I am running XP and was not practicing safe computer sex. Now windows explorer won't stay open for more than a few seconds and I cannot search for malware. I can open Task Manager and occasionally I have enough time to start up some programs like Eset NOD 32. I can also get to the C prompt but don't know enough DOS to search for malware files. Can someone give me hand solving this problem?

Sounds like fun... but your computer will work just fine without explorer.exe, it's just a little harder to control it without that nice user interface.
And none of us are young enough to search for trojans from the C:\ prompt. What follows assumes that you got to Daniweb from another machine. Fine, but back to yours now.
Let's avoid using explorer for a while. Task manager has nothing to do with it so you can use it to launch pgms, you just go File > New Task(Run) and enter: iexplore.exe
From your C prompt [you mean a black cmd window?] it would be [paste this in]:
C:\"Program Files\Internet Explorer\iexplore.exe"
And either way an IE browser window should pop open. Now the neat thing is the quite large amount of interchangeability between IE and Windows Explorer - you can surf from WE and you can navigate about your folders from IE. So...
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder in your Program Files. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
Select the Cleaner icon, press Run Cleaner.
::: To use IE as a file explorer just type C:\ in the address bar and then check the dropdown menu [from the lil blue down arrow], choose Pgm Files. A bunch of pgm icons will appear in IE, dclick Program Files icon, dclick CCleaner icon, dclick CCleaner.exe
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.
Who needs WE?
Btw, in TM you don't get New Task (Run) if you are on Networking tab. Dunno why...

Gerbil,

Thanks for your reply and offer to help. I was able to follow all of your instructions with the exception of the Panda Active Scan which would not work on two different computers. I will post the Highjack This! file below but I have learned a bit more. My NOD 32 scan reports Win32/Adware.Virtumonde application and two files in System32 folder: ddccyvu.dll and rqolj.dll as threats which should be deleted. As soon as I delete these files they come back almost immediately and are picked up as a threat by NOD32 again. In addition, after deleting these two files the first time, windows explorer and my desktop icons have returned and seem to be stable. However, my computer is running extremely slowly now.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:48:38 PM, on 4/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\TSI32\tsircusr.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device

Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CU VPN\cvpnd.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\1109130448\ee\AOLSoftware.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\TSIRCSRV.EXE
C:\WINDOWS\system32\atwtusb.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\The Weather Channel FW\Desktop

Weather\DesktopWeather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program

Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
c:\program files\common

files\aol\1109130448\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP

Scheduler.exe
C:\Program Files\Common Files\AOL\1109130448\EE\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\AOL\1109130448\EE\AOLDesktop.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\IEPro\MiniDM.exe
C:\WINDOWS\EXPLORER.EXE
C:\Program Files\Trend Micro\HijackThis\imabunny.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL =

about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL

= http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Search_URL =

http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL =

about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar -

{EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini:

UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TSI32\tsircusr

.exe
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: IE7Pro BHO - {00011268-E188-40DF-A514-835FCD78B1BF}

- C:\Program Files\IEPro\iepro.dll
O2 - BHO: Yahoo! Toolbar Helper -

{02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program

Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SeekNewLive Bar -

{0CB66BA8-5E1F-4963-93D1-E1D6B78F0212} - C:\Program

Files\SNLBar\SNLBar.dll
O2 - BHO: (no name) - {32F05659-3AF7-48BB-B161-1D78F3152BED} -

C:\WINDOWS\system32\ddccyvu.dll
O2 - BHO: SSVHelper Class -

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar BHO -

{7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program

Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper -

{AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program

files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO -

{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program

Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {D05A1A55-48BD-44FE-9B7B-05943ADCF12F} -

C:\WINDOWS\system32\rqolj.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -

c:\program files\google\googletoolbar4.dll
O3 - Toolbar: AOL Toolbar -

{DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program

Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar -

{EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper

Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer]

KHALMNPR.EXE
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic]

"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common

Files\AOL\1109130448\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe"

/WAITSERVICE
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt

Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network

Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer]

KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program

Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM

FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKCU\..\Run: [ATI DeviceDetect] "C:\Program Files\ATI

Multimedia\main\ATIDtct.EXE"
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel

FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program

Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft

ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program

Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [H/PC Connection Agent] "C:\PROGRAM

FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE" (User 'LOCAL

SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [H/PC Connection Agent] "C:\PROGRAM

FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE" (User

'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [H/PC Connection Agent] "C:\PROGRAM

FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe

C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters

(User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [H/PC Connection Agent] "C:\PROGRAM

FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE" (User 'Default

user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe

C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters

(User 'Default user')
O4 - Startup: AOL Desktop.lnk = C:\Program Files\Common

Files\AOL\Launch\aollaunch.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk =

C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common

Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: University of Colorado at Boulder VPN Client.lnk =

C:\Program Files\CU VPN\vpngui.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program

Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and

Settings\All Users\Application

Data\AOL\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program

Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program

Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: IE7Pro Preferences -

{0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program

Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences -

{0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program

Files\IEPro\iepro.dll
O9 - Extra button: (no name) -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite -

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program

Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) -

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program

Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... -

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program

Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: ATI TV -

{44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI

Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger -

{4528BBE0-4E08-11D5-AD55-00010333D0AD} -

C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger -

{4528BBE0-4E08-11D5-AD55-00010333D0AD} -

C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research -

{92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 -

{CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program

Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 -

{CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program

Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com -

{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -

C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) -

{e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -

{e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: http://www.demonoid.com
O15 - Trusted Zone: http://www.mininova.org
O15 - Trusted Zone: http://www.passportimages.com
O16 - DPF: Yahoo! Chat - http://cs5.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C}

(VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9}

(asusTek_sysctrl Class) -

http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows

Genuine Advantage Validation Tool) -

http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro

ActiveX Scan Agent 6.6) -

http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/a

ctivex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec

AntiVirus scanner) -

http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter

Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL

Content Update) -

http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -

http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/bor

ris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} -

http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C}

(WUWebControl Class) -

http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wu

web_site.cab?1121317761572
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec

RuFSI Utility Class) -

http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} -

https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3}

(MUWebControl Class) -

http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/m

uweb_site.cab?1150254016292
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial

cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078}

(ActiveDataInfo Class) -

https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}

(get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} -
O17 -

HKLM\System\CCS\Services\Tcpip\..\{5E36A1DF-48F6-4EC1-BDB2-5F

CF01A6B56E}: Domain = listenup.com
O18 - Protocol: bwfile-8876480 -

{9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program

Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: ddccyvu - C:\WINDOWS\SYSTEM32\ddccyvu.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC -

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown

owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program

Files\Common Files\Apple\Mobile Device

Support\bin\AppleMobileDeviceService.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries

Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. -

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco

Systems, Inc. - C:\Program Files\CU VPN\cvpnd.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program

Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) -

SEIKO EPSON CORPORATION - C:\Program Files\Common

Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program

Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure

Networks, Inc. - C:\Program Files\Pure Networks\Network

Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure

Networks, Inc. - C:\Program Files\Pure Networks\Network

Magic\nmsrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program

Files\Eset\nod32krn.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt

Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: TSI Remote Control Service (TSIRCSRV) - Laplink

Software, Inc. - C:\WINDOWS\System32\TSIRCSRV.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) -

America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 15371 bytes

Hifi... could you please post that hijackthis log with Format Unwrapped in notepad, please?

Don't worry about reposting the hijackthis log, Hifi, just keep that formatting in mind for future notepad posts.
It appears that you have a vundo infection, or traces of one, so...
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
Post the contents of C:\vundofix.txt, C:\combofix.txt plus a new HijackThis log run in normal mode.

Hi Gerbil,

Thanks for the help. Seems to have fixed the problem. Here is Combofix and HJT logfiles.

