
Help... vundo virus

Discussion in 'Malware and Virus Removal Archive' started by tainamystique, 2008/04/14.

  1. 2008/04/14
    tainamystique (Thread Starter)
    Read the thread Trojan.Vundo removal problems and got up to the hijack step. Here is my log for anyone to peruse.... not sure which ones to fix... didn't want to make the situation worse; however, the system is running smoother but def. still has components of the virus... thank you for your assistance!!! :confused:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 8:26:44 AM, on 4/14/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\zHotkey.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Common Files\AOL\1153616573\ee\AOLSoftware.exe
    C:\WINDOWS\ALCFDRTM.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\Program Files\Napster\napster.exe
    C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Documents and Settings\Owner\svchost.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AOL 9.1\waol.exe
    C:\Program Files\Common Files\AOL\Loader\aolload.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\Common Files\AOL\1153616573\EE\AOLDesktop.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\AOL 9.1\shellmon.exe
    C:\Program Files\limewire\limewire.exe
    C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
    C:\Documents and Settings\Owner\Desktop\HiJackThis_v2.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
    O2 - BHO: (no name) - {D03570B7-EEFE-4E92-8C51-EDACE2D7DB9C} - C:\WINDOWS\system32\qoMCrOfg.dll (file missing)
    O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\Program Files\YourSiteBar\ysb.dll
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1153616573\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [AlcFDMonitor] C:\WINDOWS\ALCFDRTM.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe "
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
    O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [Host Process] C:\Documents and Settings\Owner\svchost.exe
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
    O4 - Startup: AOL Desktop.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154388851406
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 11641 bytes
     
  2. 2008/04/14
    noahdfear
    Welcome to WindowsBBS tainamystique :)

    You're using an outdated version of HijackThis. Let's get that updated and get another scan too. Please read this topic, install the latest version of HijackThis, run a scan and save the log (you can close it for now). Then, download and run Deckard's System Scanner and post the main.txt log here.
     

  4. 2008/04/15
    tainamystique (Thread Starter)
    thank you

    thank you.. will do and get back to you!

    Taina
     
  5. 2008/04/15
    tainamystique (Thread Starter)
    in response to noahdfear

    Followed everything you said.. here is the log.. thank you!!! :cool:

    Deckard's System Scanner v20071014.68
    Run by Owner on 2008-04-15 16:01:28
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------



    -- Last 5 Restore Point(s) --
    104: 2008-04-15 22:44:06 UTC - RP712 - Deckard's System Scanner Restore Point
    103: 2008-04-12 21:13:37 UTC - RP711 - System Checkpoint
    102: 2008-04-10 22:23:21 UTC - RP710 - System Checkpoint
    101: 2008-04-09 16:27:46 UTC - RP709 - Software Distribution Service 3.0
    100: 2008-04-08 01:14:14 UTC - RP708 - System Checkpoint


    -- First Restore Point --
    1: 2008-04-02 21:23:56 UTC - RP609 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.

    Total Physical Memory: 502 MiB (512 MiB recommended).


    -- HijackThis (run as Owner.exe) -----------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:02:52 PM, on 4/15/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\zHotkey.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Common Files\AOL\1153616573\ee\AOLSoftware.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\WINDOWS\ALCFDRTM.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\Program Files\Napster\napster.exe
    C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
    C:\Program Files\Common Files\AOL\Loader\aolload.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Documents and Settings\Owner\svchost.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\Common Files\AOL\1153616573\EE\AOLDesktop.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\Documents and Settings\Owner\Desktop\dss.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\limewire\limewire.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
    O2 - BHO: (no name) - {D03570B7-EEFE-4E92-8C51-EDACE2D7DB9C} - C:\WINDOWS\system32\qoMCrOfg.dll (file missing)
    O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\Program Files\YourSiteBar\ysb.dll
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1153616573\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [AlcFDMonitor] C:\WINDOWS\ALCFDRTM.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe "
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
    O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [Host Process] C:\Documents and Settings\Owner\svchost.exe
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
    O4 - Startup: AOL Desktop.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154388851406
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 11441 bytes

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
    R3 SunkFilt (Alcor Micro Corp Reader) - c:\windows\system32\drivers\sunkfilt.sys <Not Verified; Alcor Micro Corp.; SunkFilt>

    S3 EntDrv51 - c:\windows\system32\drivers\entdrv51.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
    R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Scheduled Tasks -------------------------------------------------------------

    2008-04-09 12:08:14 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    2008-04-01 01:00:01 352 --a------ C:\WINDOWS\Tasks\McQcTask.job
    2008-03-15 01:00:01 350 --a------ C:\WINDOWS\Tasks\McDefragTask.job


    -- Files created between 2008-03-15 and 2008-04-15 -----------------------------

    2008-04-15 15:41:50 0 d-------- C:\Program Files\Trend Micro
    2008-04-09 18:22:23 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
    2008-04-09 16:44:42 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-04-09 16:43:51 0 d-------- C:\Program Files\Spyware Doctor
    2008-04-09 16:43:51 0 d-------- C:\Documents and Settings\Owner\Application Data\PC Tools
    2008-04-09 09:41:33 0 d-------- C:\Program Files\Panda Security
    2008-04-07 21:52:03 0 d-------- C:\VundoFix Backups
    2008-04-03 10:52:37 86592 --a------ C:\WINDOWS\system32\vjccnqja.dll
    2008-04-02 09:26:50 0 d-------- C:\Program Files\Common Files\Roxio Shared
    2008-04-02 09:26:50 0 d-------- C:\Program Files\Common Files\Napster Shared
    2008-04-02 09:26:48 0 d-------- C:\Program Files\Napster
    2008-04-02 09:26:48 0 d-------- C:\Documents and Settings\Owner\Application Data\InstallShield
    2008-04-01 16:25:28 0 d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
    2008-04-01 11:56:50 345376 --ahs---- C:\WINDOWS\system32\gfOrCMoq.ini2
    2008-04-01 11:43:40 0 --a------ C:\WINDOWS\system32\taskkill.exe
    2008-04-01 11:43:35 0 d--hs---- C:\Documents and Settings\Owner\!
    2008-04-01 11:43:34 60301 -----n--- C:\Documents and Settings\Owner\zz.dat
    2008-04-01 11:43:30 1006080 ---hs---- C:\Documents and Settings\Owner\svchost.exe
    2008-04-01 11:43:26 1006080 --a------ C:\winlogon.exe
    2008-04-01 11:43:04 0 d-------- C:\WINDOWS\system32\aqVreo05
    2008-03-19 20:24:22 0 d-------- C:\Program Files\Safari


    -- Find3M Report ---------------------------------------------------------------

    2008-04-09 18:30:40 0 d-------- C:\Program Files\Yahoo!
    2008-04-09 18:23:57 0 d-------- C:\Program Files\AOL Deskbar
    2008-04-07 21:25:45 0 d-------- C:\Program Files\LimeWire
    2008-04-03 17:02:27 0 d-------- C:\Program Files\McAfee
    2008-04-01 15:16:58 0 d--h----- C:\Program Files\InstallShield Installation Information
    2008-04-01 15:16:51 0 d-------- C:\Program Files\Common Files
    2008-03-13 11:51:08 0 d-------- C:\Program Files\Java
    2008-02-27 16:56:20 0 d-------- C:\Program Files\iTunes
    2008-02-27 16:56:10 0 d-------- C:\Program Files\iPod
    2008-02-27 16:54:25 0 d-------- C:\Program Files\QuickTime


    -- Registry Dump ---------------------------------------------------------------

    Unable to run batchfile; The process cannot access the file because it is being used by another process.
    ComSpec: C:\WINDOWS\system32\cmd.exe


    -- End of Deckard's System Scanner: finished at 2008-04-15 16:04:11 ------------
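As an added example, not a tool from the thread or from either scanner, the following Python script mechanises the checks a log reader applies by eye to the two logs above: a registered component whose file is gone (the O2 `(no file)` / `(file missing)` lines), a Windows system-binary name running from outside C:\WINDOWS (`C:\Documents and Settings\Owner\svchost.exe`, `C:\winlogon.exe`), a startup entry pointing into a user profile, hidden+system attributes on an executable, and the Vundo-style pairing of a DLL with an .ini/.ini2 whose name is the DLL stem spelled backwards (`qoMCrOfg.dll` / `gfOrCMoq.ini2`). The rule names and heuristics are the example's own, and the inline sample is constructed from lines copied out of the logs above plus two clean lines as negatives; it assumes the HijackThis and DSS line formats shown there.

```python
"""Triage a HijackThis / Deckard's System Scanner excerpt for the signs a log
reader looks for in the Vundo thread above. Added example; not a tool from the
thread. Rule names are the example's own."""
import re

# Constructed sample: lines copied from the HijackThis and DSS logs posted above,
# with two clean lines (Adobe BHO, IgfxTray) included as negatives.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {D03570B7-EEFE-4E92-8C51-EDACE2D7DB9C} - C:\WINDOWS\system32\qoMCrOfg.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Host Process] C:\Documents and Settings\Owner\svchost.exe
2008-04-03 10:52:37 86592 --a------ C:\WINDOWS\system32\vjccnqja.dll
2008-04-01 11:56:50 345376 --ahs---- C:\WINDOWS\system32\gfOrCMoq.ini2
2008-04-01 11:43:30 1006080 ---hs---- C:\Documents and Settings\Owner\svchost.exe
2008-04-01 11:43:26 1006080 --a------ C:\winlogon.exe
"""

# A Windows path ending in an executable-ish extension; tolerates spaces and the
# trailing text HijackThis appends, e.g. " (file missing)".
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|*?\r\n]*?\.(?:exe|dll|sys|ini2?)(?![A-Za-z0-9])',
                     re.IGNORECASE)
# DSS "Files created" line: timestamp, size, attribute flags, path.
DSS_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+([-a-z]+)\s+(.+)$")

# Names that legitimately live only under C:\WINDOWS; anywhere else is a masquerade.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def check_line(line):
    """Per-line checks; returns a list of (rule, evidence) tuples."""
    findings = []
    # A registered component whose file is gone: typical leftover after a
    # partial clean-up (the DLL was removed, the CLSID registration stayed).
    if re.match(r"O\d+ - ", line) and ("(no file)" in line or "(file missing)" in line):
        findings.append(("orphaned-registration", line))
    for path in PATH_RE.findall(line):
        low = path.lower()
        if basename(low) in SYSTEM_BINARIES and not low.startswith("c:\\windows\\"):
            findings.append(("system-name-outside-windows", path))
        # O4 = autorun; a startup entry pointing into a user profile needs a look.
        if line.startswith("O4 ") and "\\documents and settings\\" in low:
            findings.append(("autorun-from-user-profile", path))
    m = DSS_RE.match(line)
    if m:
        attrs, path = m.groups()
        # h + s flags: hidden and system, which Explorer hides by default.
        if "h" in attrs and "s" in attrs and path.lower().endswith((".exe", ".dll")):
            findings.append(("hidden-system-executable", path))
    return findings


def reversed_name_pairs(paths):
    """Vundo's habit: a DLL plus an .ini/.ini2 whose stem is the DLL stem reversed."""
    by_stem = {}
    for p in paths:
        stem, _, ext = basename(p).rpartition(".")
        by_stem.setdefault(stem.lower(), {})[ext.lower()] = p
    pairs = []
    for stem, files in by_stem.items():
        if "dll" not in files or len(stem) < 6:   # skip short/coincidental stems
            continue
        partner = by_stem.get(stem[::-1], {})
        ini = partner.get("ini") or partner.get("ini2")
        if ini:
            pairs.append((files["dll"], ini))
    return pairs


def triage(log_text):
    """Run every check over a log excerpt; returns sorted, de-duplicated findings."""
    findings, all_paths = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        findings.extend(check_line(line))
        all_paths.extend(PATH_RE.findall(line))
    for dll, ini in reversed_name_pairs(all_paths):
        findings.append(("reversed-name-dll-ini-pair", f"{dll} <-> {ini}"))
    return sorted(set(findings))


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_LOG):
        print(f"{rule:30} {evidence}")
```

Run against the sample it reports seven findings and stays silent on the two clean lines; `vjccnqja.dll` is not flagged because a random-looking name alone is not one of the checks.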
     
  6. 2008/04/15
    noahdfear
    P2P - I see you have P2P software (Limewire) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

    References for the risk of these programs are here, here and here.

    I would strongly recommend that you uninstall them; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.


    That said, let's get your system cleaned up. ;) Download ComboFix by sUBs from here, saving the file to your desktop.


    Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
     
  7. 2008/04/17 tainamystique (Thread Starter)
    grits teeth

    Okay... I tried to uninstall LimeWire, but there are still components of it residing on my 'BOYFRIEND'S' computer.. lol I will include the files here:
    LimeWire C:\Program Files type: file folder
    LimeWire.exe C:\Program Files\LimeWire Size: 144kb Type: Application
    LIMEWIRE.EXE-1944953E.pf C:\WINDOWS\Prefetch Size: 32 KB Type: PF File
    LimeWire.jar C:\Program Files\LimeWire\lib Size: 11,629 KB Type: Executable Jar File

    Then I followed your directions to a 't' and this is the message I received after 'running' combofix.exe:
    'Windows cannot find "'C:\WINDOWS\regedit.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the START button, and then click SEARCH.'

    Thar ya have it.. will await further instructions... <bows n exits room> lol.. thanks so much..
     
  8. 2008/04/17 noahdfear
    Those Limewire files/folders should be easily deleted after a reboot.

    Did you get that message whilst ComboFix was running?
     
  9. 2008/04/18 tainamystique (Thread Starter)
    and still we go...

    I did reboot, a few times.. and those LimeWire files are not budging... I am of the mind that that is where he contracted the virus...etc... and yes the error message came up after/during running the combofix.exe


    thank you for your tolerance!
     
  10. 2008/04/18 noahdfear
    Before we try anything else, let's check on regedit. The following will search the drive for all copies of regedit.exe and echo the location to a text file it creates on the desktop.

    Please click Start>Run and type cmd then hit enter to open a command window. Now highlight and copy all of the bolded blue text below, then right click in the command window and select paste.


    @echo off
    rem Search the whole system drive, including hidden files, for every copy of regedit.exe
    dir %SystemDrive%\regedit.exe /a /s > "%UserProfile%\Desktop\check.txt"
    rem Show the result in Notepad, then close this command window
    start notepad "%UserProfile%\Desktop\check.txt"
    exit



    Once the search is complete, the command window will close and check.txt will open. Please post the contents of check.txt here.
     
  11. 2008/04/18 tainamystique (Thread Starter)
    When I type cmd and hit enter this message comes up:

    Another program is currently using this file... a big red circle, white X in the middle..
     
    Last edited: 2008/04/19
  12. 2008/04/19 noahdfear
    Please click here and select Run. A log named running.txt will open. Please post its contents.
     
  13. 2008/04/19 tainamystique (Thread Starter)
    to noahdfear

    okay.. clicked on it... entered on run... it loads..etc.. the icon on the toolbar named "whats_running.bat" flashes a few times to show it's running, then freezes, then nothing.. when I click on the icon I get this message.. "Another program is currently using this file" and again thank you for your help.
     
  14. 2008/04/19 noahdfear
    Copy the instructions in this post to a blank notepad, then save it on the desktop. Reboot to safe mode and logon to your user account, then do as suggested. You can post the contents of check.txt on the desktop once you're back in normal mode.

    While in safe mode, see if those Limewire files/folder can be deleted.

    To enter Safe mode, restart the computer and begin tapping the F8 key to enable the Advanced Start Menu. Select Safe Mode from the list of options using the up/down arrow keys, then hitting Enter.
     
  15. 2008/04/20 tainamystique (Thread Starter)
    got it!!! yeah!

    Volume in drive C has no label.
    Volume Serial Number is 9C39-3113

    Directory of C:\WINDOWS

    08/04/2004 12:00 PM 146,432 regedit.exe
    1 File(s) 146,432 bytes

    Directory of C:\WINDOWS\I386

    08/04/2004 12:00 PM 146,432 REGEDIT.EXE
    1 File(s) 146,432 bytes

    Directory of C:\WINDOWS\system32\dllcache

    08/04/2004 12:00 PM 146,432 regedit.exe
    1 File(s) 146,432 bytes
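The batch file from post #10 produces plain `dir /s` output like the listing just above, and the questions a responder then asks of it are mechanical: is the live copy in the Windows folder present, is the Windows File Protection copy in system32\dllcache present, do all copies have the same size, and does any copy sit somewhere regedit.exe has no business being. The following Python script is an added example, not part of the thread, that parses that listing and answers those questions. The first sample is the listing copied from post #15; the second is a constructed listing, not from this machine, in which the live copy is missing and a smaller copy sits in C:\WINDOWS\Temp. The expected locations assume C:\WINDOWS as %SystemRoot%, as the posted log shows.

```python
import re

# The check.txt output as posted in post #15 (Windows XP, US-locale dir format).
CHECK_TXT = r"""
 Volume in drive C has no label.
 Volume Serial Number is 9C39-3113

 Directory of C:\WINDOWS

08/04/2004  12:00 PM           146,432 regedit.exe
               1 File(s)        146,432 bytes

 Directory of C:\WINDOWS\I386

08/04/2004  12:00 PM           146,432 REGEDIT.EXE
               1 File(s)        146,432 bytes

 Directory of C:\WINDOWS\system32\dllcache

08/04/2004  12:00 PM           146,432 regedit.exe
               1 File(s)        146,432 bytes
"""

# Constructed sample (not from the thread): the live copy is gone and a smaller
# copy sits in a directory where regedit.exe does not belong.
TAMPERED_TXT = r"""
 Directory of C:\WINDOWS\system32\dllcache

08/04/2004  12:00 PM           146,432 regedit.exe
               1 File(s)        146,432 bytes

 Directory of C:\WINDOWS\Temp

04/01/2008  11:43 AM            98,304 regedit.exe
               1 File(s)         98,304 bytes
"""

DIR_HEADER = re.compile(r"^\s*Directory of (?P<dir>.+?)\s*$")
# date  time AM/PM  size-with-commas  name  (a <DIR> entry has no numeric size and is skipped)
FILE_LINE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}\s*[AP]M)\s+"
    r"(?P<size>\d[\d,]*)\s+(?P<name>\S.*?)\s*$"
)

# Assumption: %SystemRoot% is C:\WINDOWS, as in the posted log. A stock XP keeps
# regedit.exe in the Windows folder, in the Windows File Protection cache, and
# (on OEM installs) in the I386 install-source folder.
SYSTEM_ROOT = r"c:\windows"
EXPECTED_DIRS = {SYSTEM_ROOT, SYSTEM_ROOT + r"\system32\dllcache", SYSTEM_ROOT + r"\i386"}


def parse_dir_output(text):
    """Turn `dir /s` output into (directory, filename, size_in_bytes) tuples."""
    entries, current_dir = [], None
    for line in text.splitlines():
        m = DIR_HEADER.match(line)
        if m:
            current_dir = m.group("dir")
            continue
        m = FILE_LINE.match(line)
        if m and current_dir is not None:
            entries.append((current_dir, m.group("name"),
                            int(m.group("size").replace(",", ""))))
    return entries


def triage_copies(entries, filename="regedit.exe"):
    """Answer the questions a responder asks of check.txt for one filename."""
    copies = [(d, s) for d, n, s in entries if n.lower() == filename.lower()]
    dirs = {d.lower() for d, _ in copies}
    sizes = {s for _, s in copies}
    return {
        "copies": copies,
        "live_copy_present": SYSTEM_ROOT in dirs,
        "wfp_cache_present": SYSTEM_ROOT + r"\system32\dllcache" in dirs,
        "sizes_consistent": len(sizes) <= 1,
        "unexpected_locations": sorted(d for d in dirs if d not in EXPECTED_DIRS),
    }


def describe(report):
    """Human-readable lines for a triage report."""
    lines = [f"{size:>9,} bytes  {d}" for d, size in report["copies"]]
    if not report["live_copy_present"]:
        lines.append("WARNING: no copy in the Windows folder (matches 'Windows cannot find regedit.exe')")
    if not report["wfp_cache_present"]:
        lines.append("WARNING: no Windows File Protection copy in system32\\dllcache to restore from")
    if not report["sizes_consistent"]:
        lines.append("WARNING: copies differ in size; compare them before trusting any of them")
    for d in report["unexpected_locations"]:
        lines.append(f"WARNING: copy in unexpected location: {d}")
    return lines


if __name__ == "__main__":
    for label, text in (("posted log", CHECK_TXT), ("constructed tampered sample", TAMPERED_TXT)):
        print(f"== {label} ==")
        print("\n".join(describe(triage_copies(parse_dir_output(text)))))
```

Equal sizes are a weak check: a patched binary can easily keep the original length, so when the listing looks clean but ComboFix still cannot find regedit.exe, the next step is a hash comparison of the three files rather than more listings.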
     
  16. 2008/04/20 noahdfear
    Please try those instructions in post #5 above again, making sure to download a fresh copy of ComboFix first.
     
  17. 2008/04/20 tainamystique (Thread Starter)
    and who's on third...

    did as you said and was at this point again..

    "then I followed your directions to a 't' and this is the message I rec'd after 'running' combofix.exe
    'Windows cannot find "'C:\WINDOWS\regedit.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the START button, and then click SEARCH.' "

    This is after I 'ran' the program, that is the only thing that pops up....

    again, thanks:confused:
     
  18. 2008/04/21 tainamystique (Thread Starter)
    well at least I'm learning alot...

    Okay, did all of that..... downloaded a fresh copy of ComboFix and received the same error message.... see step five and the error message about the regedit file...

    what to do next sensei????


    asks lowly grasshoppah:confused:
     
  19. 2008/04/21 noahdfear
    Please reboot to safe mode and try to run ComboFix.
     
  20. 2008/04/22 tainamystique (Thread Starter)
    thank you

    for your patience.. I have learned much from this experience..here is the log....


    ComboFix 08-04-20.2 - Owner 2008-04-22 2:56:07.2 - NTFSx86 MINIMAL
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.375 [GMT -7:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Owner\svchost.exe
    C:\WINDOWS\system32\taskkill.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-03-22 to 2008-04-22 )))))))))))))))))))))))))))))))
    .

    2008-04-15 15:43 . 2008-04-15 15:43 <DIR> d-------- C:\Deckard
    2008-04-15 15:41 . 2008-04-15 15:41 <DIR> d-------- C:\Program Files\Trend Micro
    2008-04-09 18:22 . 2008-04-09 18:22 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
    2008-04-09 16:44 . 2008-04-22 02:52 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-04-09 16:44 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
    2008-04-09 16:44 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
    2008-04-09 16:44 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
    2008-04-09 16:44 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
    2008-04-09 16:43 . 2008-04-17 05:32 <DIR> d-------- C:\Program Files\Spyware Doctor
    2008-04-09 16:43 . 2008-04-09 16:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PC Tools
    2008-04-09 09:41 . 2008-04-09 09:41 <DIR> d-------- C:\Program Files\Panda Security
    2008-04-09 09:30 . 2008-04-09 09:30 118 --a------ C:\WINDOWS\system32\MRT.INI
    2008-04-09 09:22 . 2008-04-09 16:41 <DIR> d-------- C:\Program Files\CleanUp!
    2008-04-07 21:52 . 2008-04-09 18:35 <DIR> d-------- C:\VundoFix Backups
    2008-04-02 09:26 . 2008-04-02 09:26 <DIR> d-------- C:\Program Files\Napster
    2008-04-02 09:26 . 2008-04-02 09:26 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
    2008-04-02 09:26 . 2008-04-02 09:26 <DIR> d-------- C:\Program Files\Common Files\Napster Shared
    2008-04-02 09:26 . 2008-04-02 09:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InstallShield
    2008-04-01 16:25 . 2008-04-22 02:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
    2008-04-01 11:43 . 2008-04-01 11:43 <DIR> d-------- C:\WINDOWS\system32\aqVreo05
    2008-04-01 11:43 . 2008-04-09 18:01 <DIR> d--hs---- C:\Documents and Settings\Owner\!
    2008-04-01 11:43 . 2008-04-22 02:19 60,301 --------- C:\Documents and Settings\Owner\zz.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-10 01:30 --------- d-----w C:\Program Files\Yahoo!
    2008-04-10 01:23 --------- d-----w C:\Program Files\AOL Deskbar
    2008-04-08 03:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
    2008-04-04 00:02 --------- d-----w C:\Program Files\McAfee
    2008-04-02 16:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
    2008-04-02 03:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
    2008-04-01 22:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-03-20 03:24 --------- d-----w C:\Program Files\Safari
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-13 18:51 --------- d-----w C:\Program Files\Java
    2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-02-27 23:56 --------- d-----w C:\Program Files\iTunes
    2008-02-27 23:56 --------- d-----w C:\Program Files\iPod
    2008-02-27 23:54 --------- d-----w C:\Program Files\QuickTime
    2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
    2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-04-22_ 2.37.42.62 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-04-22 09:31:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-04-22 09:54:39 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D03570B7-EEFE-4E92-8C51-EDACE2D7DB9C}]
    C:\WINDOWS\system32\qoMCrOfg.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{86227D9C-0EFE-4F8A-AA55-30386A3F5686}"="C:\Program Files\YourSiteBar\ysb.dll" [2006-08-01 18:57 90624]

    [HKEY_CLASSES_ROOT\clsid\{86227d9c-0efe-4f8a-aa55-30386a3f5686}]
    [HKEY_CLASSES_ROOT\Ysb.YsbObj.1]
    [HKEY_CLASSES_ROOT\TypeLib\{86227D9C-0EFE-4f8a-AA55-30386A3F5686}]
    [HKEY_CLASSES_ROOT\Ysb.YsbObj]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{86227D9C-0EFE-4F8A-AA55-30386A3F5686}"=C:\Program Files\YourSiteBar\ysb.dll [2006-08-01 18:57 90624]

    [HKEY_CLASSES_ROOT\clsid\{86227d9c-0efe-4f8a-aa55-30386a3f5686}]
    [HKEY_CLASSES_ROOT\Ysb.YsbObj.1]
    [HKEY_CLASSES_ROOT\TypeLib\{86227D9C-0EFE-4f8a-AA55-30386A3F5686}]
    [HKEY_CLASSES_ROOT\Ysb.YsbObj]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
    "WebCamRT.exe"="" []
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 13:42 212992]
    "SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 15:04 135168]
    "High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 15:55 155648]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 15:51 118784]
    "CHotkey"="zHotkey.exe" [2004-05-17 18:30 543232 C:\WINDOWS\zHotkey.exe]
    "ShowWnd"="ShowWnd.exe" [2003-09-19 09:09 36864 C:\WINDOWS\ShowWnd.exe]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
    "HostManager"="C:\Program Files\Common Files\AOL\1153616573\ee\AOLSoftware.exe" [2007-10-08 14:50 41824]
    "AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 05:50 71216]
    "AlcFDMonitor"="C:\WINDOWS\ALCFDRTM.EXE" [2006-09-02 21:16 73728]
    "SoundMan"="SOUNDMAN.EXE" [2005-05-12 14:00 90112 C:\WINDOWS\SoundMan.exe]
    "AlcWzrd"="ALCWZRD.EXE" [2005-05-12 14:00 2805248 C:\WINDOWS\ALCWZRD.EXE]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 09:39 98304]
    "SurfAccuracy"="C:\Program Files\SurfAccuracy\SAcc.exe" [ ]
    "UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
    "NapsterShell"="C:\Program Files\Napster\napster.exe" [2007-10-05 20:04 323216]
    "Lexmark 1200 Series"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [2006-07-13 14:22 57344]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
    "C:\\Program Files\\America Online 9.0\\waol.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
    "C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
    "C:\\Program Files\\Common Files\\AOL\\1153616573\\EE\\AOLServiceHost.exe"=
    "C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
    "C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Common Files\\AOL\\1153616573\\EE\\aolsoftware.exe"=
    "C:\\Program Files\\AOL 9.1\\waol.exe"=
    "C:\\Program Files\\Common Files\\AOL\\1153616573\\EE\\AOLDesktop.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    S2 Viewpoint Manager Service;Viewpoint Manager Service; "C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38]
    S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys [2001-08-01 15:36]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-09 19:08:14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-03-15 08:00:01 C:\WINDOWS\Tasks\McDefragTask.job"
    - c:\program files\mcafee\mqc\QcConsol.exe
    "2008-04-01 08:00:01 C:\WINDOWS\Tasks\McQcTask.job"
    - c:\program files\mcafee\mqc\QcConsol.exe
    .
    **************************************************************************

    catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-22 02:59:26
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-04-22 3:01:25
    ComboFix-quarantined-files.txt 2008-04-22 10:01:12
    ComboFix2.txt 2008-04-22 09:40:38

    Pre-Run: 175,645,646,848 bytes free
    Post-Run: 175,631,847,424 bytes free

    163 --- E O F --- 2008-04-09 16:31:40




    :D
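The Reg Loading Points section of the log above records exactly the settings a responder scans for first: Security Center notifications and McAfee monitoring switched off, the Windows Firewall disabled on the standard profile, TCP 3389 opened to all networks, a BHO loading a DLL straight out of system32, and autorun entries to which ComboFix could attach no timestamp or size. The following Python script is an added example, not part of the thread or of ComboFix, that parses an excerpt copied from that section (embedded inline) and turns those facts into findings. The severity labels are mine, and so is the assumption that an empty `[ ]` after an autorun entry means ComboFix could not stat the target at scan time.

```python
import re

# Excerpt of the "Reg Loading Points" section of the ComboFix log in post #20.
REG_SECTION = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D03570B7-EEFE-4E92-8C51-EDACE2D7DB9C}]
C:\WINDOWS\system32\qoMCrOfg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SurfAccuracy"="C:\Program Files\SurfAccuracy\SAcc.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

SECTION_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<value>.*)$')
# Security Center values that silence the "no antivirus / firewall / updates" balloons.
DISABLE_NOTIFY = {"antivirusdisablenotify", "firewalldisablenotify", "updatesdisablenotify"}


def parse_loading_points(text):
    """Yield (key, name, value) for every line under a [key]; a bare line (the way
    ComboFix prints a BHO's DLL path) is yielded with name=None."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None:          # REGEDIT4 header and other preamble
            continue
        m = VALUE_RE.match(line)
        if m:
            yield key, m.group("name"), m.group("value").strip()
        else:
            yield key, None, line


def dword_is_nonzero(value):
    return value.lower().startswith("dword:") and int(value[6:], 16) != 0


def triage(text):
    """Return (severity, message) findings for the tampering a responder looks for."""
    findings = []
    for key, name, value in parse_loading_points(text):
        k, n = key.lower(), (name or "").lower()
        leaf = key.rsplit("\\", 1)[-1]          # last path component of the key
        if "security center" in k:
            if n in DISABLE_NOTIFY and dword_is_nonzero(value):
                findings.append(("high", f"Security Center warning suppressed: {name}"))
            elif n == "disablemonitoring" and dword_is_nonzero(value):
                findings.append(("high", f"Security Center monitoring disabled for {leaf}"))
        elif "firewallpolicy" in k and n == "enablefirewall":
            if value.split()[0] == "0":
                findings.append(("high", f"Windows Firewall disabled ({leaf})"))
        elif "globallyopenports" in k and name:
            findings.append(("medium", f"port open to all networks: {name}"))
        elif "browser helper objects" in k and name is None:
            findings.append(("review", f"BHO {leaf} loads {value}"))
        elif k.endswith("currentversion\\run") and value.endswith("[ ]"):
            # Assumption: an empty [ ] means ComboFix could not stat the target.
            path = value.rsplit(" [", 1)[0].strip('"')
            findings.append(("review", f"autorun '{name}' points at a file ComboFix could not stat: {path}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(REG_SECTION):
        print(f"[{severity:6}] {message}")
```

Run on the posted excerpt it produces four high findings (the suppressed antivirus warning, both McAfee monitors disabled, the firewall off), one medium (3389/TCP open to every network) and two entries for manual review; an entry such as iTunesHelper, which has a real timestamp and size, produces nothing.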
     
  21. 2008/04/23 noahdfear
    Good to see it ran for you! Let's get a look at a couple of files before we proceed. Please post both of the following logs.

    C:\Qoobox\ComboFix-quarantined-files.txt
    C:\Qoobox\ComboFix2.txt

    Locate the following file.

    C:\Documents and Settings\Owner\zz.dat

    Rename it zz.txt then move it to your desktop. Now open it and see what it contains. There's a good chance it contains personal information, such as passwords. If so, you need to identify what those passwords are for and change them from another computer. If any belong to online bank accts, or credit card info is contained in the file, you need to keep a very close eye on those accts. Might not be a bad idea to contact those financial institutions and let them know your computer's security was compromised so they can be on guard for suspicious activity on the accts.
     
