Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91733 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Closed] Please help me remove Winself.exe and Ntnut32


  • This topic is locked This topic is locked
11 replies to this topic

#1 Ricky7

Ricky7

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 07 May 2008 - 11:03 PM

First i started to get pop-ups about a spyware remover and also my desktop changed to another type of ad. Asking me to click there and download a spyware remover. Some other messages were coming up in the bottom right hand corner of my screen about how my computer was running slow and i needed a spyware remover. I Downloaded AVG Anti-spyware and Anti-virus and got it deleted. But after a little while it popped up on my screen and seemed to get back on my computer. From reading other forums im sure what i have is Winself.exe. I also noticed a ntnut32.exe in my system32 folder and through a google search it seems this is also a virus/malware/worm. I am a true noob at this stuff so i need all the help i can get. Please tell me what to do.

    Advertisements

Register to Remove


#2 bob4

bob4

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,205 posts

Posted 08 May 2008 - 06:20 AM

_________________________________
Welcome to the Forums.

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear. So lets do this to the end!

  • Save and quit any work your doing before beginning the fix.
  • All hijackthis logs I ask for should be done in normal mode ( not safe mode)
  • These logs should be done last after you have followed my instructions in the previous post.


Please if you decide to seek help at another forum let us know. There is a shortage of helpers and tying 2 of us up is a waste of time.
If you have any questions about any advice given here please STOP and ask!


___________________________________
  • Create a folder called HJT either in C: or My documents or some place convienient.
  • Download Hijackthis from here.

    Place it in the folder you just created

    This will ensure we have back ups made and it doesn't get deleted.

  • Open HJT choose scan and save a log file.
  • copy the contents of that log for me in your next reply.


Do not attempt to fix anything with HJT it shows both good and bad entries and files.
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

#3 Ricky7

Ricky7

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 08 May 2008 - 10:19 AM

ok here is my log

Logfile of HijackThis v1.99.1
Scan saved at 9:18:02 AM, on 5/8/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\nnyp.exe
C:\WINDOWS\winself.exe
C:\WINDOWS\Explorer.EXE
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\kmw_run.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\My Documents\HJT\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,C:\WINDOWS\System32\wmsdkns.exe,
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: etlrlws - {65F4F8C1-B31F-40B7-9D34-98CA11EAC387} - C:\WINDOWS\etlrlws.dll (file missing)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BM9f475508] Rundll32.exe "C:\WINDOWS\System32\nbhjbiyq.dll",s
O4 - HKLM\..\Run: [9c746694] rundll32.exe "C:\WINDOWS\System32\butaxixc.dll",b
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Imrbcwm] "C:\Program Files\Common Files\?racle\s?oolsv.exe"
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O21 - SSODL: altvxvm - {FA7DBEA7-D37E-4B6C-ABF7-C38DA65042BF} - C:\WINDOWS\altvxvm.dll (file missing)
O21 - SSODL: bokpkov - {FC6D72CC-9E4D-4261-8438-47B8E6792FAD} - C:\WINDOWS\bokpkov.dll (file missing)
O21 - SSODL: WinRom - {b2832e4c-b999-4dc5-b90c-a8cca30e1a03} - C:\WINDOWS\Installer\{b2832e4c-b999-4dc5-b90c-a8cca30e1a03}\WinRom.dll (file missing)
O21 - SSODL: zip - {8f5c3c67-e1a9-4b0d-914b-a330fd8de340} - C:\WINDOWS\Installer\{8f5c3c67-e1a9-4b0d-914b-a330fd8de340}\zip.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MsSecurity (MsSecurity1.203.2) - Unknown owner - C:\WINDOWS\nnyp.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\winsysse.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#4 Ricky7

Ricky7

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 09 May 2008 - 01:52 AM

Not to be pushy but have i been forgoten? I was just curious. I dont know how long this is supposed to take so.

