wmsdkns.exe, other malware and antivirus kills [RESOLVED]
hwg
post May 5 2008, 10:11 PM
Post #1


Member
Posts: 25
OS: XP



Hello,

I am sure you get this all the time, but I am new to posting here and would love for some expert to help me out... I have tried everything I can think of and many of the Google searches. Here is my issue:

I got some ugly virus - Many popups stating I have a virus and to go to their web site for fixes and the computer was running really slow. I used different programs including NOD (which was running when I got infected), AV8, Smitfraud, combofix and ATF (which highlighted Smitfraud and combofix as viruses). This cleaned many of my issues but here are the remaining problems:

1) wmsdkns.exe is in my HijackThis log and on my computer
2) My C: drive is "X"'d out with a RED "X".
3) I can install my purchased NOD application, but when I turn off the pc, I get a kernel error and it doesn't run. I have to do a new reinstall - but it only works until I turn off the pc.

I am running XP 5.1 SP2

Here is my hijack this file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:52 PM, on 5/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - (no file)
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: Download with Rapget - C:\old computer\Downloads\from joe\RapGet\rapget.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1189988193562
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 5543 bytes


If someone can help me I would be SOOOOO appreciative! I thank you in advance!
hwg
andrewuk
post May 5 2008, 11:17 PM
Post #2


Trusted Helper
Posts: 2,791
From: London, UK
OS: XP



Hi hwg

Welcome to geekstogo.

I can see a few infections on your log, so we will remove them now and do a couple of scans to see what else is lurking on your machine.

The scans will likely take 3 hours, quite possibly much longer, so just let them run.

There are 6 logs to post in your next reply, so feel free to post them as you complete them... I will wait for them all to come in.


====STEP 1====
We will be doing this step in Safe Mode, so you should save these instructions for this step in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe Mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log



====STEP 2====
Please download the OTMoveIt2 by OldTimer and Save it to your desktop.

Do not run it yet



Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below. (if present)

R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - (no file)
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O8 - Extra context menu item: Download with Rapget - C:\old computer\Downloads\from joe\RapGet\rapget.htm
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe (file missing)


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.



Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    CODE
    [kill explorer]
    C:\WINDOWS\system32\wmsdkns.exe
    C:\old computer\Downloads\from joe\RapGet\rapget.htm
    C:\WINDOWS\winself.exe
    purity
    [start explorer]

  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



====STEP 3====
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.



====STEP 4====
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



====STEP 5====
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


====STEP 6====
Could you delete the current version of ComboFix you have and then follow these instructions:

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet. For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**




In your next reply could I see:
1. the Report.txt log
2. the OTMoveIT log
3. the malwarebytes log
4. the kaspersky scan log
5. the combofix log
6. a new hijackthis log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
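As an added example (not part of this thread, and not a feature of HijackThis or any tool andrewuk names), the Python script below applies the same reading rules andrewuk used on hwg's log to pick the entries for "Fix Checked": components HijackThis marks as (no file) or (file missing), extra executables appended to the UserInit value (here wmsdkns.exe), and services with an unknown owner. The sample lines are copied from the log posted in this thread; the function names, rule names and the EXPECTED_USERINIT constant are my own assumptions about what a clean XP SP2 value looks like.

```python
"""Triage HijackThis lines the way a helper reads them: flag orphaned
entries, extra executables in the UserInit value, and services with an
unknown owner. Added example; not part of HijackThis or of this thread."""

# Constructed sample: a subset of the lines hwg posted, in HijackThis format.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Assumed clean value for Windows XP: userinit.exe alone. Every
# comma-separated entry here is launched at logon, before the shell.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# HijackThis marks a registered component whose file no longer exists this way.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def userinit_extras(value):
    """Return every entry in a UserInit value other than the expected userinit.exe."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != EXPECTED_USERINIT]


def triage_line(line):
    """Return the reasons one HijackThis line deserves attention (empty if none)."""
    line = line.strip()
    reasons = []
    if any(marker in line for marker in ORPHAN_MARKERS):
        reasons.append("orphan")
    if line.startswith("F2 - REG:system.ini: UserInit="):
        extras = userinit_extras(line.split("UserInit=", 1)[1])
        if extras:
            reasons.append("userinit_extra:" + ";".join(extras))
    if line.startswith("O23 - Service:") and "Unknown owner" in line:
        reasons.append("unknown_owner")
    return reasons


def triage(log_text):
    """Map each flagged line to its reasons; benign lines are omitted."""
    findings = []
    for line in log_text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings.append({"line": line.strip(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(", ".join(finding["reasons"]), "->", finding["line"])
```

Run against the sample it flags four of the nine lines: the two orphaned entries, the UserInit line with wmsdkns.exe as the extra executable, and the MsSecurity service, which is both orphaned and owner-less. The orphan rule mostly catches leftovers of removed add-ons; the UserInit rule is the one that matters, because an entry there runs at every logon before Explorer, so it survives reboots and ordinary file cleanup until the registry value itself is repaired.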
hwg
post May 6 2008, 09:56 AM
Post #3


Member
Posts: 25
OS: XP



WOW Andrewuk! What a GREAT reply! I shall start this straight away and let you know the results! Thank you for your detailed and thorough response!

hwg
hwg
post May 6 2008, 03:31 PM
Post #4


Member
Posts: 25
OS: XP



O.K. Here are the logs for part 1. I am sure I have to finish all steps before I am finished, but I thought I would do it in parts to keep the post from getting too long.

Thanks!
hwg

Step 1
=======

SDFix: Version 1.180
Run by Roe on Tue 05/06/2008 at 10:10 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
MsSecurity1.209.4

Path :

MsSecurity1.209.4 - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\17PHolmes572.exe - Deleted
C:\WINDOWS\123messenger.per - Deleted
C:\WINDOWS\didduid.ini - Deleted
C:\WINDOWS\licencia.txt - Deleted
C:\WINDOWS\megavid.cdt - Deleted
C:\WINDOWS\muotr.so - Deleted
C:\WINDOWS\system32\winfrun32.bin - Deleted
C:\WINDOWS\telefonos.txt - Deleted
C:\WINDOWS\textos.txt - Deleted





Removing Temp Files

ADS Check :


C:\WINDOWS\system32
:svchost 769
Total size: 769 bytes.
system32: deleted 769 bytes in 1 streams.

Checking for remaining Streams

C:\WINDOWS\system32
No streams found.


Final Check :

catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-06 10:17:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s0"=dword:f315fd62
"s1"=dword:d5d3c651
"s2"=dword:cb6f383f
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:0d,5c,c4,1d,8a,05,1b,d4,b8,af,25,03,43,bf,a6,e8,0e,89,44,98,7d,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:0d,5c,c4,1d,8a,05,1b,d4,b8,af,25,03,43,bf,a6,e8,0e,89,44,98,7d,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\MSN Messenger\\MsnMsgr .Exe"="C:\\Program Files\\MSN Messenger\\MsnMsgr .Exe:*:Enabled:Messenger"
"C:\\Program Files\\MSN Messenger\\MsnMsgr .Exe"="C:\\Program Files\\MSN Messenger\\MsnMsgr .Exe:*:Enabled:Messenger"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\old computer\\Program Files\\Adobe\\Foxit editor\\FoxIt PDF Editor\\PDF Editor Pro v1.4 cracked\\PDFEdit.exe"="C:\\old computer\\Program Files\\Adobe\\Foxit editor\\FoxIt PDF Editor\\PDF Editor Pro v1.4 cracked\\PDFEdit.exe:*:Enabled:Foxit PDF Editor, the first REAL editor for PDF files!"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 21 Aug 2005 213 A.SHR --- "C:\old computer\BOOT.BAK"
Wed 6 Feb 2008 1,310,720 A..H. --- "C:\Documents and Settings\LocalService\NTUSER.bak"
Wed 6 Feb 2008 1,310,720 A..H. --- "C:\Documents and Settings\NetworkService\NTUSER.bak"
Wed 6 Feb 2008 6,815,744 A..H. --- "C:\Documents and Settings\Roe\NTUSER.bak"
Tue 19 Jun 2001 65,536 A..H. --- "C:\old computer\MobMircV201XTR\moo2.dll"
Mon 17 May 2004 8,007,680 A..H. --- "C:\Program Files\XSite Pro\Microsoft.mshtml.dll"
Mon 5 Nov 2007 88 A.SH. --- "C:\WINDOWS\system32\4D7CD740B4.sys"
Mon 28 Jan 2008 2,516 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sun 14 Oct 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 11 Jul 2007 22,528 A..H. --- "C:\Roe\Deux Amis\Deux Amis\~WRL0001.tmp"
Fri 13 Jul 2007 24,064 A..H. --- "C:\Roe\Deux Amis\Deux Amis\~WRL0048.tmp"
Fri 13 Jul 2007 24,576 A..H. --- "C:\Roe\Deux Amis\Deux Amis\~WRL1514.tmp"
Thu 12 Jul 2007 22,528 A..H. --- "C:\Roe\Deux Amis\Deux Amis\~WRL2872.tmp"
Thu 12 Jul 2007 23,040 A..H. --- "C:\Roe\Deux Amis\Deux Amis\~WRL2898.tmp"
Fri 13 Jul 2007 24,064 A..H. --- "C:\Roe\Deux Amis\Deux Amis\~WRL3587.tmp"
Thu 12 Jul 2007 22,528 A..H. --- "C:\Roe\Deux Amis\Deux Amis\~WRL3875.tmp"
Wed 6 Dec 2006 4,348 A.SH. --- "C:\old computer\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 14 Oct 2007 4,348 ...H. --- "C:\Documents and Settings\Roe\My Documents\My Music\License Backup\drmv1key.bak"
Wed 27 Feb 2008 20 A..H. --- "C:\Documents and Settings\Roe\My Documents\My Music\License Backup\drmv1lic.bak"
Wed 27 Feb 2008 312 A.SH. --- "C:\Documents and Settings\Roe\My Documents\My Music\License Backup\drmv2key.bak"
Sun 16 Sep 2007 262,144 A..H. --- "C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.bak"
Sun 16 Sep 2007 262,144 A..H. --- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.bak"
Wed 6 Feb 2008 262,144 A..H. --- "C:\Documents and Settings\Roe\Local Settings\Application Data\Microsoft\Windows\UsrClass.bak"
Tue 13 Mar 2007 365,056 A..H. --- "C:\old computer\Documents and Settings\HP_Owner\Application Data\Microsoft\Templates\~WRL1460.tmp"
Tue 6 Dec 2005 19,456 A..H. --- "C:\old computer\Documents and Settings\HP_Owner\Application Data\Microsoft\Word\~WRL0003.tmp"
Tue 31 Jan 2006 19,456 A..H. --- "C:\old computer\Documents and Settings\HP_Owner\Application Data\Microsoft\Word\~WRL0004.tmp"
Tue 6 Dec 2005 19,456 A..H. --- "C:\old computer\Documents and Settings\HP_Owner\Application Data\Microsoft\Word\~WRL0194.tmp"
Tue 31 Jan 2006 107,008 A..H. --- "C:\old computer\Documents and Settings\HP_Owner\Application Data\Microsoft\Word\~WRL1507.tmp"
Fri 13 Jul 2007 22,528 A..H. --- "C:\old computer\Documents and Settings\HP_Owner\Application Data\Microsoft\Word\~WRL3513.tmp"
Fri 13 Jul 2007 743,424 A..H. --- "C:\old computer\Documents and Settings\HP_Owner\Application Data\Microsoft\Word\~WRL3631.tmp"
Sat 2 Dec 2006 19,456 A..H. --- "C:\old computer\Documents and Settings\HP_Owner\Application Data\Microsoft\Word\~WRL3884.tmp"

Finished!



************************************************************

Step 2
=========

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:19:17 PM, on 5/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - (no file)
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: Download with Rapget - C:\old computer\Downloads\from joe\RapGet\rapget.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1189988193562
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 4414 bytes

This post has been edited by hwg: May 7 2008, 09:27 AM
hwg
post May 6 2008, 09:10 PM
Post #5


Member
Posts: 25
OS: XP



STEP 3

File/Folder CODE not found.
File/Folder not found.
Explorer killed successfully
File/Folder C:\WINDOWS\system32\wmsdkns.exe not found.
C:\old computer\Downloads\from joe\RapGet\rapget.htm moved successfully.
File/Folder C:\WINDOWS\winself.exe not found.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05062008_200749

This post has been edited by hwg: May 7 2008, 09:26 AM
hwg
post May 7 2008, 09:25 AM
Post #6


Member
Posts: 25
OS: XP



Step 4 Log:
==========

Malwarebytes' Anti-Malware 1.12
Database version: 727

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 238423
Time elapsed: 45 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{b1e22eb8-2ae8-4e8e-96ae-74f2a1764533} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{bdbebf18-7615-4971-9ac3-bd6ffb7ad6c1} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{bdbebf18-7615-4971-9ac3-bd6ffb7ad6c1} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dlp.dlpobj (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dlp.dlpobj.1 (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Roe\Application Data\Desktopicon\eBayShortcuts.exe (Trojan.Agent) -> Quarantined and deleted successfully.

This post has been edited by hwg: May 7 2008, 09:26 AM
hwg
post May 7 2008, 03:38 PM
Post #7


Member
Posts: 25
OS: XP



Step 5
============

Wednesday, May 07, 2008 2:04:42 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/05/2008
Kaspersky Anti-Virus database records: 744315


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\
F:\

Scan Statistics
Total number of scanned objects 202045
Number of viruses found 9
Number of infected objects 22
Number of suspicious objects 0
Duration of the scan process 02:46:33

Infected Object Name Virus Name Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Roe\Application Data\Netscape\Navigator\Profiles\ppy2y2h5.default\cert8.db Object is locked skipped

C:\Documents and Settings\Roe\Application Data\Netscape\Navigator\Profiles\ppy2y2h5.default\formhistory.dat Object is locked skipped

C:\Documents and Settings\Roe\Application Data\Netscape\Navigator\Profiles\ppy2y2h5.default\history.dat Object is locked skipped

C:\Documents and Settings\Roe\Application Data\Netscape\Navigator\Profiles\ppy2y2h5.default\key3.db Object is locked skipped

C:\Documents and Settings\Roe\Application Data\Netscape\Navigator\Profiles\ppy2y2h5.default\linkpad.sqlite Object is locked skipped

C:\Documents and Settings\Roe\Application Data\Netscape\Navigator\Profiles\ppy2y2h5.default\parent.lock Object is locked skipped

C:\Documents and Settings\Roe\Application Data\Netscape\Navigator\Profiles\ppy2y2h5.default\search.sqlite Object is locked skipped

C:\Documents and Settings\Roe\Application Data\Netscape\Navigator\Profiles\ppy2y2h5.default\urlclassifier2.sqlite Object is locked skipped

C:\Documents and Settings\Roe\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Roe\Desktop\download\MIRC616.EXE/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped

C:\Documents and Settings\Roe\Desktop\download\MIRC616.EXE mIRC: infected - 1 skipped

C:\Documents and Settings\Roe\Desktop\mIRC_MobMirc2004.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped

C:\Documents and Settings\Roe\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Roe\Desktop\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Roe\Desktop\SmitfraudFix.exe RAR: infected - 1 skipped

C:\Documents and Settings\Roe\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Roe\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Roe\Local Settings\Application Data\Netscape\Navigator\Profiles\ppy2y2h5.default\Cache\_CACHE_001_ Object is locked skipped

C:\Documents and Settings\Roe\Local Settings\Application Data\Netscape\Navigator\Profiles\ppy2y2h5.default\Cache\_CACHE_002_ Object is locked skipped

C:\Documents and Settings\Roe\Local Settings\Application Data\Netscape\Navigator\Profiles\ppy2y2h5.default\Cache\_CACHE_003_ Object is locked skipped

C:\Documents and Settings\Roe\Local Settings\Application Data\Netscape\Navigator\Profiles\ppy2y2h5.default\Cache\_CACHE_MAP_ Object is locked skipped

C:\Documents and Settings\Roe\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Roe\Local Settings\History\History.IE5\MSHist012008050720080508\index.dat Object is locked skipped

C:\Documents and Settings\Roe\Local Settings\Temp\~DF255C.tmp Object is locked skipped

C:\Documents and Settings\Roe\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Roe\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Roe\ntuser.dat.LOG Object is locked skipped

C:\Downloads\rview31.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.n skipped

C:\Downloads\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\old computer\Downloads\mobmirc-v201xtr\MobMirc2004v2.01XTR.exe/mIRC_MobMirc2004.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped

C:\old computer\Downloads\mobmirc-v201xtr\MobMirc2004v2.01XTR.exe/system\alias\alias3.ini Infected: Backdoor.IRC.Zapchast skipped

C:\old computer\Downloads\mobmirc-v201xtr\MobMirc2004v2.01XTR.exe Gentee: infected - 2 skipped

C:\old computer\Downloads\mobmirc-v201xtr.zip/MobMirc2004v2.01XTR.exe/mIRC_MobMirc2004.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped

C:\old computer\Downloads\mobmirc-v201xtr.zip/MobMirc2004v2.01XTR.exe/system\alias\alias3.ini Infected: Backdoor.IRC.Zapchast skipped

C:\old computer\Downloads\mobmirc-v201xtr.zip/MobMirc2004v2.01XTR.exe Infected: Backdoor.IRC.Zapchast skipped

C:\old computer\Downloads\mobmirc-v201xtr.zip ZIP: infected - 3 skipped

C:\old computer\Downloads\Office 2003 Prokeygen.rar/crack.exe Infected: Trojan-Downloader.Win32.IstBar.er skipped

C:\old computer\Downloads\Office 2003 Prokeygen.rar ZIP: infected - 1 skipped

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2008-05-06.10-14-58.log Object is locked skipped

C:\Program Files\Netscape\Navigator 9\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP272\A0061242.dll Infected: Trojan.Win32.Agent.lkz skipped

C:\System Volume Information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP286\change.log Object is locked skipped

C:\System Volume Information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP86\A0011231.exe/file01 Infected: not-a-virus:Monitor.Win32.GoldenEye.401 skipped

C:\System Volume Information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP86\A0011231.exe/file23 Infected: Trojan.Win32.Hooker.j skipped

C:\System Volume Information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP86\A0011231.exe Inno: infected - 2 skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{4913207B-2E49-4688-B5E8-3BE896640E49}.crmlog Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped

C:\WINDOWS\system32\drivers\sptd6477.sys Object is locked skipped

C:\WINDOWS\system32\drivers\vaxscsi.sys Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
hwg
post May 7 2008, 05:52 PM
Post #8

This is the 6th and final step. All logs and instructions were followed exactly! Please let me know what else I need to do! I REALLY appreciate it! I also would like to put on my NOD virus software that I purchased. Is that suggested at this time? Lastly, I need a recommendation for a Firewall.
Thanks a BUNCH!
hwg

Step 6
==================

ComboFix 08-05-01.3 - Roe 2008-05-07 16:32:31.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1532 [GMT -7:00]
Running from: C:\Documents and Settings\Roe\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Roe\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\kmd.exe
C:\WINDOWS\mainms.vpi
C:\WINDOWS\system\msvbvm60.dll
C:\WINDOWS\system32\ajbpborm.ini
C:\WINDOWS\system32\CMMGR32.EXE
.
---- Previous Run -------
.
C:\WINDOWS\system32\qxkpwbly.dll
C:\Documents and Settings\Roe\Application Data\inst.exe
C:\Program Files\MSN Messenger\MsnMsgr .Exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\_000110_.tmp.dll
C:\WINDOWS\system32\CMMGR32.EXE
C:\WINDOWS\system32\ddtedibh.ini
C:\WINDOWS\system32\dgjlm.ini
C:\WINDOWS\system32\dgjlm.ini2
C:\WINDOWS\system32\erdxbeqp.ini
C:\WINDOWS\system32\fuqtjeex.ini
C:\WINDOWS\system32\lxgbiaea.ini
C:\WINDOWS\system32\mljgd.dll
C:\WINDOWS\system32\mljgd.exe
C:\WINDOWS\system32\qxkpwbly.dll
C:\WINDOWS\system32\qxkpwbly.dllbox
C:\WINDOWS\system32\xhtjsfyf.dll
C:\WINDOWS\system32\yaywurq.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-07 to 2008-05-07 )))))))))))))))))))))))))))))))
.

2008-05-06 20:16 . 2008-05-06 20:16 <DIR> d-------- C:\Documents and Settings\Roe\Application Data\Malwarebytes
2008-05-06 20:15 . 2008-05-06 20:15 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-06 20:15 . 2008-05-06 20:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-06 20:15 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-06 20:15 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-06 20:07 . 2008-05-06 20:07 <DIR> d-------- C:\_OTMoveIt
2008-05-06 09:15 . 2008-05-06 09:15 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-06 09:06 . 2008-05-06 13:16 <DIR> d-------- C:\SDFix
2008-05-05 21:07 . 2008-05-05 21:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-05 20:37 . 2008-05-05 20:37 <DIR> d-------- C:\Program Files\Unlocker
2008-05-05 20:37 . 2008-05-07 08:22 <DIR> d-------- C:\Documents and Settings\Roe\Application Data\Desktopicon
2008-05-05 20:24 . 2008-05-05 20:24 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-05 20:24 . 2008-05-05 20:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-04 18:34 . 2008-05-04 18:34 <DIR> d-------- C:\!KillBox
2008-05-04 18:32 . 2008-05-04 18:37 <DIR> d-------- C:\Program Files\Windows Live
2008-05-04 18:32 . 2008-05-04 18:37 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-04 18:32 . 2008-05-04 21:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-04 14:52 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-05-04 14:52 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-05-04 12:48 . 2008-05-04 18:13 <DIR> d-------- C:\Program Files\COMODO
2008-05-04 12:48 . 2008-05-04 18:13 <DIR> d-------- C:\Documents and Settings\Roe\Application Data\Comodo
2008-05-03 20:25 . 2008-05-03 20:25 <DIR> d-------- C:\Program Files\AVG
2008-05-03 20:25 . 2008-05-04 09:58 <DIR> d-------- C:\Documents and Settings\Roe\Application Data\AVGTOOLBAR
2008-05-03 20:25 . 2008-05-05 20:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-03 18:31 . 2008-05-03 18:31 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-05-03 14:20 . 2008-05-03 14:20 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-05-03 14:20 . 2006-03-15 05:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-04-26 20:37 . 2008-05-01 18:32 <DIR> d-------- C:\Documents and Settings\Roe\Application Data\ZoomBrowser EX
2008-04-26 20:35 . 2008-04-26 20:35 <DIR> d-------- C:\Documents and Settings\Roe\Application Data\Canon
2008-04-26 20:35 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-04-26 20:35 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-04-25 12:19 . 2008-05-01 18:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-04-25 11:51 . 2008-04-25 11:51 <DIR> d-------- C:\Program Files\Common Files\Canon
2008-04-23 18:36 . 2008-04-23 18:36 <DIR> d-------- C:\Program Files\LizardTech
2008-04-23 18:35 . 2008-04-23 18:35 <DIR> dr------- C:\UDC Output Files
2008-04-23 18:35 . 2008-04-23 18:35 <DIR> d-------- C:\Program Files\Universal Document Converter
2008-04-23 18:35 . 2007-08-14 20:57 5,632 --a------ C:\WINDOWS\system32\udcpm.dll
2008-04-08 17:44 . 2008-04-08 17:44 <DIR> d-------- C:\Program Files\Bonjour
2008-04-08 17:36 . 2008-04-08 17:36 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-04-08 10:29 . 2008-04-08 10:29 <DIR> d-------- C:\Western Digital
2008-04-08 10:18 . 2008-04-08 10:19 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-07 21:10 . 2008-04-07 21:10 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-04-07 21:10 . 2008-04-07 21:10 223,128 --a------ C:\WINDOWS\system32\drivers\vaxscsi.sys
2008-04-07 21:07 . 2008-04-07 21:07 642,560 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-04-07 21:07 . 2008-04-07 21:07 96,256 --a------ C:\WINDOWS\system32\drivers\sptd6477.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-05 03:58 --------- d-----w C:\Program Files\The Print Shop 20
2008-05-05 01:30 --------- d-----w C:\Program Files\MSN Messenger
2008-05-04 19:43 --------- d-----w C:\Documents and Settings\Roe\Application Data\TeraCopy
2008-05-04 17:43 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-05-04 17:43 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-04 17:43 --------- d-----w C:\Documents and Settings\Roe\Application Data\SUPERAntiSpyware.com
2008-05-01 21:23 --------- d-----w C:\Documents and Settings\Roe\Application Data\Vso
2008-04-25 19:21 --------- d-----w C:\Program Files\CANON
2008-04-24 01:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-09 00:43 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-08 04:05 --------- d-----w C:\Documents and Settings\Roe\Application Data\DMCache
2008-04-04 04:28 --------- d-----w C:\Documents and Settings\Roe\Application Data\Corel
2008-03-20 00:07 --------- d-----w C:\Program Files\Mayoko
2008-03-12 23:35 --------- d-----w C:\Program Files\VLCPortable
2008-01-11 03:03 47,360 ----a-w C:\Documents and Settings\Roe\Application Data\pcouffin.sys
2007-12-26 00:40 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-09-22 01:21 2,393 ----a-w C:\Documents and Settings\Roe\Application Data\SAS7_000.DAT
2007-11-05 21:11 88 --sha-w C:\WINDOWS\system32\4D7CD740B4.sys
2008-01-29 04:40 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
----a-w           151,552 2008-02-06 20:46:59  C:\Documents and Settings\Roe\Desktop\MPTBox .exe
----a-w           311,296 2008-02-05 17:48:56  C:\Program Files\CANON\MultiPASS4\monitr32 .exe
----a-w           151,552 2008-02-06 20:46:59  C:\Program Files\CANON\MultiPASS4\MPTBox .exe
----a-w         6,731,312 2008-02-07 04:44:13  C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas  .exe
----a-w           278,528 2008-02-04 22:38:19  C:\Program Files\iTunes\iTunesHelper .exe
----a-w         1,667,584 2008-01-28 20:39:12  C:\Program Files\Messenger\msmsgs .exe
----a-w         5,674,352 2008-02-10 00:09:34  C:\Program Files\MSN Messenger\MsnMsgr  .Exe
----a-w         5,674,352 2008-02-10 18:41:31  C:\Program Files\MSN Messenger\msnmsgr .exe
----a-w         1,310,720 2008-02-06 03:35:41  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
----a-w         4,670,704 2008-02-07 04:44:13  C:\Program Files\Yahoo!\Messenger\YahooMessenger     .exe
----a-w           158,208 2008-02-10 18:44:56  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w            65,536 2008-02-04 22:38:19  C:\WINDOWS\system32\fxredir .exe



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 18:43 4670704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Palo Alto Software Update Manager 8.0.lnk]
backup=C:\WINDOWS\pss\Palo Alto Software Update Manager 8.0.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Roe^Start Menu^Programs^Startup^Cyber-shot Viewer Media Check Tool.lnk]
backup=C:\WINDOWS\pss\Cyber-shot Viewer Media Check Tool.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2008-02-06 21:44 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2007-02-28 23:06 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--------- 2005-05-03 03:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDAgent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitDefender Antiphishing Helper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
--a------ 2007-03-13 16:38 39264 c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2004-08-10 04:04 59392 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fxredir]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-04-19 22:57 162584 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-04-19 22:57 142104 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-02-16 16:15 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-02-16 16:15 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\monitr32]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPTBox]
--a------ 2008-02-07