Here are the logs.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:03:47 PM, on 6/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.digtrack.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070712
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {C0AB5B8F-452F-4D2C-8CFA-BF881514F294} - C:\WINDOWS\system32\qoMeDuSM.dll (file missing)
O2 - BHO: {8694471a-4659-e33b-3884-b5f5be7b2b2d} - {d2b2b7eb-5f5b-4883-b33e-9564a1744968} - C:\WINDOWS\system32\tlbyuplf.dll
O2 - BHO: (no name) - {E7D78553-9E44-4155-9FF2-549F1946CE69} - C:\WINDOWS\system32\iiffFwxv.dll (file missing)
O2 - BHO: (no name) - {FCE786AE-52E0-4D86-8E82-354C477A1FB8} - C:\WINDOWS\system32\opnkJYrQ.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DellNSCST_GRNCH] "C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe" /HIDEUI
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BM8b0231be] Rundll32.exe "C:\WINDOWS\system32\hlrbtsus.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
--
End of file - 5117 bytes
Malwarebytes' Anti-Malware 1.18
Database version: 883
1:45:44 PM 6/23/2008
mbam-log-6-23-2008 (13-45-44).txt
Scan type: Quick Scan
Objects scanned: 38783
Time elapsed: 2 minute(s), 59 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 12
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 5
Files Infected: 14
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\fehhkssu.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\tvwmrasg.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\yayayaAs.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\pmnkKbCu.dll (Trojan.Vundo) -> Unloaded module successfully.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{acdc6ce7-cb9d-407d-b371-b5fe83d8364e} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{acdc6ce7-cb9d-407d-b371-b5fe83d8364e} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{4e06327d-0415-475f-898b-6acfb316073e} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e06327d-0415-475f-898b-6acfb316073e} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmnkkbcu (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{474a2ced-6412-b054-c592-b63a1e055a60} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{474a2ced-6412-b054-c592-b63a1e055a60} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\88310222 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{4e06327d-0415-475f-898b-6acfb316073e} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{5c963dbc-9662-1394-d254-bc20df59d0d4} (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\yayayaas -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\yayayaas -> Quarantined and deleted successfully.
Folders Infected:
C:\WINDOWS\system32\mir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xc (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\modtrux05 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\49a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jdam (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\fehhkssu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\usskhhef.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tvwmrasg.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\gsarmwvt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yayayaAs.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\sAayayay.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sAayayay.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnkKbCu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\mir\snktrax.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xc\areamdel.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\modtrux05\modtrux051080.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\{084af95f-0727-180a-556b-de27bc88c825}.dll-uninst.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\{084af95f-0727-180a-556b-de27bc88c825}.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
ComboFix 08-06-20.4 - Triple E 2008-06-23 12:08:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1625 [GMT -4:00]
Running from: C:\Documents and Settings\Triple E\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Triple E\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\system32\{98b18fa1-8199-5ecb-5839-2dbbfd486911}.dll-uninst.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\BM8b0231be.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\gsarmwvt.ini
C:\WINDOWS\system32\MSuDeMoq.ini
C:\WINDOWS\system32\MSuDeMoq.ini2
C:\WINDOWS\system32\sAayayay.ini
C:\WINDOWS\system32\sAayayay.ini2
.
((((((((((((((((((((((((( Files Created from 2008-05-23 to 2008-06-23 )))))))))))))))))))))))))))))))
.
2008-06-23 12:13 . 2008-06-23 12:13 110,419 --a------ C:\WINDOWS\BM8b0231be.xml
2008-06-23 12:13 . 2008-06-23 12:13 22 --a------ C:\WINDOWS\pskt.ini
2008-06-23 11:57 . 2008-06-23 11:57 298,496 --a------ C:\WINDOWS\system32\yayayaAs.dll
2008-06-23 09:51 . 2008-06-23 09:51 122,368 --a------ C:\WINDOWS\system32\tvwmrasg.dll
2008-06-23 09:49 . 2008-06-23 09:49 131,584 --a------ C:\WINDOWS\system32\rincvlbd.dll
2008-06-23 09:49 . 2008-06-23 09:49 131,584 --a------ C:\WINDOWS\system32\kwlovepd.dll
2008-06-23 09:43 . 2008-06-23 09:43 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-23 09:22 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-23 09:22 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-23 09:05 . 2008-06-23 09:05 131,584 --a------ C:\WINDOWS\system32\dmlufofv.dll
2008-06-23 08:54 . 2008-06-23 08:56 <DIR> d-------- C:\BFU
2008-06-20 17:00 . 2008-06-23 11:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVG7
2008-06-20 16:54 . 2008-06-20 16:54 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-20 16:54 . 2008-06-20 16:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-20 16:53 . 2008-06-20 16:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-20 15:52 . 2008-06-20 15:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-20 15:52 . 2008-06-20 15:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-20 15:27 . 2008-06-20 15:27 49,172 --a------ C:\WINDOWS\system32\jmwnw64j.exe
2008-06-20 14:22 . 2008-06-20 14:22 120,320 --a------ C:\WINDOWS\system32\ejcdnxew.dll
2008-06-20 14:17 . 2008-06-23 09:03 <DIR> d--hs---- C:\WINDOWS\VHJpcGxlIEU
2008-06-20 14:17 . 2008-06-20 14:17 <DIR> d-------- C:\WINDOWS\system32\xc
2008-06-20 14:17 . 2008-06-20 14:17 <DIR> d-------- C:\WINDOWS\system32\modtrux05
2008-06-20 14:17 . 2008-06-20 14:17 <DIR> d-------- C:\WINDOWS\system32\mir
2008-06-20 14:17 . 2008-06-23 08:31 <DIR> d-------- C:\WINDOWS\system32\jdam
2008-06-20 14:17 . 2008-06-23 08:31 <DIR> d-------- C:\WINDOWS\system32\49a
2008-06-20 14:17 . 2008-06-20 14:17 <DIR> d--hs---- C:\Documents and Settings\Triple E\!
2008-06-20 14:17 . 2008-06-20 14:17 63,918 --a------ C:\WINDOWS\system32\{084af95f-0727-180a-556b-de27bc88c825}.dll-uninst.exe
2008-06-20 14:17 . 2008-06-20 14:17 44,544 --a------ C:\WINDOWS\system32\pmnkKbCu.dll
2008-05-27 09:35 . 2008-05-27 09:35 370,688 --a------ C:\WINDOWS\system32\{084af95f-0727-180a-556b-de27bc88c825}.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-05-05 15:00 --------- d-----w C:\Program Files\Sierra Wireless
2008-05-05 14:57 --------- d-----w C:\Program Files\Sprint
2008-04-29 15:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 15:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 15:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-24 02:16 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{172e426f-a752-4078-bce9-1db3be207342}]
2008-06-23 09:49 131584 --a------ C:\WINDOWS\system32\rincvlbd.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3D461DCF-0958-4A9C-9DFB-D21DD0C478DB}]
2008-06-23 11:57 298496 --a------ C:\WINDOWS\system32\yayayaAs.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{474a2ced-6412-b054-c592-b63a1e055a60}]
2008-05-27 09:35 370688 --a------ C:\WINDOWS\system32\{084af95f-0727-180a-556b-de27bc88c825}.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E06327D-0415-475F-898B-6ACFB316073E}]
2008-06-20 14:17 44544 --a------ C:\WINDOWS\system32\pmnkKbCu.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C0AB5B8F-452F-4D2C-8CFA-BF881514F294}]
C:\WINDOWS\system32\qoMeDuSM.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E7D78553-9E44-4155-9FF2-549F1946CE69}]
C:\WINDOWS\system32\iiffFwxv.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FCE786AE-52E0-4D86-8E82-354C477A1FB8}]
C:\WINDOWS\system32\opnkJYrQ.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 08:07 843776]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"DellNSCST_GRNCH"="C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe" [2006-12-05 19:09 278528]
"{5c963dbc-9662-1394-d254-bc20df59d0d4}"="C:\WINDOWS\system32\{084af95f-0727-180a-556b-de27bc88c825}.dll" [2008-05-27 09:35 370688]
"88310222"="C:\WINDOWS\system32\tvwmrasg.dll" [2008-06-23 09:51 122368]
"BM8b0231be"="C:\WINDOWS\system32\kwlovepd.dll" [2008-06-23 09:49 131584]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4E06327D-0415-475F-898B-6ACFB316073E}"= C:\WINDOWS\system32\pmnkKbCu.dll [2008-06-20 14:17 44544]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkKbCu]
pmnkKbCu.dll 2008-06-20 14:17 44544 C:\WINDOWS\system32\pmnkKbCu.dll
[HKLM\~\startupfolder\C:^Documents and Settings^Triple E^Start Menu^Programs^Startup^Deewoo.lnk]
path=C:\Documents and Settings\Triple E\Start Menu\Programs\Startup\Deewoo.lnk
backup=C:\WINDOWS\pss\Deewoo.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Triple E^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\Triple E\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\88310222]
--a------ 2008-06-20 14:22 120320 C:\WINDOWS\system32\ejcdnxew.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
C:\Program Files\BearShare\BearShare.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM8b0231be]
--a------ 2008-06-23 09:05 131584 C:\WINDOWS\system32\dmlufofv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\system32\mcntnkdm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 16:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 16:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
--------- 2006-10-20 17:23 118784 C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2006-08-17 09:00 1116920 C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu1188.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{10-02-28-8D-DW}]
--a------ 2008-06-20 15:27 49172 C:\windows\system32\jmwnw64j.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{5c963dbc-9662-1394-d254-bc20df59d0d4}]
--a------ 2008-05-27 09:35 370688 C:\WINDOWS\system32\{084af95f-0727-180a-556b-de27bc88c825}.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\DELL\\Dell Laser MFP 1815\\NetworkScan\\DNSCST.exe"=
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 10:35]
R2 ASFIPmon;Broadcom ASF IP Monitor;"C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe" -service []
R3 swmsflt;swmsflt;C:\WINDOWS\system32\drivers\swmsflt.sys [2007-08-10 11:08]
S2 SSPORT;SSPORT;C:\WINDOWS\system32\Drivers\SSPORT.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e9078a5-a9f7-11dc-a8d8-001aa0a7a004}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9de48a77-0c77-11dd-a8ee-001aa0a7a004}]
\Shell\AutoRun\command - E:\wd_windows_tools\setup.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-06-23 12:13:16
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\gsarmwvt.ini 294 bytes
scan completed successfully
hidden files: 1
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\pmnkKbCu.dll
PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\tvwmrasg.dll
-> C:\WINDOWS\system32\kwlovepd.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2008-06-23 12:17:53 - machine was rebooted [Triple E]
ComboFix-quarantined-files.txt 2008-06-23 16:17:48
Pre-Run: 209,921,339,392 bytes free
Post-Run: 209,929,576,448 bytes free
192 --- E O F --- 2008-06-23 13:35:02
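A triage helper for HijackThis entries like the ones in the log above, added here as an example; it is not part of the original post and not code from HijackThis, Malwarebytes or ComboFix. It parses R0/R1, O2, O4 and O10 lines and flags the patterns that mark the Vundo infection in this log: BHO registrations whose file is already missing, an O4 entry that launches a DLL through Rundll32.exe, eight-letter random-looking DLL names under system32, and an IE start/search page pointing somewhere other than the stock Microsoft and Google locations seen in the R1 lines. The sample input is a subset of lines copied from the posted log. EXPECTED_HOSTS and KNOWN_GOOD are the editor's assumptions (nwprovau.dll is Microsoft's NetWare Winsock provider and a routine O10 hit, so it is deliberately allowlisted), and the eight-letter rule is a heuristic drawn from the names in this log, not a general malware test.

```python
import re
from urllib.parse import urlsplit

# Lines copied from the HijackThis log posted above (a subset, not constructed data).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.digtrack.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {C0AB5B8F-452F-4D2C-8CFA-BF881514F294} - C:\WINDOWS\system32\qoMeDuSM.dll (file missing)
O2 - BHO: {8694471a-4659-e33b-3884-b5f5be7b2b2d} - {d2b2b7eb-5f5b-4883-b33e-9564a1744968} - C:\WINDOWS\system32\tlbyuplf.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BM8b0231be] Rundll32.exe "C:\WINDOWS\system32\hlrbtsus.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
"""

ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
PATH = re.compile(r'[A-Za-z]:\\[^"\s,]+')          # a Windows path up to a quote, space or comma
RANDOM_DLL = re.compile(r"^[A-Za-z]{8}\.dll$")     # heuristic: Vundo names here are 8 random letters
URL = re.compile(r"https?://\S+")

# Assumption: hosts the stock IE settings on this box point at (taken from the R1 lines).
EXPECTED_HOSTS = {"go.microsoft.com", "www.google.com"}
# Assumption / analyst allowlist: nwprovau.dll is Microsoft's NetWare Winsock provider.
KNOWN_GOOD = {"nwprovau.dll"}


def parse(text):
    """Split a HijackThis log into {section, body, line} records, skipping non-entry lines."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            entries.append({"section": m["section"], "body": m["body"], "line": raw.strip()})
    return entries


def reasons_for(entry):
    """Return the list of indicators that make one entry worth a closer look (empty if none)."""
    body, reasons = entry["body"], []
    if "(file missing)" in body:
        reasons.append("registration points at a file that no longer exists")
    if entry["section"] == "O4" and re.search(r"\brundll32\.exe\b", body, re.IGNORECASE):
        reasons.append("autostart loads a DLL via rundll32")
    for path in PATH.findall(body):
        name = path.rsplit("\\", 1)[-1]
        if "\\system32\\" in path.lower() and RANDOM_DLL.match(name) and name.lower() not in KNOWN_GOOD:
            reasons.append(f"random-looking 8-letter DLL in system32: {name}")
    if entry["section"] in ("R0", "R1"):
        for url in URL.findall(body):
            host = urlsplit(url).hostname or ""
            if host not in EXPECTED_HOSTS:
                reasons.append(f"IE page setting points at {host}")
    return reasons


def triage(text):
    """Return (section, reasons, line) for every flagged entry, in log order."""
    return [(e["section"], reasons_for(e), e["line"])
            for e in parse(text) if reasons_for(e)]


if __name__ == "__main__":
    for section, reasons, line in triage(SAMPLE_LOG):
        print(f"{section} | {'; '.join(reasons)}")
        print(f"     {line}")
```

Run against the sample it flags the digtrack.com start page, both random-named BHOs (one of them also as file-missing) and the BM8b0231be Rundll32 autostart, and leaves the Java, AVG, ctfmon and nwprovau entries alone. The heuristic is only a first pass for reading a log: it says nothing about the Winlogon Notify, ShellExecuteHooks and LSA Authentication Packages persistence that Malwarebytes and ComboFix found for the same infection, so their output still has to be read alongside it.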