#5 bob4

bob4

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,205 posts

Posted 09 May 2008 - 02:25 PM

Nope... you haven't been forgotten. We are volunteers here, with paying jobs. They have to come first. :popcorn: I am looking at your log now. At times you could wait a day or so.
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

#6 bob4

bob4

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,205 posts

Posted 09 May 2008 - 02:56 PM

PLease follow these directions in the order given. :thumbup:

________________________________

Go to
Start/control panel/add remove programs ;
And Uninstall

Web Hancer

______________________________



____________________________
Open Notepad, copy and paste the following text (in bold) into the new Notepad window.


sc stop MsSecurity1.203.2
sc delete MsSecurity1.203.2

sc stop MsSecurity1.209.4
sc delete MsSecurity1.209.4



Save it to your Desktop, as type "all files", as fixservice.bat


It should now look like this icon now.
Posted Image
Now double click this file, won't see much happen.
A quick flash is about all.
Then delete the file we just made.



_________________________________
1. Download Combo fix from one of these locations. ( Please save it to your desktop )
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

DO NOT RUN IT YET




________________________________________
Open notepad and copy/paste the text in the quotebox below into it:

Killall::

File:: 
C:\WINDOWS\nnyp.exe
C:\WINDOWS\winself.exe
C:\WINDOWS\System32\wmsdkns.exe
C:\WINDOWS\etlrlws.dll
C:\WINDOWS\altvxvm.dll
C:\WINDOWS\bokpkov.dll
C:\WINDOWS\winsysse.exe
C:\WINDOWS\winself.exe
C:\WINDOWS\Installer\{8f5c3c67-e1a9-4b0d-914b-a330fd8de340}\zip.dll
C:\WINDOWS\Installer\{b2832e4c-b999-4dc5-b90c-a8cca30e1a03}\WinRom.dll


NOTE: This script was done for this user specifically.
DO NOT ATTEMPT TO USE IT IF YOU ARE NOT THIS USER
YOU WILL HURT THE WORKINGS OF YOUR COMPUTER !!
.

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:ComboFix.txt which I will need in your next reply.




***************************


_________________________
In your next reply I would like to see:
  • A new HJT log
  • The report from Combo Fix

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

#7 Ricky7

Ricky7

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 10 May 2008 - 10:06 AM

There was no Web Hancer to remove in my program list. Should i still move on to the other steps?