ComboFix 08-04-08.7 - CEZ 2008-04-09 9:00:30.1 - FAT32x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.316 [GMT -6:00]
Running from: D:\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\start.exe
C:\WINDOWS\system32\bund1
C:\WINDOWS\system32\bund1\temp.txt
C:\WINDOWS\system32\ddccyvu.dll
C:\WINDOWS\SYSTEM32\jloqr.ini
C:\WINDOWS\SYSTEM32\jloqr.ini2
C:\WINDOWS\system32\rqolj.dll
C:\WINDOWS\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
.

2008-04-09 07:49 . 2008-04-09 07:49 <DIR> d--hs---- C:\FOUND.000
2008-04-08 22:04 . 2008-04-08 22:04 8 --a------ C:\WINDOWS\SYSTEM32\3d3dcc52
2008-04-06 20:15 . 2008-04-06 20:15 <DIR> d-------- C:\Program Files\Panda Security
2008-04-06 19:22 . 2008-04-06 19:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-06 18:11 . 2008-04-06 18:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-06 17:22 . 2008-04-06 17:22 <DIR> d-------- C:\Program Files\CCleaner
2008-03-28 11:37 . 2008-04-09 09:08 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-28 11:37 . 2008-03-28 11:37 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-28 10:18 . 2008-03-28 10:18 <DIR> d-------- C:\Program Files\Swf2Avi
2008-03-28 10:16 . 2008-03-28 10:16 <DIR> d-------- C:\Documents and Settings\CEZ\Application Data\MiniDm
2008-03-24 21:38 . 2008-03-24 21:38 <DIR> d-------- C:\Documents and Settings\CEZ\Application Data\Downloaded Installations
2008-03-17 07:20 . 2008-03-17 07:20 <DIR> d-------- C:\Documents and Settings\CEZ\Application Data\SlySoft
2008-03-17 07:10 . 2008-03-17 07:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SlySoft
2008-03-17 07:00 . 2008-03-17 07:00 24 ---hs---- C:\WINDOWS\SB7CC85B5.tmp
2008-03-11 22:00 . 2008-03-11 22:00 <DIR> d-------- C:\Documents and Settings\CEZ\Application Data\IEPro
2008-03-11 21:59 . 2008-03-11 21:59 <DIR> d-------- C:\Program Files\IEPro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-26 16:13 --------- d-----w C:\Program Files\iPod
2008-02-26 16:12 --------- d-----w C:\Program Files\iTunes
2008-02-16 05:49 284,944 ----a-w C:\Documents and Settings\CEZ\Application Data\GDIPFONTCACHEV1.DAT
2008-02-16 03:52 --------- d-----w C:\Program Files\Bonjour
2008-02-16 03:07 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-01-11 04:53 44,544 ----a-w C:\WINDOWS\SYSTEM32\dllcache\pngfilt.dll
2008-01-09 16:19 966,656 ----a-w C:\WINDOWS\SYSTEM32\btrez.dll
2007-05-08 04:31 92,064 ----a-w C:\Documents and Settings\CEZ\mqdmmdm.sys
2007-05-08 04:31 9,232 ----a-w C:\Documents and Settings\CEZ\mqdmmdfl.sys
2007-05-08 04:31 79,328 ----a-w C:\Documents and Settings\CEZ\mqdmserd.sys
2007-05-08 04:31 66,656 ----a-w C:\Documents and Settings\CEZ\mqdmbus.sys
2007-05-08 04:31 6,208 ----a-w C:\Documents and Settings\CEZ\mqdmcmnt.sys
2007-05-08 04:31 5,936 ----a-w C:\Documents and Settings\CEZ\mqdmwhnt.sys
2007-05-08 04:31 4,048 ----a-w C:\Documents and Settings\CEZ\mqdmcr.sys
2007-05-08 04:31 25,600 ----a-w C:\Documents and Settings\CEZ\usbsermptxp.sys
2007-05-08 04:31 22,768 ----a-w C:\Documents and Settings\CEZ\usbsermpt.sys
2007-01-19 14:39 87,608 ----a-w C:\Documents and Settings\CEZ\Application Data\ezpinst.exe
2007-01-19 14:39 47,360 ----a-w C:\Documents and Settings\CEZ\Application Data\pcouffin.sys
2006-04-14 02:35 111 ----a-w C:\Documents and Settings\CEZ\Application Data\fusioncache.dat
2004-10-09 06:49 271 --sh--w C:\Program Files\desktop.ini
2004-10-09 06:49 23,357 ---h--w C:\Program Files\folder.htt
2004-08-19 22:13 64,512 ---ha-w C:\Documents and Settings\CEZ\Application Data\rbap450.dll
2003-08-30 07:41 431 ----a-w C:\Program Files\Microsoft Publisher 98.lnk
2002-12-02 16:35 81,920 ----a-w C:\Program Files\CALENDAR CREATOR 7.mdb
2003-03-03 06:08 32 --sha-w C:\WINDOWS\{9988128B-8E72-4FD5-98BE-596DD071BF0D}.dat
2003-03-03 06:08 32 --sha-w C:\WINDOWS\SYSTEM\{05618E73-52D1-4FFC-B2E3-A87226F7462F}.dat
2006-12-05 02:43 5,642 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
2006-09-26 06:29 88 --sh--r C:\WINDOWS\SYSTEM32\E2A317C6E3.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0CB66BA8-5E1F-4963-93D1-E1D6B78F0212}]
2007-04-20 08:27 49152 --a------ C:\Program Files\SNLBar\SNLBar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [2004-07-29 21:54 69705]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2006-03-07 10:00 724080]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 06:23 68856]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-03 13:42 401491]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-03-04 09:19 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 17:38 221184]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 03:10 55824 C:\WINDOWS\KHALMNPR.Exe]
"DU Meter"="C:\Program Files\DU Meter\DUMeter.exe" [2002-12-04 14:16 1194496]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-04-05 14:33 99480]
"HostManager"="C:\Program Files\Common Files\AOL\1109130448\ee\AOLSoftware.exe" [2007-10-08 14:50 41824]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-05-21 19:59 949376]
"atwtusb"="atwtusb.exe" [2001-08-20 18:48 167936 C:\WINDOWS\SYSTEM32\Atwtusb.exe]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-06-15 15:17 699120]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2007-03-14 15:42 321088]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 03:10 55824 C:\WINDOWS\KHALMNPR.Exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"AolAcsDaemon1"="C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE" [2007-10-11 04:20 42368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE" [2004-02-03 13:42 401491]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Printing Migration"="C:\WINDOWS\System32\spool\migrate.dll" [2001-08-23 12:00 30208]
"RunNarrator"="Narrator.exe" [2004-08-04 00:56 53760 C:\WINDOWS\SYSTEM32\narrator.exe]

