0

So I was watching some Katt Williams and tons of pop-ups started to happen. Obviously the site was bad. Ever since then, I've had lots of problems.

Right before the login screen I get an application error. It says spoolsv.exe or something is the application. It also pops up from being detected by AVG.

I also get something that flashes briefly and says it's a Windows downloader.

And usually Windows will block me from doing anything: task manager, no desktop icons, start menu, etc. But if I'm lucky enough (like now) to be able to come to Firefox, the computer will usually shut itself down.

When AVG pops up it's full of things in the system32 folder. Most of which it says are in white or something and it cannot delete.

Anyway, I've run AVG, Spybot, CCleaner, Ad-Aware, Malwarebytes, all in safe mode. Then ran a HijackThis report. This is what it comes up with.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:35:51 AM, on 3/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\makehm.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5406eba0-b0c3-4979-a397-b499ff6c86a4} - C:\WINDOWS\system32\awtUkIby.dll (file missing)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [jrfnycxb.exe] C:\WINDOWS\jrfnycxb.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [zzjpuuvc.exe] C:\WINDOWS\zzjpuuvc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [jrfngdek.exe] C:\WINDOWS\jrfngdek.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [zzjwleqc.exe] C:\WINDOWS\zzjwleqc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [fpraccqn.exe] C:\WINDOWS\fpraccqn.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [jrfnbthh.exe] C:\WINDOWS\jrfnbthh.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [bndakuiy.exe] C:\WINDOWS\bndakuiy.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [fpruryzg.exe] C:\WINDOWS\fpruryzg.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [bnwgwjpg.exe] C:\WINDOWS\bnwgwjpg.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [fpnjewfn.exe] C:\WINDOWS\fpnjewfn.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [tjbmimnx.exe] C:\WINDOWS\tjbmimnx.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [tjbtazdn.exe] C:\WINDOWS\tjbtazdn.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [jrcnrtes.exe] C:\WINDOWS\jrcnrtes.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [vxserapq.exe] C:\WINDOWS\vxserapq.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [jrfnycxb.exe] C:\WINDOWS\jrfnycxb.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll jmadjo.dll kcoflv.dll c:\windows\system32\ziyoyide.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: geBsqRhe - geBsqRhe.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COM+ System Application (COMSysApp) - Unknown owner - C:\WINDOWS\system32\dllhost.exe (file missing)
O23 - Service: Fax - Unknown owner - C:\WINDOWS\system32\fxssvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service (lavasoft ad-aware service) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\system32\msiexec.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\system32\dllhost.exe (file missing)

--
End of file - 7481 bytes

It's running a bit better now, but there's still something wrong. I still get the spoolsv.exe application error at the beginning and then AVG blocks it. And AVG will also pick up a backdoor and block it.

I also still have the problem with the computer occasionally blocking everything and not letting me on, or it crashes automatically.

Please help.

2 Contributors, 20 Replies, 21 Views, 8 Years Discussion Span, Last Post by jholland1964
0

First of all, disable Spybot's TeaTimer; it will interfere with fixes done.

* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu and select Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck Resident TeaTimer and OK any prompts.
* Restart your computer

2. HiJackThis shouldn't be run in Safe Mode, unless this is the only way you can run it.
Run it in Normal Mode and place check marks next to the following entries:

O2 - BHO: (no name) - {5406eba0-b0c3-4979-a397-b499ff6c86a4} - C:\WINDOWS\system32\awtUkIby.dll (file missing)
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [jrfnycxb.exe] C:\WINDOWS\jrfnycxb.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [zzjpuuvc.exe] C:\WINDOWS\zzjpuuvc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [jrfngdek.exe] C:\WINDOWS\jrfngdek.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [zzjwleqc.exe] C:\WINDOWS\zzjwleqc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [fpraccqn.exe] C:\WINDOWS\fpraccqn.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [jrfnbthh.exe] C:\WINDOWS\jrfnbthh.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [bndakuiy.exe] C:\WINDOWS\bndakuiy.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [fpruryzg.exe] C:\WINDOWS\fpruryzg.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [bnwgwjpg.exe] C:\WINDOWS\bnwgwjpg.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [fpnjewfn.exe] C:\WINDOWS\fpnjewfn.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [tjbmimnx.exe] C:\WINDOWS\tjbmimnx.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [tjbtazdn.exe] C:\WINDOWS\tjbtazdn.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [jrcnrtes.exe] C:\WINDOWS\jrcnrtes.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [vxserapq.exe] C:\WINDOWS\vxserapq.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [jrfnycxb.exe] C:\WINDOWS\jrfnycxb.exe (User 'Default user')

O20 - AppInit_DLLs: avgrsstx.dll jmadjo.dll kcoflv.dll c:\windows\system32\ziyoyide.dll
O20 - Winlogon Notify: geBsqRhe - geBsqRhe.dll (file missing)

O23 - Service: Fax - Unknown owner - C:\WINDOWS\system32\fxssvc.exe (file missing)
Once you have placed the check marks click the Fix Checked button.
Exit HJT
Reboot in NORMAL mode again.

3. Malwarebytes' Anti-Malware is not meant to be run in Safe Mode. Please update it and run a Full System Scan in NORMAL mode.
Tell it to Remove Everything found.
Save the log to the desktop; I have to see the log.
Reboot the system.

Once you are rebooted run HJT again, save the log.
Post back here with the MBA-M log and the new HJT log.

0

Awesome. Thanks a lot. I'm going to do everything you said in just a bit.

Also... I did run HijackThis in safe mode because my comp would either crash after being on so long, or would block anything from popping up. I also didn't know it shouldn't be run in safe mode.

But yeah, I'll post results after I do all of that.

0

Ok, I've done everything you said, in exact order.

It was quite frustrating as well since every time I rebooted it (after every task) it wouldn't allow me to do anything and I had to keep rebooting until I would get lucky and could use the computer.

When it gets to the desktop it says;
Data Execution Prevention
Windows Closed:
Usernit Logon App
(and sometimes it'll either close after it says this, or this won't pop up till after the desktop has loaded and such)

And AVG pops up and says it found this.
c:/windows/system32/spools.exe


And

AVG blocks
Win32.Backdoor.agent
from running

And the computer still crashes randomly. Like during my first couple attempts at posting this. Very annoying.

And all of that is still happening.

Here's my logs.

Malware:
Malwarebytes' Anti-Malware 1.34
Database version: 1817
Windows 5.1.2600 Service Pack 2

3/5/2009 4:25:24 AM
mbam-log-2009-03-05 (04-25-24).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 154313
Time elapsed: 50 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.


And HJ:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:11:50 AM, on 3/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dumprep.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\makehm.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [zzjpuuvc.exe] C:\WINDOWS\zzjpuuvc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [rvhkisic.exe] C:\WINDOWS\rvhkisic.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [xlpmqoan.exe] C:\WINDOWS\xlpmqoan.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [zzjpuuvc.exe] C:\WINDOWS\zzjpuuvc.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COM+ System Application (COMSysApp) - Unknown owner - C:\WINDOWS\system32\dllhost.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service (lavasoft ad-aware service) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\system32\msiexec.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\system32\dllhost.exe (file missing)

--
End of file - 7556 bytes


So pretty much the same stuff is happening as before I did the above mentioned tasks.

0

Run HJT again and put a check mark next to this entry;
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\makehm.exe,

Then click the Fix Checked button. Exit HJT and reboot.
Then do the following:
Download ComboFix
Click on the Save button and then when it asks you where to save it, make sure you save it directly to your Windows Desktop.
Once the download is complete you will see the Combofix on the desktop.

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.
Double-click the combofix icon on the desktop to run the program.

Windows will issue a prompt asking whether you wish to run the program; click Run.
You will then see a Disclaimer screen asking you to agree to the disclaimer. Press the number 1 key to accept the disclaimer.

Now just sit back and allow the program to run.

Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you the program's log file, or report, will be located at C:\ComboFix.txt.

When all is complete then please post back here with that log.
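The entries ticked in the earlier reply and the UserInit entry fixed here are all pattern judgements on the HJT log. The Python script below, added here as an example and not part of the thread or of HijackThis, encodes those judgements as checks run over sample lines copied from the posted log; the Windows directory and the AppInit allowlist are assumptions.

```python
"""Triage helper for HijackThis v2 log lines (added example; not HijackThis' own code).

Heuristics taken from this thread: a second program chained into UserInit (F2),
SYSTEM / Default-user autoruns launching randomly named executables from the
Windows root (O4), unexpected AppInit_DLLs (O20), and '(file missing)' hooks.
Assumptions: %SystemRoot% is C:\\WINDOWS as in the posted log; the AppInit
allowlist is constructed for this example.
"""
import re
from dataclasses import dataclass

WINDIR = r"c:\windows"                        # assumption: matches the posted log
USERINIT_OK = {WINDIR + r"\system32\userinit.exe"}
APPINIT_ALLOW = {"avgrsstx.dll"}              # constructed: the AVG DLL the thread keeps
SYSTEM_HIVES = (r"HKUS\S-1-5-18\..\Run", r"HKUS\.DEFAULT\..\Run")
RANDOM_NAME = re.compile(r"^[a-z]{8}\.exe$")  # jrfnycxb.exe-style names


@dataclass
class Finding:
    line: str
    reason: str
    action: str  # "fix": tick it in HJT; "review": needs a human decision


def norm(path: str) -> str:
    return path.strip().strip('"').lower()


def check_userinit(line: str) -> list:
    """F2: anything besides userinit.exe in the UserInit chain runs at every logon."""
    m = re.match(r"F2 - REG:system\.ini: UserInit=(.*)$", line)
    if not m:
        return []
    parts = [norm(p) for p in m.group(1).split(",")]
    extras = [p for p in parts if p and p not in USERINIT_OK]
    if not extras:
        return []
    return [Finding(line, "UserInit chains extra program(s): " + ", ".join(extras), "fix")]


def check_run_key(line: str) -> list:
    """O4 under the SYSTEM or Default-user hive launching from the Windows root."""
    m = re.match(r"O4 - (HKUS\\[^:]+): \[[^\]]+\] (.+?)(?: \(User '[^']*'\))?$", line)
    if not m or m.group(1) not in SYSTEM_HIVES:
        return []
    head, _, name = norm(m.group(2)).rpartition("\\")
    reasons = []
    if head == WINDIR:
        reasons.append("SYSTEM/Default-user autorun launching from the Windows root")
    if RANDOM_NAME.match(name):
        reasons.append("8-letter random-looking file name")
    return [Finding(line, "; ".join(reasons), "fix")] if reasons else []


def check_appinit(line: str) -> list:
    """O20 AppInit_DLLs: each listed DLL is loaded into every process that uses user32."""
    m = re.match(r"O20 - AppInit_DLLs: (.+)$", line)
    if not m:
        return []
    bad = [d for d in m.group(1).split() if norm(d).rpartition("\\")[2] not in APPINIT_ALLOW]
    if not bad:
        return []
    return [Finding(line, "AppInit_DLLs loads unknown DLL(s): " + " ".join(bad), "fix")]


def check_missing(line: str) -> list:
    """'(file missing)': orphaned BHO/Winlogon hooks get fixed; services need judgment,
    since HJT reports some stock XP services (dllhost.exe, msiexec.exe) as missing."""
    if not line.endswith("(file missing)"):
        return []
    if line.split(" - ", 1)[0] in ("O2", "O20"):
        return [Finding(line, "hook registered for a DLL that no longer exists", "fix")]
    return [Finding(line, "service binary reported missing; confirm before fixing", "review")]


CHECKS = (check_userinit, check_run_key, check_appinit, check_missing)


def triage(log_text: str) -> list:
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for check in CHECKS:
            findings.extend(check(line))
    return findings


def entries_to_fix(log_text: str) -> list:
    """The lines you would tick before pressing 'Fix checked'."""
    return list(dict.fromkeys(f.line for f in triage(log_text) if f.action == "fix"))


# Constructed sample: lines copied from the log posted above plus two benign ones.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\makehm.exe,
O2 - BHO: (no name) - {5406eba0-b0c3-4979-a397-b499ff6c86a4} - C:\WINDOWS\system32\awtUkIby.dll (file missing)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [jrfnycxb.exe] C:\WINDOWS\jrfnycxb.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [jrfnycxb.exe] C:\WINDOWS\jrfnycxb.exe (User 'Default user')
O20 - AppInit_DLLs: avgrsstx.dll jmadjo.dll kcoflv.dll c:\windows\system32\ziyoyide.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: geBsqRhe - geBsqRhe.dll (file missing)
O23 - Service: COM+ System Application (COMSysApp) - Unknown owner - C:\WINDOWS\system32\dllhost.exe (file missing)
O23 - Service: Fax - Unknown owner - C:\WINDOWS\system32\fxssvc.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.action:6}] {f.reason}\n         {f.line}")
```

Note that ticking the O20 AppInit_DLLs line clears the whole value, the legitimate avgrsstx.dll included, which is exactly what the reply above did.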

0

Ok I ran HJT and deleted that file and rebooted.

Then I downloaded combofix and closed all running virus scanners and things.

It still says AVG is active and will interfere.

How can I disable avg before I run combo fix? I go to avg and it says everything is active, but I don't know how to make it un-active. Do I need to uninstall it for the time being?

Also, should I be connected to the internet while running combofix or not?

There's also 1 window I can't close which is due to the data execution prevention. I close it and it opens up again, so yeah...

0

1. Click Start
2. Select Control Panel
3. Select System
4. Click the Advanced tab
5. In the Performance region select Settings
6. Click the Data Execute tab in the dialog box that opens
7. Select Turn on DEP for all programs and services except for those I select
8. Click Add.
9. The open dialog box will open. Browse and select your application.
10. Click Open
11. Click Apply
12. Click Ok
13. Reboot

To turn off AVG do the following: Right click on the AVG icon in System Tray and hit Exit.

0

1. Click Start
2. Select Control Panel
3. Select System
4. Click the Advanced tab
5. In the Performance region select Settings
6. Click the Data Execute tab in the dialog box that opens
7. Select Turn on DEP for all programs and services except for those I select
8. Click Add.
9. The open dialog box will open. Browse and select your application.
10. Click Open
11. Click Apply
12. Click Ok
13. Reboot

#7: What am I supposed to select in the DEP list?
#9: What am I supposed to open?

And I turned off AVG like you said. But still, when I open up combofix it still says it's active.

Also, should combofix be run while connected to the internet or not? Or does it matter?

0

I would suggest for now you turn off that DEP control for combofix for sure so when the box opens then you tell it to turn off for combofix.
You will have to disable AVG from starting at all, probably via msconfig.
You can disconnect from the internet if you want, since your protection programs have to be off. It doesn't matter though, it's up to you.

0

Ok I turned off the dep for combofix as you said.

But I still can't get AVG to not be recognized by combofix.

I went into msconfig and unselected everything AVG related. It is no longer in the icon tray, and even when I go to AVG it says no active programs or something. Nothing shows up at all on AVG to be running.

Yet when I start up combofix it still recognizes it and says it's active.

I've even tried to delete AVG and it won't let me delete it.

Man this is getting frustrating.

And since this is taking so long, thanks again for your help. Hopefully this is resolved soon.

0

This was almost impossible due to DEP programs popping up, the computer crashing with combofix in the middle of running, combofix rebooting, and on reboot DEP being the only thing showing up.

But it worked just a bit ago. So here's the log.

ComboFix 09-03-04.01 - HP_Administrator 2009-03-06 16:41:03.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.533 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Administrator\reader_s.exe
c:\windows\system32\9.tmp
c:\windows\system32\reader_s.exe
.
---- Previous Run -------
.
c:\documents and settings\HP_Administrator\Application Data\020000009090ee97517C.manifest
c:\documents and settings\HP_Administrator\Application Data\020000009090ee97517O.manifest
c:\documents and settings\HP_Administrator\Application Data\020000009090ee97517P.manifest
c:\documents and settings\HP_Administrator\Application Data\020000009090ee97517S.manifest
c:\documents and settings\HP_Administrator\reader_s.exe
c:\windows\file.bat
c:\windows\services.exe
c:\windows\system32\3.tmp
c:\windows\system32\4.tmp
c:\windows\system32\6.tmp
c:\windows\system32\9.tmp
c:\windows\system32\A.tmp
c:\windows\system32\B.tmp
c:\windows\system32\config\systemprofile\reader_s.exe
c:\windows\system32\reader_s.exe
c:\windows\xccwinsys.ini
D:\Autorun.inf

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_seneka


((((((((((((((((((((((((( Files Created from 2009-02-06 to 2009-03-06 )))))))))))))))))))))))))))))))
.

2009-03-06 16:46 . 2009-03-06 16:46 38,913 --a------ c:\windows\system32\59.tmp
2009-03-06 16:34 . 2009-03-06 16:34 38,913 --a------ c:\windows\system32\58.tmp
2009-03-06 16:34 . 2009-03-06 16:34 80 --a------ c:\windows\system32\56.tmp
2009-03-06 03:02 . 2009-03-06 03:02 1,355 --a------ c:\windows\imsins.BAK
2009-03-06 02:50 . 2009-03-06 02:50 0 --a------ c:\windows\system32\54.tmp
2009-03-06 02:30 . 2009-03-06 02:30 161,792 --a------ c:\windows\system32\53.tmp
2009-03-06 02:30 . 2009-03-06 02:30 24,577 --a------ c:\windows\system32\55.tmp
2009-03-06 02:30 . 2009-03-06 02:30 11,776 --a------ c:\windows\jrfuvzex.exe
2009-03-06 02:30 . 2009-03-06 02:30 124 --a------ c:\windows\system32\52.tmp
2009-03-06 02:28 . 2009-03-06 02:28 24,577 --a------ c:\windows\system32\57.tmp
2009-03-06 02:28 . 2009-03-06 02:28 11,776 --a------ c:\windows\jrfsjqod.exe
2009-03-06 02:25 . 2009-03-06 02:28 161,792 --a------ c:\windows\system32\4F.tmp
2009-03-06 02:23 . 2009-03-06 02:23 24,577 --a------ c:\windows\system32\50.tmp
2009-03-06 02:23 . 2009-03-06 02:23 11,776 --a------ c:\windows\ntthprqq.exe
2009-03-06 02:20 . 2009-03-06 02:23 161,792 --a------ c:\windows\system32\B.tmp
2009-03-06 01:31 . 2009-03-06 01:31 38,913 --a------ c:\windows\system32\51.tmp
2009-03-06 01:31 . 2009-03-06 01:31 124 --a------ c:\windows\system32\4D.tmp
2009-03-06 01:31 . 2009-03-06 01:31 0 --a------ c:\windows\system32\4E.tmp
2009-03-06 01:29 . 2009-03-06 01:29 162,304 --a------ c:\windows\system32\4A.tmp
2009-03-06 01:29 . 2009-03-06 01:29 38,913 --a------ c:\windows\system32\4C.tmp
2009-03-06 01:29 . 2009-03-06 01:29 11,776 --a------ c:\windows\phnygygt.exe
2009-03-06 01:29 . 2009-03-06 01:29 124 --a------ c:\windows\system32\48.tmp
2009-03-06 01:29 . 2009-03-06 01:29 0 --a------ c:\windows\system32\4B.tmp
2009-03-06 01:27 . 2009-03-06 01:27 162,304 --a------ c:\windows\system32\47.tmp
2009-03-06 01:27 . 2009-03-06 01:27 38,913 --a------ c:\windows\system32\49.tmp
2009-03-06 01:27 . 2009-03-06 01:27 11,776 --a------ c:\windows\zzjwjlox.exe
2009-03-06 01:27 . 2009-03-06 01:27 124 --a------ c:\windows\system32\45.tmp
2009-03-06 01:19 . 2009-03-06 01:19 38,913 --a------ c:\windows\system32\46.tmp
2009-03-06 01:19 . 2009-03-06 01:19 11,776 --a------ c:\windows\tjblfcql.exe
2009-03-06 01:16 . 2009-03-06 01:19 162,304 --a------ c:\windows\system32\43.tmp
2009-03-06 01:16 . 2009-03-06 01:16 124 --a------ c:\windows\system32\A.tmp
2009-03-06 01:12 . 2009-03-06 01:12 11,776 --a------ c:\windows\nttmpmjt.exe
2009-03-06 01:10 . 2009-03-06 01:10 124 --a------ c:\windows\system32\4.tmp
2009-03-06 01:01 . 2009-03-06 01:03 125,619 --a------ c:\windows\system32\42.tmp
2009-03-06 01:01 . 2009-03-06 01:01 124 --a------ c:\windows\system32\41.tmp
2009-03-06 00:51 . 2009-03-06 00:51 0 --a------ c:\windows\system32\3F.tmp
2009-03-06 00:49 . 2009-03-06 00:49 25,601 --a------ c:\windows\system32\40.tmp
2009-03-06 00:49 . 2009-03-06 00:49 11,776 --a------ c:\windows\dbxkizhe.exe
2009-03-06 00:41 . 2009-03-06 00:41 11,776 --a------ c:\windows\ntthhgwp.exe
2009-03-06 00:39 . 2009-03-06 00:39 124 --a------ c:\windows\system32\3.tmp
2009-03-06 00:31 . 2009-03-06 00:31 124 --a------ c:\windows\system32\6.tmp
2009-03-06 00:28 . 2009-03-06 00:28 11,776 --a------ c:\windows\xlpgewlg.exe
2009-03-05 17:57 . 2009-03-05 17:57 0 --a------ c:\windows\system32\3C.tmp
2009-03-05 17:55 . 2009-03-05 17:55 24,577 --a------ c:\windows\system32\44.tmp
2009-03-05 17:55 . 2009-03-05 17:55 11,776 --a------ c:\windows\tjblnwsd.exe
2009-03-05 17:53 . 2009-03-05 17:55 162,816 --a------ c:\windows\system32\3D.tmp
2009-03-05 17:53 . 2009-03-05 17:53 124 --a------ c:\windows\system32\3B.tmp
2009-03-05 17:51 . 2009-03-05 17:51 24,577 --a------ c:\windows\system32\3E.tmp
2009-03-05 17:51 . 2009-03-05 17:51 11,776 --a------ c:\windows\xlpfbmot.exe
2009-03-05 17:48 . 2009-03-05 17:51 162,816 --a------ c:\windows\system32\3A.tmp
2009-03-05 17:48 . 2009-03-05 17:48 124 --a------ c:\windows\system32\38.tmp
2009-03-05 16:18 . 2009-03-05 16:18 38,913 --a------ c:\windows\system32\39.tmp
2009-03-05 16:18 . 2009-03-05 16:18 124 --a------ c:\windows\system32\34.tmp
2009-03-05 16:18 . 2009-03-05 16:18 0 --a------ c:\windows\system32\35.tmp
2009-03-05 16:16 . 2009-03-05 16:16 38,913 --a------ c:\windows\system32\37.tmp
2009-03-05 16:16 . 2009-03-05 16:16 11,776 --a------ c:\windows\zzjzavyp.exe
2009-03-05 16:15 . 2009-03-05 16:16 161,792 --a------ c:\windows\system32\33.tmp
2009-03-05 16:15 . 2009-03-05 16:15 124 --a------ c:\windows\system32\32.tmp
2009-03-05 16:13 . 2009-03-05 16:13 38,913 --a------ c:\windows\system32\36.tmp
2009-03-05 16:13 . 2009-03-05 16:13 11,776 --a------ c:\windows\xlpgzhxf.exe
2009-03-05 16:11 . 2009-03-05 16:13 161,792 --a------ c:\windows\system32\31.tmp
2009-03-05 16:11 . 2009-03-05 16:11 124 --a------ c:\windows\system32\2E.tmp
2009-03-05 16:02 . 2009-03-05 16:02 162,304 --a------ c:\windows\system32\2C.tmp
2009-03-05 16:02 . 2009-03-05 16:02 38,913 --a------ c:\windows\system32\30.tmp
2009-03-05 16:02 . 2009-03-05 16:02 11,776 --a------ c:\windows\xlpmipqq.exe
2009-03-05 16:02 . 2009-03-05 16:02 124 --a------ c:\windows\system32\2B.tmp
2009-03-05 16:00 . 2009-03-05 16:00 25,601 --a------ c:\windows\system32\2F.tmp
2009-03-05 16:00 . 2009-03-05 16:00 11,776 --a------ c:\windows\tjblgbek.exe
2009-03-05 15:57 . 2009-03-05 16:00 162,304 --a------ c:\windows\system32\2A.tmp
2009-03-05 15:57 . 2009-03-05 15:57 124 --a------ c:\windows\system32\29.tmp
2009-03-05 15:49 . 2009-03-05 15:49 25,601 --a------ c:\windows\system32\2D.tmp
2009-03-05 15:49 . 2009-03-05 15:49 11,776 --a------ c:\windows\dbxjszxr.exe
2009-03-05 15:46 . 2009-03-05 15:49 162,304 --a------ c:\windows\system32\28.tmp
2009-03-05 15:46 . 2009-03-05 15:46 124 --a------ c:\windows\system32\23.tmp
2009-03-05 12:47 . 2009-03-05 12:47 25,601 --a------ c:\windows\system32\27.tmp
2009-03-05 12:45 . 2009-03-05 12:47 81,785 --a------ c:\windows\system32\1F.tmp
2009-03-05 12:45 . 2009-03-05 12:45 124 --a------ c:\windows\system32\1C.tmp
2009-03-05 12:43 . 2009-03-05 12:43 25,601 --a------ c:\windows\system32\1E.tmp
2009-03-05 12:43 . 2009-03-05 12:43 11,776 --a------ c:\windows\hdldfybo.exe
2009-03-05 12:41 . 2009-03-05 12:43 161,792 --a------ c:\windows\system32\F.tmp
2009-03-05 12:41 . 2009-03-05 12:41 124 --a------ c:\windows\system32\E.tmp
2009-03-05 12:39 . 2009-03-05 12:39 25,601 --a------ c:\windows\system32\1D.tmp
2009-03-05 12:39 . 2009-03-05 12:39 11,776 --a------ c:\windows\xlpftlhf.exe
2009-03-05 12:36 . 2009-03-05 12:39 161,792 --a------ c:\windows\system32\D.tmp
2009-03-05 12:36 . 2009-03-05 12:36 124 --a------ c:\windows\system32\C.tmp
2009-03-05 12:30 . 2009-03-05 12:30 0 --a------ c:\windows\system32\8.tmp
2009-03-05 05:13 . 2009-03-05 05:13 11,776 --a------ c:\windows\jrfnggzq.exe
2009-03-05 05:10 . 2009-03-05 05:13 162,304 --a------ c:\windows\system32\7.tmp
2009-03-05 05:10 . 2009-03-05 05:10 84 --a------ c:\windows\system32\5.tmp
2009-03-05 04:43 . 2009-03-05 04:43 11,776 --a------ c:\windows\xlpmqoan.exe
2009-03-05 04:43 . 2009-03-05 04:43 84 --a------ c:\windows\system32\2.tmp
2009-03-05 04:37 . 2009-03-05 04:37 11,776 --a------ c:\windows\rvhkisic.exe
2009-03-05 02:56 . 2009-03-05 02:56 29,184 --a------ c:\windows\fpruyxxm.exe
2009-03-05 00:48 . 2009-03-05 00:48 29,184 --a------ c:\windows\jrfwlkzj.exe
2009-03-05 00:28 . 2009-03-05 00:28 29,184 --a------ c:\windows\vxserapq.exe
2009-03-04 21:27 . 2009-03-04 21:27 28,672 --a------ c:\windows\jrcnrtes.exe
2009-03-04 17:35 . 2009-03-04 17:35 <DIR> d-------- c:\program files\CCleaner
2009-03-04 17:34 . 2009-03-04 17:34 <DIR> d-------- c:\program files\Trend Micro
2009-03-04 16:54 . 2009-03-04 16:54 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-04 16:54 . 2009-03-04 23:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-04 16:39 . 2009-03-04 16:39 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\SampleView
2009-03-04 16:31 . 2009-03-06 02:30 136,096 --a------ c:\windows\system32\drivers\ethqszcx.sys
2009-03-04 16:29 . 2009-03-04 16:31 161,792 --a------ c:\windows\system32\26.tmp
2009-03-04 16:29 . 2009-03-04 16:29 38,913 --a------ c:\windows\system32\25.tmp
2009-03-04 16:29 . 2009-03-04 16:29 84 --a------ c:\windows\system32\24.tmp
2009-03-04 05:56 . 2009-03-04 17:41 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-03-04 04:09 . 2009-03-04 04:12 162,816 --a------ c:\windows\system32\22.tmp
2009-03-04 04:09 . 2009-03-04 04:09 38,913 --a------ c:\windows\system32\21.tmp
2009-03-04 04:09 . 2009-03-04 04:09 30,208 --a------ c:\windows\system32\1B.tmp
2009-03-04 04:09 . 2009-03-04 04:09 124 --a------ c:\windows\system32\1A.tmp
2009-03-04 04:06 . 2009-03-04 04:06 101,581 --a------ c:\windows\system32\20.tmp
2009-03-04 04:06 . 2009-03-04 04:06 38,913 --a------ c:\windows\system32\19.tmp
2009-03-04 04:06 . 2009-03-04 04:06 30,208 --a------ c:\windows\system32\18.tmp
2009-03-04 04:06 . 2009-03-04 04:06 124 --a------ c:\windows\system32\17.tmp
2009-03-04 04:00 . 2009-03-04 04:02 162,816 --a------ c:\windows\system32\16.tmp
2009-03-04 04:00 . 2009-03-04 04:00 30,208 --a------ c:\windows\system32\14.tmp
2009-03-04 04:00 . 2009-03-04 04:00 25,601 --a------ c:\windows\system32\15.tmp
2009-03-04 04:00 . 2009-03-04 04:00 124 --a------ c:\windows\system32\13.tmp
2009-03-04 02:47 . 2009-03-04 02:47 161,792 --a------ c:\windows\system32\12.tmp
2009-03-04 02:47 . 2009-03-04 02:47 30,208 --a------ c:\windows\system32\10.tmp
2009-03-04 02:47 . 2009-03-04 02:47 24,577 --a------ c:\windows\system32\11.tmp
2009-03-02 01:57 . 2009-03-05 16:18 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-01 23:15 . 2009-03-04 19:55 <DIR> d-------- c:\windows\system32\inf
2009-02-27 01:58 . 2009-02-27 01:59 3,903,110 --a------ C:\A Day To Remember - If It Means A Lot To You.mp3
2009-02-13 18:27 . 2009-02-13 18:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Adobe Systems

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-06 07:55 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-03-04 22:42 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-04 22:40 64,160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-03-03 03:42 --------- d-----w c:\program files\World of Warcraft
2009-03-01 08:44 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\LimeWire
2009-02-13 23:29 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-13 23:22 --------- d-----w c:\program files\Common Files\Adobe
2009-02-11 15:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 15:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-06 10:53 --------- d-----w c:\documents and settings\All Users\Application Data\Sonic
2009-02-06 10:52 --------- d-----w c:\program files\Common Files\Sonic Shared
2009-02-06 10:47 --------- d-----w c:\program files\Common Files\Research In Motion
2009-02-05 13:31 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-02-05 13:31 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-02-04 20:03 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Research In Motion
2009-02-04 20:00 --------- d-----w c:\program files\Research In Motion
2009-02-04 20:00 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Blackberry Desktop
2009-01-30 13:14 --------- d-----w c:\program files\LimeWire
2009-01-30 13:14 --------- d-----w c:\program files\Java
2009-01-30 11:07 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-01-30 11:07 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-29 23:50 0 ----a-w c:\windows\system32\drivers\11cb1818.sys
2009-01-29 01:26 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-29 01:25 --------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-29 01:24 --------- d-----w c:\program files\Lavasoft
2009-01-25 08:29 --------- d-----w c:\program files\AlphaZIP
2009-01-25 07:17 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard
2009-01-25 04:59 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2009-01-25 01:16 --------- d-----w c:\program files\AVG
2009-01-24 10:56 --------- d-----w c:\program files\Last.fm
2009-01-24 03:32 --------- d-----w c:\program files\iTunes
2009-01-24 03:31 --------- d-----w c:\program files\QuickTime
2009-01-24 03:14 1,915 --sha-r c:\windows\system32\drivers\103C_HP_CPC_EK425AA-ABA M7259C_YC_0Pavi_QMXK544_E54NAemMPC3_48_IAMETHYST-M_SMSI_V1.0_B3.35_T050930_WXP2_L409_M959_J250_7AMD_8Athlon 64 X2 Dual Core_92.19_#051226_N10EC8139_Z11C1048C_G10025954.MRK
2009-01-24 03:14 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Apple Computer
2009-01-24 02:21 --------- d-----w c:\documents and settings\All Users\Application Data\AppRanger
2009-01-24 02:19 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\AdobeUM
2009-01-24 01:45 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\HPQ
2009-01-24 01:38 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-18 00:45 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\acccore
2009-01-18 00:42 --------- d-----w c:\program files\Common Files\AOL
2009-01-18 00:42 --------- d-----w c:\program files\AIM6
2009-01-18 00:42 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-18 00:42 --------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP
2009-01-18 00:42 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-01-18 00:42 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2009-01-18 00:15 --------- d-----w c:\documents and settings\All Users\Application Data\Last.fm
2009-01-18 00:03 --------- d-----w c:\program files\Common Files\Apple
2009-01-18 00:03 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-18 00:02 --------- d-----w c:\program files\Bonjour
2009-01-18 00:02 --------- d-----w c:\program files\Apple Software Update
2009-01-18 00:01 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 32256]
"Aim6"="" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 81408]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 69632]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 266240]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2005-05-10 274432]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 69632]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 434176]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-04 515416]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-30 136600]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 c:\windows\arpwrmsg.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"zzjpuuvc.exe"="c:\windows\zzjpuuvc.exe" [BU]
"rvhkisic.exe"="c:\windows\rvhkisic.exe" [2009-03-05 11776]
"xlpmqoan.exe"="c:\windows\xlpmqoan.exe" [2009-03-05 11776]
"jrfnggzq.exe"="c:\windows\jrfnggzq.exe" [2009-03-05 11776]
"xlpftlhf.exe"="c:\windows\xlpftlhf.exe" [2009-03-05 11776]
"hdldfybo.exe"="c:\windows\hdldfybo.exe" [2009-03-05 11776]
"dbxjszxr.exe"="c:\windows\dbxjszxr.exe" [2009-03-05 11776]
"tjblgbek.exe"="c:\windows\tjblgbek.exe" [2009-03-05 11776]
"xlpmipqq.exe"="c:\windows\xlpmipqq.exe" [2009-03-05 11776]
"xlpgzhxf.exe"="c:\windows\xlpgzhxf.exe" [2009-03-05 11776]
"zzjzavyp.exe"="c:\windows\zzjzavyp.exe" [2009-03-05 11776]
"xlpfbmot.exe"="c:\windows\xlpfbmot.exe" [2009-03-05 11776]
"tjblnwsd.exe"="c:\windows\tjblnwsd.exe" [2009-03-05 11776]
"xlpgewlg.exe"="c:\windows\xlpgewlg.exe" [2009-03-06 11776]
"ntthhgwp.exe"="c:\windows\ntthhgwp.exe" [2009-03-06 11776]
"dbxkizhe.exe"="c:\windows\dbxkizhe.exe" [2009-03-06 11776]
"nttmpmjt.exe"="c:\windows\nttmpmjt.exe" [2009-03-06 11776]
"tjblfcql.exe"="c:\windows\tjblfcql.exe" [2009-03-06 11776]
"zzjwjlox.exe"="c:\windows\zzjwjlox.exe" [2009-03-06 11776]
"phnygygt.exe"="c:\windows\phnygygt.exe" [2009-03-06 11776]
"ntthprqq.exe"="c:\windows\ntthprqq.exe" [2009-03-06 11776]
"jrfsjqod.exe"="c:\windows\jrfsjqod.exe" [2009-03-06 11776]
"jrfuvzex.exe"="c:\windows\jrfuvzex.exe" [2009-03-06 11776]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 131072]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 303104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-05 08:31 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lavasoft ad-aware service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2009-02-05 08:31 1601304 c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.3.9183-to-3.0.8.9464-enUS-downloader.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=
"c:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\A.tmp"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-28 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-24 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-24 107272]
R2 lavasoft ad-aware service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951120]
S1 11cb1818;11cb1818;c:\windows\system32\drivers\11cb1818.sys [2009-01-25 0]
S2 vmfezqpn;IPX Traffic Forwarder Monitor;c:\windows\System32\svchost.exe -k netsvcs [2004-08-10 14336]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-24 903960]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-24 298264]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
vmfezqpn

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
.
Contents of the 'Scheduled Tasks' folder

2009-03-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-04 17:40]

2009-02-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-05 c:\windows\Tasks\At1.job
- c:\windows\system32\lzaapgm.dll []
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\zwnub4bw.default\
FF - prefs.js: browser.startup.homepage - www.myspace.com
FF - component: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\zwnub4bw.default\extensions\{d0c29249-27c7-4192-aec8-6c84436aeb80}\components\TSBoxFF.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-06 16:46:52
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-618976518-1615240946-2069970529-1008\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{19118023-ED5C-40C9-7A76-2AA9A8440217}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaphjhmoocpodknnpe"=hex:69,61,64,70,6b,68,6d,62,6a,69,63,6d,70,6e,6e,70,6c,6a,
00,00
"habhfmeogabdiopm"=hex:69,61,64,70,6b,68,6d,62,6a,69,63,6d,70,6e,6e,70,6c,6a,
00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(624)
c:\windows\system32\Ati2evxx.dll
c:\program files\Bonjour\mdnsNSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\ati2evxx.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-03-06 16:49:25 - machine was rebooted [HP_Administrator]
ComboFix-quarantined-files.txt 2009-03-06 21:49:21

Pre-Run: 177,069,494,272 bytes free
Post-Run: 177,073,504,256 bytes free

395 --- E O F --- 2009-03-06 21:37:11

And a HJT log, just in case it helps:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:53:31 PM, on 3/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\System32\svchost.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [zzjpuuvc.exe] C:\WINDOWS\zzjpuuvc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [rvhkisic.exe] C:\WINDOWS\rvhkisic.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [xlpmqoan.exe] C:\WINDOWS\xlpmqoan.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [jrfnggzq.exe] C:\WINDOWS\jrfnggzq.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [xlpftlhf.exe] C:\WINDOWS\xlpftlhf.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [hdldfybo.exe] C:\WINDOWS\hdldfybo.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [dbxjszxr.exe] C:\WINDOWS\dbxjszxr.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [tjblgbek.exe] C:\WINDOWS\tjblgbek.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [xlpmipqq.exe] C:\WINDOWS\xlpmipqq.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [xlpgzhxf.exe] C:\WINDOWS\xlpgzhxf.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [zzjzavyp.exe] C:\WINDOWS\zzjzavyp.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [xlpfbmot.exe] C:\WINDOWS\xlpfbmot.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [tjblnwsd.exe] C:\WINDOWS\tjblnwsd.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [xlpgewlg.exe] C:\WINDOWS\xlpgewlg.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ntthhgwp.exe] C:\WINDOWS\ntthhgwp.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [dbxkizhe.exe] C:\WINDOWS\dbxkizhe.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [nttmpmjt.exe] C:\WINDOWS\nttmpmjt.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [tjblfcql.exe] C:\WINDOWS\tjblfcql.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [zzjwjlox.exe] C:\WINDOWS\zzjwjlox.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [phnygygt.exe] C:\WINDOWS\phnygygt.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ntthprqq.exe] C:\WINDOWS\ntthprqq.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [jrfsjqod.exe] C:\WINDOWS\jrfsjqod.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [jrfuvzex.exe] C:\WINDOWS\jrfuvzex.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [zzjpuuvc.exe] C:\WINDOWS\zzjpuuvc.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COM+ System Application (COMSysApp) - Unknown owner - C:\WINDOWS\system32\dllhost.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service (lavasoft ad-aware service) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\system32\msiexec.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\system32\dllhost.exe (file missing)

--
End of file - 9048 bytes

0

As you can imagine, this is going to take a while to go through this whole log. I have to look at each entry.
Two things I note, other than the notations about the infected files, are these:
C:\A Day To Remember - If It Means A Lot To You.mp3
This file came onto the computer on 2/27/2009. Looks to me like all the rest of this junk began arriving the next day.
Another thing I noted is that you have an odd task in your Task Scheduler:
2009-03-05 c:\windows\Tasks\At1.job
- c:\windows\system32\lzaapgm.dll
See if you can get that out of there. It shouldn't be there.
Also, I see that Ad-Aware has been added as a scheduled task. Take that one out too.
I will get back with you on the rest of the log.
AFTER you do those things above, update MBA-M and run a Full System scan with it. Have it REMOVE all found. Save the log.
Reboot and post back with the MBA-M log.
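A small triage script for the ComboFix sections discussed in the post above, added here as an example; it is not code from this thread, from ComboFix or from HijackThis. It assumes you have pasted the "Reg Loading Points" and "Scheduled Tasks" text into a string (the sample below is constructed from entries in the log) and it flags the three patterns a reviewer looks for by eye: Run entries under the SYSTEM/.DEFAULT hive that launch an executable sitting directly in the Windows root, several differently named executables of identical size registered under one key, and an At<N>.job task whose payload is a DLL or is missing. The finding names (`system-hive-run`, `size-cluster`, `task-dll-payload`) are my own labels.

```python
"""Triage helper for ComboFix 'Reg Loading Points' / 'Scheduled Tasks' text.

Added example for this thread; not ComboFix or HijackThis code. It mechanises
three checks a log reviewer applies by hand:
  1. autostart entries under the SYSTEM or .DEFAULT user hive that launch an
     executable directly from the Windows root folder,
  2. several differently named executables of one size in one Run key
     (a dropper re-registering copies of itself),
  3. scheduled tasks whose payload is a DLL or is missing altogether.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample shaped like the ComboFix output in this thread
# (names, paths and sizes taken from the log; this is not a full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 81408]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 434176]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 c:\windows\arpwrmsg.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"zzjpuuvc.exe"="c:\windows\zzjpuuvc.exe" [BU]
"rvhkisic.exe"="c:\windows\rvhkisic.exe" [2009-03-05 11776]
"xlpmqoan.exe"="c:\windows\xlpmqoan.exe" [2009-03-05 11776]
"jrfnggzq.exe"="c:\windows\jrfnggzq.exe" [2009-03-05 11776]

Contents of the 'Scheduled Tasks' folder

2009-03-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-04 17:40]

2009-03-05 c:\windows\Tasks\At1.job
- c:\windows\system32\lzaapgm.dll []
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)" \[(?P<meta>[^\]]*)\]$')
SIZE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<size>\d+)$")        # "[date size]" form
JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>.+\\Tasks\\.+\.job)$", re.I)
JOB_TARGET_RE = re.compile(r"^- (?P<target>.+?) \[[^\]]*\]$")     # "- payload [meta]"
WINDOWS_ROOT_EXE = re.compile(r"^c:\\windows\\[^\\]+\.exe$", re.I)
SYSTEM_HIVES = ("HKEY_USERS\\.DEFAULT\\", "HKEY_USERS\\S-1-5-18\\")


@dataclass
class RunEntry:
    key: str
    name: str
    path: str
    size: Optional[int]  # None when ComboFix printed [BU] or no size


@dataclass
class TaskEntry:
    job: str
    target: Optional[str]  # None when the payload line is absent


def parse_loading_points(text: str) -> Tuple[List[RunEntry], List[TaskEntry]]:
    """Walk the text once, tracking the current registry key for Run lines."""
    runs: List[RunEntry] = []
    tasks: List[TaskEntry] = []
    key = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if m := KEY_RE.match(line):
            key = m.group("key")
        elif (m := RUN_RE.match(line)) and key:
            sm = SIZE_RE.match(m.group("meta"))
            size = int(sm.group("size")) if sm else None
            runs.append(RunEntry(key, m.group("name"), m.group("path"), size))
        elif m := JOB_RE.match(line):
            target = None
            if i + 1 < len(lines):
                tm = JOB_TARGET_RE.match(lines[i + 1].strip())
                if tm:
                    target = tm.group("target")
                    i += 1  # consume the payload line
            tasks.append(TaskEntry(m.group("job"), target))
        i += 1
    return runs, tasks


def triage(runs: List[RunEntry], tasks: List[TaskEntry]) -> List[Tuple[str, str]]:
    findings: List[Tuple[str, str]] = []
    # 1. Installed software does not normally register a SYSTEM/.DEFAULT autostart
    #    that launches an executable dropped straight into the Windows root.
    for r in runs:
        if r.key.upper().startswith(SYSTEM_HIVES) and WINDOWS_ROOT_EXE.match(r.path):
            findings.append(("system-hive-run", r.path))
    # 2. Many names, one size, one key: copies of a single dropper.
    by_size = defaultdict(set)
    for r in runs:
        if r.size is not None:
            by_size[(r.key, r.size)].add(r.path.lower())
    for (key, size), paths in by_size.items():
        if len(paths) >= 3:
            findings.append(("size-cluster", f"{len(paths)} entries of {size} bytes under {key}"))
    # 3. At<N>.job files are created by the AT command; a DLL or absent payload
    #    is not what a user-created task looks like.
    for t in tasks:
        if t.target is None or t.target.lower().endswith(".dll"):
            findings.append(("task-dll-payload", t.job))
    return findings


if __name__ == "__main__":
    found_runs, found_tasks = parse_loading_points(SAMPLE_LOG)
    for kind, detail in triage(found_runs, found_tasks):
        print(f"{kind:18} {detail}")
```

The size-cluster check is the one that survives name churn: the dropper in this log writes a fresh eight-letter name each time but the 11,776-byte size stays constant, so grouping by (key, size) finds the family even when no individual name is known in advance. On the constructed sample the script reports four system-hive entries, one size cluster and the At1.job task.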

0

Well, as you can see, both MBA-M and ComboFix did remove "some" infections but certainly not all. The computer is "grossly" infected and there are more coming on daily.
One may have been added just yesterday. If you note in the ComboFix log, there is a Scheduled Task added yesterday, Ad-AwareAdmin.exe. DID you add that yourself?
And if you did, why did you add a new program in the middle of a fix?
If you didn't, then this could be a sign of a new infection.
I have given this a lot of thought since my post to you less than an hour ago; you may be better off reformatting and reloading. The reason being, the computer has so many infections on it that key files may have been damaged, and even if the infections are removed the computer may not work the way it once did.
I will let you choose. If you wish to go on, then I will try to help you get the computer clean. I cannot guarantee this will work, but I am willing to try.
Let me know.
Judy

0

First I didn't add adaware to the scheduled tasks.

Secondly, the computer is running noticeably better as of now. One reboot's and things DEP is only popping up sometimes, rather than every time. And it hasn't crashed as often.

There's still a few problems such as application errors and things like that, but definitely not as bad as it was.

So I won't waste too much more of your time. If it's not resolved soon, I'll give up. But right now I have to much to lose and don't really want to reformat. Mainly almost 10k songs on my iTunes... and i've lost my iPod recently, so can't just put them back on my computer after reformatting.

Here's the Malwarebytes log:
Malwarebytes' Anti-Malware 1.34
Database version: 1825
Windows 5.1.2600 Service Pack 2

3/6/2009 11:40:24 PM
mbam-log-2009-03-06 (23-40-24).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 153872
Time elapsed: 49 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Help\bnts.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Help\sniffpol.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Help\sstub.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Help\tshoot.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.


Do another run with ComboFix and post that log. Be sure to turn off all antivirus, firewall and antispyware programs first.


ComboFix 09-03-06.02 - HP_Administrator 2009-03-07 18:57:41.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.532 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Administrator\reader_s.exe
c:\windows\file.bat
c:\windows\services.exe
c:\windows\system32\4.tmp
c:\windows\system32\5.tmp
c:\windows\system32\A.tmp
c:\windows\system32\C.tmp
c:\windows\system32\config\systemprofile\reader_s.exe
c:\windows\system32\reader_s.exe

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-02-08 to 2009-03-08 )))))))))))))))))))))))))))))))
.

2009-03-07 19:10 . 2009-03-07 19:10 38,913 --a------ c:\windows\system32\8.tmp
2009-03-07 16:06 . 2009-03-07 16:06 80 --a------ c:\windows\system32\7.tmp
2009-03-07 13:07 . 2009-03-07 13:07 80 --a------ c:\windows\system32\6.tmp
2009-03-07 04:42 . 2009-03-07 04:43 180 --a------ c:\windows\system32\82.tmp
2009-03-07 02:41 . 2009-03-07 02:42 80 --a------ c:\windows\system32\3.tmp
2009-03-06 23:44 . 2009-03-06 23:44 80 --a------ c:\windows\system32\2.tmp
2009-03-06 17:59 . 2009-03-06 17:59 24,577 --a------ c:\windows\system32\AC.tmp
2009-03-06 17:59 . 2009-03-06 17:59 80 --a------ c:\windows\system32\AB.tmp
2009-03-06 16:46 . 2009-03-06 16:46 38,913 --a------ c:\windows\system32\59.tmp
2009-03-06 16:34 . 2009-03-06 16:34 38,913 --a------ c:\windows\system32\58.tmp
2009-03-06 16:34 . 2009-03-06 16:34 80 --a------ c:\windows\system32\56.tmp
2009-03-06 03:02 . 2009-03-06 03:02 1,355 --a------ c:\windows\imsins.BAK
2009-03-06 02:50 . 2009-03-06 02:50 0 --a------ c:\windows\system32\54.tmp
2009-03-06 02:30 . 2009-03-06 02:30 161,792 --a------ c:\windows\system32\53.tmp
2009-03-06 02:30 . 2009-03-06 02:30 24,577 --a------ c:\windows\system32\55.tmp
2009-03-06 02:30 . 2009-03-06 02:30 11,776 --a------ c:\windows\jrfuvzex.exe
2009-03-06 02:30 . 2009-03-06 02:30 124 --a------ c:\windows\system32\52.tmp
2009-03-06 02:28 . 2009-03-06 02:28 24,577 --a------ c:\windows\system32\57.tmp
2009-03-06 02:28 . 2009-03-06 02:28 11,776 --a------ c:\windows\jrfsjqod.exe
2009-03-06 02:25 . 2009-03-06 02:28 161,792 --a------ c:\windows\system32\4F.tmp
2009-03-06 02:23 . 2009-03-06 02:23 24,577 --a------ c:\windows\system32\50.tmp
2009-03-06 02:23 . 2009-03-06 02:23 11,776 --a------ c:\windows\ntthprqq.exe
2009-03-06 01:31 . 2009-03-06 01:31 38,913 --a------ c:\windows\system32\51.tmp
2009-03-06 01:31 . 2009-03-06 01:31 124 --a------ c:\windows\system32\4D.tmp
2009-03-06 01:31 . 2009-03-06 01:31 0 --a------ c:\windows\system32\4E.tmp
2009-03-06 01:29 . 2009-03-06 01:29 162,304 --a------ c:\windows\system32\4A.tmp
2009-03-06 01:29 . 2009-03-06 01:29 38,913 --a------ c:\windows\system32\4C.tmp
2009-03-06 01:29 . 2009-03-06 01:29 11,776 --a------ c:\windows\phnygygt.exe
2009-03-06 01:29 . 2009-03-06 01:29 124 --a------ c:\windows\system32\48.tmp
2009-03-06 01:29 . 2009-03-06 01:29 0 --a------ c:\windows\system32\4B.tmp
2009-03-06 01:27 . 2009-03-06 01:27 162,304 --a------ c:\windows\system32\47.tmp
2009-03-06 01:27 . 2009-03-06 01:27 38,913 --a------ c:\windows\system32\49.tmp
2009-03-06 01:27 . 2009-03-06 01:27 11,776 --a------ c:\windows\zzjwjlox.exe
2009-03-06 01:27 . 2009-03-06 01:27 124 --a------ c:\windows\system32\45.tmp
2009-03-06 01:19 . 2009-03-06 01:19 38,913 --a------ c:\windows\system32\46.tmp
2009-03-06 01:19 . 2009-03-06 01:19 11,776 --a------ c:\windows\tjblfcql.exe
2009-03-06 01:16 . 2009-03-06 01:19 162,304 --a------ c:\windows\system32\43.tmp
2009-03-06 01:12 . 2009-03-06 01:12 11,776 --a------ c:\windows\nttmpmjt.exe
2009-03-06 01:01 . 2009-03-06 01:03 125,619 --a------ c:\windows\system32\42.tmp
2009-03-06 01:01 . 2009-03-06 01:01 124 --a------ c:\windows\system32\41.tmp
2009-03-06 00:51 . 2009-03-06 00:51 0 --a------ c:\windows\system32\3F.tmp
2009-03-06 00:49 . 2009-03-06 00:49 25,601 --a------ c:\windows\system32\40.tmp
2009-03-06 00:49 . 2009-03-06 00:49 11,776 --a------ c:\windows\dbxkizhe.exe
2009-03-06 00:41 . 2009-03-06 00:41 11,776 --a------ c:\windows\ntthhgwp.exe
2009-03-06 00:28 . 2009-03-06 00:28 11,776 --a------ c:\windows\xlpgewlg.exe
2009-03-05 17:57 . 2009-03-05 17:57 0 --a------ c:\windows\system32\3C.tmp
2009-03-05 17:55 . 2009-03-05 17:55 24,577 --a------ c:\windows\system32\44.tmp
2009-03-05 17:55 . 2009-03-05 17:55 11,776 --a------ c:\windows\tjblnwsd.exe
2009-03-05 17:53 . 2009-03-05 17:55 162,816 --a------ c:\windows\system32\3D.tmp
2009-03-05 17:53 . 2009-03-05 17:53 124 --a------ c:\windows\system32\3B.tmp
2009-03-05 17:51 . 2009-03-05 17:51 24,577 --a------ c:\windows\system32\3E.tmp
2009-03-05 17:51 . 2009-03-05 17:51 11,776 --a------ c:\windows\xlpfbmot.exe
2009-03-05 17:48 . 2009-03-05 17:51 162,816 --a------ c:\windows\system32\3A.tmp
2009-03-05 17:48 . 2009-03-05 17:48 124 --a------ c:\windows\system32\38.tmp
2009-03-05 16:18 . 2009-03-05 16:18 38,913 --a------ c:\windows\system32\39.tmp
2009-03-05 16:18 . 2009-03-05 16:18 124 --a------ c:\windows\system32\34.tmp
2009-03-05 16:18 . 2009-03-05 16:18 0 --a------ c:\windows\system32\35.tmp
2009-03-05 16:16 . 2009-03-05 16:16 38,913 --a------ c:\windows\system32\37.tmp
2009-03-05 16:16 . 2009-03-05 16:16 11,776 --a------ c:\windows\zzjzavyp.exe
2009-03-05 16:15 . 2009-03-05 16:16 161,792 --a------ c:\windows\system32\33.tmp
2009-03-05 16:15 . 2009-03-05 16:15 124 --a------ c:\windows\system32\32.tmp
2009-03-05 16:13 . 2009-03-05 16:13 38,913 --a------ c:\windows\system32\36.tmp
2009-03-05 16:13 . 2009-03-05 16:13 11,776 --a------ c:\windows\xlpgzhxf.exe
2009-03-05 16:11 . 2009-03-05 16:13 161,792 --a------ c:\windows\system32\31.tmp
2009-03-05 16:11 . 2009-03-05 16:11 124 --a------ c:\windows\system32\2E.tmp
2009-03-05 16:02 . 2009-03-05 16:02 162,304 --a------ c:\windows\system32\2C.tmp
2009-03-05 16:02 . 2009-03-05 16:02 38,913 --a------ c:\windows\system32\30.tmp
2009-03-05 16:02 . 2009-03-05 16:02 11,776 --a------ c:\windows\xlpmipqq.exe
2009-03-05 16:02 . 2009-03-05 16:02 124 --a------ c:\windows\system32\2B.tmp
2009-03-05 16:00 . 2009-03-05 16:00 25,601 --a------ c:\windows\system32\2F.tmp
2009-03-05 16:00 . 2009-03-05 16:00 11,776 --a------ c:\windows\tjblgbek.exe
2009-03-05 15:57 . 2009-03-05 16:00 162,304 --a------ c:\windows\system32\2A.tmp
2009-03-05 15:57 . 2009-03-05 15:57 124 --a------ c:\windows\system32\29.tmp
2009-03-05 15:49 . 2009-03-05 15:49 25,601 --a------ c:\windows\system32\2D.tmp
2009-03-05 15:49 . 2009-03-05 15:49 11,776 --a------ c:\windows\dbxjszxr.exe
2009-03-05 15:46 . 2009-03-05 15:49 162,304 --a------ c:\windows\system32\28.tmp
2009-03-05 15:46 . 2009-03-05 15:46 124 --a------ c:\windows\system32\23.tmp
2009-03-05 12:47 . 2009-03-05 12:47 25,601 --a------ c:\windows\system32\27.tmp
2009-03-05 12:45 . 2009-03-05 12:47 81,785 --a------ c:\windows\system32\1F.tmp
2009-03-05 12:45 . 2009-03-05 12:45 124 --a------ c:\windows\system32\1C.tmp
2009-03-05 12:43 . 2009-03-05 12:43 25,601 --a------ c:\windows\system32\1E.tmp
2009-03-05 12:43 . 2009-03-05 12:43 11,776 --a------ c:\windows\hdldfybo.exe
2009-03-05 12:39 . 2009-03-05 12:39 25,601 --a------ c:\windows\system32\1D.tmp
2009-03-05 12:39 . 2009-03-05 12:39 11,776 --a------ c:\windows\xlpftlhf.exe
2009-03-05 05:13 . 2009-03-05 05:13 11,776 --a------ c:\windows\jrfnggzq.exe
2009-03-05 04:43 . 2009-03-05 04:43 11,776 --a------ c:\windows\xlpmqoan.exe
2009-03-05 04:37 . 2009-03-05 04:37 11,776 --a------ c:\windows\rvhkisic.exe
2009-03-05 02:56 . 2009-03-05 02:56 29,184 --a------ c:\windows\fpruyxxm.exe
2009-03-05 00:48 . 2009-03-05 00:48 29,184 --a------ c:\windows\jrfwlkzj.exe
2009-03-05 00:28 . 2009-03-05 00:28 29,184 --a------ c:\windows\vxserapq.exe
2009-03-04 21:27 . 2009-03-04 21:27 28,672 --a------ c:\windows\jrcnrtes.exe
2009-03-04 17:35 . 2009-03-04 17:35 <DIR> d-------- c:\program files\CCleaner
2009-03-04 17:34 . 2009-03-04 17:34 <DIR> d-------- c:\program files\Trend Micro
2009-03-04 16:54 . 2009-03-04 16:54 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-04 16:54 . 2009-03-04 23:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-04 16:39 . 2009-03-04 16:39 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\SampleView
2009-03-04 16:31 . 2009-03-06 02:30 136,096 --a------ c:\windows\system32\drivers\ethqszcx.sys
2009-03-04 16:29 . 2009-03-04 16:31 161,792 --a------ c:\windows\system32\26.tmp
2009-03-04 16:29 . 2009-03-04 16:29 38,913 --a------ c:\windows\system32\25.tmp
2009-03-04 16:29 . 2009-03-04 16:29 84 --a------ c:\windows\system32\24.tmp
2009-03-04 05:56 . 2009-03-04 17:41 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-03-04 04:09 . 2009-03-04 04:12 162,816 --a------ c:\windows\system32\22.tmp
2009-03-04 04:09 . 2009-03-04 04:09 38,913 --a------ c:\windows\system32\21.tmp
2009-03-04 04:09 . 2009-03-04 04:09 30,208 --a------ c:\windows\system32\1B.tmp
2009-03-04 04:09 . 2009-03-04 04:09 124 --a------ c:\windows\system32\1A.tmp
2009-03-04 04:06 . 2009-03-04 04:06 101,581 --a------ c:\windows\system32\20.tmp
2009-03-04 04:06 . 2009-03-04 04:06 38,913 --a------ c:\windows\system32\19.tmp
2009-03-04 04:06 . 2009-03-04 04:06 30,208 --a------ c:\windows\system32\18.tmp
2009-03-04 04:06 . 2009-03-04 04:06 124 --a------ c:\windows\system32\17.tmp
2009-03-04 04:00 . 2009-03-04 04:02 162,816 --a------ c:\windows\system32\16.tmp
2009-03-04 04:00 . 2009-03-04 04:00 30,208 --a------ c:\windows\system32\14.tmp
2009-03-04 04:00 . 2009-03-04 04:00 25,601 --a------ c:\windows\system32\15.tmp
2009-03-04 04:00 . 2009-03-04 04:00 124 --a------ c:\windows\system32\13.tmp
2009-03-04 02:47 . 2009-03-04 02:47 161,792 --a------ c:\windows\system32\12.tmp
2009-03-04 02:47 . 2009-03-04 02:47 30,208 --a------ c:\windows\system32\10.tmp
2009-03-04 02:47 . 2009-03-04 02:47 24,577 --a------ c:\windows\system32\11.tmp
2009-03-02 01:57 . 2009-03-05 16:18 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-01 23:15 . 2009-03-04 19:55 <DIR> d-------- c:\windows\system32\inf
2009-02-27 01:58 . 2009-02-27 01:59 3,903,110 --a------ C:\A Day To Remember - If It Means A Lot To You.mp3
2009-02-13 18:27 . 2009-02-13 18:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Adobe Systems
2009-02-13 18:22 . 2009-02-13 18:22 <DIR> d-------- c:\program files\Common Files\Adobe Systems Shared
2009-02-12 16:42 . 2009-02-28 03:01 <DIR> d-------- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-06 07:55 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-03-04 22:42 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-04 22:40 64,160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-03-03 03:42 --------- d-----w c:\program files\World of Warcraft
2009-03-01 08:44 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\LimeWire
2009-02-13 23:29 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-13 23:22 --------- d-----w c:\program files\Common Files\Adobe
2009-02-12 19:48 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Roxio
2009-02-12 19:48 --------- d-----w c:\documents and settings\All Users\Application Data\Roxio
2009-02-11 15:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 15:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-06 16:13 --------- d-----w c:\documents and settings\LocalService\Application Data\Roxio
2009-02-06 11:18 --------- d-----w c:\program files\Common Files\AVSMedia
2009-02-06 11:14 --------- d-----w c:\documents and settings\All Users\Application Data\AVS4YOU
2009-02-06 11:13 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\AVS4YOU
2009-02-06 10:53 --------- d-----w c:\documents and settings\All Users\Application Data\Sonic
2009-02-06 10:52 --------- d-----w c:\program files\Common Files\Sonic Shared
2009-02-06 10:51 --------- d-----w c:\program files\Roxio
2009-02-06 10:51 --------- d-----w c:\program files\Common Files\Roxio Shared
2009-02-06 10:47 --------- d-----w c:\program files\Common Files\Research In Motion
2009-02-05 13:31 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-02-05 13:31 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-02-04 20:03 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Research In Motion
2009-02-04 20:00 --------- d-----w c:\program files\Research In Motion
2009-02-04 20:00 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Blackberry Desktop
2009-01-30 13:14 --------- d-----w c:\program files\LimeWire
2009-01-30 13:14 --------- d-----w c:\program files\Java
2009-01-30 11:07 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-01-30 11:07 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-29 23:50 0 ----a-w c:\windows\system32\drivers\11cb1818.sys
2009-01-29 01:26 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-29 01:25 --------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-29 01:24 --------- d-----w c:\program files\Lavasoft
2009-01-25 08:29 --------- d-----w c:\program files\AlphaZIP
2009-01-25 07:17 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard
2009-01-25 04:59 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2009-01-25 01:16 --------- d-----w c:\program files\AVG
2009-01-24 10:56 --------- d-----w c:\program files\Last.fm
2009-01-24 03:32 --------- d-----w c:\program files\iTunes
2009-01-24 03:31 --------- d-----w c:\program files\QuickTime
2009-01-24 03:14 1,915 --sha-r c:\windows\system32\drivers\103C_HP_CPC_EK425AA-ABA M7259C_YC_0Pavi_QMXK544_E54NAemMPC3_48_IAMETHYST-M_SMSI_V1.0_B3.35_T050930_WXP2_L409_M959_J250_7AMD_8Athlon 64 X2 Dual Core_92.19_#051226_N10EC8139_Z11C1048C_G10025954.MRK
2009-01-24 03:14 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Apple Computer
2009-01-24 02:21 --------- d-----w c:\documents and settings\All Users\Application Data\AppRanger
2009-01-24 02:19 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\AdobeUM
2009-01-24 01:45 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\HPQ
2009-01-24 01:38 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-18 00:45 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\acccore
2009-01-18 00:42 --------- d-----w c:\program files\Common Files\AOL
2009-01-18 00:42 --------- d-----w c:\program files\AIM6
2009-01-18 00:42 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-18 00:42 --------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP
2009-01-18 00:42 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-01-18 00:42 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2009-01-18 00:15 --------- d-----w c:\documents and settings\All Users\Application Data\Last.fm
2009-01-18 00:03 --------- d-----w c:\program files\Common Files\Apple
2009-01-18 00:03 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-18 00:02 --------- d-----w c:\program files\Bonjour
2009-01-18 00:02 --------- d-----w c:\program files\Apple Software Update
2009-01-18 00:01 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 32256]
"Aim6"="" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 81408]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 69632]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 266240]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2005-05-10 274432]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 69632]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 434176]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-04 515416]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-30 136600]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 c:\windows\arpwrmsg.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"zzjpuuvc.exe"="c:\windows\zzjpuuvc.exe" [BU]
"rvhkisic.exe"="c:\windows\rvhkisic.exe" [2009-03-05 11776]
"xlpmqoan.exe"="c:\windows\xlpmqoan.exe" [2009-03-05 11776]
"jrfnggzq.exe"="c:\windows\jrfnggzq.exe" [2009-03-05 11776]
"xlpftlhf.exe"="c:\windows\xlpftlhf.exe" [2009-03-05 11776]
"hdldfybo.exe"="c:\windows\hdldfybo.exe" [2009-03-05 11776]
"dbxjszxr.exe"="c:\windows\dbxjszxr.exe" [2009-03-05 11776]
"tjblgbek.exe"="c:\windows\tjblgbek.exe" [2009-03-05 11776]
"xlpmipqq.exe"="c:\windows\xlpmipqq.exe" [2009-03-05 11776]
"xlpgzhxf.exe"="c:\windows\xlpgzhxf.exe" [2009-03-05 11776]
"zzjzavyp.exe"="c:\windows\zzjzavyp.exe" [2009-03-05 11776]
"xlpfbmot.exe"="c:\windows\xlpfbmot.exe" [2009-03-05 11776]
"tjblnwsd.exe"="c:\windows\tjblnwsd.exe" [2009-03-05 11776]
"xlpgewlg.exe"="c:\windows\xlpgewlg.exe" [2009-03-06 11776]
"ntthhgwp.exe"="c:\windows\ntthhgwp.exe" [2009-03-06 11776]
"dbxkizhe.exe"="c:\windows\dbxkizhe.exe" [2009-03-06 11776]
"nttmpmjt.exe"="c:\windows\nttmpmjt.exe" [2009-03-06 11776]
"tjblfcql.exe"="c:\windows\tjblfcql.exe" [2009-03-06 11776]
"zzjwjlox.exe"="c:\windows\zzjwjlox.exe" [2009-03-06 11776]
"phnygygt.exe"="c:\windows\phnygygt.exe" [2009-03-06 11776]
"ntthprqq.exe"="c:\windows\ntthprqq.exe" [2009-03-06 11776]
"jrfsjqod.exe"="c:\windows\jrfsjqod.exe" [2009-03-06 11776]
"jrfuvzex.exe"="c:\windows\jrfuvzex.exe" [2009-03-06 11776]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 131072]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 303104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-05 08:31 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lavasoft ad-aware service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2009-02-05 08:31 1601304 c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.3.9183-to-3.0.8.9464-enUS-downloader.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=
"c:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-28 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-24 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-24 107272]
R2 lavasoft ad-aware service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951120]
S1 11cb1818;11cb1818;c:\windows\system32\drivers\11cb1818.sys [2009-01-25 0]
S2 vmfezqpn;IPX Traffic Forwarder Monitor;c:\windows\System32\svchost.exe -k netsvcs [2004-08-10 14336]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-24 903960]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-24 298264]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
vmfezqpn

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
.
Contents of the 'Scheduled Tasks' folder

2009-03-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-04 17:40]

2009-02-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\zwnub4bw.default\
FF - prefs.js: browser.startup.homepage - www.myspace.com
FF - component: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\zwnub4bw.default\extensions\{d0c29249-27c7-4192-aec8-6c84436aeb80}\components\TSBoxFF.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-07 19:14:50
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-618976518-1615240946-2069970529-1008\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{19118023-ED5C-40C9-7A76-2AA9A8440217}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaphjhmoocpodknnpe"=hex:69,61,64,70,6b,68,6d,62,6a,69,63,6d,70,6e,6e,70,6c,6a,
00,00
"habhfmeogabdiopm"=hex:69,61,64,70,6b,68,6d,62,6a,69,63,6d,70,6e,6e,70,6c,6a,
00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(616)
c:\windows\system32\Ati2evxx.dll
c:\program files\Bonjour\mdnsNSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\dumprep.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\hp\KBD\kbd.exe
c:\windows\ALCXMNTR.EXE
c:\windows\system\hpsysdrv.exe
.
**************************************************************************
.
Completion time: 2009-03-07 19:16:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-08 00:16:42
ComboFix2.txt 2009-03-06 21:49:27

Pre-Run: 176,945,377,280 bytes free
Post-Run: 176,919,404,544 bytes free

387 --- E O F --- 2009-03-07 08:00:49


OK, here you go. Again I ask: are you sure you do not want to just go ahead and reformat?

You can decide. If you choose not to do these next steps, that is fine.

· Make sure that ComboFix.exe is on your Desktop, but do not run it!
o If it is not on your Desktop, the steps below will not work.
· Open Notepad and copy/paste the text in the code box below into it (make sure you scroll all the way down in the code box so that all lines are selected):

KillAll::

Files::

c:\windows\jrfuvzex.exe
c:\windows\jrfsjqod.exe
c:\windows\ntthprqq.exe
c:\windows\phnygygt.exe
c:\windows\zzjwjlox.exe
c:\windows\tjblfcql.exe
c:\windows\nttmpmjt.exe
c:\windows\dbxkizhe.exe
c:\windows\ntthhgwp.exe
c:\windows\xlpgewlg.exe
c:\windows\tjblnwsd.exe
c:\windows\xlpfbmot.exe
c:\windows\zzjzavyp.exe
c:\windows\xlpgzhxf.exe
c:\windows\xlpmipqq.exe
c:\windows\tjblgbek.exe
c:\windows\dbxjszxr.exe
c:\windows\hdldfybo.exe
c:\windows\xlpftlhf.exe
c:\windows\jrfnggzq.exe
c:\windows\xlpmqoan.exe
c:\windows\rvhkisic.exe
c:\windows\fpruyxxm.exe
c:\windows\jrfwlkzj.exe
c:\windows\vxserapq.exe
c:\windows\jrcnrtes.exe
c:\windows\system32\lsdelete.exe
c:\windows\system32\8.tmp
c:\windows\system32\7.tmp
c:\windows\system32\6.tmp
c:\windows\system32\82.tmp
c:\windows\system32\3.tmp
c:\windows\system32\2.tmp
c:\windows\system32\AC.tmp
c:\windows\system32\AB.tmp
c:\windows\system32\59.tmp
c:\windows\system32\58.tmp
c:\windows\system32\56.tmp
c:\windows\system32\54.tmp
c:\windows\system32\53.tmp
c:\windows\system32\55.tmp
c:\windows\system32\52.tmp
c:\windows\system32\57.tmp
c:\windows\system32\4F.tmp
c:\windows\system32\50.tmp
c:\windows\system32\51.tmp
c:\windows\system32\4D.tmp
c:\windows\system32\4E.tmp
c:\windows\system32\4A.tmp
c:\windows\system32\4C.tmp
c:\windows\system32\48.tmp
c:\windows\system32\4B.tmp
c:\windows\system32\47.tmp
c:\windows\system32\49.tmp
c:\windows\system32\45.tmp
c:\windows\system32\46.tmp
c:\windows\system32\43.tmp
c:\windows\system32\42.tmp
c:\windows\system32\41.tmp
c:\windows\system32\3F.tmp
c:\windows\system32\40.tmp
c:\windows\system32\3C.tmp
c:\windows\system32\44.tmp
c:\windows\system32\3D.tmp
c:\windows\system32\3B.tmp
c:\windows\system32\3E.tmp
c:\windows\system32\3A.tmp
c:\windows\system32\38.tmp
c:\windows\system32\39.tmp
c:\windows\system32\34.tmp
c:\windows\system32\35.tmp
c:\windows\system32\37.tmp
c:\windows\system32\33.tmp
c:\windows\system32\32.tmp
c:\windows\system32\36.tmp
c:\windows\system32\31.tmp
c:\windows\system32\2E.tmp
c:\windows\system32\2C.tmp
c:\windows\system32\30.tmp
c:\windows\system32\2B.tmp
c:\windows\system32\2F.tmp
c:\windows\system32\2A.tmp
c:\windows\system32\29.tmp
c:\windows\system32\2D.tmp
c:\windows\system32\28.tmp
c:\windows\system32\23.tmp
c:\windows\system32\27.tmp
c:\windows\system32\1F.tmp
c:\windows\system32\1C.tmp
c:\windows\system32\1E.tmp
c:\windows\system32\1D.tmp
c:\windows\system32\26.tmp
c:\windows\system32\25.tmp
c:\windows\system32\24.tmp
c:\windows\system32\22.tmp
c:\windows\system32\21.tmp
c:\windows\system32\1B.tmp
c:\windows\system32\1A.tmp
c:\windows\system32\20.tmp
c:\windows\system32\19.tmp
c:\windows\system32\18.tmp
c:\windows\system32\17.tmp
c:\windows\system32\16.tmp
c:\windows\system32\14.tmp
c:\windows\system32\15.tmp
c:\windows\system32\13.tmp
c:\windows\system32\12.tmp
c:\windows\system32\10.tmp
c:\windows\system32\11.tmp
c:\windows\imsins.BAK
c:\windows\system32\drivers\11cb1818.sys
c:\windows\system32\drivers\ethqszcx.sys

Driver::

ethqszcx
11cb1818


Registry::

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"zzjpuuvc.exe"=-
"rvhkisic.exe"=-
"xlpmqoan.exe"=-
"jrfnggzq.exe"=-
"xlpftlhf.exe"=-
"hdldfybo.exe"=-
"dbxjszxr.exe"=-
"tjblgbek.exe"=-
"xlpmipqq.exe"=-
"xlpgzhxf.exe"=-
"zzjzavyp.exe"=-
"xlpfbmot.exe"=-
"tjblnwsd.exe"=-
"xlpgewlg.exe"=-
"ntthhgwp.exe"=-
"dbxkizhe.exe"=-
"nttmpmjt.exe"=-
"tjblfcql.exe"=-
"zzjwjlox.exe"=-
"phnygygt.exe"=-
"ntthprqq.exe"=-
"jrfsjqod.exe"=-
"jrfuvzex.exe"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"=-

· Save the above as CFScript.txt and make sure you save it to the same location (it should be on your Desktop) as ComboFix.exe.
· At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
· You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
· Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
· Follow the prompts.
· When it finishes, a log will be produced named c:\combofix.txt.
Post back here with that log for your next instructions.
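The Files:: and Registry:: lists in the post above were assembled by hand from the ComboFix log. As an added example (not part of the original thread, and not a ComboFix feature), here is a Python script that applies the same reading of the log automatically: it parses the "Files Created" and "Reg Loading Points" sections, flags paths that fit the dropper pattern visible in this log (eight random lowercase letters as an .exe directly in c:\windows, a one- or two-digit hex name as a .tmp in system32, an eight-character random or hex driver name in system32\drivers) plus any Run value pointing at such an executable, and renders the result in the CFScript layout. The sample input is an excerpt of the log posted above with two benign lines kept in; the name patterns are my heuristics, not ComboFix rules, and the output is a draft for a human to review, because everything listed under Files:: is deleted when the script is run.

```python
import re

# Sample lines excerpted from the ComboFix log posted above (the "Files
# Created" and "Reg Loading Points" sections), with two benign entries
# kept in so the filter has something to leave alone.
SAMPLE_LOG = r"""
2009-03-07 19:10 . 2009-03-07 19:10 38,913 --a------ c:\windows\system32\8.tmp
2009-03-06 02:30 . 2009-03-06 02:30 11,776 --a------ c:\windows\jrfuvzex.exe
2009-03-06 02:28 . 2009-03-06 02:28 11,776 --a------ c:\windows\jrfsjqod.exe
2009-03-04 17:35 . 2009-03-04 17:35 <DIR> d-------- c:\program files\CCleaner
2009-03-04 16:31 . 2009-03-06 02:30 136,096 --a------ c:\windows\system32\drivers\ethqszcx.sys
2009-03-04 05:56 . 2009-03-04 17:41 15,688 --a------ c:\windows\system32\lsdelete.exe
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"jrfuvzex.exe"="c:\windows\jrfuvzex.exe" [2009-03-06 11776]
"rvhkisic.exe"="c:\windows\rvhkisic.exe" [2009-03-05 11776]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 32256]
"""

# One ComboFix "Files Created" line: created stamp, modified stamp,
# size (or <DIR>), attribute string, then the path.
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>\S+) (?P<path>.+)$"
)
REG_KEY = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"')

# Heuristics for the dropper pattern seen in this log. These are this
# example's assumptions about what "looks machine-generated", not rules
# that ComboFix itself applies.
RANDOM_EXE = re.compile(r"^c:\\windows\\[a-z]{8}\.exe$", re.I)
TMP_IN_SYS32 = re.compile(r"^c:\\windows\\system32\\[0-9a-f]{1,2}\.tmp$", re.I)
RANDOM_SYS = re.compile(
    r"^c:\\windows\\system32\\drivers\\(?:[a-z]{8}|[0-9a-f]{8})\.sys$", re.I
)


def triage(log_text):
    """Return (suspicious_files, run_values) from a ComboFix log excerpt.

    suspicious_files: paths matching one of the heuristics above.
    run_values: (registry_key, value_name) pairs under a ...\Run key whose
    target is a RANDOM_EXE path. Anything that matches nothing is left
    alone for manual review rather than flagged.
    """
    files, run_values = [], []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            path = m.group("path")
            if m.group("size") != "<DIR>" and (
                RANDOM_EXE.match(path)
                or TMP_IN_SYS32.match(path)
                or RANDOM_SYS.match(path)
            ):
                files.append(path)
            continue
        m = REG_KEY.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = REG_VALUE.match(line)
        if m and current_key and current_key.lower().endswith(r"\currentversion\run"):
            if RANDOM_EXE.match(m.group("target")):
                run_values.append((current_key, m.group("name")))
    return files, run_values


def build_cfscript(log_text):
    """Render triage() results in the CFScript layout used in the post above."""
    files, run_values = triage(log_text)
    out = ["KillAll::", "", "Files::", ""]
    out.extend(files)
    # Driver:: takes the service name, i.e. the .sys file name without extension.
    drivers = [p.rsplit("\\", 1)[1][:-4] for p in files if p.lower().endswith(".sys")]
    if drivers:
        out += ["", "Driver::", ""] + drivers
    if run_values:
        out += ["", "Registry::", ""]
        last_key = None
        for key, name in run_values:
            if key != last_key:
                out.append(f"[{key}]")
                last_key = key
            out.append(f'"{name}"=-')  # "=-" deletes the value in CFScript
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG))
```

Names that match none of the patterns (lsdelete.exe, ctfmon.exe, the CCleaner folder) are deliberately not flagged: the filter exists to surface the obviously machine-generated names for the person doing the cleanup to confirm, not to decide on its own what gets deleted.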