#8 bob4

bob4

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,205 posts

Posted 10 May 2008 - 04:11 PM

Yes continue on.
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

#9 Ricky7

Ricky7

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 10 May 2008 - 09:26 PM

Okay here is my Hijack Log

Logfile of HijackThis v1.99.1
Scan saved at 8:24:17 PM, on 5/10/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\kmw_run.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner\My Documents\HJT\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: GNX Rolex - {0D504883-70CA-48BD-A282-639753D3B0CE} - C:\WINDOWS\drnpfdxwlv.dll (file missing)
O2 - BHO: (no name) - {20E3DC97-9C63-4399-83F9-A813BF9CE814} - C:\WINDOWS\System32\pmnnl.dll (file missing)
O2 - BHO: (no name) - {2BFACC75-6A10-4B01-9806-62BEA92A4D61} - C:\WINDOWS\System32\gebyv.dll (file missing)
O2 - BHO: (no name) - {3331BDED-5357-76DC-5115-2B00B6C58FCD} - C:\WINDOWS\System32\uxeaxr.dll (file missing)
O2 - BHO: (no name) - {5A519EDB-B9A3-471F-BDB9-CB0FF3CD25BA} - C:\WINDOWS\System32\jkhfe.dll (file missing)
O2 - BHO: (no name) - {69292029-BF2F-4419-B2AF-3629430AF7DC} - C:\WINDOWS\System32\jkkjj.dll (file missing)
O2 - BHO: (no name) - {6B8CF65E-AF19-42C0-ADB6-82AE625A0A4B} - C:\WINDOWS\System32\ssqpn.dll (file missing)
O2 - BHO: (no name) - {C9781858-C951-4620-A24E-D2C7196E13A0} - C:\WINDOWS\System32\awtqn.dll (file missing)
O2 - BHO: (no name) - {D0FD2BE0-052D-45E4-96C7-DABA8EDFEA53} - C:\WINDOWS\System32\vtsqq.dll (file missing)
O2 - BHO: (no name) - {E7826D07-780B-4157-BD69-41A08D7750B3} - C:\WINDOWS\System32\awvvu.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: etlrlws - {65F4F8C1-B31F-40B7-9D34-98CA11EAC387} - C:\WINDOWS\etlrlws.dll (file missing)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BM9f475508] Rundll32.exe "C:\WINDOWS\System32\nbhjbiyq.dll",s
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Imrbcwm] "C:\Program Files\Common Files\?racle\s?oolsv.exe"
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: nnnmlif - nnnmlif.dll (file missing)
O20 - Winlogon Notify: WB - C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll
O21 - SSODL: altvxvm - {FA7DBEA7-D37E-4B6C-ABF7-C38DA65042BF} - C:\WINDOWS\altvxvm.dll (file missing)
O21 - SSODL: bokpkov - {FC6D72CC-9E4D-4261-8438-47B8E6792FAD} - C:\WINDOWS\bokpkov.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\winsysse.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

And my Combofix log

ComboFix 08-05-09.1 - Owner 2008-05-10 20:10:12.1 - NTFSx86

Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\altvxvm.dll
C:\WINDOWS\bokpkov.dll
C:\WINDOWS\etlrlws.dll
