
iexplore.exe virus/spyware? help

Discussion in 'Malware and Virus Removal Archive' started by andydozntcare, 2008/04/21.

  1. 2008/04/21
    andydozntcare

    Good Afternoon all,


    I have a virus/spyware that calls itself iexplore.exe. What this virus/spyware does is, every time I open an instance of Mozilla Firefox, I get an Internet Explorer pop-up.

    My Ad-Aware, free AVG trial and Spybot Search & Destroy aren't removing this problem.

    I've checked my Task Manager and found an IEXPLORE.exe running, so I ended the task and a second later it reappears.

    I ran a HijackThis scan and here is what I got:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:11:19 PM, on 4/21/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\WLTRAY.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\PROGRA~1\AVG\AVG8\avgfws8.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\PROGRA~1\AVG\AVG8\avgam.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Program Files\Trillian\trillian.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\Rundll32.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwgate0.mot.com:1080
    O2 - BHO: (no name) - {36B5B879-B652-41E2-B37C-161E15053D60} - C:\WINDOWS\system32\gebywutq.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {AE78D8AD-5C6B-48D2-AAB5-FE36D34A8421} - C:\WINDOWS\system32\pmnkijhh.dll (file missing)
    O2 - BHO: (no name) - {D3D241F4-26F2-4EB6-B94B-D935CCD601FD} - C:\WINDOWS\system32\efcayvsq.dll (file missing)
    O2 - BHO: nextads browser optimizer - {e62dfb21-839c-7977-e95d-fb9fbe1fc3c2} - C:\WINDOWS\system32\{cc1fac0f-ca47-9ff3-a9f1-6b8696aab1e8}.dll
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe "
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{cc1fac0f-ca47-9ff3-a9f1-6b8696aab1e8}.dll" DllInit
    O4 - HKLM\..\Run: [98bc4352] rundll32.exe "C:\WINDOWS\system32\mrqfyqfk.dll ",b
    O4 - HKLM\..\Run: [BM9b8f70ce] Rundll32.exe "C:\WINDOWS\system32\adjdrnbd.dll ",s
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - S-1-5-18 Startup: DW_Start.lnk = C:\WINDOWS\system32\pinz1\cegmgr76.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: DW_Start.lnk = C:\WINDOWS\system32\pinz1\cegmgr76.exe (User 'Default user')
    O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\pinz1\cegmgr76.exe
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O20 - Winlogon Notify: gebywutq - C:\WINDOWS\SYSTEM32\gebywutq.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 7546 bytes

    Any idea on how to fix it?
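The HijackThis log above is a list of load points, and the question it raises is which of them merit a closer look. The following Python script is an added example for this thread, not code from the forum, from the poster, or from Trend Micro's HijackThis. It parses lines in the HijackThis format and flags the patterns a helper scans for by eye: a configured proxy, BHOs registered with no name, entries pointing at missing files, Run values named with a hex blob, executables started from a subfolder of system32, Winlogon/AppInit hooks, random-looking eight-letter filenames, and a DLL referenced from more than one entry type. The sample log is constructed in the same format as the posted log; the rule names and thresholds are the example's own assumptions.

```python
"""Triage of HijackThis-format log lines.

Added example for this thread; it is not code from the forum, from the
poster, or from Trend Micro's HijackThis. SAMPLE_LOG is constructed in the
same format as the log posted above, and every rule is a review heuristic.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: a subset of entry types in HijackThis format.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwgate0.mot.com:1080
O2 - BHO: (no name) - {36B5B879-B652-41E2-B37C-161E15053D60} - C:\WINDOWS\system32\gebywutq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {AE78D8AD-5C6B-48D2-AAB5-FE36D34A8421} - C:\WINDOWS\system32\pmnkijhh.dll (file missing)
O4 - HKLM\..\Run: [98bc4352] rundll32.exe "C:\WINDOWS\system32\mrqfyqfk.dll ",b
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\pinz1\cegmgr76.exe
O20 - Winlogon Notify: gebywutq - C:\WINDOWS\SYSTEM32\gebywutq.dll
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
"""

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# Basename and extension of every .dll/.exe mentioned on a line.
FILE_RE = re.compile(r'([^\\\s"]+)\.(dll|exe)\b', re.IGNORECASE)
# Run value whose name is an 8-digit hex blob, e.g. [98bc4352].
HEX_KEY_RE = re.compile(r"\[[0-9a-f]{8}\]")
# Executable living in a subfolder of system32 rather than in system32 itself.
SUBDIR_EXE_RE = re.compile(r'\\system32\\[^\\\s"]+\\[^\\\s"]+\.exe', re.IGNORECASE)


def parse_entries(log_text: str) -> List[Dict[str, str]]:
    """Keep only lines that follow the 'Oxx - ...' / 'Rx - ...' layout."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append({"kind": m.group("kind"), "body": m.group("body"), "line": raw.strip()})
    return entries


def looks_random(basename: str) -> bool:
    """Eight lowercase letters with at most two vowels: the shape of the
    generated names in the posted log (gebywutq, pmnkijhh, mrqfyqfk)."""
    name = basename.lower()
    if not re.fullmatch(r"[a-z]{8}", name):
        return False
    return sum(ch in "aeiou" for ch in name) <= 2


def triage(log_text: str) -> List[Dict[str, object]]:
    entries = parse_entries(log_text)

    # First pass: which entry types reference each file? A DLL that is both a
    # BHO (O2) and a Winlogon Notify handler (O20) is hooked twice for persistence.
    load_points = defaultdict(set)
    for e in entries:
        for base, _ext in FILE_RE.findall(e["body"]):
            load_points[base.lower()].add(e["kind"])

    findings = []
    for e in entries:
        kind, body = e["kind"], e["body"]
        reasons = []
        if kind == "R1" and "ProxyServer" in body:
            reasons.append("proxy server configured; confirm the user set it deliberately")
        if kind == "O2" and "(no name)" in body:
            reasons.append("BHO registered without a name")
        if "(file missing)" in body:
            reasons.append("load point refers to a file that no longer exists")
        if kind == "O4" and HEX_KEY_RE.search(body):
            reasons.append("Run value named with a hex blob instead of a product name")
        if SUBDIR_EXE_RE.search(body):
            reasons.append("executable started from a subfolder of system32")
        if kind == "O20":
            reasons.append("Winlogon/AppInit hook loads into every logon session; verify the publisher")
        for base, _ext in FILE_RE.findall(body):
            if looks_random(base):
                reasons.append(f"random-looking filename {base}")
            hooks = load_points[base.lower()]
            if len(hooks) > 1:
                reasons.append(f"{base} is referenced by {len(hooks)} entry types: {sorted(hooks)}")
        if reasons:
            findings.append({"kind": kind, "line": e["line"], "reasons": reasons})
    return findings


def format_report(findings: List[Dict[str, object]]) -> str:
    out = []
    for f in findings:
        out.append(f"{f['kind']}: {f['line']}")
        out.extend(f"    - {r}" for r in f["reasons"])
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(triage(SAMPLE_LOG)))
```

Run against the sample, six of the nine lines are flagged and the three AVG and Java entries are not. The output is a review list, not a verdict: the random-name rule in particular is a heuristic, and a legitimate product binary whose name happens to be eight lowercase letters with few vowels would trip it, so each hit still needs the publisher and file checked before anything is removed.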
     
  2. 2008/04/21
    Geri Lifetime Subscription

    Hi andydozntcare
    Welcome to Windowsbbs. :)

    Do you use this as a ProxyServer: wwwgate0.mot.com?


    I see you have P2P software (LimeWire, BitTorrent, uTorrent, etc.) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

    References for the risk of these programs are here, here and here.

    I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

    Note: Please be advised that continued use of these programs, after being warned of the danger of infections from them, may result in the discontinued help of future cleaning of your system here at Windowsbbs Virus and Spyware removal.


    Please do this.

    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

    Please post the Combofix Log.

    Thanks
    Geri
     
    Geri,
    #2


  4. 2008/04/21
    andydozntcare

    Sorry, I'm not that great with computers. What does using this as a proxy server mean?

    I uninstalled LimeWire/BitComet :)

    Here is the ComboFix log:
    ComboFix 08-04-20.5 - Andrew Kim 2008-04-21 22:18:10.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.635 [GMT -5:00]
    Running from: C:\Documents and Settings\Andrew Kim\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\temp\tn3
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\Cache
    C:\WINDOWS\system32\drivers\atmepvcc.sys
    C:\WINDOWS\system32\efcbayaw.dll
    C:\WINDOWS\system32\hhjiknmp.ini
    C:\WINDOWS\system32\hhjiknmp.ini2
    C:\WINDOWS\system32\nnnnmmnk.dll
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\system32\qsvyacfe.ini
    C:\WINDOWS\system32\qsvyacfe.ini2
    C:\WINDOWS\system32\ssqqrpon.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_CMDSERVICE
    -------\Legacy_NETWORK_MONITOR
    -------\Service_atmepvcc
    -------\Legacy_atmepvcc
    -------\Service_atmepvcc


    ((((((((((((((((((((((((( Files Created from 2008-03-22 to 2008-04-22 )))))))))))))))))))))))))))))))
    .

    2008-04-21 22:17 . 2008-04-21 22:17 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
    2008-04-21 19:59 . 2008-04-21 20:00 <DIR> d-------- C:\Program Files\Panda Security
    2008-04-21 19:45 . 2008-04-21 19:45 <DIR> d-------- C:\!KillBox
    2008-04-21 19:11 . 2008-04-21 19:11 <DIR> d-------- C:\Program Files\Trend Micro
    2008-04-21 18:53 . 2008-04-21 18:53 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-04-21 18:40 . 2008-04-21 18:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-04-21 17:47 . 2008-04-21 17:47 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk
    2008-04-21 16:14 . 2008-04-21 16:14 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-04-21 16:14 . 2008-04-21 16:14 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
    2008-04-21 16:14 . 2008-04-21 16:14 12,424 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
    2008-04-21 16:14 . 2008-04-21 16:14 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
    2008-04-21 16:04 . 2008-04-21 16:12 45,568 --a------ C:\WINDOWS\system32\avgfwdx.dll
    2008-04-21 16:04 . 2008-04-21 16:12 22,528 --a------ C:\WINDOWS\system32\drivers\avgfwdx.sys
    2008-04-21 14:44 . 2008-04-21 16:09 1,540,737 --ahs---- C:\WINDOWS\system32\kfqyfqrm.ini
    2008-04-20 23:49 . 2008-04-20 23:49 <DIR> d-------- C:\Documents and Settings\Andrew Kim\Application Data\Uniblue
    2008-04-19 21:26 . 2008-04-19 23:57 <DIR> d-------- C:\Documents and Settings\Andrew Kim\.housecall6.6
    2008-04-19 21:18 . 2008-04-21 17:44 577 --a------ C:\WINDOWS\wininit.ini
    2008-04-19 21:00 . 2008-04-19 21:00 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-04-19 21:00 . 2008-04-20 00:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-04-19 20:25 . 2008-04-19 20:32 1,540,644 --ahs---- C:\WINDOWS\system32\opjrlmjl.ini
    2008-04-19 20:23 . 2008-04-21 15:05 109,785 --a------ C:\WINDOWS\BM9b8f70ce.xml
    2008-04-19 20:19 . 2008-04-19 20:19 <DIR> d-------- C:\Program Files\MARS
    2008-04-16 21:34 . 2008-04-21 16:14 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
    2008-04-16 21:32 . 2008-04-16 21:32 <DIR> d-------- C:\Program Files\AVG
    2008-04-16 21:32 . 2008-04-21 16:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
    2008-04-16 19:48 . 2008-04-16 19:48 <DIR> d-------- C:\WINDOWS\McAfee.com
    2008-04-16 12:13 . 2008-04-16 12:13 330,240 --a------ C:\WINDOWS\system32\{cc1fac0f-ca47-9ff3-a9f1-6b8696aab1e8}.dll
    2008-04-15 22:58 . 2008-04-15 22:58 <DIR> d-------- C:\WINDOWS\system32\sFi
    2008-04-15 22:58 . 2008-04-19 23:54 <DIR> d-------- C:\WINDOWS\system32\pinz1
    2008-04-15 22:58 . 2008-04-15 22:58 <DIR> d-------- C:\WINDOWS\system32\IDE2
    2008-04-15 22:58 . 2008-04-16 21:01 <DIR> d-------- C:\WINDOWS\system32\ExTmp
    2008-04-15 22:58 . 2008-04-17 22:43 <DIR> d-------- C:\WINDOWS\system32\bharebio05
    2008-04-15 22:58 . 2008-04-19 20:22 <DIR> d--hs---- C:\WINDOWS\QW5kcmV3
    2008-04-15 22:58 . 2008-04-15 22:58 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache(4).dsk
    2008-04-15 22:58 . 2008-04-15 22:58 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache(3).dsk
    2008-04-15 22:58 . 2008-04-15 22:58 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache(2).dsk
    2008-04-15 22:58 . 2008-04-21 11:54 63,890 --a------ C:\WINDOWS\system32\{cc1fac0f-ca47-9ff3-a9f1-6b8696aab1e8}.dll-uninst.exe
    2008-04-15 22:57 . 2008-04-15 22:57 30,720 --a------ C:\WINDOWS\system32\gebywutq.dll
    2008-04-15 17:16 . 2008-04-20 15:13 <DIR> d-------- C:\Documents and Settings\Andrew Kim\Incomplete
    2008-04-14 21:48 . 2008-04-21 22:05 <DIR> d-------- C:\Program Files\LimeWire
    2008-04-14 21:48 . 2008-04-20 15:06 <DIR> d-------- C:\Documents and Settings\Andrew Kim\Application Data\LimeWire
    2008-03-25 11:27 . 2008-03-25 11:27 <DIR> d-------- C:\Logs

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-22 03:24 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs
    2008-04-22 03:08 --------- d-----w C:\Program Files\Trillian
    2008-04-22 03:05 --------- d-----w C:\Program Files\BitComet
    2008-04-21 22:54 --------- d-----w C:\Program Files\Steam
    2008-04-20 05:15 --------- d-----w C:\Program Files\World of Warcraft
    2008-04-01 15:20 --------- d-----w C:\Program Files\Mozilla Thunderbird
    2007-11-01 22:16 21,032 ---ha-w C:\Documents and Settings\Andrew Kim\Application Data\GDIPFONTCACHEV1.DAT
    2005-07-29 21:24 472 --sha-r C:\WINDOWS\QW5kcmV3\kqc4wApa.vbs
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36B5B879-B652-41E2-B37C-161E15053D60}]
    2008-04-15 22:57 30720 --a------ C:\WINDOWS\system32\gebywutq.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE78D8AD-5C6B-48D2-AAB5-FE36D34A8421}]
    C:\WINDOWS\system32\pmnkijhh.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D3D241F4-26F2-4EB6-B94B-D935CCD601FD}]
    C:\WINDOWS\system32\efcayvsq.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e62dfb21-839c-7977-e95d-fb9fbe1fc3c2}]
    2008-04-16 12:13 330240 --a------ C:\WINDOWS\system32\{cc1fac0f-ca47-9ff3-a9f1-6b8696aab1e8}.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Broadcom Wireless Manager UI "= "C:\WINDOWS\system32\WLTRAY.exe" [2007-03-16 19:10 1392640]
    "NvCplDaemon "= "C:\WINDOWS\System32\NvCpl.dll" [2006-05-01 17:46 7561216]
    "nwiz "= "nwiz.exe" [2006-05-01 17:46 1519616 C:\WINDOWS\system32\nwiz.exe]
    "NVHotkey "= "nvHotkey.dll" [2006-05-01 17:46 73728 C:\WINDOWS\system32\nvhotkey.dll]
    "SigmatelSysTrayApp "= "stsystra.exe" [2005-08-24 07:42 393216 C:\WINDOWS\stsystra.exe]
    "LVCOMSX "= "C:\WINDOWS\system32\LVCOMSX.EXE" [2005-12-09 15:32 225280]
    "IMJPMIG8.1 "= "C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 00:31 208952]
    "MSPY2002 "= "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 00:31 59392]
    "PHIME2002ASync "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 00:32 455168]
    "PHIME2002A "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 00:32 455168]
    "IntelZeroConfig "= "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 15:18 995328]
    "IntelWireless "= "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 15:13 1101824]
    "98bc4352 "= "C:\WINDOWS\system32\mrqfyqfk.dll" [ ]
    "BM9b8f70ce "= "C:\WINDOWS\system32\adjdrnbd.dll" [ ]
    "AVG8_TRAY "= "C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-04-21 16:13 1177368]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{36B5B879-B652-41E2-B37C-161E15053D60} "= C:\WINDOWS\system32\gebywutq.dll [2008-04-15 22:57 30720]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebywutq]
    gebywutq.dll 2008-04-15 22:57 30720 C:\WINDOWS\system32\gebywutq.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.divxa32 "= msaud32_divx.acm

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
    backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
    backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\98bc4352]
    C:\WINDOWS\system32\ljmlrjpo.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2007-05-11 03:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
    --a------ 2007-09-29 15:22 50528 C:\Program Files\AIM6\aim6.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM9b8f70ce]
    C:\WINDOWS\system32\bamymrfv.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
    --a------ 2008-01-03 08:54 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
    --a------ 2007-05-14 14:23 1191936 C:\Program Files\Dell\QuickSet\quickset.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    --a------ 2007-12-13 20:10 1688872 C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    --a------ 2007-10-18 12:34 5724184 C:\Program Files\Windows Live\Messenger\MsnMsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
    --a------ 2007-12-03 15:21 2213160 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spa_start]
    --a------ 2008-04-16 12:13 330240 C:\WINDOWS\system32\{cc1fac0f-ca47-9ff3-a9f1-6b8696aab1e8}.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    --a------ 2008-03-30 17:11 1271032 C:\Program Files\Steam\Steam.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
    C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{C4-43-3F-FD-DW}]
    C:\WINDOWS\system32\pinz1\cegmgr76.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "ERSvc "=2 (0x2)
    "aawservice "=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe "=
    "C:\\Program Files\\AVG\\AVG8\\avgemc.exe "=
    "C:\\Program Files\\AVG\\AVG8\\avgnsx.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26209:TCP "= 26209:TCP:BitComet 26209 TCP
    "26209:UDP "= 26209:UDP:BitComet 26209 UDP

    R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-04-21 16:14]
    R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-04-21 16:14]
    R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-04-21 16:13]
    R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-04-21 16:13]
    R2 avgfws8;AVG8 Firewall;C:\PROGRA~1\AVG\AVG8\avgfws8.exe [2008-04-21 16:13]
    R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-04-21 16:14]
    R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe [2004-08-04 02:56]
    R2 Viewpoint Manager Service;Viewpoint Manager Service; "C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
    R3 Avgfwdx;Avgfwdx;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-04-21 16:12]
    R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2006-03-27 17:02]
    S3 Avgfwfd;AVG network filter service;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-04-21 16:12]
    S3 LVPrcMon;Logitech LVPrcMon Driver;C:\WINDOWS\system32\drivers\LVPrcMon.sys [2005-12-09 15:37]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-01-25 02:39:55 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1193189081.job "
    - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
    .
    **************************************************************************

    catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-21 22:26:22
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    C:\WINDOWS\TEMP\95e6a293-c4d8-45a0-ac31-14c613b426fe.tmp 0 bytes
    C:\WINDOWS\TEMP\e4979cde-15a8-45ed-965a-c68a103ee7fd.tmp 0 bytes
    C:\WINDOWS\TEMP\f7885ac5-8d08-4dd0-8615-0a344746d5f5.tmp 0 bytes

    scan completed successfully
    hidden files: 5

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\gebywutq.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\WLTRYSVC.EXE
    C:\WINDOWS\system32\BCMWLTRY.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\snmp.exe
    C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
    C:\PROGRA~1\AVG\AVG8\avgam.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    .
    **************************************************************************
    .
    Completion time: 2008-04-21 22:30:16 - machine was rebooted [Andrew Kim]
    ComboFix-quarantined-files.txt 2008-04-22 03:30:09

    Pre-Run: 23,119,286,272 bytes free
    Post-Run: 25,053,028,352 bytes free

    236 --- E O F --- 2008-01-07 05:11:11


    And here is the HijackThis log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:34:22 PM, on 4/21/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\PROGRA~1\AVG\AVG8\avgfws8.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\PROGRA~1\AVG\AVG8\avgam.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwgate0.mot.com:1080
    O2 - BHO: (no name) - {36B5B879-B652-41E2-B37C-161E15053D60} - C:\WINDOWS\system32\gebywutq.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {AE78D8AD-5C6B-48D2-AAB5-FE36D34A8421} - C:\WINDOWS\system32\pmnkijhh.dll (file missing)
    O2 - BHO: (no name) - {D3D241F4-26F2-4EB6-B94B-D935CCD601FD} - C:\WINDOWS\system32\efcayvsq.dll (file missing)
    O2 - BHO: nextads browser optimizer - {e62dfb21-839c-7977-e95d-fb9fbe1fc3c2} - C:\WINDOWS\system32\{cc1fac0f-ca47-9ff3-a9f1-6b8696aab1e8}.dll
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe "
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [98bc4352] rundll32.exe "C:\WINDOWS\system32\mrqfyqfk.dll ",b
    O4 - HKLM\..\Run: [BM9b8f70ce] Rundll32.exe "C:\WINDOWS\system32\adjdrnbd.dll ",s
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - S-1-5-18 Startup: DW_Start.lnk = C:\WINDOWS\system32\pinz1\cegmgr76.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: DW_Start.lnk = C:\WINDOWS\system32\pinz1\cegmgr76.exe (User 'Default user')
    O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\pinz1\cegmgr76.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O20 - Winlogon Notify: gebywutq - C:\WINDOWS\SYSTEM32\gebywutq.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 7112 bytes
     
  5. 2008/04/22
    Geri
    Hi andydozntcare

    See here.
    http://www.webopedia.com/TERM/p/proxy_server.html
    It can also be used by malware.
    Is this your personal computer or a work computer?


    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    File::
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\kfqyfqrm.ini
    C:\WINDOWS\system32\opjrlmjl.ini
    C:\WINDOWS\BM9b8f70ce.xml
    C:\WINDOWS\system32\{cc1fac0f-ca47-9ff3-a9f1-6b8696aab1e8}.dll
    C:\WINDOWS\system32\drivers\core.cache(4).dsk
    C:\WINDOWS\system32\drivers\core.cache(3).dsk
    C:\WINDOWS\system32\drivers\core.cache(2).dsk
    C:\WINDOWS\system32\{cc1fac0f-ca47-9ff3-a9f1-6b8696aab1e8}.dll-uninst.exe
    C:\WINDOWS\system32\gebywutq.dll
    C:\WINDOWS\system32\drivers\lvuvc.hs
    
    Folder::
    C:\!KillBox
    C:\WINDOWS\system32\sFi
    C:\WINDOWS\system32\pinz1
    C:\WINDOWS\system32\IDE2
    C:\WINDOWS\system32\ExTmp
    C:\WINDOWS\system32\bharebio05
    C:\WINDOWS\QW5kcmV3
    C:\Program Files\LimeWire
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire
    C:\Program Files\BitComet
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36B5B879-B652-41E2-B37C-161E15053D60}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE78D8AD-5C6B-48D2-AAB5-FE36D34A8421}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D3D241F4-26F2-4EB6-B94B-D935CCD601FD}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e62dfb21-839c-7977-e95d-fb9fbe1fc3c2}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "98bc4352 "=-
     "BM9b8f70ce "=-
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] 
     "{36B5B879-B652-41E2-B37C-161E15053D60} "=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebywutq]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\98bc4352]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM9b8f70ce]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spa_start] 
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{C4-43-3F-FD-DW}] 
    Please post the CFScript log.

    Thanks
    Geri
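What a helper like Geri is pattern-matching when turning the HijackThis log above into the CFScript: as an added example (not code from the thread, from HijackThis or from ComboFix), this Python script flags the entry shapes the script targets, namely unnamed or orphaned O2 BHOs, O4 Run values with bare hex names that load random-looking system32 DLLs through rundll32, O4 startup links into system32 subfolders, and O20 Winlogon Notify hooks. The sample lines are constructed from the shapes in this thread, and the "random-looking name" heuristic is an assumption of the example, not a HijackThis rule.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: entry shapes copied from the HijackThis log in this thread.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {36B5B879-B652-41E2-B37C-161E15053D60} - C:\\WINDOWS\\system32\\gebywutq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_03\\bin\\ssv.dll
O2 - BHO: (no name) - {AE78D8AD-5C6B-48D2-AAB5-FE36D34A8421} - C:\\WINDOWS\\system32\\pmnkijhh.dll (file missing)
O4 - HKLM\\..\\Run: [AVG8_TRAY] C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe
O4 - HKLM\\..\\Run: [98bc4352] rundll32.exe "C:\\WINDOWS\\system32\\mrqfyqfk.dll",b
O4 - HKLM\\..\\Run: [BM9b8f70ce] Rundll32.exe "C:\\WINDOWS\\system32\\adjdrnbd.dll",s
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup
O4 - S-1-5-18 Startup: DW_Start.lnk = C:\\WINDOWS\\system32\\pinz1\\cegmgr76.exe (User 'SYSTEM')
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: gebywutq - C:\\WINDOWS\\SYSTEM32\\gebywutq.dll
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. O2, O4, O20
    reason: str    # why a human should look at it; several reasons joined with "; "
    line: str


VOWELS = set("aeiou")


def looks_random(stem: str) -> bool:
    """Heuristic (an assumption of this example, not a rule): 8 lowercase letters
    with at most two vowels, the shape of gebywutq / mrqfyqfk / adjdrnbd above.
    It is only a review cue; AVG's avgrsstx would satisfy it too."""
    return re.fullmatch(r"[a-z]{8}", stem) is not None and sum(c in VOWELS for c in stem) <= 2


def file_stem(path: str) -> str:
    """Lowercase basename without extension: '...\\gebywutq.dll' -> 'gebywutq'."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0].lower()


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HijackThis line, or None if nothing stands out."""
    line = line.strip()
    m = re.match(r"(O\d+) - (.*)", line)
    if not m:
        return None
    section, body = m.groups()
    reasons: List[str] = []

    # Any section: the registration survived but its file is gone.
    if "(file missing)" in body:
        reasons.append("entry points at a file that no longer exists")

    if section == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("BHO registered without a name")

    elif section == "O4":
        run = re.match(r"HK\w+\\\.\.\\Run: \[([^\]]+)\] (.*)", body)
        if run:
            name, cmd = run.groups()
            if re.fullmatch(r"(BM)?[0-9a-f]{8}", name):
                reasons.append(f"Run value name {name!r} is a bare hex string")
            dll = re.search(r'rundll32\.exe\s+"?([^",]+\.dll)\s*"?,\w+', cmd, re.IGNORECASE)
            if dll and looks_random(file_stem(dll.group(1))):
                reasons.append("rundll32 loads a random-looking DLL")
        # Startup-folder links, with or without the "(User '...')" suffix.
        startup = re.match(r"(?:\S+ )?Startup: .+? = (.+?)(?: \(User .*\))?$", body)
        if startup and re.search(r"\\system32\\[^\\]+\\[^\\]+$", startup.group(1), re.I):
            reasons.append("startup link runs a program from a system32 subfolder")

    elif section == "O20":
        notify = re.match(r"Winlogon Notify: \S+ - (.*)", body)
        if notify and looks_random(file_stem(notify.group(1))):
            reasons.append("Winlogon Notify hook into a random-looking DLL")

    return Finding(section, "; ".join(reasons), line) if reasons else None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep the entries worth a second look."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.reason}\n      {f.line}")
```

Every hit is a candidate for a human reviewer, not a verdict: legitimate software occasionally registers nameless BHOs or uses terse file names, which is why a helper still reads the whole log before writing a script.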
  6. 2008/04/22
    andydozntcare

    I don't believe I'm using this as a proxy server,
    and this is my personal computer.

    here's the ComboFix log
    ComboFix 08-04-20.5 - Andrew Kim 2008-04-22 15:49:44.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.611 [GMT -5:00]
    Running from: C:\Documents and Settings\Andrew Kim\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Andrew Kim\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\BM9b8f70ce.xml
    C:\WINDOWS\system32\{cc1fac0f-ca47-9ff3-a9f1-6b8696aab1e8}.dll
    C:\WINDOWS\system32\{cc1fac0f-ca47-9ff3-a9f1-6b8696aab1e8}.dll-uninst.exe
    C:\WINDOWS\system32\drivers\core.cache(2).dsk
    C:\WINDOWS\system32\drivers\core.cache(3).dsk
    C:\WINDOWS\system32\drivers\core.cache(4).dsk
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\drivers\lvuvc.hs
    C:\WINDOWS\system32\gebywutq.dll
    C:\WINDOWS\system32\kfqyfqrm.ini
    C:\WINDOWS\system32\opjrlmjl.ini
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\!KillBox
    C:\!KillBox\Logs\kb.log
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\createtimes.cache
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\fileurns.bak
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\fileurns.cache
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\filters.props
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\gnutella.net
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\installation.props
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\library.dat
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\limewire.props
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\mojito.props
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\questions.props
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\responses.cache
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\simpp.xml
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\spam.dat
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\tables.props
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\themes\windows_theme.lwtp
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\themes\windows_theme\01_star.gif
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\themes\windows_theme\02_star.gif
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\themes\windows_theme\03_star.gif
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\themes\windows_theme\04_star.gif
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\themes\windows_theme\05_star.gif
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\themes\windows_theme\chat.gif
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\themes\windows_theme\forward_up.gif
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\themes\windows_theme\kill.gif
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\themes\windows_theme\kill_on.gif
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\themes\windows_theme\logo.png
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\themes\windows_theme\notsearching.png
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\themes\windows_theme\pause_up.gif
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\themes\windows_theme\play_dn.gif
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\themes\windows_theme\play_up.gif
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\themes\windows_theme\question.gif
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\themes\windows_theme\searching.gif
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\themes\windows_theme\stop_up.gif
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\themes\windows_theme\theme.txt
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\themes\windows_theme\version.txt
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\themes\windows_theme\warning.gif
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\ttrees.cache
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\ttroot.cache
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\version.xml
    C:\Documents and Settings\Andrew Kim\Application Data\LimeWire\xml\data\audio.sxml
    C:\Documents and Settings\Andrew Kim\Start Menu\Programs\Startup\DW_Start.lnk
    C:\Program Files\BitComet
    C:\Program Files\BitComet\BitComet.xml
    C:\Program Files\BitComet\Downloads.xml
    C:\Program Files\BitComet\Favourite.xml
    C:\Program Files\BitComet\rules\dhtnodes.dat
    C:\Program Files\BitComet\torrents\Syndigast.tk - Kate's Playground STORA.torrent
    C:\Program Files\BitComet\torrents\Syndigast.tk - Kate's Playground STORA.xml
    C:\Program Files\LimeWire
    C:\Program Files\LimeWire\Incomplete\downloads.bak
    C:\Program Files\LimeWire\Incomplete\downloads.dat
    C:\WINDOWS\BM9b8f70ce.xml
    C:\WINDOWS\QW5kcmV3
    C:\WINDOWS\QW5kcmV3\kqc4wApa.vbs
    C:\WINDOWS\system32\{cc1fac0f-ca47-9ff3-a9f1-6b8696aab1e8}.dll-uninst.exe
    C:\WINDOWS\system32\{cc1fac0f-ca47-9ff3-a9f1-6b8696aab1e8}.dll
    C:\WINDOWS\system32\bharebio05
    C:\WINDOWS\system32\bharebio05\bharebio051080.exe
    C:\WINDOWS\system32\drivers\core.cache(2).dsk
    C:\WINDOWS\system32\drivers\core.cache(3).dsk
    C:\WINDOWS\system32\drivers\core.cache(4).dsk
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\drivers\lvuvc.hs
    C:\WINDOWS\system32\ExTmp
    C:\WINDOWS\system32\gebywutq.dll
    C:\WINDOWS\system32\IDE2
    C:\WINDOWS\system32\IDE2\mdllcom2.exe
    C:\WINDOWS\system32\jkkhifcd.dll
    C:\WINDOWS\system32\kfqyfqrm.ini
    C:\WINDOWS\system32\opjrlmjl.ini
    C:\WINDOWS\system32\opnmjhfd.dll
    C:\WINDOWS\system32\pinz1
    C:\WINDOWS\system32\sFi
    C:\WINDOWS\system32\sFi\cSEE145.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-03-22 to 2008-04-22 )))))))))))))))))))))))))))))))
    .

    2008-04-21 22:17 . 2008-04-21 22:17 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
    2008-04-21 19:59 . 2008-04-21 20:00 <DIR> d-------- C:\Program Files\Panda Security
    2008-04-21 19:11 . 2008-04-21 19:11 <DIR> d-------- C:\Program Files\Trend Micro
    2008-04-21 18:53 . 2008-04-21 18:53 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-04-21 18:40 . 2008-04-21 18:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-04-21 16:14 . 2008-04-21 16:14 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-04-21 16:14 . 2008-04-21 16:14 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
    2008-04-21 16:14 . 2008-04-21 16:14 12,424 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
    2008-04-21 16:14 . 2008-04-21 16:14 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
    2008-04-21 16:04 . 2008-04-21 16:12 45,568 --a------ C:\WINDOWS\system32\avgfwdx.dll
    2008-04-21 16:04 . 2008-04-21 16:12 22,528 --a------ C:\WINDOWS\system32\drivers\avgfwdx.sys
    2008-04-20 23:49 . 2008-04-20 23:49 <DIR> d-------- C:\Documents and Settings\Andrew Kim\Application Data\Uniblue
    2008-04-19 21:26 . 2008-04-19 23:57 <DIR> d-------- C:\Documents and Settings\Andrew Kim\.housecall6.6
    2008-04-19 21:18 . 2008-04-21 17:44 577 --a------ C:\WINDOWS\wininit.ini
    2008-04-19 21:00 . 2008-04-19 21:00 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-04-19 21:00 . 2008-04-20 00:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-04-19 20:19 . 2008-04-19 20:19 <DIR> d-------- C:\Program Files\MARS
    2008-04-16 21:34 . 2008-04-21 16:14 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
    2008-04-16 21:32 . 2008-04-16 21:32 <DIR> d-------- C:\Program Files\AVG
    2008-04-16 21:32 . 2008-04-21 16:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
    2008-04-16 19:48 . 2008-04-16 19:48 <DIR> d-------- C:\WINDOWS\McAfee.com
    2008-04-15 17:16 . 2008-04-20 15:13 <DIR> d-------- C:\Documents and Settings\Andrew Kim\Incomplete
    2008-03-25 11:27 . 2008-03-25 11:27 <DIR> d-------- C:\Logs

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-22 04:18 --------- d-----w C:\Program Files\Trillian
    2008-04-21 22:54 --------- d-----w C:\Program Files\Steam
    2008-04-20 05:15 --------- d-----w C:\Program Files\World of Warcraft
    2008-04-01 15:20 --------- d-----w C:\Program Files\Mozilla Thunderbird
    2007-11-01 22:16 21,032 ---ha-w C:\Documents and Settings\Andrew Kim\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((( snapshot@2008-04-21_22.29.33.12 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-04-22 03:24:57 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-04-22 20:56:07 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    - 2008-04-22 03:25:29 222,999 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
    + 2008-04-22 20:56:45 223,004 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
    + 2008-04-22 20:56:54 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_408.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Broadcom Wireless Manager UI "= "C:\WINDOWS\system32\WLTRAY.exe" [2007-03-16 19:10 1392640]
    "NvCplDaemon "= "C:\WINDOWS\System32\NvCpl.dll" [2006-05-01 17:46 7561216]
    "nwiz "= "nwiz.exe" [2006-05-01 17:46 1519616 C:\WINDOWS\system32\nwiz.exe]
    "NVHotkey "= "nvHotkey.dll" [2006-05-01 17:46 73728 C:\WINDOWS\system32\nvhotkey.dll]
    "SigmatelSysTrayApp "= "stsystra.exe" [2005-08-24 07:42 393216 C:\WINDOWS\stsystra.exe]
    "LVCOMSX "= "C:\WINDOWS\system32\LVCOMSX.EXE" [2005-12-09 15:32 225280]
    "IMJPMIG8.1 "= "C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 00:31 208952]
    "MSPY2002 "= "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 00:31 59392]
    "PHIME2002ASync "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 00:32 455168]
    "PHIME2002A "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 00:32 455168]
    "IntelZeroConfig "= "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 15:18 995328]
    "IntelWireless "= "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 15:13 1101824]
    "AVG8_TRAY "= "C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-04-21 16:13 1177368]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.divxa32 "= msaud32_divx.acm

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
    backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
    backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2007-05-11 03:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
    --a------ 2007-09-29 15:22 50528 C:\Program Files\AIM6\aim6.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
    --a------ 2008-01-03 08:54 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
    --a------ 2007-05-14 14:23 1191936 C:\Program Files\Dell\QuickSet\quickset.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    --a------ 2007-12-13 20:10 1688872 C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    --a------ 2007-10-18 12:34 5724184 C:\Program Files\Windows Live\Messenger\MsnMsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
    --a------ 2007-12-03 15:21 2213160 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    --a------ 2008-03-30 17:11 1271032 C:\Program Files\Steam\Steam.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
    C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "ERSvc "=2 (0x2)
    "aawservice "=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe "=
    "C:\\Program Files\\AVG\\AVG8\\avgemc.exe "=
    "C:\\Program Files\\AVG\\AVG8\\avgnsx.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26209:TCP "= 26209:TCP:BitComet 26209 TCP
    "26209:UDP "= 26209:UDP:BitComet 26209 UDP

    R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-04-21 16:14]
    R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-04-21 16:14]
    R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-04-21 16:13]
    R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-04-21 16:13]
    R2 avgfws8;AVG8 Firewall;C:\PROGRA~1\AVG\AVG8\avgfws8.exe [2008-04-21 16:13]
    R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-04-21 16:14]
    R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe [2004-08-04 02:56]
    R2 Viewpoint Manager Service;Viewpoint Manager Service; "C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
    R3 Avgfwdx;Avgfwdx;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-04-21 16:12]
    R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2006-03-27 17:02]
    S3 Avgfwfd;AVG network filter service;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-04-21 16:12]
    S3 LVPrcMon;Logitech LVPrcMon Driver;C:\WINDOWS\system32\drivers\LVPrcMon.sys [2005-12-09 15:37]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-01-25 02:39:55 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1193189081.job "
    - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
    .
    **************************************************************************

    catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-22 15:56:26
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 2

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\WLTRYSVC.EXE
    C:\WINDOWS\system32\BCMWLTRY.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\snmp.exe
    C:\PROGRA~1\AVG\AVG8\avgam.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    .
    **************************************************************************
    .
    Completion time: 2008-04-22 15:59:46 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-04-22 20:59:43
    ComboFix2.txt 2008-04-22 03:30:18

    Pre-Run: 25,028,247,552 bytes free
    Post-Run: 25,010,864,128 bytes free

    268 --- E O F --- 2008-01-07 05:11:11


    and here is the HijackThis log
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:15:47 PM, on 4/22/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\PROGRA~1\AVG\AVG8\avgfws8.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\System32\snmp.exe
    C:\PROGRA~1\AVG\AVG8\avgam.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwgate0.mot.com:1080
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe "
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 6116 bytes
     
  7. 2008/04/22
    Geri
    Hi andydozntcare
    OK, things are looking good.

    We'll leave the proxy alone; I don't believe it's hurting anything, and I think it's pointing to Motorola and may have something to do with your ISP.

    Now we need to get a on-line scan, so please do this.

    Please do an online scan with Kaspersky WebScanner.

    Click on "Accept". If your pop-up blocker blocks the ActiveX download, allow it and click on "Accept" again.

    You will be prompted to install an ActiveX component from Kaspersky; click Yes or Install.
    • The program will launch and then begin downloading the latest definition files.
    • Once the files have been downloaded, click on NEXT.
    • Now click on Scan Settings.
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available, otherwise Standard)
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK.
    • Now under "Select a target to scan":
      • Select My Computer
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete it will display whether your system has been infected.
      • Now click on the Save as Text button.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.

    Please post the Kaspersky results.

    Let me know how things are running.

    Thanks
    Geri
     
    Geri,
    #6
  8. 2008/04/23
    andydozntcare

    andydozntcare Inactive Thread Starter

    Joined:
    2008/04/21
    Messages:
    5
    Likes Received:
    0
    Here's the report from the scan:
    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Wednesday, April 23, 2008 5:43:39 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 23/04/2008
    Kaspersky Anti-Virus database records: 723267
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\
    G:\

    Scan Statistics:
    Total number of scanned objects: 52956
    Number of viruses found: 8
    Number of infected objects: 13
    Number of suspicious objects: 2
    Duration of the scan process: 01:00:00

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\avg8\Antispam\scoffset.bin.incr Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\avg8\AvgAm\avgam.lck Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\avg8\emc\Log\emc.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\avg8\Log\avgam.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\avg8\Log\avglng.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\avg8\Log\avgns.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\avg8\Log\avgrs.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\avg8\Log\avgsched.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\avg8\Log\avgwd.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\avg8\Log\avgwdsvc.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\avg8\Log\commonpriv.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\avg8\Log\commonpub.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Nero\Nero8\Nero BackItUp\Cache\NeroBackItUpScheduler3.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl.zip/mrofinu1188.exe Suspicious: Password-protected-EXE skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl.zip ZIP: suspicious - 1 skipped
    C:\Documents and Settings\Andrew Kim\.housecall6.6\Quarantine\8k1u4gwf.exe.bac_a28628/data0001 Infected: Trojan-Downloader.Win32.Zlob.fjc skipped
    C:\Documents and Settings\Andrew Kim\.housecall6.6\Quarantine\8k1u4gwf.exe.bac_a28628/data0007 Infected: Trojan-Downloader.Win32.Zlob.fgv skipped
    C:\Documents and Settings\Andrew Kim\.housecall6.6\Quarantine\8k1u4gwf.exe.bac_a28628 NSIS: infected - 2 skipped
    C:\Documents and Settings\Andrew Kim\.housecall6.6\Quarantine\8k1u4gwf.exe.bac_a28628 CryptFF.b: infected - 2 skipped
    C:\Documents and Settings\Andrew Kim\.housecall6.6\Quarantine\cegmgr76.exe.bac_a28628 Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
    C:\Documents and Settings\Andrew Kim\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Andrew Kim\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
    C:\Documents and Settings\Andrew Kim\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Andrew Kim\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Andrew Kim\Local Settings\Application Data\Microsoft\Windows Media\11.0\WMSDKNSD.XML Object is locked skipped
    C:\Documents and Settings\Andrew Kim\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Andrew Kim\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Andrew Kim\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Andrew Kim\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Nero\Nero8\Nero BackItUp\BIU2.txt Object is locked skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\bharebio05\bharebio051080.exe.vir Infected: Trojan-Downloader.Win32.VB.dsk skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\gebywutq.dll.vir Infected: Trojan.Win32.AntiAV.n skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{44A623D1-850D-4CD3-B0E4-A46845684DCC}\RP176\A0021981.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
    C:\System Volume Information\_restore{44A623D1-850D-4CD3-B0E4-A46845684DCC}\RP176\A0021981.exe 7-Zip: infected - 1 skipped
    C:\System Volume Information\_restore{44A623D1-850D-4CD3-B0E4-A46845684DCC}\RP209\A0028116.exe Object is locked skipped
    C:\System Volume Information\_restore{44A623D1-850D-4CD3-B0E4-A46845684DCC}\RP209\A0028118.exe Object is locked skipped
    C:\System Volume Information\_restore{44A623D1-850D-4CD3-B0E4-A46845684DCC}\RP210\A0028172.dll Object is locked skipped
    C:\System Volume Information\_restore{44A623D1-850D-4CD3-B0E4-A46845684DCC}\RP210\A0028173.exe Object is locked skipped
    C:\System Volume Information\_restore{44A623D1-850D-4CD3-B0E4-A46845684DCC}\RP211\A0028303.exe Infected: Trojan-Downloader.Win32.VB.dsk skipped
    C:\System Volume Information\_restore{44A623D1-850D-4CD3-B0E4-A46845684DCC}\RP213\A0029748.dll Object is locked skipped
    C:\System Volume Information\_restore{44A623D1-850D-4CD3-B0E4-A46845684DCC}\RP214\A0029833.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.plw skipped
    C:\System Volume Information\_restore{44A623D1-850D-4CD3-B0E4-A46845684DCC}\RP214\A0029834.dll Object is locked skipped
    C:\System Volume Information\_restore{44A623D1-850D-4CD3-B0E4-A46845684DCC}\RP214\A0029835.dll Object is locked skipped
    C:\System Volume Information\_restore{44A623D1-850D-4CD3-B0E4-A46845684DCC}\RP214\A0029851.exe Object is locked skipped
    C:\System Volume Information\_restore{44A623D1-850D-4CD3-B0E4-A46845684DCC}\RP215\A0030373.dll Object is locked skipped
    C:\System Volume Information\_restore{44A623D1-850D-4CD3-B0E4-A46845684DCC}\RP215\A0030374.dll Object is locked skipped
    C:\System Volume Information\_restore{44A623D1-850D-4CD3-B0E4-A46845684DCC}\RP215\A0030376.dll Object is locked skipped
    C:\System Volume Information\_restore{44A623D1-850D-4CD3-B0E4-A46845684DCC}\RP215\A0030377.dll Object is locked skipped
    C:\System Volume Information\_restore{44A623D1-850D-4CD3-B0E4-A46845684DCC}\RP218\A0031639.exe Infected: Trojan-Downloader.Win32.VB.dsk skipped
    C:\System Volume Information\_restore{44A623D1-850D-4CD3-B0E4-A46845684DCC}\RP218\A0031648.dll Infected: Trojan.Win32.AntiAV.n skipped
    C:\System Volume Information\_restore{44A623D1-850D-4CD3-B0E4-A46845684DCC}\RP218\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
    C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\Temp\Perflib_Perfdata_408.dat Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    D:\System Volume Information\_restore{44A623D1-850D-4CD3-B0E4-A46845684DCC}\RP218\change.log Object is locked skipped

    Scan process completed.


    Also, sometimes the AVG antivirus thing says that I have a virus/malware thing called Win32/Heur - I looked it up on Google and they said that it might be a fake or something...?
     
  9. 2008/04/23
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi andydozntcare
    Does it give a file path, like C:\windows\system32\***?

    Let's do this and see if you still get it.

    Open the housecall6.6 Quarantine folder and delete everything in it.

    Open Spybot S&D and click on the Recovery tab at the top.
    Put a check next to everything in there and click on "Purge selected items".
    OK any prompts.
    Close Spybot.


    Click Start>Run in the run box copy and paste or type ComboFix /u then hit Enter to uninstall ComboFix and remove the files/folders it created.


    We need to turn System Restore off and on. There are infections in it, and by using System Restore you would reinfect yourself.

    You must be logged in as an Administrator to do this. If you are not logged in as an Administrator, the System Restore tab will not be displayed.
    Turning off System Restore will clear out all previous restore points.

    To turn off Windows XP System Restore:
    NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore" or "Turn off System Restore on all drives"
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    8. Restart the computer and follow the instructions in the next section to turn on System Restore.

    To turn on Windows XP System Restore:
    1. Click Start.
    2. Right-click My Computer, and then click Properties.
    3. Click the System Restore tab.
    4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives".
    5. Click Apply, and then click OK.
    6. Make a new restore point.
    7. Click Start, All Programs, Accessories, System Tools, System Restore.
    Choose "Create a restore point" and click Next. Under "Type a description for your restore point" put a name in the box. Click Create. In the next window click Close.

    Now please run Kaspersky again and post the new log.

    Thanks
    Geri
     
    Geri,
    #8
  10. 2008/04/23
    andydozntcare

    andydozntcare Inactive Thread Starter

    Joined:
    2008/04/21
    Messages:
    5
    Likes Received:
    0
    The window hasn't popped up today and I don't know any other way to see the file path.

    I did everything you said and here is the report:
    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Wednesday, April 23, 2008 9:13:09 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 24/04/2008
    Kaspersky Anti-Virus database records: 723770
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\
    G:\

    Scan Statistics:
    Total number of scanned objects: 44386
    Number of viruses found: 4
    Number of infected objects: 6
    Number of suspicious objects: 0
    Duration of the scan process: 00:43:14

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\avg8\Antispam\scoffset.bin.incr Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\avg8\AvgAm\avgam.lck Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\avg8\emc\Log\emc.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\avg8\Log\avgam.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\avg8\Log\avglng.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\avg8\Log\avgns.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\avg8\Log\avgrs.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\avg8\Log\avgsrm.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\avg8\Log\avgwd.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\avg8\Log\commonpriv.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\avg8\Log\commonpub.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Nero\Nero8\Nero BackItUp\Cache\NeroBackItUpScheduler3.log Object is locked skipped
    C:\Documents and Settings\Andrew Kim\Application Data\Microsoft\Templates\Normal.dotm Object is locked skipped
    C:\Documents and Settings\Andrew Kim\Application Data\Microsoft\Word\AutoRecovery save of Document1.asd Object is locked skipped
    C:\Documents and Settings\Andrew Kim\Application Data\Mozilla\Firefox\Profiles\ntobmarl.default\cert8.db Object is locked skipped
    C:\Documents and Settings\Andrew Kim\Application Data\Mozilla\Firefox\Profiles\ntobmarl.default\formhistory.dat Object is locked skipped
    C:\Documents and Settings\Andrew Kim\Application Data\Mozilla\Firefox\Profiles\ntobmarl.default\history.dat Object is locked skipped
    C:\Documents and Settings\Andrew Kim\Application Data\Mozilla\Firefox\Profiles\ntobmarl.default\key3.db Object is locked skipped
    C:\Documents and Settings\Andrew Kim\Application Data\Mozilla\Firefox\Profiles\ntobmarl.default\parent.lock Object is locked skipped
    C:\Documents and Settings\Andrew Kim\Application Data\Mozilla\Firefox\Profiles\ntobmarl.default\search.sqlite Object is locked skipped
    C:\Documents and Settings\Andrew Kim\Application Data\Mozilla\Firefox\Profiles\ntobmarl.default\urlclassifier2.sqlite Object is locked skipped
    C:\Documents and Settings\Andrew Kim\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Andrew Kim\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Andrew Kim\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Andrew Kim\Local Settings\Application Data\Mozilla\Firefox\Profiles\ntobmarl.default\Cache\_CACHE_001_ Object is locked skipped
    C:\Documents and Settings\Andrew Kim\Local Settings\Application Data\Mozilla\Firefox\Profiles\ntobmarl.default\Cache\_CACHE_002_ Object is locked skipped
    C:\Documents and Settings\Andrew Kim\Local Settings\Application Data\Mozilla\Firefox\Profiles\ntobmarl.default\Cache\_CACHE_003_ Object is locked skipped
    C:\Documents and Settings\Andrew Kim\Local Settings\Application Data\Mozilla\Firefox\Profiles\ntobmarl.default\Cache\_CACHE_MAP_ Object is locked skipped
    C:\Documents and Settings\Andrew Kim\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Andrew Kim\Local Settings\History\History.IE5\MSHist012008042320080424\index.dat Object is locked skipped
    C:\Documents and Settings\Andrew Kim\Local Settings\Temp\~DF74EC.tmp Object is locked skipped
    C:\Documents and Settings\Andrew Kim\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Andrew Kim\Local Settings\Temporary Internet Files\Content.Word\~WRS{0772B1FD-626D-42A4-B9D0-82AE456DCD45}.tmp Object is locked skipped
    C:\Documents and Settings\Andrew Kim\Local Settings\Temporary Internet Files\Content.Word\~WRS{B2993CA1-3624-4CF5-98BC-79C2D1D0D6D0}.tmp Object is locked skipped
    C:\Documents and Settings\Andrew Kim\Local Settings\Temporary Internet Files\Content.Word\~WRS{F2824222-61F4-455B-BA21-92E359B9485F}.tmp Object is locked skipped
    C:\Documents and Settings\Andrew Kim\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Andrew Kim\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Nero\Nero8\Nero BackItUp\BIU1.txt Object is locked skipped
    C:\RECYCLER\S-1-5-21-583907252-879983540-725345543-1003\Dc10.bac_a28628 Infected: not-a-virus:AdWare.Win32.Virtumonde.qot skipped
    C:\RECYCLER\S-1-5-21-583907252-879983540-725345543-1003\Dc8.bac_a28628/data0001 Infected: Trojan-Downloader.Win32.Zlob.fjc skipped
    C:\RECYCLER\S-1-5-21-583907252-879983540-725345543-1003\Dc8.bac_a28628/data0007 Infected: Trojan-Downloader.Win32.Zlob.fgv skipped
    C:\RECYCLER\S-1-5-21-583907252-879983540-725345543-1003\Dc8.bac_a28628 NSIS: infected - 2 skipped
    C:\RECYCLER\S-1-5-21-583907252-879983540-725345543-1003\Dc8.bac_a28628 CryptFF.b: infected - 2 skipped
    C:\RECYCLER\S-1-5-21-583907252-879983540-725345543-1003\Dc9.bac_a28628 Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{44A623D1-850D-4CD3-B0E4-A46845684DCC}\RP1\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
    C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\Temp\Perflib_Perfdata_8b0.dat Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

    Scan process completed.
     
  11. 2008/04/23
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi andydozntcare
    The ones that Kaspersky is showing are in your recycle bin.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything, check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Give it a day or two, let me know how things are running and if you get that warning message again.

    If all is OK I'll mark this one resolved.

    Please look at this link for some preventive recommendations; it could keep you from ending up back here in the Spyware and Virus Removal Forums.
    http://www.windowsbbs.com/showthread.php?t=67958

    Surf Safely
    Geri
     
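Geri's triage of the two Kaspersky logs above (copies in a quarantine folder, in System Restore points or in the Recycle Bin are inert and disappear with the matching cleanup step; anything still in a live path matters most) can be applied mechanically to the report format the poster pasted. The following is an added example, not code from the thread or from Kaspersky; every function name is mine, and the sample report excerpt with its user name, SID, GUID and `hypothetical.dll` path is a constructed placeholder in the report's format.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Result lines in the pasted reports end in a last-action word:
#   <path> Infected: <detection> skipped
#   <path> Suspicious: <detection> skipped
#   <path> <archive type>: infected - <n> skipped   (NSIS, 7-Zip, ZIP ...)
#   <path> Object is locked skipped
# Paths contain spaces, so the path group is matched lazily.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:Infected: (?P<name>\S+)"
    r"|Suspicious: (?P<suspicious>\S+)"
    r"|(?P<archive>[\w.+-]+): (?:infected|suspicious) - (?P<count>\d+)"
    r"|(?P<locked>Object is locked))"
    r" (?P<action>skipped|deleted|disinfected|quarantined)$"
)

# Location decides the cleanup step; "live" first, the rest are the thread's own steps.
CLEANUP = {
    "live": "still on the system: investigate and remove first",
    "restore point": "turn System Restore off and back on (drops every restore point)",
    "recycle bin": "empty the Recycle Bin (ATF Cleaner in the thread)",
    "quarantine": "purge the scanner's own quarantine/recovery folder",
}

@dataclass
class Finding:
    path: str
    location: str
    detection: str  # detection name, or a note for archive container lines

def classify(path: str) -> str:
    """Map a scanned path to one of the CLEANUP locations."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore point"
    if "\\recycler\\" in p:
        return "recycle bin"
    if "\\quarantine\\" in p or "\\recovery\\" in p:
        return "quarantine"
    return "live"

def parse_report(text: str):
    """Return (findings, locked_count); header and footer lines are ignored."""
    findings, locked = [], 0
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        if m.group("locked"):
            locked += 1  # file the scanner could not open; not a detection
            continue
        if m.group("archive"):
            detection = f"{m.group('archive')} archive with {m.group('count')} flagged object(s)"
        else:
            detection = m.group("name") or m.group("suspicious")
        findings.append(Finding(m.group("path"), classify(m.group("path")), detection))
    return findings, locked

def triage(text: str) -> dict:
    """Group findings by location and cross-check them against the header totals."""
    findings, locked = parse_report(text)
    by_location = defaultdict(list)
    for f in findings:
        by_location[f.location].append(f)
    # Infected + suspicious totals in the header should equal the result lines parsed.
    header = [int(n) for n in re.findall(r"Number of (?:infected|suspicious) objects: (\d+)", text)]
    return {
        "locked": locked,
        "by_location": dict(by_location),
        "count_matches_header": not header or sum(header) == len(findings),
        "next_steps": [CLEANUP[loc] for loc in CLEANUP if loc in by_location],
    }

# Constructed excerpt in the report's format (placeholder user name, SID and
# GUID); the detection names are ones that appeared in the thread.
SAMPLE_REPORT = r"""
Number of infected objects: 6
Number of suspicious objects: 1
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log Object is locked skipped
C:\Documents and Settings\User\.housecall6.6\Quarantine\sample.exe.bac/data0001 Infected: Trojan-Downloader.Win32.Zlob.fjc skipped
C:\Documents and Settings\User\.housecall6.6\Quarantine\sample.exe.bac NSIS: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmall.zip/mrofinu.exe Suspicious: Password-protected-EXE skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gebywutq.dll.vir Infected: Trojan.Win32.AntiAV.n skipped
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP218\A0031639.exe Infected: Trojan-Downloader.Win32.VB.dsk skipped
C:\RECYCLER\S-1-5-21-0-0-0-1003\Dc10.bac Infected: not-a-virus:AdWare.Win32.Virtumonde.qot skipped
C:\WINDOWS\system32\hypothetical.dll Infected: Trojan.Win32.AntiAV.n skipped
"""
```

Running `triage(SAMPLE_REPORT)` puts four hits in the quarantine bucket, one each in restore point and Recycle Bin, and leaves the single live-path hit at the top of `next_steps`.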
