Sorry what program should I use to do that?

I think AVG has it?

Download Delete Domains from here and run it. It will delete all entries from the trusted and restricted zone.

Ran Delete Domains, no change.

Downloaded AVG free, didn't include a rootkit scanner, ran the scan anyway and it found 75ish cookies and 5 instances of "autorun.inf" virus, and deleted them all.

Downloaded AVG Rootkit Scanner, did the scan and didn't find anything.

Some more curious happenings...

It takes 2 attempts to open my internet browser, and when I check Task Manager, 2 instances of Internet Explorer are running, but only one window.

If I try to change my folder options to show hidden files/folders it will change it, but if I close the window and reopen the folder options, it changes itself back to do not show hidden files/folders.

Hope this info helps.

Is it possible to download SP3 from a different computer, transfer it over to this one, and install it? And would that make much of a difference?

You say you have run numerous hijackthis logs. What did you do with them? Hijackthis does not fix anything without manual input.

Realised you never answered this question. How much did you 'Fix' with hijackthis before you posted here first?
==

Can't remember if I advised this already;

Download and run Winsockfix from here http://www.softpedia.com/get/Tweak/Network-Tweak/WinSockFix.shtml

==

1. Please open Notepad

  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
c:\windows\system32\kxqbqycr.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[IMG]http://i5.photobucket.com/albums/y153/crunchie1/CFScript.gif[/IMG]


7. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:

  • Combofix.txt
  • A new HijackThis log.

Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Yes, you can download SP3 onto another computer and transfer it. Search for the SP3 standalone installer, I think it's called "network install for IT professionals" or something, it's a few hundred meg.

Also "2 instances of Internet Explorer are running, but only one window." I think that's normal, I think there is the master IE process, then one for each window or tab.

I'm now able to access Microsoft websites!

To answer your question Crunchie, I had run HijackThis a few times before I initially posted, and removed a few items based on what I had researched about them in similar threads and/or Google searches. I don't remember what they were and I believe the logs are overwritten (correct me if I'm wrong).

I've run winsockfix before and I didn't see a change, but I ran it again anyways.

Then I created the CFScript file like you asked (I had created the previous one and run it with combofix to no avail) and ran it with combofix. This seems to have worked... here is the log.

ComboFix 09-01-13.04 - Bakx 2009-01-25 8:45:14.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.107 [GMT -6:00]
Running from: c:\documents and settings\Bakx\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Bakx\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -

FILE ::
c:\windows\system32\kxqbqycr.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\kxqbqycr.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-25 to 2009-01-25 )))))))))))))))))))))))))))))))
.

2009-01-25 01:31 . 2009-01-25 01:32 <DIR> d-------- C:\32788R22FWJFW
2009-01-20 17:12 . 2009-01-24 14:39 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-20 16:32 . 2007-01-18 06:00 3,968 --a------ c:\windows\system32\drivers\AvgArCln.sys
2009-01-20 16:23 . 2009-01-20 16:23 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-20 16:23 . 2009-01-20 16:56 <DIR> d-------- c:\documents and settings\Bakx\Application Data\AVGTOOLBAR
2009-01-20 16:23 . 2009-01-20 16:23 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-20 16:23 . 2009-01-20 16:23 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-01-20 16:23 . 2009-01-20 16:23 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-01-20 16:22 . 2009-01-20 16:22 <DIR> d-------- c:\program files\AVG
2009-01-20 16:22 . 2009-01-20 16:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-20 15:16 . 2009-01-20 15:16 <DIR> d-------- c:\windows\Sun
2009-01-20 15:13 . 2009-01-20 15:13 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-20 15:13 . 2009-01-20 15:13 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-20 15:12 . 2009-01-20 15:12 <DIR> d-------- c:\program files\Java
2009-01-18 12:06 . 2009-01-18 12:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sandlot Games
2009-01-18 12:04 . 2009-01-18 12:04 4,096 --a------ c:\windows\d3dx.dat
2009-01-18 12:00 . 2009-01-18 12:00 <DIR> d-------- c:\windows\Westward III Gold Rush
2009-01-18 12:00 . 2009-01-18 12:02 <DIR> d-------- c:\program files\Westward III Gold Rush
2009-01-18 11:40 . 2009-01-18 11:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-01-17 20:41 . 2009-01-17 20:42 <DIR> d-------- c:\program files\mIRC
2009-01-17 20:41 . 2009-01-17 20:42 <DIR> d-------- c:\documents and settings\Bakx\Application Data\mIRC
2009-01-17 20:37 . 2009-01-17 20:37 <DIR> d-------- c:\program files\ISODisk
2009-01-17 20:37 . 2006-04-26 01:03 9,600 --a------ c:\windows\system32\drivers\ISODisk.sys
2009-01-15 14:19 . 2009-01-23 02:58 <DIR> d-------- c:\windows\system32\CatRoot2
2009-01-13 23:46 . 2009-01-13 23:46 <DIR> d-------- c:\documents and settings\Bakx\Application Data\Malwarebytes
2009-01-13 23:45 . 2009-01-13 23:46 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-13 23:45 . 2009-01-13 23:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-13 23:45 . 2009-01-04 18:39 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-13 23:45 . 2009-01-04 18:39 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-13 16:42 . 2009-01-13 16:42 <DIR> d-------- c:\program files\Trend Micro
2009-01-11 09:31 . 2009-01-11 09:31 0 --a------ c:\windows\nsreg.dat
2009-01-07 16:30 . 2009-01-07 16:30 <DIR> d-------- c:\program files\Foxit Software
2009-01-07 16:30 . 2009-01-07 16:30 <DIR> d-------- c:\documents and settings\Bakx\Application Data\Foxit
2009-01-07 13:25 . 2009-01-07 13:33 <DIR> d-------- c:\documents and settings\Bakx\Application Data\vlc
2009-01-07 13:23 . 2009-01-07 13:23 <DIR> d-------- c:\program files\VideoLAN
2008-12-28 21:36 . 2008-04-13 18:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-12-28 21:36 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-12-28 11:10 . 2008-12-28 11:10 <DIR> d-------- c:\windows\system32\scripting
2008-12-28 11:10 . 2008-12-28 11:10 <DIR> d-------- c:\windows\system32\en
2008-12-28 11:10 . 2008-12-28 11:10 <DIR> d-------- c:\windows\l2schemas
2008-12-27 12:35 . 2003-02-28 18:26 46,352 --a------ c:\windows\setdebug.exe
2008-12-27 12:35 . 2003-02-28 16:54 7,315 --a------ c:\windows\system32\javasup.vxd
2008-12-27 12:34 . 2003-02-28 18:26 139,536 --a------ c:\windows\system32\javaee.dll
2008-12-27 12:34 . 2003-02-28 16:35 6,550 --a------ c:\windows\jautoexp.dat
2008-12-27 12:34 . 2003-02-28 16:38 113 --a------ c:\windows\system32\zonedon.reg
2008-12-27 12:34 . 2003-02-28 16:38 113 --a------ c:\windows\system32\zonedoff.reg
2008-12-27 04:12 . 2008-09-09 19:14 1,307,648 --------- c:\windows\system32\msxml6.dll
2008-12-27 04:11 . 2008-04-13 18:10 844,314 -----c--- c:\windows\system32\dllcache\msdxm.ocx
2008-12-27 04:10 . 2008-04-13 18:12 695,808 -----c--- c:\windows\system32\dllcache\drmv2clt.dll
2008-12-27 02:29 . 2008-06-13 05:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-12-27 02:29 . 2008-08-14 04:04 138,496 -----c--- c:\windows\system32\dllcache\afd.sys
2008-12-27 02:28 . 2008-09-15 06:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-12-27 02:28 . 2008-09-08 04:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-12-27 02:27 . 2008-08-14 04:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-27 02:27 . 2008-08-14 04:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-27 02:27 . 2008-08-14 03:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-27 02:27 . 2008-08-14 03:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-27 02:26 . 2008-05-08 08:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2008-12-27 02:25 . 2008-04-11 13:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2008-12-27 02:25 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-27 02:25 . 2008-05-01 08:33 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2008-12-27 02:24 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-12-27 02:22 . 2008-12-12 11:01 3,067,904 -----c--- c:\windows\system32\dllcache\mshtml.dll
2008-12-27 02:22 . 2008-10-15 19:00 1,499,136 -----c--- c:\windows\system32\dllcache\shdocvw.dll
2008-12-27 02:22 . 2008-10-15 19:00 666,112 -----c--- c:\windows\system32\dllcache\wininet.dll
2008-12-27 02:22 . 2008-10-15 19:00 619,520 -----c--- c:\windows\system32\dllcache\urlmon.dll
2008-12-27 02:21 . 2008-10-03 04:02 247,326 -----c--- c:\windows\system32\dllcache\strmdll.dll
2008-12-27 02:20 . 2008-10-15 10:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-12-27 01:41 . 2008-12-27 01:41 <DIR> d-------- C:\fsaua.data
2008-12-27 01:37 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2008-12-27 01:37 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2008-12-26 09:15 . 2008-12-26 09:15 51,355 --a------ c:\windows\system32\muzika.xm
2008-12-26 09:09 . 2009-01-18 12:02 <DIR> d-------- c:\documents and settings\Bakx\Application Data\uTorrent
2008-12-26 08:48 . 2009-01-22 13:40 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-26 08:47 . 2008-12-26 08:47 <DIR> d-------- c:\documents and settings\Bakx\Application Data\PC Tools
2008-12-26 08:47 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-12-26 08:47 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-12-26 08:47 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-12-26 08:47 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-28 21:29 --------- d-----w c:\documents and settings\Bakx\Application Data\Download Manager
2008-12-26 14:11 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-24 07:14 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-24 06:58 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-20 22:35 --------- d--h--w c:\documents and settings\All Users\Application Data\CanonBJ
2008-12-20 21:06 --------- d-----w c:\program files\Common Files\Adobe
2008-12-20 20:46 --------- d-----w c:\program files\Microsoft.NET
2008-12-20 20:45 --------- d-----w c:\program files\Microsoft ActiveSync
2008-12-18 20:29 --------- d-----w c:\program files\Google
2008-12-18 19:05 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-18 19:05 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-18 18:21 --------- d-----w c:\program files\microsoft frontpage
2008-12-18 18:20 558,142 ----a-w c:\windows\java\Packages\EIS8JRBJ.ZIP
2008-12-18 18:20 155,995 ----a-w c:\windows\java\Packages\Y1RRD77J.ZIP
2007-10-18 17:09 733,517,824 ----a-w c:\program files\Common Files\Realplayer.avi
.

((((((((((((((((((((((((((((( snapshot_2009-01-08_ 0.33.28.19 )))))))))))))))))))))))))))))))))))))))))
.
- 2000-08-31 14:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 14:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2008-12-28 21:12:18 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-08 20:41:36 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-28 21:12:18 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-08 20:41:36 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-12-28 21:12:18 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-08 20:41:36 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-01-31 13:33:46 5,632 ----a-w c:\windows\system32\drivers\avgarkt.sys
+ 2009-01-20 22:23:23 26,824 ----a-w c:\windows\system32\drivers\avgmfx86.sys
- 2008-12-28 21:11:40 189,792 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-01-12 22:40:32 196,160 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-01-20 21:13:07 144,792 ----a-w c:\windows\system32\java.exe
+ 2009-01-20 21:13:07 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2009-01-20 21:13:07 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2009-01-25 14:50:24 16,384 ----atw c:\windows\temp\Perflib_Perfdata_654.dat
+ 2009-01-18 18:00:49 574,464 ----a-w c:\windows\Westward III Gold Rush\uninstall.exe
+ 2006-12-02 04:56:00 96,256 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2006-12-02 04:54:32 479,232 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-02 04:54:34 548,864 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-02 04:54:32 626,688 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
+ 2006-12-02 06:25:52 1,101,824 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2006-12-02 06:25:56 1,093,120 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-02 06:25:58 69,632 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-02 06:26:00 57,856 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-12-02 06:08:00 40,960 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-02 06:08:00 45,056 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-02 06:08:00 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-02 06:08:00 57,344 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-02 06:08:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-02 06:08:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-02 06:08:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-02 06:08:00 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-02 06:08:00 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2006-12-02 06:46:44 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-18 39408]
"SpybotSD TeaTimer"="c:\programs\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-20 136600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-20 1261336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programs\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7515:TCP"= 7515:TCP:oghndane

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-20 97928]
R1 ISODisk;ISODisk;c:\windows\system32\drivers\ISODisk.sys [2009-01-17 9600]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-20 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-20 76040]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\Bakx\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys --> c:\docume~1\Bakx\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\programs\Spyware Doctor\pctsAuxs.exe [2008-12-26 356920]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-20 875288]
S4 odwqd;Support Time;c:\windows\system32\svchost.exe -k netsvcs [2002-09-03 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
odwqd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6fccb14-d8f8-11dd-8d8a-000bdb164d0c}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fb022942-cd41-11dd-8d79-000bdb164d0c}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)
WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://winnipegweather.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\Downloaded Program Files\Manager.exe - c:\windows\Downloaded Program Files\DownloadManagerV2.ocx
O16 -: {4871A87A-BFDD-4106-8153-FFDE2BAC2967}
hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
c:\windows\Downloaded Program Files\DownloadManagerV2.inf
FF - ProfilePath - c:\documents and settings\Bakx\Application Data\Mozilla\Firefox\Profiles\7vi4wx06.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-25 09:04:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\odwqd]
"ServiceDll"="c:\windows\system32\kxqbqycr.dll"
.
------------------------ Other Running Processes ------------------------
.
c:\programs\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-25 9:11:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-25 15:11:44
ComboFix2.txt 2009-01-17 20:53:38
ComboFix3.txt 2009-01-14 16:25:13
ComboFix4.txt 2009-01-11 16:02:30
ComboFix5.txt 2009-01-25 07:32:41

Pre-Run: 18,641,420,288 bytes free
Post-Run: 18,956,574,720 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
250 --- E O F --- 2008-12-29 09:01:22


After reboot I ran HijackThis, but I don't think I saved the log, so I ran it again just before posting this, here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:02 PM, on 1/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programs\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Programs\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://winnipegweather.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programs\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: (no name) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programs\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programs\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programs\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229628070489
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229628686464
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programs\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programs\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programs\Spyware Doctor\pctsSvc.exe

--
End of file - 5350 bytes


I did do a Windows Update after the combofix (I checked Microsoft.com and in a moment of joy decided to do the long awaited update), but before the HijackThis scan.

Also, when I put my flashdrive card into the computer I got a security popup (I think it was Windows security but it could have been AVG) that said file kxqbqycr.dll is infected and whether to heal or quarantine. I chose heal. Not sure if it's a coincidence with the flashdrive or if it is infected as well.

I'm assuming that I can go to online scanning websites now as well, and I will check and get back to you.

Thanks!

So I can access online AV scanners as well.

Also, I just remembered that before I ran ComboFix, I closed all AV and Anti-spyware programs that I could from the system tray (bottom right hand corner of screen) and then opened taskmanager and got rid of all AVG processes and aawservice and teatimer. But when I ran Combofix it still said AVG was running in the background. I opened taskmanager again and there were no AVG files running, so I let combofix continue.

Just FYI.

Can you do a search of your PC and make sure that that file does not exist anymore?
See if you can access those sites too.
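Added example, not part of the thread and not ComboFix's own code: a small Python triage pass over the ComboFix log posted above. It reports service entries whose ServiceDll still points at a file listed under "Other Deletions" (here odwqd and kxqbqycr.dll) and MountPoints2 AutoRun commands registered for removable volumes. The function names and finding labels are assumptions made for this illustration; the sample is built from lines of the log in this thread.

```python
import re

# Constructed sample: lines copied from the ComboFix log posted in this thread,
# trimmed to the sections the checks below read.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\kxqbqycr.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-25 to 2009-01-25 )))))))))))))))))))))))))))))))
.
2009-01-20 16:23 . 2009-01-20 16:23 10,520 --a------ c:\windows\system32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6fccb14-d8f8-11dd-8d8a-000bdb164d0c}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\odwqd]
"ServiceDll"="c:\windows\system32\kxqbqycr.dll"
.
"""

BANNER = re.compile(r"^\(+\s*(.+?)\s*\)+$")   # ((((( Section name )))))
KEY = re.compile(r"^\[(.+)\]$")               # [HKEY_...\some\key]
PATH = re.compile(r"^[a-z]:\\", re.I)         # drive-letter path


def deleted_files(log):
    """Return the lower-cased paths listed under the 'Other Deletions' banner."""
    paths, inside = set(), False
    for line in log.splitlines():
        line = line.strip()
        banner = BANNER.match(line)
        if banner:
            inside = banner.group(1).lower() == "other deletions"
        elif inside and PATH.match(line):
            paths.add(line.lower())
    return paths


def registry_values(log):
    """Yield (key, value_line) for each line directly under a [key] header."""
    key = None
    for line in log.splitlines():
        line = line.strip()
        header = KEY.match(line)
        if header:
            key = header.group(1)
        elif not line or line == ".":
            key = None          # a blank line or '.' ends the key's block
        elif key:
            yield key, line


def triage(log):
    """Return findings as (label, name, detail) tuples."""
    gone = deleted_files(log)
    findings = []
    for key, line in registry_values(log):
        name = key.rsplit("\\", 1)[-1]
        # Service still registered although its DLL was deleted in this run.
        dll = re.match(r'^"ServiceDll"="(.+)"$', line, re.I)
        if dll and dll.group(1).lower() in gone:
            findings.append(("orphaned-service", name, dll.group(1)))
        # Per-volume AutoRun command cached for a drive that was plugged in.
        if ("\\mountpoints2\\" in key.lower()
                and line.lower().startswith("\\shell\\autorun\\command")):
            findings.append(("drive-autorun", name, line.partition(" - ")[2]))
    return findings


if __name__ == "__main__":
    for label, name, detail in triage(SAMPLE_LOG):
        print(f"{label:17} {name}\n    {detail}")
```

A finding of either kind is a prompt to re-check the named registry entry and the drive involved, not proof that the machine is still infected.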

Tried to find the file in explorer, couldn't find it. Enabled Hidden Files, couldn't see it, hidden files had been disabled automatically again.

Went to Jotti and tried to scan C:\Windows\system32\Kqblahblah.dll. and got this response:

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

My PC is still somewhat infected...

Should I try some online scans? and which ones?

Please Run the ESET Online Scanner and post the ScanLog with your post for assistance.

  • You will need to use Internet Explorer to complete this scan.
  • You will need to temporarily Disable your current Anti-virus program.
  • Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
  • When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

NOTE: If you are unable to complete the ESET scan, please try another from the list below:

  • Kaspersky Online Scanner
  • Panda Active Scan
  • Trend Micro HouseCall
  • F-Secure Online Virus Scanner

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3801 (20090126)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=36422d4453d6bd408cc6c1da6dd1dd8c
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2009-01-26 05:14:39
# local_time=2009-01-26 11:14:39 (-0600, Central Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=229536
# found=0
# scan_time=2786

Nothing showing there and eset is one of the best scanners out there.

So I'm in the clear?

I cannot see anything, but in your post before I had you run the eset scan, you stated that you were still somewhat infected.
Eset revealed nothing.
Do you still have reason to believe there is still something wrong?

Not at the moment, I had a pop up a day or so before the ESET scan, but I think AVG took care of it because I haven't had a problem since.

Thank you so much for all your help and patience with me. I'd be attempting to backup/reformat/research for programs without your help and guidance.

No worries :).
