[Resolved] Baseline, recurring infection
protoweenie
post Jun 26 2009, 04:04 PM
Post #1


New Member
Group: Authentic Member
Posts: 7
Joined: 26-June 09
Member No.: 86,436
Operating System: xp Home

I'm trying to clean up my girlfriend's 18-year-old son's PC. I keep getting some nasty little buggers showing up when I run HijackThis (log attached). Any help resolving this would be much appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:11:13 PM, on 6/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {0dff2b8d-38b9-47ea-96de-6243d478d32b} - C:\WINDOWS\system32\jivazona.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [98c15e92] rundll32.exe "C:\WINDOWS\system32\bunuzeka.dll",b
O4 - HKLM\..\Run: [CPM9bf26d0e] Rundll32.exe "c:\windows\system32\kuziyado.dll",a
O4 - HKLM\..\Run: [lebahohoje] Rundll32.exe "C:\WINDOWS\system32\jitodujo.dll",s
O4 - HKLM\..\Policies\Explorer\Run: [smile] C:\Program Files\Applications\wcs.exe
O4 - HKUS\S-1-5-18\..\Run: [Cognac] C:\DOCUME~1\Owner\LOCALS~1\Temp\66.tmp.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Cognac] C:\DOCUME~1\Owner\LOCALS~1\Temp\66.tmp.exe (User 'Default user')
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantispyware.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} (Gif89 Lite Class) - http://192.168.1.2/xplugLite.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: c:\windows\system32\kuziyado.dll,C:\WINDOWS\system32\dufizige.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: awtustSM - awtustSM.dll (file missing)
O20 - Winlogon Notify: jkklk - C:\WINDOWS\system32\jkklk.dll (file missing)
O20 - Winlogon Notify: qoMghfEt - qoMghfEt.dll (file missing)
O20 - Winlogon Notify: urqpmlj - urqpmlj.dll (file missing)
O20 - Winlogon Notify: __c003A344 - C:\WINDOWS\system32\__c003A344.dat
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kuziyado.dll
O22 - SharedTaskScheduler: awash - {e3623691-f85d-48d8-8e4d-abe79077f841} - C:\WINDOWS\system32\bcxjqr.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kuziyado.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 5303 bytes

This post has been edited by protoweenie: Jun 26 2009, 04:13 PM
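An added example, not part of this thread and not HijackThis's own code: a small Python triage script that parses entries in the format of the log above and flags the patterns a helper looks for in it (a nameless BHO, hex-named Run values, autostarts from Temp or from Policies\Explorer\Run, Trusted Zone additions, AppInit_DLLs, orphaned Winlogon Notify entries, and the eight-letter consonant-vowel filenames of the dropped DLLs). The consonant-vowel heuristic is an assumption drawn from the names in this log, and the sample entries are constructed from it with legitimate AVG and LogMeIn lines for contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format of the HijackThis log posted above: the
# infected entries from that log alongside legitimate AVG/LogMeIn ones.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0dff2b8d-38b9-47ea-96de-6243d478d32b} - C:\WINDOWS\system32\jivazona.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [98c15e92] rundll32.exe "C:\WINDOWS\system32\bunuzeka.dll",b
O4 - HKLM\..\Policies\Explorer\Run: [smile] C:\Program Files\Applications\wcs.exe
O4 - HKUS\S-1-5-18\..\Run: [Cognac] C:\DOCUME~1\Owner\LOCALS~1\Temp\66.tmp.exe (User 'SYSTEM')
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O20 - AppInit_DLLs: c:\windows\system32\kuziyado.dll,C:\WINDOWS\system32\dufizige.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: jkklk - C:\WINDOWS\system32\jkklk.dll (file missing)
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
"""

# "O4 - rest of entry": the section tag, then the body HijackThis prints.
ENTRY = re.compile(r'^(O\d+|R\d|F\d|N\d) - (.*)$')
# Heuristic (assumption drawn from this log): the dropped DLLs all carry an
# eight-letter name that alternates consonant and vowel (jivazona, kuziyado...).
CV_NAME = re.compile(r'\\(?:[b-df-hj-np-tv-z][aeiou]){4}\.(?:dll|exe)\b', re.I)
HEX_RUN_NAME = re.compile(r'^(?:CPM)?[0-9a-f]{8,}$', re.I)   # [98c15e92], [CPM9bf26d0e]
TEMP_PATH = re.compile(r'\\(?:LOCALS~1|Local Settings)\\Temp\\', re.I)
RUN_NAME = re.compile(r'\[([^\]]+)\]')                          # the [name] of an O4 value


@dataclass
class Finding:
    line: str
    reasons: list


def check_entry(line):
    """Return a Finding for one HijackThis line, or None if nothing stands out."""
    m = ENTRY.match(line.strip())
    if m is None:                       # process list, header, blank line
        return None
    section, body = m.group(1), m.group(2)
    reasons = []
    if CV_NAME.search(body):
        reasons.append("consonant-vowel random filename")
    if section == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("BHO with no name")
    if section == "O4":
        name = RUN_NAME.search(body)
        if name and HEX_RUN_NAME.match(name.group(1)):
            reasons.append("hex-looking Run value name")
        if TEMP_PATH.search(body):
            reasons.append("autostart from a Temp directory")
        if r"\Policies\Explorer\Run" in body:
            reasons.append("Policies\\Explorer\\Run autostart (rarely legitimate)")
    if section == "O15" and body.startswith("Trusted Zone"):
        reasons.append("Trusted Zone addition (review every one)")
    if section == "O20" and body.startswith("AppInit_DLLs"):
        reasons.append("AppInit_DLLs loads into every process")
    if section == "O20" and "(file missing)" in body:
        reasons.append("orphaned Winlogon Notify entry")
    return Finding(line.strip(), reasons) if reasons else None


def triage(log_text):
    """Run check_entry over a whole log and return the flagged entries in order."""
    return [f for f in map(check_entry, log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

The legitimate AVG Winlogon Notify entry (avgrsstx.dll, eight letters but not consonant-vowel) is deliberately left unflagged, which is why the name rule is stricter than "eight random letters".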
Raktor
post Jun 26 2009, 04:35 PM
Post #2


SuperMember
Group: Malware Team
Posts: 1,201
Joined: 29-October 08
From: Melbourne, Australia
Member No.: 82,162
Operating System: Windows 7 Professional 64bit, Windows XP Pro SP3, Mac OS X 10.5, Debian 5.0

Hi, welcome to the WTT Forums. My username is Raktor, and I would be glad to take a look at your log.
Please be advised that, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice.
This may cause a delay, but I will do my best to keep it as short as possible.

I will be back to you shortly with instructions.
Raktor
post Jun 27 2009, 08:52 PM
Post #3


Hi protoweenie, welcome to the WTT Forums. My username is Raktor, and I would be glad to take a look at your log. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • If you don't know or understand something, please don't hesitate to say or ask! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • Please do not use any tools such as Combofix, Vundofix, or HijackThis fixes without instruction to do so!
  • Finally, stay with this topic until I give you the final 'All clear' post!


Please download ComboFix to your desktop from one of these locations:
Link 1
Link 2
Link 3

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



  • Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please advise.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
protoweenie
post Jun 28 2009, 08:39 AM
Post #4


Raktor,

Thanks for the reply and the help.
Combofix scan completed. Log attached.
Attached File: ComboFix.txt (24.58K)
Raktor
post Jun 29 2009, 06:49 PM
Post #5


No problem protoweenie.

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    CODE
    http://forums.whatthetech.com/Baseline_t104560.html

    Collect::
    C:\x345.bat
    C:\d45.bat
    c:\windows\system32\drivers\yecimuecbqhxnmbf.sys
    c:\windows\bf23567.dat
    c:\windows\010112010146118114.dat
    c:\windows\104116116112584747.dat
    c:\windows\0101120101465452.dat
    c:\windows\system32\jifakade.dll
    c:\windows\system32\kuziyado.dll
    c:\windows\system32\zorihali.dll
    c:\windows\system32\jitodujo.dll
    c:\windows\system32\jivazona.dll
    c:\windows\system32\rlscsqmg.tmp
    c:\docume~1\Owner\LOCALS~1\Temp\66.tmp.exe
    c:\program files\Applications\wcs.exe

    Folder::
    c:\documents and settings\Owner\Application Data\ptidl
    c:\documents and settings\All Users\Application Data\91653746
    c:\documents and settings\All Users\Application Data\11643754
    c:\documents and settings\Owner\Application Data\Twain

    Reg::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0dff2b8d-38b9-47ea-96de-6243d478d32b}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "lebahohoje"=-
    "CPM9bf26d0e"=-
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Cognac"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
    "smile"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8085:TCP"=-

    DirLook::
    c:\windows\ShellNew

    Driver::
    wowsystem

    NetSvc::
    wowsystem

    DelDomains::

    AWF::
    c:\program files\CyberLink\PowerDVD\bak\PDVDServ.exe
    c:\program files\Digital Media Reader\bak\shwiconem.exe
    c:\program files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe
    c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\bak\hphupd05.exe
    c:\program files\HP\hpcoretech\bak\hpcmpmgr.exe
    c:\program files\Java\jre1.6.0_02\bin\bak\jusched.exe
    c:\program files\NVIDIA Corporation\NvMixer\bak\NVMixerTray.exe
    c:\windows\SMINST\bak\RECGUARD.EXE
    c:\windows\system32\bak\hphmon05.exe
    c:\windows\system32\bak\NeroCheck.exe
    c:\windows\system32\spool\drivers\w32x86\3\bak\hpztsb09.exe

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
protoweenie
post Jun 30 2009, 05:17 PM
Post #6


Raktor,

No worries about my using ComboFix on my own. I'm slow, not stupid. I will ensure that any programs you have me install will be removed before I turn the machine over to the (no longer administrator) knucklehead who infected this system. In 20 years with DOS and Windows machines I've never had this type of issue on any of my systems.
Once again, thank you for your efforts.
ComboFix log is attached.

Please do not attach any logs unless requested to do so by the helper, just copy and paste them in.

ComboFix 09-06-29.07 - Admin 06/30/2009 18:38.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.250 [GMT -4:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: C:\d45.bat
file zipped: c:\windows\010112010146118114.dat
file zipped: c:\windows\0101120101465452.dat
file zipped: c:\windows\104116116112584747.dat
file zipped: c:\windows\bf23567.dat
file zipped: c:\windows\system32\drivers\yecimuecbqhxnmbf.sys
file zipped: c:\windows\system32\jifakade.dll
file zipped: c:\windows\system32\jitodujo.dll
file zipped: c:\windows\system32\jivazona.dll
file zipped: c:\windows\system32\kuziyado.dll
file zipped: c:\windows\system32\rlscsqmg.tmp
file zipped: c:\windows\system32\zorihali.dll
file zipped: C:\x345.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\d45.bat
c:\documents and settings\All Users\Application Data\11643754
c:\documents and settings\All Users\Application Data\11643754\pc11643754ins
c:\documents and settings\All Users\Application Data\91653746
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\010112010146118114.dat
c:\windows\0101120101465452.dat
c:\windows\104116116112584747.dat
c:\windows\bf23567.dat
c:\windows\system32\ahanalum.ini
c:\windows\system32\bazujege.dll
c:\windows\system32\drivers\yecimuecbqhxnmbf.sys
c:\windows\system32\ibeyabip.ini
c:\windows\system32\jifakade.dll
c:\windows\system32\jitodujo.dll
c:\windows\system32\jivazona.dll
c:\windows\system32\kuziyado.dll
c:\windows\system32\mulanaha.dll
c:\windows\system32\ogewiboy.ini
c:\windows\system32\pibayebi.dll
c:\windows\system32\rlscsqmg.tmp
c:\windows\system32\yipabojo.exe
c:\windows\system32\yobiwego.dll
c:\windows\system32\zorihali.dll
C:\x345.bat

----- BITS: Possible infected sites -----

hxxp://82.98.235.208
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WOWSYSTEM
-------\Service_wowsystem


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-30 )))))))))))))))))))))))))))))))
.

2009-06-26 22:42 . 2009-06-26 22:42 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-06-26 22:39 . 2009-06-26 22:41 -------- d-----w- c:\windows\ShellNew
2009-06-26 22:39 . 2009-06-26 22:39 -------- d-----w- c:\program files\Common Files\L&H
2009-06-26 22:10 . 2009-06-26 22:10 -------- d-----w- c:\program files\Trend Micro
2009-06-26 19:16 . 2009-06-26 21:29 1922848 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-26 19:16 . 2009-06-26 21:29 16928 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-06-26 18:45 . 2009-06-26 21:05 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-06-26 18:45 . 2009-06-26 21:05 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-06-26 18:45 . 2009-06-26 18:45 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
2009-06-26 18:43 . 2009-06-26 18:43 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Downloaded Installations
2009-06-18 23:08 . 2009-06-18 23:08 -------- d-----w- c:\windows\Favorites
2009-06-18 20:18 . 2009-06-21 23:03 -------- d-----w- c:\program files\driver
2009-06-04 12:57 . 2009-06-04 12:57 -------- d-----w- c:\program files\CONEXANT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-30 22:44 . 2008-11-15 14:47 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-30 22:38 . 2007-07-30 07:29 -------- d-----w- c:\program files\Digital Media Reader
2009-06-30 18:42 . 2009-03-30 18:42 83968 --sha-w- c:\windows\system32\zobesohe.dll
2009-06-30 04:43 . 2007-10-13 17:36 -------- d-----w- c:\program files\LogMeIn
2009-06-29 00:41 . 2009-03-29 00:41 83456 --sha-w- c:\windows\system32\zasezara.dll
2009-06-26 21:29 . 2009-06-26 19:16 3632 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-06-26 21:29 . 2009-06-26 19:16 28892 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-26 18:45 . 2008-06-29 18:47 31088 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-26 15:10 . 2007-08-31 00:22 -------- d-----w- c:\documents and settings\LSG\Application Data\LimeWire
2009-06-25 23:34 . 2009-04-26 16:41 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-25 23:34 . 2009-04-26 16:41 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-19 20:49 . 2009-04-26 16:41 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-19 20:49 . 2009-04-26 16:41 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-19 19:41 . 2009-05-19 19:41 -------- d-----w- c:\program files\Common Files\SupportSoft
2009-05-19 19:41 . 2009-05-19 19:41 -------- d-----w- c:\program files\ComcastUI
2009-05-08 01:06 . 2007-08-31 00:16 -------- d-----w- c:\program files\LimeWire
2009-04-25 12:24 . 2008-08-25 04:11 31088 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\windows\ShellNew ----

2000-04-06 20:49 . 2000-04-06 20:49 98304 ----a-w- c:\windows\ShellNew\ACCESS9.MDB
2000-02-06 17:26 . 2000-02-06 17:26 11776 ----a-w- c:\windows\ShellNew\EXCEL9.XLS
1999-03-10 12:41 . 1999-03-10 12:41 11264 ----a-w- c:\windows\ShellNew\PWRPNT10.POT
1997-08-01 04:37 . 1997-08-01 04:37 10752 ----a-w- c:\windows\ShellNew\WINWORD8.DOC


((((((((((((((((((((((((((((( SnapShot@2009-06-28_14.19.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-26 16:12 . 2009-06-30 00:46 52764 c:\windows\system32\perfc009.dat
- 2004-08-26 16:12 . 2009-06-27 11:42 52764 c:\windows\system32\perfc009.dat
+ 2007-09-17 19:48 . 2005-07-08 04:55 176128 c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
+ 2004-08-26 16:12 . 2009-06-30 00:46 380350 c:\windows\system32\perfh009.dat
- 2004-08-26 16:12 . 2009-06-27 11:42 380350 c:\windows\system32\perfh009.dat
+ 2007-07-30 07:25 . 2001-07-09 18:50 155648 c:\windows\system32\NeroCheck.exe
+ 2007-09-17 19:41 . 2005-07-08 04:55 491520 c:\windows\system32\hphmon05.exe
+ 2004-09-09 04:10 . 2002-09-13 20:42 212992 c:\windows\SMINST\RECGUARD.EXE
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-07-30 07:54 . 2007-07-30 07:54 185896 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

2007-08-20 23:19 . 2007-09-14 00:47 421888 c:\program files\Grisoft\AVG7\bak\avgcc.exe

2007-09-26 18:42 . 2007-09-26 18:42 267064 c:\program files\iTunes\bak\iTunesHelper.exe
2008-11-20 18:20 . 2008-11-20 18:20 290088 c:\program files\iTunes\iTunesHelper.exe

2007-06-29 10:24 . 2007-06-29 10:24 286720 c:\program files\QuickTime\bak\qttask.exe
2008-11-04 15:30 . 2008-11-04 15:30 413696 c:\program files\QuickTime\QTTask.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-07-12 4112384]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-07-12 81920]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-09-12 63048]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [N/A]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-25 1948440]
"lebahohoje"="c:\windows\system32\jitodujo.dll" [N/A]
"98c15e92"="c:\windows\system32\yobiwego.dll" [N/A]
"CPM9bf26d0e"="c:\windows\system32\zobesohe.dll" [2009-06-30 83968]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-07-12 843776]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Cognac"="c:\docume~1\Owner\LOCALS~1\Temp\66.tmp.exe" [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"smile"="c:\program files\Applications\wcs.exe" [N/A]

c:\documents and settings\LSG\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-2-8 147456]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - f:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\zobesohe.dll" [2009-06-30 83968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\zobesohe.dll [2009-06-30 83968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-19 20:49 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 00:35 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^run_startmenu.cmd]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\run_startmenu.cmd
backup=c:\windows\pss\run_startmenu.cmdCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^TA_Start.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\TA_Start.lnk
backup=c:\windows\pss\TA_Start.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Think-Adz.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Think-Adz.lnk
backup=c:\windows\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SAVScan"=3 (0x3)
"NPFMntor"=2 (0x2)
"navapsvc"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McAfeeAntiSpyware"=2 (0x2)
"LiveUpdate"=3 (0x3)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AOL ACS"=2 (0x2)
"SNDSrvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"Bonjour Service"=2 (0x2)
"DomainService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:driver

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/26/2009 12:41 PM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/26/2009 12:41 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [6/25/2009 7:34 PM 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/25/2009 7:34 PM 298776]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [9/12/2007 10:21 AM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [10/13/2007 1:36 PM 47640]
R3 WlanUIG;NB 802.11g Wireless LAN USB Adapter Driver;c:\windows\system32\drivers\WlanUIG.sys [8/19/2007 5:17 PM 379456]
S3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [9/12/2007 10:20 AM 12192]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
Contents of the 'Scheduled Tasks' folder

2009-06-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-06-30 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2007-09-17 04:55]

2007-07-30 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 00:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0dff2b8d-38b9-47ea-96de-6243d478d32b} - c:\windows\system32\jivazona.dll
ShellExecuteHooks-{EAE8A482-0DE5-4488-9DBF-C8FE0B1D0497} - (no file)


.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000
DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} - hxxp://192.168.1.2/xplugLite.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-30 18:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(824)
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(2700)
c:\windows\system32\zobesohe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
.
**************************************************************************
.
Completion time: 2009-06-30 18:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-30 22:50
ComboFix2.txt 2009-06-28 14:24

Pre-Run: 28,110,082,048 bytes free
Post-Run: 28,249,690,112 bytes free

263 --- E O F --- 2009-05-22 07:04

Attached File: ComboFix2.txt (15.22K)
Raktor
post Jun 30 2009, 07:33 PM
Post #7


We're getting closer.

I have another CFScript for you, run it in the same way as the last one.

CODE
http://forums.whatthetech.com/Baseline_t104560.html

Collect::
c:\windows\system32\zobesohe.dll
c:\windows\system32\zasezara.dll

Folder::
c:\program files\Common Files\Real\Update_OB\bak
c:\program files\Grisoft\AVG7\bak
c:\program files\iTunes\bak
c:\program files\QuickTime\bak

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lebahohoje"=-
"98c15e92"=-
"CPM9bf26d0e"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Cognac"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"smile"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"=-
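Added example, not from the thread and not ComboFix's own code: a parser for the file-listing lines of ComboFix's Find3M Report that scores each file on the properties Raktor's second script acted on: hidden+system files sitting directly in system32, consonant-vowel names, and a creation stamp that matches the modification stamp to the minute but sits months earlier (in the log above, zobesohe.dll and zasezara.dll both show exactly that pattern). The meaning of the 's' and 'h' flag characters, the naming heuristic and the scoring weights are assumptions; the sample lines are constructed from the report.

```python
import re
from datetime import datetime

# Constructed sample in the format of the Find3M Report lines in the log above:
# <modified> . <created> <size or dashes> <attribute flags> <path>
SAMPLE_LINES = r"""
2009-06-30 22:44 . 2008-11-15 14:47 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-30 18:42 . 2009-03-30 18:42 83968 --sha-w- c:\windows\system32\zobesohe.dll
2009-06-29 00:41 . 2009-03-29 00:41 83456 --sha-w- c:\windows\system32\zasezara.dll
2009-06-26 21:29 . 2009-06-26 19:16 3632 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-05-19 20:49 . 2009-04-26 16:41 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-04-25 12:24 . 2008-08-25 04:11 31088 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
"""

ENTRY = re.compile(
    r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) '
    r'(\d+|-+) (\S{8}) (.+)$')
STAMP = "%Y-%m-%d %H:%M"
# Same naming heuristic as the dropped DLLs in this thread (assumption): eight
# letters alternating consonant and vowel, e.g. zobesohe, zasezara.
CV_NAME = re.compile(r'^(?:[b-df-hj-np-tv-z][aeiou]){4}\.(?:dll|exe|sys)$', re.I)


def parse_entry(line):
    """Split one report line into its fields; None for headers and blanks."""
    m = ENTRY.match(line.strip())
    if m is None:
        return None
    modified, created, size, flags, path = m.groups()
    return {
        "modified": datetime.strptime(modified, STAMP),
        "created": datetime.strptime(created, STAMP),
        "size": int(size) if size.isdigit() else None,   # dashes for directories
        "flags": flags,
        "path": path,
    }


def score_entry(entry):
    """Return (score, reasons); the weights are this example's assumption."""
    score, reasons = 0, []
    flags, path = entry["flags"], entry["path"]
    if flags.startswith("d"):              # directory entry, not scored
        return 0, reasons
    folder, _, name = path.lower().rpartition("\\")
    # Assumed from the log: 's' and 'h' in the flag column mean system and hidden.
    hidden_system = "s" in flags and "h" in flags
    if hidden_system and folder == r"c:\windows\system32":
        score += 2
        reasons.append("hidden+system file directly in system32")
    elif hidden_system:
        score += 1
        reasons.append("hidden+system attributes")
    if CV_NAME.match(name):
        score += 2
        reasons.append("consonant-vowel random name")
    created, modified = entry["created"], entry["modified"]
    # Both collected DLLs: created exactly three months before modified, same hh:mm.
    if (created < modified and (modified - created).days >= 30
            and (created.hour, created.minute) == (modified.hour, modified.minute)):
        score += 2
        reasons.append("creation stamp back-dated to the minute")
    return score, reasons


def triage(text):
    """Score every parsable line and return (score, path, reasons), highest first."""
    results = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        score, reasons = score_entry(entry)
        if score:
            results.append((score, entry["path"], reasons))
    return sorted(results, reverse=True)


if __name__ == "__main__":
    for score, path, reasons in triage(SAMPLE_LINES):
        print(f"[{score}] {path}: {', '.join(reasons)}")
```

The AVG driver database files (fidbox*.dat/.idx) are hidden+system as well, which is why the attribute alone only contributes a low score and the name and timestamp checks carry the decision.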
protoweenie
post Jul 1 2009, 05:46 PM
Post #8


Raktor,

Here's the latest.

ComboFix 09-07-01.01 - Admin 07/01/2009 18:35.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.314 [GMT -4:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: c:\windows\system32\zasezara.dll
file zipped: c:\windows\system32\zobesohe.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\Real\Update_OB\bak
c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
c:\program files\Grisoft\AVG7\bak
c:\program files\Grisoft\AVG7\bak\avgcc.exe
c:\program files\iTunes\bak
c:\program files\iTunes\bak\iTunesHelper.exe
c:\program files\QuickTime\bak
c:\program files\QuickTime\bak\qttask.exe
c:\windows\system32\zasezara.dll
c:\windows\system32\zobesohe.dll

.
((((((((((((((((((((((((( Files Created from 2009-06-01 to 2009-07-01 )))))))))))))))))))))))))))))))
.

2009-06-26 22:42 . 2009-06-26 22:42 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-06-26 22:39 . 2009-06-26 22:41 -------- d-----w- c:\windows\ShellNew
2009-06-26 22:39 . 2009-06-26 22:39 -------- d-----w- c:\program files\Common Files\L&H
2009-06-26 22:10 . 2009-06-26 22:10 -------- d-----w- c:\program files\Trend Micro
2009-06-26 19:16 . 2009-06-26 21:29 1922848 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-26 19:16 . 2009-06-26 21:29 16928 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-06-26 18:45 . 2009-06-26 21:05 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-06-26 18:45 . 2009-06-26 21:05 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-06-26 18:45 . 2009-06-26 18:45 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
2009-06-26 18:43 . 2009-06-26 18:43 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Downloaded Installations
2009-06-18 23:08 . 2009-06-18 23:08 -------- d-----w- c:\windows\Favorites
2009-06-18 20:18 . 2009-06-21 23:03 -------- d-----w- c:\program files\driver
2009-06-04 12:57 . 2009-06-04 12:57 -------- d-----w- c:\program files\CONEXANT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-01 22:38 . 2007-10-03 12:28 -------- d-----w- c:\program files\iTunes
2009-07-01 22:38 . 2007-07-30 06:59 -------- d-----w- c:\program files\QuickTime
2009-07-01 04:05 . 2007-10-13 17:36 -------- d-----w- c:\program files\LogMeIn
2009-06-30 22:46 . 2007-07-30 07:29 -------- d-----w- c:\program files\Digital Media Reader
2009-06-30 22:44 . 2008-11-15 14:47 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-26 21:29 . 2009-06-26 19:16 3632 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-06-26 21:29 . 2009-06-26 19:16 28892 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-26 18:45 . 2008-06-29 18:47 31088 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-26 15:10 . 2007-08-31 00:22 -------- d-----w- c:\documents and settings\LSG\Application Data\LimeWire
2009-06-25 23:34 . 2009-04-26 16:41 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-25 23:34 . 2009-04-26 16:41 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-19 20:49 . 2009-04-26 16:41 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-19 20:49 . 2009-04-26 16:41 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-19 19:41 . 2009-05-19 19:41 -------- d-----w- c:\program files\Common Files\SupportSoft
2009-05-19 19:41 . 2009-05-19 19:41 -------- d-----w- c:\program files\ComcastUI
2009-05-08 01:06 . 2007-08-31 00:16 -------- d-----w- c:\program files\LimeWire
2009-05-07 15:32 . 2004-08-26 16:11 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:46 . 2004-08-26 16:12 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2004-08-26 16:11 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-25 12:24 . 2008-08-25 04:11 31088 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-04-17 12:26 . 2004-08-26 16:12 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-26 16:12 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-28_14.19.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-07-31 18:56 . 2008-07-09 07:38 17272 c:\windows\system32\spmsg.dll
- 2007-07-31 18:56 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
- 2004-08-26 16:12 . 2009-06-27 11:42 52764 c:\windows\system32\perfc009.dat
+ 2004-08-26 16:12 . 2009-07-01 00:12 52764 c:\windows\system32\perfc009.dat
- 2004-08-26 16:11 . 2009-02-20 08:10 81920 c:\windows\system32\dllcache\ieencode.dll
+ 2004-08-26 16:11 . 2009-04-29 04:46 81920 c:\windows\system32\dllcache\ieencode.dll
+ 2004-08-26 16:12 . 2009-04-29 04:46 620032 c:\windows\system32\urlmon.dll
+ 2007-09-17 19:48 . 2005-07-08 04:55 176128 c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
+ 2004-08-26 16:12 . 2009-07-01 00:12 380350 c:\windows\system32\perfh009.dat
- 2004-08-26 16:12 . 2009-06-27 11:42 380350 c:\windows\system32\perfh009.dat
+ 2007-07-30 07:25 . 2001-07-09 18:50 155648 c:\windows\system32\NeroCheck.exe
+ 2007-09-17 19:41 . 2005-07-08 04:55 491520 c:\windows\system32\hphmon05.exe
+ 2004-08-26 10:54 . 2009-07-01 00:07 160344 c:\windows\system32\FNTCACHE.DAT
- 2004-08-26 10:54 . 2009-06-27 11:34 160344 c:\windows\system32\FNTCACHE.DAT
+ 2008-04-21 06:44 . 2009-04-29 04:46 666624 c:\windows\system32\dllcache\wininet.dll
+ 2008-06-26 08:15 . 2009-04-29 04:46 620032 c:\windows\system32\dllcache\urlmon.dll
+ 2009-04-15 14:51 . 2009-04-15 14:51 585216 c:\windows\system32\dllcache\rpcrt4.dll
+ 2009-05-07 15:32 . 2009-05-07 15:32 345600 c:\windows\system32\dllcache\localspl.dll
+ 2004-09-09 04:10 . 2002-09-13 20:42 212992 c:\windows\SMINST\RECGUARD.EXE
+ 2004-08-26 16:12 . 2009-04-29 04:46 1499136 c:\windows\system32\shdocvw.dll
- 2004-08-26 16:12 . 2009-03-02 23:04 1499136 c:\windows\system32\shdocvw.dll
+ 2004-08-26 16:12 . 2009-04-29 04:46 3068928 c:\windows\system32\mshtml.dll
+ 2008-10-15 11:54 . 2009-04-17 12:26 1847168 c:\windows\system32\dllcache\win32k.sys
+ 2008-06-26 08:15 . 2009-04-29 04:46 1499136 c:\windows\system32\dllcache\shdocvw.dll
- 2008-06-26 08:15 . 2009-03-02 23:04 1499136 c:\windows\system32\dllcache\shdocvw.dll
+ 2008-04-21 06:44 . 2009-04-29 04:46 3068928 c:\windows\system32\dllcache\mshtml.dll
+ 2009-07-01 00:05 . 2009-06-01 13:51 23635392 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-07-12 4112384]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-07-12 81920]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-09-12 63048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-25 1948440]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-07-12 843776]

c:\documents and settings\LSG\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-2-8 147456]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - f:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-19 20:49 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 00:35 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^run_startmenu.cmd]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\run_startmenu.cmd
backup=c:\windows\pss\run_startmenu.cmdCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^TA_Start.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\TA_Start.lnk
backup=c:\windows\pss\TA_Start.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Think-Adz.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Think-Adz.lnk
backup=c:\windows\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SAVScan"=3 (0x3)
"NPFMntor"=2 (0x2)
"navapsvc"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McAfeeAntiSpyware"=2 (0x2)
"LiveUpdate"=3 (0x3)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AOL ACS"=2 (0x2)
"SNDSrvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"Bonjour Service"=2 (0x2)
"DomainService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/26/2009 12:41 PM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/26/2009 12:41 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [6/25/2009 7:34 PM 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/25/2009 7:34 PM 298776]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [9/12/2007 10:21 AM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [10/13/2007 1:36 PM 47640]
R3 WlanUIG;NB 802.11g Wireless LAN USB Adapter Driver;c:\windows\system32\drivers\WlanUIG.sys [8/19/2007 5:17 PM 379456]
S3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [9/12/2007 10:20 AM 12192]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
Contents of the 'Scheduled Tasks' folder

2009-06-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-07-01 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2007-09-17 04:55]

2007-07-30 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 00:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0dff2b8d-38b9-47ea-96de-6243d478d32b} - (no file)
HKLM-Run-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
ShellExecuteHooks-{EAE8A482-0DE5-4488-9DBF-C8FE0B1D0497} - (no file)


.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000
DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} - hxxp://192.168.1.2/xplugLite.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-01 18:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(824)
c:\windows\system32\LMIinit.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
.
**************************************************************************
.
Completion time: 2009-07-01 18:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-01 22:45
ComboFix2.txt 2009-06-30 22:50
ComboFix3.txt 2009-06-28 14:24

Pre-Run: 28,144,144,384 bytes free
Post-Run: 28,129,886,208 bytes free

224 --- E O F --- 2009-07-01 00:06
Raktor
post Jul 2 2009, 02:46 AM
Post #9


SuperMember

Group: Malware Team
Posts: 1,201
Joined: 29-October 08
From: Melbourne, Australia
Member No.: 82,162
Operating System: Windows 7 Professional 64bit, Windows XP Pro SP3, Mac OS X 10.5, Debian 5.0



Brilliant job protoweenie.

Just a few more steps to go, hopefully.

1) Upload Malware Files
  • Go to Start >> My Computer > C:\
  • Then Navigate to the C:\Qoobox\Quarantine folder.
  • Find the archive zip file called "[4]-Submit_Date_Time.zip"
  • Simply go to This Channel and upload the submit.zip archive file.
  • Follow the instructions on that page to copy/paste/send the requested file, and repeat for all relevant files.


2) Kaspersky
Please do a scan with the Kaspersky Online Scanner
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a long time, so be patient and let it run. (At times it may appear to stall)
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Once the scan is complete, click on View scan report

To obtain the report:
  • Click on Save Report As
  • In the Save as prompt, Save in area, select: Desktop
  • In the File name area, use KScan, or something similar
  • In Save as type, click the drop arrow and select Text file [*.txt]
  • Click Save

(Note for Internet Explorer users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)

3) What You Will Need To Post:
  • Kaspersky log
  • How the PC is doing now
protoweenie
post Jul 2 2009, 03:31 PM
Post #10


New Member

Group: Authentic Member
Posts: 7
Joined: 26-June 09
Member No.: 86,436
Operating System: xp Home



Hello Raktor,

At the risk of appearing dense, I need to ask a couple of questions. The system is much more stable already and I don't want to mess it up now.
There are two submit .zip files. Do I use the latest, the first, or both?
If both, in what order?
Should I continue to disable the anti-virus software as I execute these instructions?

Thank you for sharing your time and expertise.
Raktor
post Jul 2 2009, 07:08 PM
Post #11


SuperMember

Group: Malware Team
Posts: 1,201
Joined: 29-October 08
From: Melbourne, Australia
Member No.: 82,162
Operating System: Windows 7 Professional 64bit, Windows XP Pro SP3, Mac OS X 10.5, Debian 5.0



Questions are fine.

Submit both of the zip files, it doesn't matter what order. They contain some bad files that we'll remove at the end - uploading them helps our experts analyse them and help stop other people getting into this predicament.

Keep the AV off for both of these - otherwise it will probably go nuts when you try to upload the zip files, and it will try to work against the Kaspersky online scanner when it scans. After Kaspersky, feel free to re-enable everything.
protoweenie
post Jul 3 2009, 06:55 PM
Post #12


New Member

Group: Authentic Member
Posts: 7
Joined: 26-June 09
Member No.: 86,436
Operating System: xp Home



Hello Raktor,

The system is, of course, much better. From power switch to logged on and ready in less than 2.5 minutes. I'll look to improving that myself after we've handled this much larger issue.
I don't know if it makes any difference, but I have been disabling this computer's internet connection when not online with What The Tech.com.
Here is the Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, July 3, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, July 03, 2009 21:29:36
Records in database: 2422099
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan statistics:
Files scanned: 55525
Threat name: 9
Infected objects: 26
Suspicious objects: 0
Duration of the scan: 01:35:51


File name / Threat name / Threats count
C:\Program Files\Windows Media Player\profsycyrty.html Infected: Trojan-Clicker.HTML.IFrame.dn 1
C:\Qoobox\Quarantine\C\Program Files\WinBudget\bin\carp**.1191731145.old.vir Infected: Trojan.Win32.Agent2.idd 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\bazujege.dll.vir Infected: Trojan.Win32.Monder.cmwt 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\fokitape.dll.vir Infected: Trojan.Win32.Monder.cmwt 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hojutomu.dll.vir Infected: Trojan.Win32.Monder.cmwt 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\mulanaha.dll.vir Infected: Trojan.Win32.Monder.cmwt 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\sisifeme.dll.vir Infected: Trojan.Win32.Monder.cmwt 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tasisura.dll.vir Infected: Trojan.Win32.Monder.cmwt 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\yobiwego.dll.vir Infected: Trojan.Win32.Monder.cmwt 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\__c008C0F5.dat.vir Infected: Trojan-Downloader.Win32.Clopack.a 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\___c003A344_.dat.zip Infected: Trojan-Downloader.Win32.Clopack.a 1
C:\Qoobox\Quarantine\[4]-Submit_2009-06-30_18.38.07.zip Infected: Trojan.Win32.Monder.cmwt 2
C:\Qoobox\Quarantine\[4]-Submit_2009-07-01_18.35.27.zip Infected: Trojan.Win32.Monder.cmwt 2
C:\System Volume Information\_restore{7851D717-39E1-434E-A3BE-DEB8E16E62C4}\RP648\A0023675.exe Infected: Trojan-Downloader.Win32.Clopack.a 1
C:\System Volume Information\_restore{7851D717-39E1-434E-A3BE-DEB8E16E62C4}\RP648\A0023676.exe Infected: Trojan-Downloader.Win32.Clopack.a 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP502\A0091899.exe Infected: Trojan.Win32.Small.byk 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP504\A0092978.dll Infected: Trojan.Win32.Monder.cmwt 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP505\A0093169.old Infected: Trojan.Win32.Agent2.idd 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP505\A0093223.dll Infected: Trojan.Win32.Monder.cmwt 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP507\A0095909.dll Infected: Trojan.Win32.Monder.cmwt 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GBM547GV\update[1] Infected: Trojan-Downloader.JS.LuckySploit.q 1
F:\Documents and Settings\Admin\My Documents\cleaners\Pareto_AV_Setup_RW.exe Infected: Trojan.Win32.FraudPack.oyl 1
F:\Documents and Settings\Nick\My Documents\LimeWire\Saved\greatest on earth shwayze [new album].au Infected: Trojan-Downloader.WMA.GetCodec.u 1
F:\Documents and Settings\Nick\My Documents\LimeWire\Saved\i get so high ice berg CD quality.mp3 Infected: Trojan-Downloader.WMA.GetCodec.f 1

The selected area was scanned.
Raktor
post Jul 4 2009, 03:44 AM
Post #13


SuperMember

Group: Malware Team
Posts: 1,201
Joined: 29-October 08
From: Melbourne, Australia
Member No.: 82,162
Operating System: Windows 7 Professional 64bit, Windows XP Pro SP3, Mac OS X 10.5, Debian 5.0



Final CFScript to remove the final little bits, then we're all done!

CODE
SkipFix::

File::
F:\Documents and Settings\Admin\My Documents\cleaners\Pareto_AV_Setup_RW.exe
F:\Documents and Settings\Nick\My Documents\LimeWire\Saved\greatest on earth shwayze [new album].au
F:\Documents and Settings\Nick\My Documents\LimeWire\Saved\i get so high ice berg CD quality.mp3
C:\Program Files\Windows Media Player\profsycyrty.html


Run this in the normal way.

--------------------------------------------------

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

The above procedure will reset your System Restore and clear out the backups and quarantines created during the course of this fix.

--------------------------------------------------

Speed up the performance by running a chkdsk.
Go to Start, Run and type cmd
Type in chkdsk /R, press enter, and agree to any prompts
Restart the computer, and it will run on boot.

--------------------------------------------------

1. Make your Internet Explorer More Secure
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.

    • Change the Download signed ActiveX controls to Prompt.
    • Change the Download unsigned ActiveX controls to Disable.
    • Change the Initialise and script ActiveX controls not marked as safe to Disable.
    • Change the Installation of desktop items to Prompt.
    • Change the Launching programs and files in an IFRAME to Prompt.
    • Change the Navigate sub-frames across different domains to Prompt.
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.

  • Next press the Apply button and then the OK to exit the Internet Properties page.

2. Update your Anti-Virus Software - I cannot overemphasize the need for you to update your Anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

3. Make sure you keep your Windows OS current by visiting Windows update regularly to download and install any critical updates and service packs. Without these you are leaving the back door open.

4. Consider a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
For information on how to download and install, please read this tutorial by WinHelp2002
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

5. Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program.

6. Protect your computer from internet threats with SandboxIE. This program isolates Internet Explorer from the rest of your operating system, 'sandboxing' it away - so malicious websites can't do damage to the rest of your system. There is a Getting Started guide on their website.

7. Finally, I strongly recommend that you read Miekiemoses' good advice - How to prevent Malware

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.
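The Kaspersky report in Post #12 lists 26 infected objects, but the final CFScript in Post #13 names only four of them. The difference is where each object lives: entries under C:\Qoobox\Quarantine are ComboFix's own backups and entries under System Volume Information are old restore points, both of which "Combofix /u" clears, so only the files still live on disk need an explicit File:: entry. The script below is an added example (not from the thread or from any of the tools named in it) that applies that triage to a subset of the report lines copied from Post #12 and builds the File:: section from the live findings. The category names and the "Infected:" line pattern are my own assumptions drawn from the report's layout.

```python
import re
from collections import Counter

# Eight lines copied from the Kaspersky Online Scanner 7.0 report posted in this
# thread (a constructed subset; the full report lists 26 infected objects).
SAMPLE_REPORT = r"""
C:\Program Files\Windows Media Player\profsycyrty.html Infected: Trojan-Clicker.HTML.IFrame.dn 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\bazujege.dll.vir Infected: Trojan.Win32.Monder.cmwt 1
C:\Qoobox\Quarantine\[4]-Submit_2009-07-01_18.35.27.zip Infected: Trojan.Win32.Monder.cmwt 2
C:\System Volume Information\_restore{7851D717-39E1-434E-A3BE-DEB8E16E62C4}\RP648\A0023675.exe Infected: Trojan-Downloader.Win32.Clopack.a 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GBM547GV\update[1] Infected: Trojan-Downloader.JS.LuckySploit.q 1
F:\Documents and Settings\Admin\My Documents\cleaners\Pareto_AV_Setup_RW.exe Infected: Trojan.Win32.FraudPack.oyl 1
F:\Documents and Settings\Nick\My Documents\LimeWire\Saved\greatest on earth shwayze [new album].au Infected: Trojan-Downloader.WMA.GetCodec.u 1
F:\Documents and Settings\Nick\My Documents\LimeWire\Saved\i get so high ice berg CD quality.mp3 Infected: Trojan-Downloader.WMA.GetCodec.f 1
"""

# One report line: "<path> Infected: <threat name> <count>". The path may contain
# spaces and brackets, so it is matched non-greedily up to the literal marker.
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


def classify(path):
    """Bucket a finding by where it lives, which decides how it gets removed."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"     # ComboFix's own backups; "Combofix /u" deletes them
    if "\\system volume information\\_restore" in p:
        return "restore_point"  # old System Restore snapshots; "Combofix /u" resets these
    if "\\temporary internet files\\" in p:
        return "browser_cache"  # cached web content, not an installed component
    return "live"               # a real file on disk that still needs explicit removal


def parse_report(text):
    """Return one dict per 'Infected:' line; lines that do not match are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        findings.append({
            "path": m.group("path"),
            "threat": m.group("threat"),
            "count": int(m.group("count")),
            "category": classify(m.group("path")),
        })
    return findings


def summarize(findings):
    """Counts by location bucket and by threat name, for a quick triage view."""
    by_category = Counter(f["category"] for f in findings)
    by_threat = Counter()
    for f in findings:
        by_threat[f["threat"]] += f["count"]
    return by_category, by_threat


def cfscript_file_section(findings):
    """Build the ComboFix 'File::' section from the findings that are still live."""
    live = [f["path"] for f in findings if f["category"] == "live"]
    return "File::\n" + "\n".join(live)


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    cats, threats = summarize(found)
    print("by location:", dict(cats))
    print("by threat:  ", dict(threats))
    print(cfscript_file_section(found))
```

Run against the sample, the four "live" paths are exactly the four that appear in the File:: section of Post #13; the browser-cache hit is kept in its own bucket rather than being treated as a live component, since it is cleared with the cache rather than by a file fix.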
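The six Custom Level items in step 1 of Post #13 are stored as DWORD values under the Internet zone key (Zones\3) in the current user's Internet Settings, with 0 = Enable, 1 = Prompt and 3 = Disable. The script below is an added example, not part of the thread, that checks a regedit export of that key against the post's recommended settings and renders a REGEDIT4 fragment for the items that are weaker. The value names (1001, 1004, 1201, 1607, 1800, 1804) are the documented Internet Explorer zone registry names for those labels; the export it parses is constructed for the example.

```python
import re

# Custom Level items from the post, keyed by their registry value name under
# HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
# (zone 3 = Internet). Each entry: (Custom Level label, recommended value).
LEVEL = {0: "Enable", 1: "Prompt", 3: "Disable"}
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1201": ("Initialise and script ActiveX controls not marked as safe", 3),
    "1800": ("Installation of desktop items", 1),
    "1804": ("Launching programs and files in an IFRAME", 1),
    "1607": ("Navigate sub-frames across different domains", 1),
}

ZONE3_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# A constructed regedit export of the Internet zone before the fix: most items on
# Enable, unsigned ActiveX already on Disable, and 1607 not present at all.
SAMPLE_EXPORT = "\n".join([
    "REGEDIT4",
    "",
    "[" + ZONE3_KEY + "]",
    '"1001"=dword:00000000',
    '"1004"=dword:00000003',
    '"1201"=dword:00000000',
    '"1800"=dword:00000000',
    '"1804"=dword:00000000',
    '"DisplayName"="Internet"',
    "",
])

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})$')


def parse_zone_export(text):
    """Return {value name: int} for the DWORD values inside the Internet zone section."""
    values, in_zone3 = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_zone3 = line.strip("[]").lower() == ZONE3_KEY.lower()
            continue
        m = VALUE_RE.match(line) if in_zone3 else None
        if m:
            values[m.group("name")] = int(m.group("hex"), 16)
    return values


def audit(values):
    """List (name, label, current, recommended) for each item weaker than the post's setting.

    Lower numbers are more permissive (Enable < Prompt < Disable), so an item is
    weak when current < recommended; a missing value is reported with current None.
    """
    deviations = []
    for name, (label, want) in RECOMMENDED.items():
        have = values.get(name)
        if have is None or have < want:
            deviations.append((name, label, have, want))
    return deviations


def render_fix(deviations):
    """Produce a REGEDIT4 fragment that sets each deviating item to the recommended value."""
    lines = ["REGEDIT4", "", "[" + ZONE3_KEY + "]"]
    for name, label, _have, want in deviations:
        lines.append("; %s -> %s" % (label, LEVEL[want]))
        lines.append('"%s"=dword:%08x' % (name, want))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    current = parse_zone_export(SAMPLE_EXPORT)
    for name, label, have, want in audit(current):
        print("%s %-60s %s -> %s" % (name, label, LEVEL.get(have, "missing"), LEVEL[want]))
    print(render_fix(audit(current)))
```

Values stricter than the recommendation (here 1004 already on Disable) are left alone, and a value that is absent is treated as needing the fix rather than silently passing, which is the failure mode a one-off check tends to miss.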
protoweenie
post Jul 4 2009, 07:57 AM
Post #14


New Member

Group: Authentic Member
Posts: 7
Joined: 26-June 09
Member No.: 86,436
Operating System: xp Home



Raktor,

Final steps completed and issue resolved. Thank you for your help. I'm glad that I can finally get this unit off my bench.
ken545
post Jul 4 2009, 05:32 PM
Post #15


SuperHelper

Group: Classroom Teacher
Posts: 9,913
Joined: 3-December 04
From: Darien, Connecticut
Member No.: 19,436
Operating System: Win Xp Home SP3 Vista Home Premium SP2





Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

© Geeks to Go, Inc.