\dfefe.ini
C:\WINDOWS\system32\dfefe.ini2
C:\WINDOWS\system32\fcyaa.dll
C:\WINDOWS\system32\fihjl.ini
C:\WINDOWS\system32\fihjl.ini2
C:\WINDOWS\system32\ggjlm.ini
C:\WINDOWS\system32\ggjlm.ini2
C:\WINDOWS\system32\mljgg.dll
C:\WINDOWS\system32\nmnpo.ini
C:\WINDOWS\system32\nmnpo.ini2
C:\WINDOWS\system32\nnmoq.ini
C:\WINDOWS\system32\nnmoq.ini2
C:\WINDOWS\system32\opnmn.dll
C:\WINDOWS\system32\ppsut.ini
C:\WINDOWS\system32\ppsut.ini2
C:\WINDOWS\system32\qomnn.dll
C:\WINDOWS\system32\tuspp.dll
C:\WINDOWS\system32\tuwxx.ini
C:\WINDOWS\system32\tuwxx.ini2
C:\WINDOWS\system32\tvwxx.ini
C:\WINDOWS\system32\tvwxx.ini2
C:\WINDOWS\system32\wnstssu.exe
C:\WINDOWS\ystem3~1
C:\WINDOWS\ystem3~1\i?xplore.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-23 to 2007-11-23 )))))))))))))))))))))))))))))))
.

2007-11-23 17:09 272,820 --a--c--- C:\WINDOWS\system32\wvurs.dll
2007-11-21 14:23 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-11-21 14:22 <DIR> d----c--- C:\Program Files\AIM6
2007-11-21 13:56 <DIR> d----c--- C:\Deckard
2007-11-20 17:12 <DIR> d----c--- C:\WINDOWS\system32\ActiveScan
2007-11-20 17:12 30,590 --a--c--- C:\WINDOWS\system32\pavas.ico
2007-11-20 15:48 <DIR> d----c--- C:\VundoFix Backups
2007-11-19 21:29 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-19 20:14 <DIR> d----c--- C:\Program Files\CCleaner
2007-11-19 17:07 73,472 --a--c--- C:\WINDOWS\system32\dllcache\sr.sys
2007-11-19 16:01 317 --ahsc--- C:\WINDOWS\system32\jknpo.ini
2007-11-19 00:05 51,200 --a--c--- C:\WINDOWS\system32\dumphive.exe
2007-11-18 02:25 0 --a--c--- C:\WINDOWS\system32\asfiles.txt
2007-11-18 02:02 1,406 --a--c--- C:\WINDOWS\system32\Help.ico
2007-11-18 00:43 801,144 --a--c--- C:\WINDOWS\system32\aswBoot.exe
2007-11-18 00:43 95,608 --a--c--- C:\WINDOWS\system32\AvastSS.scr
2007-11-18 00:43 92,848 --a--c--- C:\WINDOWS\system32\drivers\aswmon.sys
2007-11-18 00:43 26,624 --a--c--- C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-17 22:28 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-17 20:26 317 --ahsc--- C:\WINDOWS\system32\xwvwa.ini
2007-11-17 20:18 37,376 --a--c--- C:\WINDOWS\system32\wvurqnm.dll
2007-11-17 19:35 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2007-11-16 19:16 <DIR> d----c--- C:\Program Files\Pointstone
2007-11-13 23:01 <DIR> d----c--- C:\Program Files\AimGames
2007-11-04 22:18 <DIR> d----c--- C:\Documents and Settings\dis0003\Application Data\teamspeak2
2007-11-04 22:18 34,064 --a--c--- C:\WINDOWS\system32\lhacm.acm
2007-11-03 17:28 <DIR> d----c--- C:\Documents and Settings\NetworkService\Application Data\Xfire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-22 14:43 --------- dc----w C:\Documents and Settings\dis0003\Application Data\AVG7
2007-11-22 13:13 --------- dc----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-22 12:54 --------- dc----w C:\Program Files\Avant Browser
2007-11-22 12:52 --------- dc----w C:\Program Files\DFX
2007-11-22 10:18 --------- dc----w C:\Program Files\mIRC
2007-11-21 04:01 --------- dc----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-21 03:26 --------- dc----w C:\Documents and Settings\All Users\Application Data\AOL
2007-11-21 03:23 --------- dc----w C:\Program Files\Common Files\AOL
2007-11-20 08:13 --------- dc----w C:\Program Files\Windows Defender
2007-11-20 08:12 --------- dc----w C:\Program Files\MSN Messenger
2007-11-20 06:52 --------- dc----w C:\Program Files\NetBattle
2007-11-18 13:44 --------- dc----w C:\Program Files\Spyware Doctor
2007-11-18 11:25 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-18 06:05 --------- dc----w C:\Program Files\PowerISO
2007-11-18 06:05 --------- dc----w C:\Program Files\Notepad++
2007-11-18 06:05 --------- dc----w C:\Program Files\7-Zip
2007-11-18 06:04 --------- dc----w C:\Program Files\Microsoft Silverlight
2007-11-17 13:43 --------- dc----w C:\Program Files\Alwil Software
2007-11-17 11:26 --------- dc----w C:\Documents and Settings\All Users\Application Data\avg7
2007-11-17 08:45 --------- dc----w C:\Program Files\Common Files\Symantec Shared
2007-11-15 12:48 --------- dc----w C:\Program Files\Bonjour
2007-11-09 06:06 --------- dc----w C:\Documents and Settings\dis0003\Application Data\Xfire
2007-10-23 05:52 --------- dc----w C:\Documents and Settings\dis0003\Application Data\Hamachi
2007-10-22 07:37 --------- dc----w C:\Program Files\Cheat Engine
2007-10-20 09:23 --------- dc----w C:\Program Files\IObit
2007-10-18 13:53 --------- dc----w C:\Program Files\Common Files\ScanSoft Shared
2007-10-18 13:53 --------- dc----w C:\Documents and Settings\All Users\Application Data\ScanSoft
2007-10-18 13:52 --------- dc----w C:\Program Files\ScanSoft
2007-10-16 07:11 --------- dc----w C:\Program Files\Google
2007-10-16 06:18 --------- dc----w C:\Program Files\Softnyx Canada
2007-10-06 15:14 --------- dc----w C:\Documents and Settings\dis0003\Application Data\Audacity
2007-10-06 08:45 --------- dc----w C:\Program Files\Any Sound Recorder
2007-10-04 09:37 --------- dc----w C:\Program Files\Audacity 1.3 Beta (Unicode)
2007-10-01 19:39 --------- dc----w C:\Program Files\Microsoft Visual Studio 9.0
2007-10-01 12:06 --------- dc----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-01 11:59 --------- dc----w C:\Program Files\Microsoft SDKs
2007-10-01 11:53 --------- dc----w C:\Program Files\Reference Assemblies
2007-10-01 11:53 --------- dc----w C:\Program Files\MSBuild
2007-10-01 10:44 --------- dc----w C:\Program Files\Canon
2007-10-01 10:42 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2007-09-30 19:44 --------- dc----w C:\Program Files\Microsoft
2007-09-30 19:02 --------- dc----w C:\Program Files\Fiddler2
2007-09-30 17:52 --------- dc----w C:\Program Files\Fiddler
2007-09-30 17:48 796,672 -c--a-w C:\WINDOWS\GPInstall.exe
2007-09-26 11:38 --------- dc----w C:\Documents and Settings\dis0003\Application Data\Avant Profiles
2006-07-07 12:43 0 -c-ha-w C:\Program Files\Common Files\mqmq
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 15:47 C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2003-11-19 00:41 C:\WINDOWS\AGRSMMSG.exe]
"eRecoveryService"="C:\Windows\System32\Check.exe" [2004-07-20 13:14]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 21:10]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [2004-07-14 14:19]
"ePowerManagement"="C:\Acer\ePM\ePM.exe" [2004-09-01 17:38]
"LManager"="C:\Program Files\Launch Manager\QtZgAcer.EXE" [2004-06-30 15:41]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 17:15]
"CmUsbSound"="RunDll32 cmcnfgu.cpl" []
"ISUSPM Startup"="c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 07:03]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-17 22:28]
"avast!"="C:\PROGRA~1\Alwil Software\Avast4\ashDisp.exe" [2007-09-06 20:06]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2005-09-27 11:34]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="" []
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-17 22:29]

C:\Documents and Settings\dis0003\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-12-21 14:49:31]
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2006-07-04 17:26:30]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-12-21 14:49:31]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 17:05:26]
NETGEAR Smart Wizard.lnk - C:\WINDOWS\Installer\{B93D24B3-928D-4805-B379-4AA47CB3794E}\NewShortcut2.exe [2007-02-05 11:17:58]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{8ED2EE63-44E2-46A6-8BB4-E486F5F22EF4}"= C:\WINDOWS\system32\wvurqnm.dll [2007-11-17 20:18 37376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\Object Desktop\WindowBlinds\wbsrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-32192\Scripts\Logon\0\0]
"Script"=StudentScripts.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-32192\Scripts\Logon\1\0]
"Script"=LaptopProgram.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^dis0003^Start Menu^Programs^Startup^WinMySQLadmin.lnk]
path=C:\Documents and Settings\dis0003\Start Menu\Programs\Startup\WinMySQLadmin.lnk
backup=C:\WINDOWS\pss\WinMySQLadmin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAWTray]
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
D:\Game Program Files\Bit\bittorrent.exe --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Program Files\Google\Google Talk\googletalk.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1158301443\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2004-02-19 04:55 49152 --a--c--- C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2006-03-21 14:19 69632 --a--c--- C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2007-01-20 18:09 200704 --a--c--- C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-21 11:52 40960 --a--c--- C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 05:00 132496 --a--c--- C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2004-05-20 04:57 532480 --a--c--- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2004-05-20 04:57 98304 --a--c--- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Documents and Settings\dis0003\Desktop\RegistryBooster 2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
2002-08-28 14:12 77824 --a--c--- C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)
"aawservice"=2 (0x2)

R1 SMBHC;Microsoft SM Bus Host Controller Driver;C:\WINDOWS\system32\DRIVERS\SMBHC.sys
R2 EpmPsd;Acer EPM Power Scheme Driver;\??\C:\WINDOWS\system32\drivers\epm-psd.sys
R2 EpmShd;Acer EPM System Hardware Driver;\??\C:\WINDOWS\system32\drivers\epm-shd.sys
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys
R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys
R3 cmudau;C-Media USB Sound Interface;C:\WINDOWS\system32\drivers\cmudau.sys
R3 DKbFltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\system32\Drivers\DKbFltr.sys
R3 int15.sys;int15.sys;\??\C:\Program Files\acer\erecovery\int15.sys
R3 SMBBATT;Microsoft Smart Battery Driver;C:\WINDOWS\system32\DRIVERS\SMBBATT.sys
R3 W8335XP;NETGEAR WG511v2 54 Mbps Wireless PC Card for Windows XP (8335);C:\WINDOWS\system32\DRIVERS\WG511v2XP.sys
S3 ASPI;Advanced SCSI Programming Interface Driver;\??\C:\WINDOWS\System32\DRIVERS\ASPI32.sys
S3 BPIKSp50;BPIKSp50 NDIS Protocol Driver;\??\E:\BPIKSp50.sys
S3 DISK_DRIVE32;DISK_DRIVE32;\??\D:\Game Program Files\Hizet\newhack\Disk Drove\ce\disk_1024.sys
S3 nocashio;nocashio;C:\WINDOWS\system32\drivers\nocashio.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-22 14:39:00 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-23 17:14:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySql]
"ImagePath"="c:/xampp/mysql/bin/mysqld-nt.exe"
.
Completion time: 2007-11-23 17:16:16 - machine was rebooted
.
--- E O F ---
Thalnax
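The ComboFix log in the post above can be triaged mechanically. This added example (not part of the thread, and not ComboFix's or HijackThis' own logic) pairs each system32 DLL with an .ini/.ini2 file whose name is the DLL's name reversed, a pattern visible in the log's deletion list, and flags DLLs from the "Files Created" list that are registered under an in-process loading point. The function names and both heuristics are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: lines copied from the ComboFix log posted above, trimmed.
# The heuristics below are assumptions read off that log, not ComboFix's logic.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\aaycf.ini
C:\WINDOWS\system32\aaycf.ini2
C:\WINDOWS\system32\fcyaa.dll
C:\WINDOWS\system32\fihjl.ini
C:\WINDOWS\system32\fihjl.ini2
C:\WINDOWS\system32\tvwxx.ini
C:\WINDOWS\system32\tvwxx.ini2
2007-11-23 17:09 272,820 --a--c--- C:\WINDOWS\system32\wvurs.dll
2007-11-19 16:01 317 --ahsc--- C:\WINDOWS\system32\jknpo.ini
2007-11-18 00:43 801,144 --a--c--- C:\WINDOWS\system32\aswBoot.exe
2007-11-17 20:26 317 --ahsc--- C:\WINDOWS\system32\xwvwa.ini
2007-11-17 20:18 37,376 --a--c--- C:\WINDOWS\system32\wvurqnm.dll
[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{8ED2EE63-44E2-46A6-8BB4-E486F5F22EF4}"= C:\WINDOWS\system32\wvurqnm.dll [2007-11-17 20:18 37376]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\Object Desktop\WindowBlinds\wbsrv.dll
"""

PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]\r\n]*?\.(?:dll|exe|ini2?)\b', re.I)
KEY_RE = re.compile(r'^\[(.+)\]$')
CREATED_RE = re.compile(
    r'^(\d{4}-\d\d-\d\d \d\d:\d\d)[ \t]+[\d,]+[ \t]+\S+[ \t]+(.+\.dll)[ \t]*$',
    re.I | re.M)
# Registry locations that make Explorer or Winlogon load a DLL in-process.
DLL_LOAD_POINTS = ("shellexecutehooks", "winlogon\\notify")
INI = {".ini", ".ini2"}

def system32_files(log):
    """Map lowercase file stem -> set of extensions seen directly in system32."""
    found = {}
    for m in PATH_RE.finditer(log):
        p = PureWindowsPath(m.group(0))
        if p.parent.name.lower() == "system32":
            found.setdefault(p.stem.lower(), set()).add(p.suffix.lower())
    return found

def reversed_pairs(files):
    """DLLs whose name reversed is the name of a listed .ini/.ini2 file."""
    return sorted((s + ".dll", s[::-1] + ".ini") for s, e in files.items()
                  if ".dll" in e and files.get(s[::-1], set()) & INI)

def orphan_ini_leads(files):
    """.ini files with no partner DLL listed: the DLL name worth searching for."""
    return sorted((s + ".ini", s[::-1] + ".dll") for s, e in files.items()
                  if e & INI and ".dll" not in files.get(s[::-1], set()))

def load_point_dlls(log):
    """(registry key, DLL path) pairs found under in-process DLL load points."""
    hits, key = [], None
    for line in (l.strip() for l in log.splitlines()):
        k = KEY_RE.match(line)
        if k or not line:  # a new key or a blank line ends the previous key
            key = k.group(1).lower() if k else None
        elif key and any(lp in key for lp in DLL_LOAD_POINTS):
            hits += [(key, m.group(0)) for m in PATH_RE.finditer(line)
                     if m.group(0).lower().endswith(".dll")]
    return hits

def triage(log):
    files = system32_files(log)
    created = {p.lower(): ts for ts, p in CREATED_RE.findall(log)}
    return {
        "reversed_pairs": reversed_pairs(files),
        "look_for": orphan_ini_leads(files),
        "new_dll_in_load_point": sorted(
            (dll, key.rsplit("\\", 1)[-1], created[dll.lower()])
            for key, dll in load_point_dlls(log) if dll.lower() in created),
    }

if __name__ == "__main__":
    for name, rows in triage(SAMPLE_LOG).items():
        print(name, rows)
```

Every hit is a lead for manual review rather than a verdict; on this sample the orphaned .ini names reverse to ljhif.dll and xxwvt.dll, the two DLLs named earlier in the thread.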
Nov 23rd, 2007
0

Re: Another explorer.exe thread.

Another update. As I said earlier, new problematic dlls appear each time. One of which was pmnlk.dll.

Using HijackThis' process manager with the "show dlls" box checked, I scanned each running process for pmnlk.dll. I eventually found it under ctfmon.exe. I got rid of the dll and ended the ctfmon.exe process. Unfortunately, ctfmon.exe keeps reloading itself no matter how many times I end it.

Is ctfmon.exe infected?
Last edited by Thalnax; Nov 23rd, 2007 at 8:55 am.
Thalnax
Nov 24th, 2007
0

Re: Another explorer.exe thread.

Those dlls are Virtumonde again. Run Vundofix.exe again and it should find all of those and delete them. Then rename hijackthis.exe to random.exe and run it again. Post the vundofix log and the new renamed hjt log in your next post.

Also sorry for the delay.
kylethedarkn

This thread is solved

Either the thread starter or a moderator has marked this thread as solved. You can most likely trust the responses and answers given. There is most likely no reason for any further responses to be posted here. If you have a related question, please start a new thread in this forum instead.

© 2011 DaniWeb® LLC