C:\WINDOWS\Installer\{8f5c3c67-e1a9-4b0d-914b-a330fd8de340}\zip.dll
C:\WINDOWS\Installer\{b2832e4c-b999-4dc5-b90c-a8cca30e1a03}\WinRom.dll
C:\WINDOWS\nnyp.exe
C:\WINDOWS\System32\wmsdkns.exe
C:\WINDOWS\winself.exe
C:\WINDOWS\winsysse.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Application Data\Rabio
C:\Documents and Settings\Owner\Application Data\SSTEM~1
C:\Documents and Settings\Owner\Application Data\SSTEM~1\s?stem\
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\Common Files\racle~1
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\matrix.dat
C:\WINDOWS\default.htm
C:\WINDOWS\Installer\{8f5c3c67-e1a9-4b0d-914b-a330fd8de340}\zip.dll
C:\WINDOWS\Installer\{b2832e4c-b999-4dc5-b90c-a8cca30e1a03}\WinRom.dll
C:\WINDOWS\Installer\id53.exe
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\nnyp.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\7620\14672.dll
C:\WINDOWS\system32\7620\23068.dll
C:\WINDOWS\system32\afnsojvt.ini
C:\WINDOWS\system32\bbepgvyq.ini
C:\WINDOWS\system32\bjcihjry.dll
C:\WINDOWS\system32\brsrnhhy.ini
C:\WINDOWS\system32\butaxixc.dll
C:\WINDOWS\system32\cxixatub.ini
C:\WINDOWS\system32\dlcbggsn.ini
C:\WINDOWS\system32\dsembidb.ini
C:\WINDOWS\system32\efhkj.ini
C:\WINDOWS\system32\efhkj.ini2
C:\WINDOWS\system32\eklvpywh.ini
C:\WINDOWS\system32\fawhocpu.dll
C:\WINDOWS\system32\fwgopsnq.ini
C:\WINDOWS\system32\ghsxbsax.ini
C:\WINDOWS\system32\hwypvlke.dll
C:\WINDOWS\system32\jjkkj.ini
C:\WINDOWS\system32\jjkkj.ini2
C:\WINDOWS\system32\jjkmp.ini
C:\WINDOWS\system32\jjkmp.ini2
C:\WINDOWS\system32\jujebxsk.dll
C:\WINDOWS\system32\limnuxpm.ini
C:\WINDOWS\system32\lnnmp.ini
C:\WINDOWS\system32\lnnmp.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\najltrem.dll
C:\WINDOWS\system32\nkhenljg.dll
C:\WINDOWS\system32\npqss.ini
C:\WINDOWS\system32\npqss.ini2
C:\WINDOWS\system32\nqtwa.ini
C:\WINDOWS\system32\nqtwa.ini2
C:\WINDOWS\system32\ntnut32.exe
C:\WINDOWS\system32\opyijiah.dll
C:\WINDOWS\system32\pjsrivpp.dll
C:\WINDOWS\system32\pmkjj.dll
C:\WINDOWS\system32\ppvirsjp.ini
C:\WINDOWS\system32\pynhxvbp.dll
C:\WINDOWS\system32\qmekubfd.ini
C:\WINDOWS\system32\qqstv.ini
C:\WINDOWS\system32\qqstv.ini2
C:\WINDOWS\system32\rvpnjxop.dll
C:\WINDOWS\system32\smpgwqqs.dll
C:\WINDOWS\system32\tuvhxgxp.ini
C:\WINDOWS\system32\ujcayfsc.dll
C:\WINDOWS\system32\upcohwaf.ini
C:\WINDOWS\system32\usvhyvre.dll
C:\WINDOWS\system32\uvvwa.ini
C:\WINDOWS\system32\uvvwa.ini2
C:\WINDOWS\system32\uwdwwjbl.ini
C:\WINDOWS\system32\vslqxyjj.dll
C:\WINDOWS\system32\vybeg.ini
C:\WINDOWS\system32\vybeg.ini2
C:\WINDOWS\system32\wheuvodw.dll
C:\WINDOWS\system32\yowhkndj.ini
C:\WINDOWS\TEMP\salm.exe
C:\WINDOWS\winself.exe

