Help with removing a virus

Discussion in 'Malware and Virus Removal Archive' started by backer, 2007/11/29.

  1. 2007/11/29
    backer (Thread Starter)
    Hey guys, it's been a long time since I have posted on here because my computer has been virus-free. But today I believe I got one. I ran my Panda Antivirus and it says I have 6 infected files, but it only deleted 2 of the 6. And I get an icon in the bottom right-hand side where the clock is, with a red X saying I have infected software. When I click on it, it says "Personal Security Center" and tries to get me to install "Ultimate Defender". I know that's a virus and I didn't install it, but it keeps popping up. Here is my HijackThis log; any help is appreciated.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:13:42 AM, on 11/29/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\system32\svchost.exe
    E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
    E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
    E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\AVENGINE.EXE
    E:\WINDOWS\system32\spoolsv.exe
    E:\WINDOWS\Explorer.EXE
    E:\Program Files\Bonjour\mDNSResponder.exe
    E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsCtrls.EXE
    E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
    E:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    e:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PSHOST.EXE
    E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimsvc.exe
    E:\WINDOWS\system32\tcpsvcs.exe
    E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE
    E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    E:\Program Files\iTunes\iTunesHelper.exe
    E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    E:\Program Files\iPod\bin\iPodService.exe
    E:\WINDOWS\system32\hkcmd.exe
    E:\WINDOWS\system32\igfxpers.exe
    E:\WINDOWS\system32\rundll32.exe
    E:\Program Files\SecCenter\scprot4.exe
    E:\WINDOWS\system32\regsvr32.exe
    E:\Program Files\MSN Messenger\MsnMsgr.Exe
    E:\WINDOWS\system32\ctfmon.exe
    E:\Program Files\Messenger\msmsgs.exe
    E:\Program Files\DAEMON Tools\daemon.exe
    E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    E:\WINDOWS\system32\wuauclt.exe
    E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\WebProxy.exe
    E:\WINDOWS\system32\rundll32.exe
    E:\Program Files\MSN Messenger\usnsvc.exe
    E:\Program Files\iTunes\iTunes.exe
    E:\WINDOWS\System32\svchost.exe
    E:\Program Files\Mozilla Firefox\firefox.exe
    E:\Program Files\SecCenter\scprot4.exe
    E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [APVXDWIN] "E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE" /s
    O4 - HKLM\..\Run: [GrooveMonitor] "E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe "
    O4 - HKLM\..\Run: [igfxtray] E:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] E:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] E:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [mhwfofut] rundll32.exe "E:\Program Files\mhwfofut\ebahmliz.dll ",Init
    O4 - HKLM\..\Run: [CTDrive] rundll32.exe E:\WINDOWS\system32\drvloz.dll,startup
    O4 - HKLM\..\Run: [SC2] E:\Program Files\SecCenter\scprot4.exe
    O4 - HKLM\..\Run: [ynqryvqp] regsvr32 /u "E:\Documents and Settings\All Users\Application Data\ynqryvqp.dll "
    O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = E:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Startup: Registration Ghost Recon Advanced Warfighter.LNK = E:\Program Files\Ubisoft\Ghost Recon Advanced Warfighter\Support\Register\RegistrationReminder.exe
    O4 - Global Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: Append to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: e:\windows\system32\nwprovau.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Panda Software Controller - Panda Software International - E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsCtrls.EXE
    O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
    O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software International - E:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
    O23 - Service: Panda Host Service (PSHost) - Panda Software International - e:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PSHOST.EXE
    O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimsvc.exe
    O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe

    --
    End of file - 8747 bytes
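Three of the O4 Run entries in the log above ([mhwfofut], [CTDrive] and [ynqryvqp]) share loader patterns that a triage script can pick out without knowing any file names in advance, and all three show up again in the ComboFix removals and the helper's CFScript later in this thread. The Python below is an added example written for this page; it is not part of the thread and not HijackThis or ComboFix code. The rule set, the `USER_WRITABLE` path pattern and the `SAMPLE_LOG` text (O4 lines copied from the log above, with the forum's stray spaces inside the quotes removed) are this example's own choices.

```python
"""Rule-based triage of HijackThis O4 (autorun) entries.

Added example for this thread, not HijackThis or ComboFix code. Rule names,
the path pattern and the sample lines are this example's own choices.
"""
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample: O4 lines copied from the first HijackThis log above,
# with the forum's stray spaces inside the quotes removed.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [APVXDWIN] "E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [igfxtray] E:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [mhwfofut] rundll32.exe "E:\Program Files\mhwfofut\ebahmliz.dll",Init
O4 - HKLM\..\Run: [CTDrive] rundll32.exe E:\WINDOWS\system32\drvloz.dll,startup
O4 - HKLM\..\Run: [SC2] E:\Program Files\SecCenter\scprot4.exe
O4 - HKLM\..\Run: [ynqryvqp] regsvr32 /u "E:\Documents and Settings\All Users\Application Data\ynqryvqp.dll"
O4 - HKCU\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = E:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
"""

RUN_RE = re.compile(r"^O4 - (HKLM|HKCU|HKUS\\\S+?)\\\.\.\\Run(Once)?: \[([^\]]+)\] (.+)$")
STARTUP_RE = re.compile(r"^O4 - ((?:Global )?Startup): (.+?) = (.+)$")
DLL_RE = re.compile(r'"([^"]+?\.dll)"|([A-Za-z]:\\[^",]*?\.dll)', re.I)
# XP per-user / all-users data folders: writable by the logged-on user and
# not where an installer normally places an autostart binary.
USER_WRITABLE = re.compile(r"\\Documents and Settings\\[^\\]+\\(Local Settings\\)?(Application Data|Temp)\\", re.I)
PROXY_LOADERS = {"rundll32.exe", "rundll32", "regsvr32.exe", "regsvr32"}

@dataclass
class Entry:
    hive: str
    name: str
    command: str

@dataclass
class Finding:
    name: str
    hive: str
    target: str
    reasons: list = field(default_factory=list)

def parse_o4(line):
    """Return an Entry for an O4 Run/Startup line, or None for any other line."""
    line = line.strip()
    m = RUN_RE.match(line)
    if m:
        return Entry(hive=m.group(1), name=m.group(3), command=m.group(4))
    m = STARTUP_RE.match(line)
    if m:
        return Entry(hive=m.group(1), name=m.group(2), command=m.group(3))
    return None

def split_command(cmd):
    """Split a Run value into (launcher, arguments): quoted launcher first, then an
    unquoted launcher without spaces, then an unquoted path that contains spaces."""
    cmd = cmd.strip()
    for pattern in (r'^"([^"]+)"\s*(.*)$',
                    r'^(\S+?\.(?:exe|com|bat|cmd))(?:\s+(.*))?$',
                    r'^(.+?\.(?:exe|com|bat|cmd|lnk))(?:\s+(.*))?$'):
        m = re.match(pattern, cmd, re.I)
        if m:
            return m.group(1).strip(), (m.group(2) or "")
    head, _, tail = cmd.partition(" ")
    return head, tail

def resolve_target(launcher, args):
    """The file that carries the code: the DLL for a proxy loader, else the launcher."""
    if ntpath.basename(launcher).lower() in PROXY_LOADERS:
        m = DLL_RE.search(args)
        return (m.group(1) or m.group(2)).strip() if m else None
    return launcher

def assess(entry):
    """Apply the three loader-pattern rules to one O4 entry."""
    launcher, args = split_command(entry.command)
    loader = ntpath.basename(launcher).lower()
    target = resolve_target(launcher, args)
    finding = Finding(entry.name, entry.hive, target or launcher)
    if loader in PROXY_LOADERS:
        finding.reasons.append(f"code runs as a DLL inside {loader}; the process list shows only the host")
    if loader.startswith("regsvr32") and re.search(r"(^|\s)/u(\s|$)", args, re.I):
        finding.reasons.append("regsvr32 /u at every logon: unregistering is a one-off install step, not a startup task")
    if target and USER_WRITABLE.search(target):
        finding.reasons.append("payload sits under Application Data rather than in an install directory")
    return finding

def triage(log_text):
    """Return a Finding for every O4 entry that trips at least one rule."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is not None:
            finding = assess(entry)
            if finding.reasons:
                findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.hive}] {f.name} -> {f.target}")
        for reason in f.reasons:
            print("   -", reason)
```

Run against the sample, the script flags exactly [mhwfofut], [CTDrive] and [ynqryvqp], and for the last one all three rules fire. Note what it does not catch: [SC2], the scprot4.exe that the poster sees as "Personal Security Center", is a plain executable under Program Files and trips none of these rules. Pattern rules narrow the list; confirming an entry like that still needs a reputation or vendor lookup on the file, or the tool-driven scan the helper asks for next.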
     
  2. 2007/11/29
    noahdfear
    Hi backer :)

    Download ComboFix by sUBs from here, saving the file to your desktop.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Note - Your internet connection will be terminated while ComboFix runs. Do Not attempt to re-enable it. Should ComboFix terminate prematurely, restart the computer to restore connectivity.
     

  4. 2007/11/29
    backer (Thread Starter)
    I downloaded ComboFix and when I open it I get this message:

    Windows cannot access the specified device, path or file. You may not have appropriate permission to access them.
     
  5. 2007/11/29
    noahdfear
    Did you save it on your desktop? Is your user account limited or administrative?
     
  6. 2007/11/30
    backer (Thread Starter)
    Yes, I saved it to my desktop, but it didn't work.
    I am unsure if I have limited or administrative; how can I check?
     
  7. 2007/12/01
    backer (Thread Starter)
    Any help, boys?
     
  8. 2007/12/01
    noahdfear
    It's possible that your antivirus/antispyware realtime protection corrupted ComboFix. Please disable the monitoring and download a fresh copy of ComboFix, then try running it again.
     
  9. 2007/12/01
    backer (Thread Starter)
    I turned off the Panda and it worked. Here is the log:

    ComboFix 07-12-02.1 - Steve 2007-12-01 3:35:42.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.221 [GMT -8:00]
    Running from: E:\Documents and Settings\Steve\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    E:\Documents and Settings\All Users\Application Data.\ynqryvqp.dll
    E:\Documents and Settings\Steve\Application Data\inst.exe
    E:\Program Files\SecCenter
    E:\Program Files\SecCenter\scprot4.exe
    E:\WINDOWS\system32\gjllm.bak1
    E:\WINDOWS\system32\gjllm.bak2
    E:\WINDOWS\system32\gjllm.ini
    E:\WINDOWS\system32\mlljg.dll
    E:\WINDOWS\system32\vepcrmxd.dll
    E:\WINDOWS\system32\wbemxkpw.dll
    E:\WINDOWS\system32\winwil32.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_IPRIP
    -------\LEGACY_NWSAPAGENT
    -------\Iprip
    -------\nm
    -------\NwSapAgent


    ((((((((((((((((((((((((( Files Created from 2007-11-02 to 2007-12-02 )))))))))))))))))))))))))))))))
    .

    2007-12-02 03:51 . 2007-12-02 03:51 98,304 --a------ E:\Documents and Settings\All Users\Application Data\jgxqpqnm.dll
    2007-12-01 02:22 . 2007-12-01 02:22 0 --a------ E:\WINDOWS\system32\scbdgfrf.dll
    2007-11-29 11:01 . 2007-11-29 11:01 <DIR> d-------- E:\Program Files\Gabest
    2007-11-29 10:58 . 2007-11-29 10:58 <DIR> d-------- E:\Documents and Settings\Steve\Application Data\vlc
    2007-11-29 10:56 . 2007-11-29 11:46 <DIR> d-------- E:\Program Files\VideoLAN
    2007-11-29 10:07 . 2007-11-29 10:07 <DIR> d-------- E:\Program Files\Trend Micro
    2007-11-29 07:17 . 2007-12-02 03:52 <DIR> d-------- E:\WINDOWS\system32\skjlrsjp
    2007-11-29 07:16 . 2007-11-29 07:16 <DIR> d-------- E:\Program Files\mhwfofut
    2007-11-29 07:16 . 2007-11-29 07:16 <DIR> d-------- E:\Program Files\Kjgcbelr
    2007-11-29 07:16 . 2007-11-29 07:16 102,912 --a------ E:\WINDOWS\system32\drvloz.dll
    2007-11-29 07:15 . 2007-11-29 07:15 37,376 --a------ E:\WINDOWS\system32\xxyvwur.dll
    2007-11-29 01:58 . 2007-11-30 04:12 <DIR> d-------- E:\Documents and Settings\Steve\Application Data\Vso
    2007-11-29 01:58 . 2006-09-29 11:24 217,127 --a------ E:\WINDOWS\system32\drv43260.dll
    2007-11-29 01:58 . 2006-09-29 11:25 208,935 --a------ E:\WINDOWS\system32\drv33260.dll
    2007-11-29 01:58 . 2006-09-29 11:26 176,165 --a------ E:\WINDOWS\system32\drv23260.dll
    2007-11-29 01:58 . 2007-11-29 01:58 47,360 --a------ E:\WINDOWS\system32\drivers\pcouffin.sys
    2007-11-29 01:58 . 2007-11-29 01:58 47,360 --a------ E:\Documents and Settings\Steve\Application Data\pcouffin.sys
    2007-11-29 01:57 . 2007-11-29 01:58 <DIR> d-------- E:\Program Files\VSO
    2007-11-16 16:00 . 2003-02-28 18:26 139,536 --a------ E:\WINDOWS\system32\javaee.dll
    2007-11-08 00:37 . 2007-11-08 00:37 <DIR> d-------- E:\Documents and Settings\Steve\Application Data\Media Player Classic
    2007-11-03 12:38 . 2004-08-03 22:08 31,744 --a------ E:\WINDOWS\system32\drivers\wceusbsh.sys
    2007-11-03 12:38 . 2004-08-03 22:08 31,744 --a--c--- E:\WINDOWS\system32\dllcache\wceusbsh.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-02 11:51 --------- d-----w E:\Program Files\SecCenter
    2007-12-02 11:51 --------- d-----w E:\Program Files\Nlrgadbh
    2007-12-02 11:49 46,104 ----a-w E:\WINDOWS\system32\drivers\APPFCONT.DAT.bck
    2007-12-02 11:49 46,104 ----a-w E:\WINDOWS\system32\drivers\APPFCONT.DAT
    2007-12-02 11:49 1,184 ----a-w E:\WINDOWS\system32\drivers\APPFLTR.CFG.bck
    2007-12-02 11:49 1,184 ----a-w E:\WINDOWS\system32\drivers\APPFLTR.CFG
    2007-11-29 15:24 --------- d-----w E:\Documents and Settings\Steve\Application Data\Azureus
    2007-11-29 14:35 --------- d-----w E:\Program Files\MagicISO
    2007-11-28 22:02 --------- d-----w E:\Program Files\mIRC
    2007-11-19 09:31 --------- d-----w E:\Program Files\Azureus
    2007-11-18 03:00 --------- d-----w E:\Program Files\LimeWire
    2007-11-17 03:19 --------- d-----w E:\Documents and Settings\Steve\Application Data\LimeWire
    2007-11-14 11:01 --------- d-----w E:\Documents and Settings\All Users\Application Data\Microsoft Help
    2007-11-08 09:16 --------- d-----w E:\Documents and Settings\Steve\Application Data\DivX
    2007-11-08 08:35 --------- d-----w E:\Program Files\DivX
    2007-11-03 20:40 --------- d-----w E:\Program Files\Universal Remote Control, Inc
    2007-10-31 15:59 --------- d-----w E:\Documents and Settings\Steve\Application Data\U3
    2007-10-31 15:45 --------- d--h--w E:\Program Files\InstallShield Installation Information
    2007-10-31 06:17 --------- d-----w E:\Documents and Settings\All Users\Application Data\WinZip
    2007-10-29 21:16 --------- d-----w E:\Program Files\Common Files\Motive
    2007-10-29 21:15 --------- d-----w E:\Documents and Settings\All Users\Application Data\Motive
    2007-10-28 06:27 --------- d-----w E:\Program Files\MediaMonkey
    2007-10-22 20:22 --------- d-----w E:\Program Files\Common Files\Panda Software
    2007-10-22 06:47 --------- d-----w E:\Program Files\MSN Messenger
    2007-10-21 23:24 --------- d-----w E:\Program Files\iTunes
    2007-10-21 17:11 --------- d-----w E:\Program Files\Bonjour
    2007-10-20 13:17 --------- d-----w E:\Program Files\Apple Software Update
    2007-10-20 00:56 43,528 ------w E:\WINDOWS\system32\drivers\PxHelp20.sys
    2007-10-19 22:16 --------- d-----w E:\Program Files\QuickTime
    2007-10-18 23:23 31,104 ----a-w E:\WINDOWS\system32\drivers\ShlDrv51.sys
    2007-10-18 23:23 170,800 ----a-w E:\WINDOWS\system32\drivers\PavProc.sys
    2007-10-18 23:23 142,128 ----a-w E:\WINDOWS\system32\drivers\netimflt.sys
    2007-10-18 23:23 1,990 ----a-w E:\WINDOWS\system32\drivers\net_m32.inf
    2007-10-18 20:23 --------- d-----w E:\Program Files\Java
    2007-10-18 20:08 --------- d-----w E:\Program Files\DAEMON Tools
    2007-10-16 20:34 --------- d-----w E:\Program Files\PowerISO
    2006-01-28 21:19 739 ----a-w E:\Program Files\Readme.txt
    2005-12-13 20:25 925 ----a-w E:\Program Files\dlcfEN.vbs
    2005-08-12 19:55 111 ----a-w E:\Program Files\setup.ini
    2005-07-14 22:52 270,336 ----a-w E:\Program Files\setup.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3146e70f-e024-4e90-9656-3231b52810c9}]
    E:\WINDOWS\system32\wbemxkpw.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C328686-3424-4F2F-9A2B-F58FFCCEF136}]
    E:\WINDOWS\system32\mlljg.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{62780D18-D103-03D3-323A-01F43008B839}]
    2007-12-02 03:51 98304 --a------ E:\Program Files\Nlrgadbh\mzjfvyqv.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{86C510E9-97EF-4749-914F-0280247BE3A6}]
    E:\WINDOWS\VirtualDNS.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}]
    2007-11-29 07:15 37376 --a------ E:\WINDOWS\system32\xxyvwur.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr "= "E:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
    "ctfmon.exe "= "E:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15:56]
    "MSMSGS "= "E:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:21]
    "DAEMON Tools "= "E:\Program Files\DAEMON Tools\daemon.exe" [2007-08-29 07:09]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "GrooveMonitor "= "E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
    "QuickTime Task "= "E:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
    "iTunesHelper "= "E:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
    "SunJavaUpdateSched "= "E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
    "Acrobat Assistant 8.0 "= "E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 21:46]
    "igfxtray "= "E:\WINDOWS\system32\igfxtray.exe" [2006-06-06 17:09]
    "igfxhkcmd "= "E:\WINDOWS\system32\hkcmd.exe" [2006-06-06 17:06]
    "igfxpers "= "E:\WINDOWS\system32\igfxpers.exe" [2006-06-06 17:10]
    "mhwfofut "= "E:\Program Files\mhwfofut\ebahmliz.dll" [2007-11-29 07:16]
    "ynqryvqp "= "regsvr32 /u E:\Documents and Settings\All Users\Application Data\ynqryvqp.dll" []
    "combofix "= "E:\WINDOWS\system32\cmd.exe" [2004-08-03 15:56]
    "SC2 "= "E:\Program Files\SecCenter\scprot4.exe" [2007-12-02 03:51]
    "jgxqpqnm "= "regsvr32 /u E:\Documents and Settings\All Users\Application Data\jgxqpqnm.dll" []

    E:\Documents and Settings\Steve\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - E:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{8E3FBDE2-7DBD-4040-85D9-29BBC559C129} "= E:\WINDOWS\system32\xxyvwur.dll [2007-11-29 07:15 37376]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
    avldr.dll 2007-09-21 10:33 50736 E:\WINDOWS\system32\avldr.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwil32]
    winwil32.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvwur]
    xxyvwur.dll 2007-11-29 07:15 37376 E:\WINDOWS\system32\xxyvwur.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages "= msv1_0 E:\WINDOWS\system32\mlljg.dll

    R1 APPFLT;App Filter Plugin;\??\E:\WINDOWS\system32\Drivers\APPFLT.SYS
    R1 DSAFLT;DSA Filter Plugin;\??\E:\WINDOWS\system32\Drivers\DSAFLT.SYS
    R1 FNETMON;NetMon Filter Plugin;\??\E:\WINDOWS\system32\Drivers\fnetmon.SYS
    R1 IDSFLT;Ids Filter Plugin;\??\E:\WINDOWS\system32\Drivers\IDSFLT.SYS
    R1 NETFLTDI;Panda Net Driver [TDI Layer];\??\E:\WINDOWS\system32\Drivers\NETFLTDI.SYS
    R1 ShldDrv;Panda File Shield Driver;\??\E:\WINDOWS\system32\DRIVERS\ShlDrv51.sys
    R1 SMSFLT;SMS Filter Plugin;\??\E:\WINDOWS\system32\Drivers\SMSFLT.SYS
    R1 WNMFLT;Wifi Monitor Filter Plugin;\??\E:\WINDOWS\system32\Drivers\WNMFLT.SYS
    R2 cpoint;Panda CPoint Driver;E:\WINDOWS\system32\drivers\cpoint.sys
    R2 NvNdis;NVIDIA NDIS IO Control Driver;\??\E:\WINDOWS\system32\Drivers\NvNdis.sys
    R2 PavProc;Panda Process Protection Driver;\??\E:\WINDOWS\system32\DRIVERS\PavProc.sys
    R3 AvFlt;Antivirus Filter Driver;E:\WINDOWS\system32\drivers\av5flt.sys
    R3 NETIMFLT;PANDA NDIS IM Filter Miniport;E:\WINDOWS\system32\DRIVERS\netimflt.sys
    R3 PavSRK.sys;PavSRK.sys;\??\E:\WINDOWS\system32\PavSRK.sys
    S3 p2pgasvc;Peer Networking Group Authentication;E:\WINDOWS\system32\svchost.exe -k p2psvc
    S3 p2pimsvc;Peer Networking Identity Manager;E:\WINDOWS\system32\svchost.exe -k p2psvc
    S3 p2psvc;Peer Networking;E:\WINDOWS\system32\svchost.exe -k p2psvc
    S3 PavTPK.sys;PavTPK.sys;\??\E:\WINDOWS\system32\PavTPK.sys
    S3 PNRPSvc;Peer Name Resolution Protocol;E:\WINDOWS\system32\svchost.exe -k p2psvc

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
    \Shell\AutoRun\command - G:\LaunchU3.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9fd6ef77-b9fa-11db-9413-00123f1dfc8a}]
    \Shell\AutoRun\command - C:\setupSNK.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-17 14:17:01 E:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    - E:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************
    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    **************************************************************************
    .
    Completion time: 2007-12-02 3:55:12 - machine was rebooted
    .
    --- E O F ---

    And the HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:05:37 AM, on 12/2/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\system32\svchost.exe
    E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
    E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
    E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\AVENGINE.EXE
    E:\WINDOWS\system32\spoolsv.exe
    E:\Program Files\Bonjour\mDNSResponder.exe
    E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsCtrls.EXE
    E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
    E:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    E:\WINDOWS\Explorer.EXE
    e:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PSHOST.EXE
    E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimsvc.exe
    E:\WINDOWS\system32\tcpsvcs.exe
    E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    E:\Program Files\iTunes\iTunesHelper.exe
    E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    E:\WINDOWS\system32\hkcmd.exe
    E:\WINDOWS\system32\igfxpers.exe
    E:\WINDOWS\system32\regsvr32.exe
    E:\Program Files\MSN Messenger\MsnMsgr.Exe
    E:\WINDOWS\system32\ctfmon.exe
    E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\ApvxdWin.exe
    E:\Program Files\Messenger\msmsgs.exe
    E:\Program Files\DAEMON Tools\daemon.exe
    E:\Program Files\iPod\bin\iPodService.exe
    E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    E:\WINDOWS\system32\wuauclt.exe
    E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\WebProxy.exe
    E:\Program Files\MSN Messenger\usnsvc.exe
    E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimreal.exe
    E:\Program Files\Mozilla Firefox\firefox.exe
    E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [GrooveMonitor] "E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe "
    O4 - HKLM\..\Run: [igfxtray] E:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] E:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] E:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [jgxqpqnm] regsvr32 /u "E:\Documents and Settings\All Users\Application Data\jgxqpqnm.dll "
    O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = E:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: Append to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: e:\windows\system32\nwprovau.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Panda Software Controller - Panda Software International - E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsCtrls.EXE
    O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
    O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software International - E:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
    O23 - Service: Panda Host Service (PSHost) - Panda Software International - e:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PSHOST.EXE
    O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimsvc.exe
    O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe

    --
    End of file - 8095 bytes
     
  10. 2007/12/01
    noahdfear

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    E:\Documents and Settings\All Users\Application Data\jgxqpqnm.dll
    E:\WINDOWS\system32\scbdgfrf.dll
    E:\WINDOWS\system32\drvloz.dll
    E:\WINDOWS\system32\xxyvwur.dll
    Folder::
    E:\WINDOWS\system32\skjlrsjp
    E:\Program Files\mhwfofut
    E:\Program Files\Kjgcbelr
    E:\Program Files\SecCenter
    E:\Program Files\Nlrgadbh
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3146e70f-e024-4e90-9656-3231b52810c9}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C328686-3424-4F2F-9A2B-F58FFCCEF136}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{62780D18-D103-03D3-323A-01F43008B839}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{86C510E9-97EF-4749-914F-0280247BE3A6}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "mhwfofut"=-
     "ynqryvqp"=-
     "combofix"=-
     "SC2"=-
     "jgxqpqnm"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
     "{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwil32]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvwur]
    
    Disable your Panda monitoring again. Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


    Note - Your internet connection will be terminated while ComboFix runs. Do Not attempt to re-enable it. Should ComboFix terminate prematurely, restart the computer to restore connectivity.
     
  11. 2007/12/02
    backer

    ComboFix 07-12-02.5 - Steve 2007-12-03 11:55:21.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.231 [GMT -8:00]
    Running from: E:\Documents and Settings\Steve\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    E:\Documents and Settings\All Users\Application Data.\jgxqpqnm.dll
    E:\Program Files\SecCenter
    E:\Program Files\SecCenter\scprot4.exe
    E:\WINDOWS\system32\jhltffts.dll
    E:\WINDOWS\system32\jkklm.dll
    E:\WINDOWS\system32\mlkkj.bak1
    E:\WINDOWS\system32\mlkkj.bak2
    E:\WINDOWS\system32\mlkkj.ini

    .
    ((((((((((((((((((((((((( Files Created from 2007-11-04 to 2007-12-04 )))))))))))))))))))))))))))))))
    .

    2007-12-02 22:33 . 2007-12-02 22:33 <DIR> d-------- E:\Program Files\AviSynth 2.5
    2007-12-02 22:33 . 2007-12-02 22:34 43,602 --a------ E:\WINDOWS\system32\xvid-uninstall.exe
    2007-12-02 22:32 . 2007-12-02 22:34 <DIR> d-------- E:\Program Files\AutoGK
    2007-12-02 18:25 . 2007-12-02 18:25 0 --a------ E:\WINDOWS\system32\nkareexu.dll
    2007-12-02 03:51 . 2007-12-02 03:51 <DIR> d-------- E:\Program Files\Nlrgadbh
    2007-12-01 02:22 . 2007-12-01 02:22 0 --a------ E:\WINDOWS\system32\scbdgfrf.dll
    2007-11-29 11:01 . 2007-11-29 11:01 <DIR> d-------- E:\Program Files\Gabest
    2007-11-29 10:58 . 2007-11-29 10:58 <DIR> d-------- E:\Documents and Settings\Steve\Application Data\vlc
    2007-11-29 10:56 . 2007-11-29 11:46 <DIR> d-------- E:\Program Files\VideoLAN
    2007-11-29 10:07 . 2007-11-29 10:07 <DIR> d-------- E:\Program Files\Trend Micro
    2007-11-29 07:17 . 2007-12-02 03:52 <DIR> d-------- E:\WINDOWS\system32\skjlrsjp
    2007-11-29 07:16 . 2007-11-29 07:16 <DIR> d-------- E:\Program Files\mhwfofut
    2007-11-29 07:16 . 2007-11-29 07:16 <DIR> d-------- E:\Program Files\Kjgcbelr
    2007-11-29 07:16 . 2007-11-29 07:16 102,912 --a------ E:\WINDOWS\system32\drvloz.dll
    2007-11-29 07:15 . 2007-11-29 07:15 37,376 --a------ E:\WINDOWS\system32\xxyvwur.dll
    2007-11-29 01:58 . 2007-11-30 04:12 <DIR> d-------- E:\Documents and Settings\Steve\Application Data\Vso
    2007-11-29 01:58 . 2006-09-29 11:24 217,127 --a------ E:\WINDOWS\system32\drv43260.dll
    2007-11-29 01:58 . 2006-09-29 11:25 208,935 --a------ E:\WINDOWS\system32\drv33260.dll
    2007-11-29 01:58 . 2006-09-29 11:26 176,165 --a------ E:\WINDOWS\system32\drv23260.dll
    2007-11-29 01:58 . 2007-11-29 01:58 47,360 --a------ E:\WINDOWS\system32\drivers\pcouffin.sys
    2007-11-29 01:58 . 2007-11-29 01:58 47,360 --a------ E:\Documents and Settings\Steve\Application Data\pcouffin.sys
    2007-11-29 01:57 . 2007-11-29 01:58 <DIR> d-------- E:\Program Files\VSO
    2007-11-16 16:00 . 2003-02-28 18:26 139,536 --a------ E:\WINDOWS\system32\javaee.dll
    2007-11-08 00:37 . 2007-11-08 00:37 <DIR> d-------- E:\Documents and Settings\Steve\Application Data\Media Player Classic

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-04 03:01 46,104 ----a-w E:\WINDOWS\system32\drivers\APPFCONT.DAT.bck
    2007-12-04 03:01 46,104 ----a-w E:\WINDOWS\system32\drivers\APPFCONT.DAT
    2007-12-04 03:01 1,184 ----a-w E:\WINDOWS\system32\drivers\APPFLTR.CFG.bck
    2007-12-04 03:01 1,184 ----a-w E:\WINDOWS\system32\drivers\APPFLTR.CFG
    2007-11-29 15:24 --------- d-----w E:\Documents and Settings\Steve\Application Data\Azureus
    2007-11-29 14:35 --------- d-----w E:\Program Files\MagicISO
    2007-11-28 22:02 --------- d-----w E:\Program Files\mIRC
    2007-11-19 09:31 --------- d-----w E:\Program Files\Azureus
    2007-11-18 03:00 --------- d-----w E:\Program Files\LimeWire
    2007-11-17 03:19 --------- d-----w E:\Documents and Settings\Steve\Application Data\LimeWire
    2007-11-14 11:01 --------- d-----w E:\Documents and Settings\All Users\Application Data\Microsoft Help
    2007-11-08 09:16 --------- d-----w E:\Documents and Settings\Steve\Application Data\DivX
    2007-11-08 08:35 --------- d-----w E:\Program Files\DivX
    2007-11-03 20:40 --------- d-----w E:\Program Files\Universal Remote Control, Inc
    2007-10-31 15:59 --------- d-----w E:\Documents and Settings\Steve\Application Data\U3
    2007-10-31 15:45 --------- d--h--w E:\Program Files\InstallShield Installation Information
    2007-10-31 06:17 --------- d-----w E:\Documents and Settings\All Users\Application Data\WinZip
    2007-10-29 21:16 --------- d-----w E:\Program Files\Common Files\Motive
    2007-10-29 21:15 --------- d-----w E:\Documents and Settings\All Users\Application Data\Motive
    2007-10-28 06:27 --------- d-----w E:\Program Files\MediaMonkey
    2007-10-22 20:22 --------- d-----w E:\Program Files\Common Files\Panda Software
    2007-10-22 06:47 --------- d-----w E:\Program Files\MSN Messenger
    2007-10-21 23:24 --------- d-----w E:\Program Files\iTunes
    2007-10-21 17:11 --------- d-----w E:\Program Files\Bonjour
    2007-10-20 13:17 --------- d-----w E:\Program Files\Apple Software Update
    2007-10-20 00:56 43,528 ------w E:\WINDOWS\system32\drivers\PxHelp20.sys
    2007-10-19 22:16 --------- d-----w E:\Program Files\QuickTime
    2007-10-18 23:23 31,104 ----a-w E:\WINDOWS\system32\drivers\ShlDrv51.sys
    2007-10-18 23:23 170,800 ----a-w E:\WINDOWS\system32\drivers\PavProc.sys
    2007-10-18 23:23 142,128 ----a-w E:\WINDOWS\system32\drivers\netimflt.sys
    2007-10-18 23:23 1,990 ----a-w E:\WINDOWS\system32\drivers\net_m32.inf
    2007-10-18 20:23 --------- d-----w E:\Program Files\Java
    2007-10-18 20:08 --------- d-----w E:\Program Files\DAEMON Tools
    2007-10-16 20:34 --------- d-----w E:\Program Files\PowerISO
    2006-01-28 21:19 739 ----a-w E:\Program Files\Readme.txt
    2005-12-13 20:25 925 ----a-w E:\Program Files\dlcfEN.vbs
    2005-08-12 19:55 111 ----a-w E:\Program Files\setup.ini
    2005-07-14 22:52 270,336 ----a-w E:\Program Files\setup.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2507a217-f0fe-4605-89f2-1cd06f470aec}]
    E:\WINDOWS\system32\jhltffts.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{62780D18-D103-03D3-323A-01F43008B839}]
    2007-12-02 03:51 98304 --a------ E:\Program Files\Nlrgadbh\mzjfvyqv.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{86C510E9-97EF-4749-914F-0280247BE3A6}]
    E:\WINDOWS\VirtualDNS.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}]
    2007-11-29 07:15 37376 --a------ E:\WINDOWS\system32\xxyvwur.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FBC6F800-B597-44AE-88D8-83B4CAF8890A}]
    E:\WINDOWS\system32\jkklm.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="E:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
    "ctfmon.exe"="E:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15:56]
    "MSMSGS"="E:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:21]
    "DAEMON Tools"="E:\Program Files\DAEMON Tools\daemon.exe" [2007-08-29 07:09]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "GrooveMonitor"="E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
    "QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
    "iTunesHelper"="E:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
    "SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
    "Acrobat Assistant 8.0"="E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 21:46]
    "igfxtray"="E:\WINDOWS\system32\igfxtray.exe" [2006-06-06 17:09]
    "igfxhkcmd"="E:\WINDOWS\system32\hkcmd.exe" [2006-06-06 17:06]
    "igfxpers"="E:\WINDOWS\system32\igfxpers.exe" [2006-06-06 17:10]
    "jgxqpqnm"="regsvr32 /u E:\Documents and Settings\All Users\Application Data\jgxqpqnm.dll" []
    "combofix"="E:\WINDOWS\system32\cmd.exe" [2004-08-03 15:56]

    E:\Documents and Settings\Steve\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - E:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}"= E:\WINDOWS\system32\xxyvwur.dll [2007-11-29 07:15 37376]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
    avldr.dll 2007-09-21 10:33 50736 E:\WINDOWS\system32\avldr.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvwur]
    xxyvwur.dll 2007-11-29 07:15 37376 E:\WINDOWS\system32\xxyvwur.dll

    R1 APPFLT;App Filter Plugin;\??\E:\WINDOWS\system32\Drivers\APPFLT.SYS
    R1 DSAFLT;DSA Filter Plugin;\??\E:\WINDOWS\system32\Drivers\DSAFLT.SYS
    R1 FNETMON;NetMon Filter Plugin;\??\E:\WINDOWS\system32\Drivers\fnetmon.SYS
    R1 IDSFLT;Ids Filter Plugin;\??\E:\WINDOWS\system32\Drivers\IDSFLT.SYS
    R1 NETFLTDI;Panda Net Driver [TDI Layer];\??\E:\WINDOWS\system32\Drivers\NETFLTDI.SYS
    R1 ShldDrv;Panda File Shield Driver;\??\E:\WINDOWS\system32\DRIVERS\ShlDrv51.sys
    R1 SMSFLT;SMS Filter Plugin;\??\E:\WINDOWS\system32\Drivers\SMSFLT.SYS
    R1 WNMFLT;Wifi Monitor Filter Plugin;\??\E:\WINDOWS\system32\Drivers\WNMFLT.SYS
    R2 cpoint;Panda CPoint Driver;E:\WINDOWS\system32\drivers\cpoint.sys
    R2 NvNdis;NVIDIA NDIS IO Control Driver;\??\E:\WINDOWS\system32\Drivers\NvNdis.sys
    R2 PavProc;Panda Process Protection Driver;\??\E:\WINDOWS\system32\DRIVERS\PavProc.sys
    R3 AvFlt;Antivirus Filter Driver;E:\WINDOWS\system32\drivers\av5flt.sys
    R3 NETIMFLT;PANDA NDIS IM Filter Miniport;E:\WINDOWS\system32\DRIVERS\netimflt.sys
    R3 PavSRK.sys;PavSRK.sys;\??\E:\WINDOWS\system32\PavSRK.sys
    S3 p2pgasvc;Peer Networking Group Authentication;E:\WINDOWS\system32\svchost.exe -k p2psvc
    S3 p2pimsvc;Peer Networking Identity Manager;E:\WINDOWS\system32\svchost.exe -k p2psvc
    S3 p2psvc;Peer Networking;E:\WINDOWS\system32\svchost.exe -k p2psvc
    S3 PavTPK.sys;PavTPK.sys;\??\E:\WINDOWS\system32\PavTPK.sys
    S3 PNRPSvc;Peer Name Resolution Protocol;E:\WINDOWS\system32\svchost.exe -k p2psvc

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
    \Shell\AutoRun\command - G:\LaunchU3.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9fd6ef77-b9fa-11db-9413-00123f1dfc8a}]
    \Shell\AutoRun\command - C:\setupSNK.exe

    *Newly Created Service* - COMFILTR
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-17 14:17:01 E:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - E:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************
    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    **************************************************************************
    .
    Completion time: 2007-12-03 19:07:40 - machine was rebooted
    E:\ComboFix2.txt ... 2007-12-02 03:55
    .
    --- E O F ---
     
  12. 2007/12/02
    noahdfear

    It does not appear that you followed my directions above to create the CFScript.txt file and drop it onto ComboFix.exe
    Please re-read my last post and complete as instructed.
     
  13. 2007/12/03
    backer

    So I dragged CFScript.txt from my desktop onto ComboFix.exe, which is also on my desktop, and this is the file it created after everything was complete (hope I did it right this time).

    ComboFix 07-12-02.7 - Steve 2007-12-03 20:34:16.4 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.227 [GMT -8:00]
    Running from: E:\Documents and Settings\Steve\Desktop\ComboFix.exe
    Command switches used :: E:\Documents and Settings\Steve\Desktop\CFScript.txt
    * Created a new restore point

    FILE
    E:\Documents and Settings\All Users\Application Data\jgxqpqnm.dll
    E:\WINDOWS\system32\drvloz.dll
    E:\WINDOWS\system32\scbdgfrf.dll
    E:\WINDOWS\system32\xxyvwur.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    E:\Documents and Settings\Steve\Application Data\inst.exe
    E:\Program Files\Kjgcbelr
    E:\Program Files\Kjgcbelr\onhcoiju.dll
    E:\Program Files\mhwfofut
    E:\Program Files\mhwfofut\ebahmliz.dll
    E:\Program Files\Nlrgadbh
    E:\WINDOWS\system32\drvloz.dll
    E:\WINDOWS\system32\scbdgfrf.dll
    E:\WINDOWS\system32\skjlrsjp
    E:\WINDOWS\system32\skjlrsjp\bg1.gif
    E:\WINDOWS\system32\skjlrsjp\bgtop.gif
    E:\WINDOWS\system32\skjlrsjp\bottom1.gif
    E:\WINDOWS\system32\skjlrsjp\essentials.gif
    E:\WINDOWS\system32\skjlrsjp\icon1.ico
    E:\WINDOWS\system32\skjlrsjp\install1.gif
    E:\WINDOWS\system32\skjlrsjp\left1.gif
    E:\WINDOWS\system32\skjlrsjp\li.gif
    E:\WINDOWS\system32\skjlrsjp\logo.gif
    E:\WINDOWS\system32\skjlrsjp\main.htm
    E:\WINDOWS\system32\skjlrsjp\mainframe.htm
    E:\WINDOWS\system32\skjlrsjp\reinstall1.gif
    E:\WINDOWS\system32\skjlrsjp\right1.gif
    E:\WINDOWS\system32\skjlrsjp\s1.htm
    E:\WINDOWS\system32\skjlrsjp\s2.htm
    E:\WINDOWS\system32\skjlrsjp\s3.htm
    E:\WINDOWS\system32\skjlrsjp\SMTop1.gif
    E:\WINDOWS\system32\skjlrsjp\SMTop2.gif
    E:\WINDOWS\system32\skjlrsjp\SMTop3.gif
    E:\WINDOWS\system32\skjlrsjp\SMTop4.gif
    E:\WINDOWS\system32\skjlrsjp\soft1_off.gif
    E:\WINDOWS\system32\skjlrsjp\soft1_off_ext.gif
    E:\WINDOWS\system32\skjlrsjp\soft1_on.gif
    E:\WINDOWS\system32\skjlrsjp\soft1_on_ext.gif
    E:\WINDOWS\system32\skjlrsjp\soft2_off.gif
    E:\WINDOWS\system32\skjlrsjp\soft2_off_ext.gif
    E:\WINDOWS\system32\skjlrsjp\soft2_on.gif
    E:\WINDOWS\system32\skjlrsjp\soft2_on_ext.gif
    E:\WINDOWS\system32\skjlrsjp\soft3_off.gif
    E:\WINDOWS\system32\skjlrsjp\soft3_off_ext.gif
    E:\WINDOWS\system32\skjlrsjp\soft3_on.gif
    E:\WINDOWS\system32\skjlrsjp\soft3_on_ext.gif
    E:\WINDOWS\system32\skjlrsjp\softbottom_off.gif
    E:\WINDOWS\system32\skjlrsjp\softbottom_on.gif
    E:\WINDOWS\system32\skjlrsjp\softleft_off.gif
    E:\WINDOWS\system32\skjlrsjp\softleft_on.gif
    E:\WINDOWS\system32\skjlrsjp\top1.gif
    E:\WINDOWS\system32\skjlrsjp\top2.gif
    E:\WINDOWS\system32\skjlrsjp\turnoff1.gif
    E:\WINDOWS\system32\skjlrsjp\turnon1.gif

    .
    ((((((((((((((((((((((((( Files Created from 2007-11-04 to 2007-12-04 )))))))))))))))))))))))))))))))
    .

    2007-12-02 22:33 . 2007-12-02 22:33 <DIR> d-------- E:\Program Files\AviSynth 2.5
    2007-12-02 22:33 . 2007-12-02 22:34 43,602 --a------ E:\WINDOWS\system32\xvid-uninstall.exe
    2007-12-02 22:32 . 2007-12-02 22:34 <DIR> d-------- E:\Program Files\AutoGK
    2007-12-02 18:25 . 2007-12-02 18:25 0 --a------ E:\WINDOWS\system32\nkareexu.dll
    2007-11-29 11:01 . 2007-11-29 11:01 <DIR> d-------- E:\Program Files\Gabest
    2007-11-29 10:58 . 2007-11-29 10:58 <DIR> d-------- E:\Documents and Settings\Steve\Application Data\vlc
    2007-11-29 10:56 . 2007-11-29 11:46 <DIR> d-------- E:\Program Files\VideoLAN
    2007-11-29 10:07 . 2007-11-29 10:07 <DIR> d-------- E:\Program Files\Trend Micro
    2007-11-29 01:58 . 2007-12-03 20:28 <DIR> d-------- E:\Documents and Settings\Steve\Application Data\Vso
    2007-11-29 01:58 . 2007-11-29 01:58 47,360 --a------ E:\WINDOWS\system32\drivers\pcouffin.sys
    2007-11-29 01:58 . 2007-12-03 20:28 47,360 --a------ E:\Documents and Settings\Steve\Application Data\pcouffin.sys
    2007-11-16 16:00 . 2003-02-28 18:26 139,536 --a------ E:\WINDOWS\system32\javaee.dll
    2007-11-08 00:37 . 2007-11-08 00:37 <DIR> d-------- E:\Documents and Settings\Steve\Application Data\Media Player Classic

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-04 04:40 46,104 ----a-w E:\WINDOWS\system32\drivers\APPFCONT.DAT.bck
    2007-12-04 04:40 46,104 ----a-w E:\WINDOWS\system32\drivers\APPFCONT.DAT
    2007-12-04 04:40 1,204 ----a-w E:\WINDOWS\system32\drivers\APPFLTR.CFG.bck
    2007-12-04 04:40 1,204 ----a-w E:\WINDOWS\system32\drivers\APPFLTR.CFG
    2007-11-29 15:24 --------- d-----w E:\Documents and Settings\Steve\Application Data\Azureus
    2007-11-29 14:35 --------- d-----w E:\Program Files\MagicISO
    2007-11-28 22:02 --------- d-----w E:\Program Files\mIRC
    2007-11-19 09:31 --------- d-----w E:\Program Files\Azureus
    2007-11-18 03:00 --------- d-----w E:\Program Files\LimeWire
    2007-11-17 03:19 --------- d-----w E:\Documents and Settings\Steve\Application Data\LimeWire
    2007-11-14 11:01 --------- d-----w E:\Documents and Settings\All Users\Application Data\Microsoft Help
    2007-11-08 09:16 --------- d-----w E:\Documents and Settings\Steve\Application Data\DivX
    2007-11-08 08:35 --------- d-----w E:\Program Files\DivX
    2007-11-03 20:40 --------- d-----w E:\Program Files\Universal Remote Control, Inc
    2007-10-31 15:59 --------- d-----w E:\Documents and Settings\Steve\Application Data\U3
    2007-10-31 15:45 --------- d--h--w E:\Program Files\InstallShield Installation Information
    2007-10-31 06:17 --------- d-----w E:\Documents and Settings\All Users\Application Data\WinZip
    2007-10-29 21:16 --------- d-----w E:\Program Files\Common Files\Motive
    2007-10-29 21:15 --------- d-----w E:\Documents and Settings\All Users\Application Data\Motive
    2007-10-28 06:27 --------- d-----w E:\Program Files\MediaMonkey
    2007-10-22 20:22 --------- d-----w E:\Program Files\Common Files\Panda Software
    2007-10-22 06:47 --------- d-----w E:\Program Files\MSN Messenger
    2007-10-21 23:24 --------- d-----w E:\Program Files\iTunes
    2007-10-21 17:11 --------- d-----w E:\Program Files\Bonjour
    2007-10-20 13:17 --------- d-----w E:\Program Files\Apple Software Update
    2007-10-20 00:56 43,528 ------w E:\WINDOWS\system32\drivers\PxHelp20.sys
    2007-10-19 22:16 --------- d-----w E:\Program Files\QuickTime
    2007-10-18 23:23 31,104 ----a-w E:\WINDOWS\system32\drivers\ShlDrv51.sys
    2007-10-18 23:23 170,800 ----a-w E:\WINDOWS\system32\drivers\PavProc.sys
    2007-10-18 23:23 142,128 ----a-w E:\WINDOWS\system32\drivers\netimflt.sys
    2007-10-18 23:23 1,990 ----a-w E:\WINDOWS\system32\drivers\net_m32.inf
    2007-10-18 20:23 --------- d-----w E:\Program Files\Java
    2007-10-18 20:08 --------- d-----w E:\Program Files\DAEMON Tools
    2007-10-16 20:34 --------- d-----w E:\Program Files\PowerISO
    2006-01-28 21:19 739 ----a-w E:\Program Files\Readme.txt
    2005-12-13 20:25 925 ----a-w E:\Program Files\dlcfEN.vbs
    2005-08-12 19:55 111 ----a-w E:\Program Files\setup.ini
    2005-07-14 22:52 270,336 ----a-w E:\Program Files\setup.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="E:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
    "ctfmon.exe"="E:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15:56]
    "MSMSGS"="E:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:21]
    "DAEMON Tools"="E:\Program Files\DAEMON Tools\daemon.exe" [2007-08-29 07:09]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "GrooveMonitor"="E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
    "QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
    "iTunesHelper"="E:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
    "SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
    "Acrobat Assistant 8.0"="E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 21:46]
    "igfxtray"="E:\WINDOWS\system32\igfxtray.exe" [2006-06-06 17:09]
    "igfxhkcmd"="E:\WINDOWS\system32\hkcmd.exe" [2006-06-06 17:06]
    "igfxpers"="E:\WINDOWS\system32\igfxpers.exe" [2006-06-06 17:10]

    E:\Documents and Settings\Steve\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - E:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
    avldr.dll 2007-09-21 10:33 50736 E:\WINDOWS\system32\avldr.dll

    R1 APPFLT;App Filter Plugin;\??\E:\WINDOWS\system32\Drivers\APPFLT.SYS
    R1 DSAFLT;DSA Filter Plugin;\??\E:\WINDOWS\system32\Drivers\DSAFLT.SYS
    R1 FNETMON;NetMon Filter Plugin;\??\E:\WINDOWS\system32\Drivers\fnetmon.SYS
    R1 IDSFLT;Ids Filter Plugin;\??\E:\WINDOWS\system32\Drivers\IDSFLT.SYS
    R1 NETFLTDI;Panda Net Driver [TDI Layer];\??\E:\WINDOWS\system32\Drivers\NETFLTDI.SYS
    R1 ShldDrv;Panda File Shield Driver;\??\E:\WINDOWS\system32\DRIVERS\ShlDrv51.sys
    R1 SMSFLT;SMS Filter Plugin;\??\E:\WINDOWS\system32\Drivers\SMSFLT.SYS
    R1 WNMFLT;Wifi Monitor Filter Plugin;\??\E:\WINDOWS\system32\Drivers\WNMFLT.SYS
    R2 cpoint;Panda CPoint Driver;E:\WINDOWS\system32\drivers\cpoint.sys
    R2 NvNdis;NVIDIA NDIS IO Control Driver;\??\E:\WINDOWS\system32\Drivers\NvNdis.sys
    R2 PavProc;Panda Process Protection Driver;\??\E:\WINDOWS\system32\DRIVERS\PavProc.sys
    R3 NETIMFLT;PANDA NDIS IM Filter Miniport;E:\WINDOWS\system32\DRIVERS\netimflt.sys
    S3 AvFlt;Antivirus Filter Driver;E:\WINDOWS\system32\drivers\av5flt.sys
    S3 p2pgasvc;Peer Networking Group Authentication;E:\WINDOWS\system32\svchost.exe -k p2psvc
    S3 p2pimsvc;Peer Networking Identity Manager;E:\WINDOWS\system32\svchost.exe -k p2psvc
    S3 p2psvc;Peer Networking;E:\WINDOWS\system32\svchost.exe -k p2psvc
    S3 PavSRK.sys;PavSRK.sys;\??\E:\WINDOWS\system32\PavSRK.sys
    S3 PavTPK.sys;PavTPK.sys;\??\E:\WINDOWS\system32\PavTPK.sys
    S3 PNRPSvc;Peer Name Resolution Protocol;E:\WINDOWS\system32\svchost.exe -k p2psvc

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
    \Shell\AutoRun\command - G:\LaunchU3.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9fd6ef77-b9fa-11db-9413-00123f1dfc8a}]
    \Shell\AutoRun\command - C:\setupSNK.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-17 14:17:01 E:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - E:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-03 20:41:25
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-12-03 20:43:01 - machine was rebooted
    E:\ComboFix2.txt ... 2007-12-02 19:44
    E:\ComboFix3.txt ... 2007-12-02 03:55
    .
    --- E O F ---
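The check noahdfear makes in post 12 (did the CFScript actually run, and did the entries it listed show up in the log) can be automated. This is an added example, not ComboFix's or the helper's code: it parses the File::/Folder::/Registry:: sections of a CFScript and the "Command switches used", FILE, "Other Deletions" and "Reg Loading Points" parts of a ComboFix log, using constructed samples trimmed from the posts above.

```python
import re
# Constructed samples, trimmed from the script and logs posted in this thread.
CFSCRIPT = r"""
File::
E:\Documents and Settings\All Users\Application Data\jgxqpqnm.dll
E:\WINDOWS\system32\drvloz.dll
Folder::
E:\Program Files\SecCenter
E:\Program Files\Nlrgadbh
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"combofix"=-
"""
# Shaped like post 11: no "Command switches used" line, loading points still there.
LOG_BEFORE = r"""
ComboFix 07-12-02.5 - Steve 2007-12-03 11:55:21.2 - NTFSx86
(((((((((( Other Deletions ))))))))))
E:\Documents and Settings\All Users\Application Data\jgxqpqnm.dll
E:\Program Files\SecCenter
(((((((((( Reg Loading Points ))))))))))
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"combofix"="E:\WINDOWS\system32\cmd.exe" [2004-08-03 15:56]
"""
# Shaped like post 13: script path echoed, FILE block present, Run value gone.
LOG_AFTER = r"""
ComboFix 07-12-02.7 - Steve 2007-12-03 20:34:16.4 - NTFSx86
Command switches used :: E:\Documents and Settings\Steve\Desktop\CFScript.txt
FILE
E:\Documents and Settings\All Users\Application Data\jgxqpqnm.dll
E:\WINDOWS\system32\drvloz.dll
(((((((((( Other Deletions ))))))))))
E:\Program Files\Nlrgadbh
E:\WINDOWS\system32\drvloz.dll
(((((((((( Reg Loading Points ))))))))))
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"""
PATH_RE = re.compile(r"^[A-Za-z]:\\")

def parse_cfscript(text):
    """Split a CFScript into paths and registry deletions ([-KEY] or "name"=- under [KEY])."""
    script = {"files": [], "folders": [], "reg_keys": [], "reg_values": []}
    section, current_key = None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.endswith("::"):
            section = line[:-2].lower()
        elif section in ("file", "folder"):
            script[section + "s"].append(line)
        elif section == "registry":
            if line.startswith("[-") and line.endswith("]"):
                script["reg_keys"].append(line[2:-1])
            elif line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]
            elif line.endswith("=-") and current_key:
                script["reg_values"].append((current_key, line[:-2].strip('"')))
    return script

def parse_combofix_log(text):
    """Collect the echoed script path, deleted paths (FILE + Other Deletions) and reg lines."""
    log = {"script": None, "deleted": set(), "reg_lines": []}
    section = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("Command switches used ::"):
            log["script"] = line.split("::", 1)[1].strip()
        elif line == "FILE" or "Other Deletions" in line:
            section = "deleted"
        elif line.startswith("((("):
            section = "reg" if "Reg Loading Points" in line else None
        elif section == "deleted" and PATH_RE.match(line):
            log["deleted"].add(line.lower())
        elif section == "reg":
            log["reg_lines"].append(line)
    return log

def reg_still_present(reg_lines, key, name=None):
    """True if the key (or, with name, that value under it) still appears in the log."""
    in_key = False
    for line in reg_lines:
        if line.startswith("["):
            in_key = line.lower() == "[%s]" % key.lower()
            if in_key and name is None:
                return True
        elif in_key and name and line.lower().startswith('"%s"' % name.lower()):
            return True
    return False

def verify(script_text, log_text):
    """Report whether the script ran and which requested deletions the log confirms."""
    script, log = parse_cfscript(script_text), parse_combofix_log(log_text)
    report = {"script_applied": log["script"] is not None,
              "removed": [], "not_removed": [], "reg_still_present": []}
    for path in script["files"] + script["folders"]:
        bucket = "removed" if path.lower() in log["deleted"] else "not_removed"
        report[bucket].append(path)
    for key in script["reg_keys"]:
        if reg_still_present(log["reg_lines"], key):
            report["reg_still_present"].append(key)
    for key, name in script["reg_values"]:
        if reg_still_present(log["reg_lines"], key, name):
            report["reg_still_present"].append(key + "\\" + name)
    return report
```

Run `verify(CFSCRIPT, LOG_BEFORE)` and `verify(CFSCRIPT, LOG_AFTER)` to see the "script never applied" case next to the "applied" case.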
     
  14. 2007/12/03
    noahdfear

    Perfect! :)

    Delete the following file.

    E:\WINDOWS\system32\nkareexu.dll

    Click Start > Run, type ComboFix /u, then hit Enter to remove ComboFix and the files it quarantined.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything, check "Select All".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.
    Reboot

    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky; click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings, make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • This program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.

    Post the Kaspersky log and one more fresh HijackThis log.
     
  15. 2007/12/04
    backer

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Tuesday, December 04, 2007 12:47:58 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 4/12/2007
    Kaspersky Anti-Virus database records: 471755
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    D:\
    E:\
    F:\

    Scan Statistics:
    Total number of scanned objects: 86794
    Number of viruses found: 3
    Number of infected objects: 8
    Number of suspicious objects: 0
    Duration of the scan process: 02:25:31

    Infected Object Name / Virus Name / Last Action
    E:\Documents and Settings\All Users\Application Data\Adobe\ALM\alm.log Object is locked skipped
    E:\Documents and Settings\All Users\Application Data\FLEXnet\adobe_00080000_tsf.data Object is locked skipped
    E:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    E:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    E:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    E:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    E:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    E:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    E:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    E:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    E:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    E:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    E:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    E:\Documents and Settings\Steve\Cookies\index.dat Object is locked skipped
    E:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Messenger\backer_22@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
    E:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Messenger\backer_22@hotmail.com\SharingMetadata\Working\database_18D4_77AE_D477_8D2E\dfsr.db Object is locked skipped
    E:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Messenger\backer_22@hotmail.com\SharingMetadata\Working\database_18D4_77AE_D477_8D2E\fsr.log Object is locked skipped
    E:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Messenger\backer_22@hotmail.com\SharingMetadata\Working\database_18D4_77AE_D477_8D2E\fsrtmp.log Object is locked skipped
    E:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Messenger\backer_22@hotmail.com\SharingMetadata\Working\database_18D4_77AE_D477_8D2E\tmp.edb Object is locked skipped
    E:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    E:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    E:\Documents and Settings\Steve\Local Settings\History\History.IE5\index.dat Object is locked skipped
    E:\Documents and Settings\Steve\Local Settings\History\History.IE5\MSHist012007120420071205\index.dat Object is locked skipped
    E:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    E:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\QNC7I5QB\in[1].mov Infected: Exploit.Multi.Qtp.d skipped
    E:\Documents and Settings\Steve\My Documents\Downloads\AVICodecPackPlus210_exe.vir/stream/data0051 Infected: not-a-virus:AdWare.Win32.Webdir.b skipped
    E:\Documents and Settings\Steve\My Documents\Downloads\AVICodecPackPlus210_exe.vir/stream Infected: not-a-virus:AdWare.Win32.Webdir.b skipped
    E:\Documents and Settings\Steve\My Documents\Downloads\AVICodecPackPlus210_exe.vir NSIS: infected - 2 skipped
    E:\Documents and Settings\Steve\My Documents\Downloads\mirc621.exe/stream/data0008 Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
    E:\Documents and Settings\Steve\My Documents\Downloads\mirc621.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
    E:\Documents and Settings\Steve\My Documents\Downloads\mirc621.exe NSIS: infected - 2 skipped
    E:\Documents and Settings\Steve\My Documents\My Music\iTunes\iTunes Library.itl Object is locked skipped
    E:\Documents and Settings\Steve\NTUSER.DAT Object is locked skipped
    E:\Documents and Settings\Steve\ntuser.dat.LOG Object is locked skipped
    E:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
    E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\74222cf71bc5a0493360cf798679b5f3PSK_NAMES Object is locked skipped
    E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\74222cf71bc5a0493360cf798679b5f3PSK_NAMES2 Object is locked skipped
    E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    E:\System Volume Information\_restore{42774B4C-BC76-471D-881E-3DDFA3A14A3B}\RP1\change.log Object is locked skipped
    E:\WINDOWS\CSC\00000001 Object is locked skipped
    E:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    E:\WINDOWS\SchedLgU.Txt Object is locked skipped
    E:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
    E:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
    E:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
    E:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    E:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    E:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    E:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    E:\WINDOWS\system32\config\default Object is locked skipped
    E:\WINDOWS\system32\config\default.LOG Object is locked skipped
    E:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
    E:\WINDOWS\system32\config\OSession.evt Object is locked skipped
    E:\WINDOWS\system32\config\SAM Object is locked skipped
    E:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    E:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    E:\WINDOWS\system32\config\SECURITY Object is locked skipped
    E:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    E:\WINDOWS\system32\config\software Object is locked skipped
    E:\WINDOWS\system32\config\software.LOG Object is locked skipped
    E:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    E:\WINDOWS\system32\config\system Object is locked skipped
    E:\WINDOWS\system32\config\system.LOG Object is locked skipped
    E:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
    E:\WINDOWS\system32\h323log.txt Object is locked skipped
    E:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    E:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    E:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    E:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    E:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    E:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    E:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    E:\WINDOWS\WindowsUpdate.log Object is locked skipped
    E:\WINDOWS\wmsetup.log Object is locked skipped

    Scan process completed.
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:06:58 PM, on 12/4/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\system32\svchost.exe
    E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
    E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
    E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\AVENGINE.EXE
    E:\WINDOWS\system32\spoolsv.exe
    E:\WINDOWS\Explorer.EXE
    E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    E:\Program Files\iTunes\iTunesHelper.exe
    E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    E:\WINDOWS\system32\hkcmd.exe
    E:\WINDOWS\system32\igfxpers.exe
    E:\Program Files\MSN Messenger\MsnMsgr.Exe
    E:\WINDOWS\system32\ctfmon.exe
    E:\Program Files\Messenger\msmsgs.exe
    E:\Program Files\Bonjour\mDNSResponder.exe
    E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsCtrls.EXE
    E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
    E:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    e:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PSHOST.EXE
    E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimsvc.exe
    E:\WINDOWS\system32\tcpsvcs.exe
    E:\Program Files\iPod\bin\iPodService.exe
    E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\ApvxdWin.exe
    E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\wuauclt.exe
    E:\WINDOWS\system32\wuauclt.exe
    E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\avciman.exe
    E:\Program Files\MSN Messenger\usnsvc.exe
    E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\WebProxy.exe
    E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimreal.exe
    E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [GrooveMonitor] "E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe "
    O4 - HKLM\..\Run: [igfxtray] E:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] E:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] E:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = E:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: Append to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: e:\windows\system32\nwprovau.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Panda Software Controller - Panda Software International - E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsCtrls.EXE
    O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
    O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software International - E:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
    O23 - Service: Panda Host Service (PSHost) - Panda Software International - e:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PSHOST.EXE
    O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimsvc.exe
    O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - E:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe

    --
    End of file - 8850 bytes
     
  16. 2007/12/04
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Great!

    You actually only have 1 infected file.

    E:\Documents and Settings\Steve\My Documents\Downloads\AVICodecPackPlus210_exe.vir

    It's not virus-infected, but has embedded adware. Looks as though something, possibly Panda, has already disabled it by renaming it with a .vir extension. May as well delete it, then empty the recycle bin.

    Scan again with HijackThis and place a check next to the following entries, close all open browser windows then click Fix Checked.

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k


    That should wrap things up. How's your computer running?
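    The triage in this reply (locked system files are normal, "not-a-virus" hits are adware or legitimate tools such as mIRC, and only a real verdict on a file still on disk needs action) is mechanical enough to script. The block below is an added example, not code from the thread, from Kaspersky or from Trend Micro. It assumes the scan report layout seen earlier in the thread (`<path> <verdict> skipped`, with `/stream/...` suffixes for members inside an installer) and the `Onn - ...` layout of HijackThis lines; the sample lines are a constructed subset built from entries quoted in this thread.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the scan report quoted earlier in the thread.
KAV_SAMPLE = r"""
E:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
E:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\QNC7I5QB\in[1].mov Infected: Exploit.Multi.Qtp.d skipped
E:\Documents and Settings\Steve\My Documents\Downloads\AVICodecPackPlus210_exe.vir/stream/data0051 Infected: not-a-virus:AdWare.Win32.Webdir.b skipped
E:\Documents and Settings\Steve\My Documents\Downloads\AVICodecPackPlus210_exe.vir/stream Infected: not-a-virus:AdWare.Win32.Webdir.b skipped
E:\Documents and Settings\Steve\My Documents\Downloads\AVICodecPackPlus210_exe.vir NSIS: infected - 2 skipped
E:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
E:\WINDOWS\system32\config\SAM Object is locked skipped
"""

# Constructed sample: a subset of the HijackThis log quoted in the thread.
HJT_SAMPLE = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [igfxtray] E:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
"""

# Assumed report grammar: "<path> <verdict> skipped", where the verdict is one of
# "Object is locked", "Infected: <name>" or "<archiver>: infected - <n>".
KAV_LINE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:(?P<locked>Object is locked)"
    r"|Infected: (?P<verdict>\S+)"
    r"|(?P<archive>\S+): infected - (?P<count>\d+))"
    r" skipped$"
)


def summarize_kav(report: str) -> dict:
    """Group scanner verdicts by the file that actually sits on disk.

    Returns {"locked": n, "malware": {file: [verdicts]}, "riskware": {file: [verdicts]}}.
    Archive summary lines ("NSIS: infected - 2") are dropped because the
    per-member lines for the same file already carry the verdicts.
    """
    out = {"locked": 0, "malware": defaultdict(list), "riskware": defaultdict(list)}
    for line in report.splitlines():
        m = KAV_LINE.match(line.strip())
        if not m:
            continue  # blank or unrecognised line
        if m.group("locked"):
            out["locked"] += 1  # in-use system file; expected on a live system
            continue
        if m.group("archive"):
            continue
        # Strip the "/stream/data0051" member suffix to get the host file.
        host = m.group("path").split("/", 1)[0]
        verdict = m.group("verdict")
        # Kaspersky prefixes adware and legitimate tools with "not-a-virus:".
        bucket = "riskware" if verdict.startswith("not-a-virus:") else "malware"
        if verdict not in out[bucket][host]:
            out[bucket][host].append(verdict)
    out["malware"] = dict(out["malware"])
    out["riskware"] = dict(out["riskware"])
    return out


HJT_LINE = re.compile(r"^(?P<kind>O\d+) - (?P<body>.*)$")


def hjt_cleanup_candidates(log: str) -> list:
    """Return HijackThis entries that are safe cleanup targets.

    Flags O2 BHO entries whose DLL is gone ("(no file)") and the
    KernelFaultCheck Run entry, which Windows XP writes after a crash to run
    dumprep once and then leaves behind.
    """
    hits = []
    for line in log.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "O2" and body.endswith("(no file)"):
            hits.append(line.strip())
        elif kind == "O4" and "[KernelFaultCheck]" in body and "dumprep" in body:
            hits.append(line.strip())
    return hits


if __name__ == "__main__":
    s = summarize_kav(KAV_SAMPLE)
    print(f"{s['locked']} locked system files skipped (normal on a running system)")
    for host, verdicts in s["malware"].items():
        print("MALWARE ", host, verdicts)
    for host, verdicts in s["riskware"].items():
        print("RISKWARE", host, verdicts)
    for entry in hjt_cleanup_candidates(HJT_SAMPLE):
        print("HJT fix :", entry)
```

    Run against the sample, the only non-riskware verdict is the QuickTime exploit in the browser cache, which clearing Temporary Internet Files removes; the .vir download and mIRC fall into the riskware bucket, matching the reply's reading of the report.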
     
  17. 2007/12/05
    backer

    backer Inactive Thread Starter

    Joined:
    2007/01/10
    Messages:
    83
    Likes Received:
    0
    Thanks a lot for helping me. My computer is running better, but a bit slower than it was before the virus.
     
  18. 2007/12/05
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Run disk cleanup, then disk check, then defragment and let me know if there's any improvement. Post back if you need how-to's for any of those.
     