C:\Documents and Settings\CEZ\Start Menu\Programs\Startup\
AOL Desktop.lnk - C:\Program Files\Common Files\AOL\Launch\aollaunch.exe [2007-05-25 10:16:09 42032]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check(2).lnk - C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE [2004-12-09 09:12:42 135680]
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2002-07-24 15:45:57 110592]
University of Colorado at Boulder VPN Client.lnk - C:\Program Files\CU VPN\vpngui.exe [2007-09-24 13:48:22 1528880]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-01-09 09:19:03 784912]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-09-11 12:26:12 576104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"<NO NAME>"= 00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"<NO NAME>"= 00000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-03-04 09:19 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccyvu]
ddccyvu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"MSACM.CEGSM"= mobilev.acm
"VIDC.YU12"= ATIYUV12.DLL
"VIDC.MJPG"= Pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^File-Ex.lnk]
backup=C:\WINDOWS\pss\File-Ex.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Norton GoBack.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Norton GoBack.lnk
backup=C:\WINDOWS\pss\Norton GoBack.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SYSTEMSUITE.LNK]
backup=C:\WINDOWS\pss\SYSTEMSUITE.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^CEZ^Start Menu^Programs^Startup^Anapod Manager.lnk]
path=C:\Documents and Settings\CEZ\Start Menu\Programs\Red Chair Software\Anapod Explorer\Anapod Manager.lnk
backup=C:\WINDOWS\pss\Anapod Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^CEZ^Start Menu^Programs^Startup^WinFax Application Port Starter.lnk]
backup=C:\WINDOWS\pss\WinFax Application Port Starter.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^CEZ^Start Menu^Programs^Startup^WinFax PRO Controller.lnk]
backup=C:\WINDOWS\pss\WinFax PRO Controller.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-r------- 2006-10-23 05:50 71216 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2004-02-03 13:42 401491 C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hide-The-IP]
C:\Program Files\Hide The IP\HideTheIP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-08-11 16:30 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
--a------ 2007-09-21 03:10 55824 C:\WINDOWS\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2003-12-17 09:50 19968 C:\WINDOWS\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2005-06-14 10:05 6856704 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
C:\Program Files\Norton Internet Security\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rfagent]
--a------ 2007-03-28 19:52 617576 C:\Program Files\RFA Platinum\rfagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundService]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
--a------ 2001-08-23 12:00 3072 C:\WINDOWS\SYSTEM32\systray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tweak UI]
--a------ 2004-08-04 00:56 33280 C:\WINDOWS\SYSTEM32\rundll32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SDhelper"=2 (0x2)
"GBPoll"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"Symantec Core LC"=3 (0x3)
"Speed Disk service"=2 (0x2)
"ose"=3 (0x3)
"NMIndexingService"=3 (0x3)
"MDM"=2 (0x2)
"Fax"=2 (0x2)
"CLTNetCnService"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Adobe Version Cue CS2"=3 (0x3)
"SandraTheSrv"=3 (0x3)
"SandraDataSrv"=3 (0x3)
"NBService"=3 (0x3)
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate Notice Ex"=2 (0x2)
"LiveUpdate"=3 (0x3)
"InCDsrv"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"AOL ACS"=2 (0x2)
"AdobeActiveFileMonitor5.0"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"NProtectService"=2 (0x2)
"SCardSvr"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"=C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
"LDM"=C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Disc Detector"=C:\Program Files\Creative\ShareDLL\CtNotify.exe
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"RealTray"=C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"RemoteCenter"=C:\Program Files\Creative\SBLive\RemoteCenter\Rc\RcMan.EXE
"Creative Launcher"=C:\Program Files\Creative\SBLive\Launcher\CTLauncher.exe