----- BITS: Possible infected sites -----

hxxp://80.93.48.74
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MsSecurity1.203.2


((((((((((((((((((((((((( Files Created from 2008-04-11 to 2008-05-11 )))))))))))))))))))))))))))))))
.

2008-05-09 23:57 . 2008-05-09 23:57 90,112 --a------ C:\WINDOWS\swinsecur.exe
2008-05-09 23:57 . 2008-05-09 23:57 64,000 --a------ C:\WINDOWS\system32\winsconfg.dll
2008-05-07 19:21 . 2008-05-09 23:57 12 -r-hs---- C:\WINDOWS\winxd.xc
2008-05-07 18:58 . 2003-10-10 22:19 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-05-07 18:58 . 2003-10-13 22:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-05-07 18:58 . 2003-10-10 21:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-05-07 18:58 . 2003-10-10 22:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-05-07 18:58 . 2003-10-13 22:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\interMute
2008-05-07 18:58 . 2008-05-07 18:58 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-07 18:58 . 2008-05-10 20:09 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-05-06 10:33 . 2008-05-06 10:33 389 --a------ C:\Shortcut to WINDOWS.lnk
2008-05-06 09:45 . 2008-05-07 19:28 1,916 --a------ C:\WINDOWS\system32\default.htm
2008-05-01 19:53 . 2008-05-10 20:14 <DIR> d-------- C:\WINDOWS\system32\7620
2008-05-01 19:53 . 2008-05-01 19:53 29,696 --a------ C:\nnyp.exe
2008-05-01 19:53 . 2008-05-09 23:57 317 -r-hs---- C:\WINDOWS\mscon.vga
2008-05-01 19:53 . 2008-05-09 23:57 33 -r-hs---- C:\WINDOWS\conlex.eom
2008-05-01 18:50 . 2008-05-01 18:50 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Sony Setup
2008-05-01 18:49 . 2008-05-01 18:49 <DIR> d-------- C:\Program Files\Sony Setup
2008-04-29 19:53 . 2008-04-29 19:53 <DIR> d-------- C:\Program Files\TechSmith
2008-04-29 19:53 . 2008-04-29 19:53 <DIR> d-------- C:\Program Files\Common Files\TechSmith Shared
2008-04-29 19:47 . 2008-04-29 19:47 <DIR> d-------- C:\Program Files\Common Files\Vbox
2008-04-29 19:45 . 2008-04-29 19:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-04-29 19:44 . 2008-04-29 19:44 <DIR> d-------- C:\Program Files\Roxio
2008-04-29 19:44 . 2008-04-29 19:44 <DIR> d-------- C:\Program Files\directx
2008-04-29 19:44 . 2008-04-29 19:44 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2008-04-29 19:44 . 2008-04-29 19:44 <DIR> d-------- C:\Program Files\Common Files\Adaptec Shared
2008-04-29 19:44 . 2008-04-29 19:44 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Roxio
2008-04-29 19:44 . 2008-04-29 19:44 61,424 --a------ C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-04-29 19:44 . 2008-04-29 19:44 57,344 --a------ C:\WINDOWS\uneng.exe
2008-04-29 19:44 . 2008-04-29 19:44 49,152 --a------ C:\WINDOWS\system32\cdrtc.dll
2008-04-29 19:44 . 2008-04-29 19:44 45,056 --a------ C:\WINDOWS\system32\cdral.dll
2008-04-29 19:44 . 2008-04-29 19:44 23,420 --a------ C:\WINDOWS\system32\drivers\cdralw2k.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-10 15:00 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2008-05-08 16:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-04-28 15:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-26 23:03 28,256 ----a-w C:\WINDOWS\system32\drivers\MxlW2k.sys
2008-03-30 22:57 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-30 22:56 --------- d-----w C:\Program Files\Symantec
2008-03-30 22:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-18 14:41 --------- d-----w C:\Program Files\Common Files\AOL
2008-03-18 14:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-03-15 23:56 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-15 23:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-15 09:46 --------- d-----w C:\Documents and Settings\Owner\Application Data\Grisoft
2008-03-15 07:50 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-03-14 18:34 --------- d-----w C:\Program Files\Gravity
2008-03-13 03:27 50,520 ----a-w C:\WINDOWS\system32\csvidcap.dll
2008-03-12 09:37 107,864 ----a-w C:\WINDOWS\system32\tsccvid.dll
2005-02-26 23:15 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D504883-70CA-48BD-A282-639753D3B0CE}]
C:\WINDOWS\drnpfdxwlv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20E3DC97-9C63-4399-83F9-A813BF9CE814}]
C:\WINDOWS\System32\pmnnl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2BFACC75-6A10-4B01-9806-62BEA92A4D61}]
C:\WINDOWS\System32\gebyv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3331BDED-5357-76DC-5115-2B00B6C58FCD}]
C:\WINDOWS\System32\uxeaxr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A519EDB-B9A3-471F-BDB9-CB0FF3CD25BA}]
C:\WINDOWS\System32\jkhfe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69292029-BF2F-4419-B2AF-3629430AF7DC}]
C:\WINDOWS\System32\jkkjj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6B8CF65E-AF19-42C0-ADB6-82AE625A0A4B}]
C:\WINDOWS\System32\ssqpn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C9781858-C951-4620-A24E-D2C7196E13A0}]
C:\WINDOWS\System32\awtqn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D0FD2BE0-052D-45E4-96C7-DABA8EDFEA53}]
C:\WINDOWS\System32\vtsqq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E7826D07-780B-4157-BD69-41A08D7750B3}]
C:\WINDOWS\System32\awvvu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{65F4F8C1-B31F-40B7-9D34-98CA11EAC387}"= "C:\WINDOWS\etlrlws.dll" [ ]