"AudioHQ"=C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
"ALiUSBfix"=C:\WINDOWS\SYSTEM32\GREENMK.EXE
"MSConfigReminder"=C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\MSCONFIG.EXE /reminder
"PaperPort PTD"=c:\paprport\pptd40nt.exe
"Device Detector"="C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
"Adobe Version Cue CS2"="c:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
"Logitech Utility"=Logi_MwX.Exe
"LVCOMSX"=C:\WINDOWS\system32\LVCOMSX.EXE
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"dvd43"=C:\Program Files\dvd43\dvd43_tray.exe
"PWRISOVM.EXE"=C:\Program Files\PowerISO\PWRISOVM.EXE
"InCD"=C:\Program Files\Nero\Nero 7\InCD\InCD.exe
"UserFaultCheck"=%systemroot%\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"AtiPTA"=atiptaxx.exe
"Tweak UI"=RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
"DU Meter"=C:\PROGRAM FILES\DU METER\DUMETER.EXE
"MSConfigReminder"=C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\MSCONFIG.EXE /reminder
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"StillImageMonitor"=C:\WINDOWS\SYSTEM32\STIMON.EXE
"SchedulingAgent"=mstask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\1109130448\\EE\\AOLServiceHost.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Common Files\\AOL\\1109130448\\EE\\aolsoftware.exe"=
"C:\\Program Files\\Red Chair Software\\Anapod Explorer\\anamgr.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"C:\\WINDOWS\\System32\\fxsclnt.exe"=
"C:\\Program Files\\LapLink Gold\\laplink.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"C:\\Program Files\\CU VPN\\vpnclient.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AOL\\1109130448\\ee\\AOLDesktop.exe"=
"C:\\Program Files\\AOL 9.1\\waol.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\IEPro\\MiniDM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2007-09-15 08:41]
R1 tsircmir;LapLink Mirror Driver Miniport;C:\WINDOWS\system32\Drivers\tsircmir.sys [2004-09-29 15:19]
R2 BCMNTIO;BCMNTIO;C:\PROGRA~1\CHECKIT\DIAGNO~1\BCMNTIO.sys [2004-03-05 17:09]
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-06-30 00:53]
R2 MAPMEM;MAPMEM;C:\PROGRA~1\CHECKIT\DIAGNO~1\MAPMEM.sys [2004-03-05 17:09]
R2 TSISER;TSISER;C:\WINDOWS\system32\drivers\TSISER.sys [2004-09-29 16:23]
R2 TSISTRMX;Traveling Software Stream Driver;C:\WINDOWS\system32\drivers\TSISTRMX.sys [2004-09-29 15:18]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
R3 TSIKBF5;Traveling Software Keyboard Filter Driver;C:\WINDOWS\system32\drivers\TSIKBF5.sys [2004-09-29 15:17]
R3 TSIMSF5;Traveling Software Mouse Filter Driver;C:\WINDOWS\system32\drivers\TSIMSF5.sys [2004-09-29 15:18]
S1 TSIRCINK;Traveling Software Install Driver;C:\WINDOWS\system32\drivers\TSIRCINK.sys [2004-09-29 15:18]
S3 LLUSBFLT;LLUSBFLT;C:\WINDOWS\system32\drivers\llusbflt.sys [2004-09-29 16:23]
S3 PLUsbbc2;Laplink USB Cable Driver;C:\WINDOWS\system32\Drivers\usbbc2.sys [2004-06-03 00:51]
S3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []
S3 scsiscan;SCSI Scanner Driver;C:\WINDOWS\system32\DRIVERS\scsiscan.sys [2001-08-17 13:53]
S3 utblfilt;utblfilt;C:\WINDOWS\system32\drivers\utblfilt.sys [2001-05-23 02:42]
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys [2001-01-07 18:53]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\Program Files\Outlook Express\setup50.exe" /APP:OE /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\Program Files\Outlook Express\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
"C:\Program Files\Outlook Express\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2008-04-06 15:58:58 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-04-01 00:36:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 09:08:30
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CU VPN\cvpnd.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\TSIRCSRV.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\common files\aol\1109130448\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\AOL\1109130448\EE\AOLDesktop.exe
.
**************************************************************************
.
Completion time: 2008-04-09 9:21:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-09 15:20:56
Pre-Run: 186,894,876,672 bytes free
Post-Run: 187,471,429,632 bytes free
.
2008-03-19 15:37:58 --- E O F ---

HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:29:57 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CU VPN\cvpnd.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\TSIRCSRV.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Common Files\AOL\1109130448\ee\AOLSoftware.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
c:\program files\common files\aol\1109130448\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1109130448\EE\aolsoftware.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\AOL\1109130448\EE\AOLDesktop.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Trend Micro\HijackThis\imabunny.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: IE7Pro BHO - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SeekNewLive Bar - {0CB66BA8-5E1F-4963-93D1-E1D6B78F0212} - C:\Program Files\SNLBar\SNLBar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1109130448\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKCU\..\Run: [ATI DeviceDetect] "C:\Program Files\ATI Multimedia\main\ATIDtct.EXE"
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'Default user')
O4 - Startup: AOL Desktop.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: University of Colorado at Boulder VPN Client.lnk = C:\Program Files\CU VPN\vpngui.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: http://www.demonoid.com
O15 - Trusted Zone: http://www.mininova.org
O15 - Trusted Zone: http://www.passportimages.com
O16 - DPF: Yahoo! Chat - http://cs5.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121317761572
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150254016292
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E36A1DF-48F6-4EC1-BDB2-5FCF01A6B56E}: Domain = listenup.com
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: ddccyvu - ddccyvu.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\CU VPN\cvpnd.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: TSI Remote Control Service (TSIRCSRV) - Laplink Software, Inc. - C:\WINDOWS\System32\TSIRCSRV.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 14963 bytes