[HKEY_CLASSES_ROOT\clsid\{65f4f8c1-b31f-40b7-9d34-98ca11eac387}]
[HKEY_CLASSES_ROOT\etlrlws.1]
[HKEY_CLASSES_ROOT\TypeLib\{0588B0D8-A150-41F8-8990-AC5DFE0905E5}]
[HKEY_CLASSES_ROOT\etlrlws]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"="" []
"NVIEW"="nview.dll" [2003-08-19 02:56 852038 C:\WINDOWS\system32\nview.dll]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 05:00 13312]
"BackupNotify"="c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" [2003-06-22 21:25 24576]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 22:08 1511453]
"Imrbcwm"="C:\Program Files\Common Files\?racle\s?oolsv.exe" [ ]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-04-01 18:35 3587120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 16:04 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 07:07 114688]
"CamMonitor"="c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 07:23 90112]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [ ]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-23 02:55 483328]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 20:02 61440]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 08:01 110592]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-10-10 21:58 151597]
"AutoTKit"="C:\hp\bin\AUTOTKIT.EXE" [2003-06-18 19:19 53248]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 21:42 212992]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-08-19 02:56 4841472]
"nwiz"="nwiz.exe" [2003-08-19 02:56 323584 C:\WINDOWS\system32\nwiz.exe]
"VTTimer"="VTTimer.exe" []
"LTMSG"="LTMSG.exe" [2003-07-14 17:52 40960 C:\WINDOWS\ltmsg.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-03 13:35 50176 C:\WINDOWS\ALCXMNTR.EXE]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 16:57 81920]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-08-14 20:11 139264]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2003-07-23 16:37 53248]
"kmw_run.exe"="kmw_run.exe" [2002-12-23 11:02 102400 C:\WINDOWS\system32\kmw_run.exe]
"MSWheel"="" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 14:54 241664]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 16:55 267064]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25 6731312]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-17 09:59 579584]
"BM9f475508"="C:\WINDOWS\System32\nbhjbiyq.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-15 12:11 219136]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
AutoTBar.exe [2003-06-18 19:19:08 53248]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSub.exe [2003-10-13 22:24:52 557056]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2004-03-28 13:46:09 36953]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-07-30 04:49:48 57344]
Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-10-10 22:26:40 16384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"altvxvm"= {FA7DBEA7-D37E-4B6C-ABF7-C38DA65042BF} - C:\WINDOWS\altvxvm.dll [ ]
"bokpkov"= {FC6D72CC-9E4D-4261-8438-47B8E6792FAD} - C:\WINDOWS\bokpkov.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnmlif]
nnnmlif.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll 2001-12-20 23:34 24576 C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

R2 npkcmsvc;npkcmsvc;C:\Nexon\Mabinogi\npkcmsvc.exe [2007-08-02 12:33]
R3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\System32\DRIVERS\KMW_KBD.sys [2002-12-09 18:19]
S2 PlugPlayRPC;Plug and Play (RPC);C:\WINDOWS\winsysse.exe service []
S2 UDNT;UDNT;C:\WINDOWS\System32\drivers\UDNT.sys [1998-09-18 16:18]
S3 KMW_SYS;Kensington MouseWorks Mouse filter driver;C:\WINDOWS\System32\DRIVERS\KMW_SYS.sys [2002-12-09 18:20]
S3 KMW_USB;Kensington MouseWorks USB filter driver;C:\WINDOWS\System32\DRIVERS\KMW_USB.sys [2002-12-09 18:19]

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
.
Contents of the 'Scheduled Tasks' folder
"2008-05-08 23:45:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2006-03-26 21:28:48 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-10 20:16:35
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP.NEW 468 bytes
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP.NEW 2672 bytes
C:\WINDOWS\system32\wbem\Repository\FS\ROLL_FORWARD 0 bytes

scan completed successfully
hidden files: 3

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
.
**************************************************************************
.
Completion time: 2008-05-10 20:23:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-11 03:23:04

Pre-Run: 96,749,494,272 bytes free
Post-Run: 98,790,445,056 bytes free

291

#10 bob4

bob4

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,205 posts

Posted 19 May 2008 - 04:53 AM

I am sorry. This time you were forgotten as I didn't recieve an Email that you had replied. Accept my apology.
____________________________
Open Notepad, copy and paste the following text (in bold) into the new Notepad window.


sc stop PlugPlayRPC

sc delete PlugPlayRPC


Save it to your Desktop, as type "all files", as fixservice.bat


It should now look like this icon now.
Posted Image
Now double click this file, won't see much happen.
A quick flash is about all.
Then you may delete the file we just made.


________________________________________
Open notepad and copy/paste the text in the quotebox below into it:

Killall::
File:: 
C:\WINDOWS\winsysse.exe
C:\WINDOWS\bokpkov.dll
C:\WINDOWS\altvxvm.dll
C:\WINDOWS\swinsecur.exe
C:\WINDOWS\system32\winsconfg.dll
C:\nnyp.exe

DirLook:: 
 C:\WINDOWS\system32\7620

Registry:: 

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D504883-70CA-48BD-A282-639753D3B0CE}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20E3DC97-9C63-4399-83F9-A813BF9CE814}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2BFACC75-6A10-4B01-9806-62BEA92A4D61}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3331BDED-5357-76DC-5115-2B00B6C58FCD}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A519EDB-B9A3-471F-BDB9-CB0FF3CD25BA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69292029-BF2F-4419-B2AF-3629430AF7DC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6B8CF65E-AF19-42C0-ADB6-82AE625A0A4B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C9781858-C951-4620-A24E-D2C7196E13A0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D0FD2BE0-052D-45E4-96C7-DABA8EDFEA53}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E7826D07-780B-4157-BD69-41A08D7750B3}]
[-HKEY_CLASSES_ROOT\clsid\{65f4f8c1-b31f-40b7-9d34-98ca11eac387}]
[-HKEY_CLASSES_ROOT\etlrlws.1]
[-HKEY_CLASSES_ROOT\TypeLib\{0588B0D8-A150-41F8-8990-AC5DFE0905E5}]
[-HKEY_CLASSES_ROOT\etlrlws]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Imrbcwm"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{65F4F8C1-B31F-40B7-9D34-98CA11EAC387}"= -
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM9f475508"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"altvxvm"=-
"bokpkov"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnmlif]


NOTE: This script was done for this user specifically.
DO NOT ATTEMPT TO USE IT IF YOU ARE NOT THIS USER
YOU WILL HURT THE WORKINGS OF YOUR COMPUTER !!
.

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:ComboFix.txt which I will need in your next reply.



_____________________________
Submit a file to Jotti
Please go here : http://virusscan.jotti.org/
On top of the page there is a field to add the filepath, copy and paste these filepaths: 1 at a time.


C:\WINDOWS\mscon.vga
C:\WINDOWS\winxd.xc
C:\WINDOWS\conlex.eom



Then hit Submit
The scan will take a while before the result comes up so please be patient.
Then copy the result and post it here in this thread.

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustota...l/index_en.html

____________________________________________________



Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post the contents of that log.

    If you accidently close it you may find it here.
    Start -> All Programs -> Malwarebytes' Anti-Malware -> Logs




    _________________________
    In your next reply I would like to see: [list]
  • A new HJT log
  • The report fromComboFix
  • The report from Malwarebytes

Edited by bob4, 19 May 2008 - 05:57 PM.

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

#11 bob4

bob4

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,205 posts

Posted 22 May 2008 - 02:11 PM

still needing help ?
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

#12 bob4

bob4

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,205 posts

Posted 24 May 2008 - 05:18 AM

Due to inactivity this topic will be closed. If you need help please start a new thread and post a new HJT log
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users