Vundofix did not find anything?

=C:\FOUND.000 - these are remnants from running chkdsk - you must have had a crash, chkdsk found file scraps and put them here. You can delete this folder.
=Delete:
C:\WINDOWS\SB7CC85B5.tmp
=Check the properties of these files for the owner:
C:\WINDOWS\{9988128B-8E72-4FD5-98BE-596DD071BF0D}.dat
C:\WINDOWS\SYSTEM\{05618E73-52D1-4FFC-B2E3-A87226F7462F}.dat
C:\WINDOWS\SYSTEM32\E2A317C6E3.sys
=What is in this folder?:
C:\WINDOWS\SYSTEM32\3d3dcc52

=Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} -
O20 - Winlogon Notify: ddccyvu - ddccyvu.dll (file missing)

While doing this, you should also fix those three O15 entries - there is no need to have any sites as Trusted, if they are safe they will pass all your IE security protocols anyway; they may as well be subject to the same checks as any other site.

Fix this one also:
O2 - BHO: SeekNewLive Bar - {0CB66BA8-5E1F-4963-93D1-E1D6B78F0212} - C:\Program Files\SNLBar\SNLBar.dll
... and delete this folder:
C:\Program Files\SNLBar\

Good Morning Gerbil,
The dat and sys files show "everyone" as the owner. I couldn't find Windows\System32\3d3dcc52. I fixed HJT entries you mentioned. I couldn't delete Program Files\SNLBar\. I found the Vundofix logfile which is shown below. And, thank-you, thank-you, thank-you.

VundoFix V6.3.18

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 10:48:41 AM 3/30/2007

Listing files found while scanning....

C:\WINDOWS\SYSTEM32\cbxus.dll
C:\WINDOWS\SYSTEM32\fnhrkwhe.dll
C:\WINDOWS\SYSTEM32\suxbc.ini2
C:\WINDOWS\SYSTEM32\wvurqol.dll

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\cbxus.dll
C:\WINDOWS\SYSTEM32\cbxus.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\fnhrkwhe.dll
C:\WINDOWS\SYSTEM32\fnhrkwhe.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\suxbc.ini2
C:\WINDOWS\SYSTEM32\suxbc.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\wvurqol.dll
C:\WINDOWS\SYSTEM32\wvurqol.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V7.0.3

Scan started at 8:12:04 AM 4/9/2008

Listing files found while scanning....

C:\Program Files\PowerISO\PWRISOSH.DLL

Beginning removal...

VundoFix V7.0.3

Scan started at 6:36:16 PM 4/9/2008

Listing files found while scanning....

No infected files were found.

Hello, Hifi.
Rename these files:
C:\WINDOWS\{9988128B-8E72-4FD5-98BE-596DD071BF0D}.dat > C:\WINDOWS\{9988128B-8E72-4FD5-98BE-596DD071BF0D}.dat.old
C:\WINDOWS\SYSTEM\{05618E73-52D1-4FFC-B2E3-A87226F7462F}.dat > C:\WINDOWS\SYSTEM\{05618E73-52D1-4FFC-B2E3-A87226F7462F}.dat.old

=C:\WINDOWS\SYSTEM32\3d3dcc52 - did you use the search function when trying to find this? That way you would see hidden folders... if you can't find it, don't worry about it.

=Deleting C:\Program Files\SNLBar\... Sorry , I was a bit brief on the instruction for this one; go CP, Add/Remove pgms and remove it from there, then you will be able to delete the folder.
You may have to delete the file in it first.
=Delete this file, you may have to do it from safe mode...
C:\WINDOWS\SYSTEM32\wvurqol.dll
-now please run Vundofix again; CHECK the log, if it cannot delete any files it finds rerun it until it does the job.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.