Hey guys. I would really appreciate your help. My avast always prompts me of a rootkit problem (?) and I'm not sure what's wrong. I've tried to fix (?) it using avast but it's still there when I boot up.
What do I need to do to fix this? I don't know if this is a trojan so I just placed it here.

Below is my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:13:03 PM, on 9/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AhnRpta.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackCheck\HCheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {3BE3AF9E-49FA-48CF-84B6-73D9A294364B} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6C1712C3-9C13-41EF-97E2-48C8E5848781} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKCU\..\Run: [cdoosoft] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\herss.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [cdoosoft] C:\WINDOWS\TEMP\herss.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [cdoosoft] C:\WINDOWS\TEMP\herss.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1224181774406
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: awtTMCRj - awtTMCRj.dll (file missing)
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9bb6830ea80fc) (gupdate1c9bb6830ea80fc) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 11421 bytes


Would really appreciate any help.

Thank you!

Hi Wuzzie

Yup, you got baddies. Since this is a holiday here in the US, and Ironbender and HKEY Ed and in foreign countries (different time zones), have some patience. Here is something to do that will save some time when one of them posts in.

Take your Hijack This file and rename it - 123Wuzzie will work nicely - and rescan and post a fresh log. The reason is that these malware are seriously sophisticated now, and can recognize the name Hijack This and actually shut down or even prevent it from running. In fact, this is a good policy for every utility you will be asked to download and run, even including Malwarebytes-change the name of the file first.

Someone will be along to help you.

It's hollyday here... september 7, our Independence day.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

O2 - BHO: (no name) - {3BE3AF9E-49FA-48CF-84B6-73D9A294364B} - (no file)

O2 - BHO: (no name) - {6C1712C3-9C13-41EF-97E2-48C8E5848781} - (no file)

O4 - HKCU\..\Run: [cdoosoft] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\herss.exe

O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [cdoosoft] C:\WINDOWS\TEMP\herss.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [cdoosoft] C:\WINDOWS\TEMP\herss.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')

O20 - Winlogon Notify: awtTMCRj - awtTMCRj.dll (file missing)

Click on Fix Checked when finished and exit HijackThis.

- Download and run CrapCleaner from http://www.ccleaner.com/
Note: in CCleaner: go to <options/advanced> Uncheck "Only delete files in Windows Temp folders older than 48 hours".

- Download Malwarebytes Anti-Malware from http://www.majorgeeks.com/Malwarebyte'...ware_d5756.html to the desktop.

- Double-click on Download_mbam-setup.exe to install the application.
- When the installation begins, follow the prompts and do not make any changes to default settings.
- When installation has finished, make sure you leave both these checked:
- Update Malwarebytes Anti-Malware
- Launch Malwarebytes Anti-Malware
- Then click Finish.

- MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
- On the Scanner tab:
- Make sure the "Perform Full Scan" option is selected.
- Then click on the Scan button.
- The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.

- The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.

When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
- Click OK to close the message box and continue with the removal process.
- Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
- Make sure that everything is checked, and click Remove Selected.
- When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)

The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.

Copy and paste the contents of that report in your next reply along with a fresh HijackThis log and exit MBAM.

NB - If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process and, if asked to restart the computer, please do so immediately.

Post the mbam report along with a fresh HJT log.

Chris

Hi ironbender. thanks for the reply. will have to do this on a weekend since scanning would probably take a long time.

will repost logs next week.

thanks

Don't take too long... things may get worse.

Chris

Hi Ironbender, was able to finally do the mbam scan...took about 5 hours...

HJT LOG
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:52 PM, on 9/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackCheck\HCheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1224181774406
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9bb6830ea80fc) (gupdate1c9bb6830ea80fc) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 9674 bytes


MBAM LOG
Malwarebytes' Anti-Malware 1.41
Database version: 2788
Windows 5.1.2600 Service Pack 3

9/19/2009 9:48:39 PM
mbam-log-2009-09-19 (21-48-39).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 274537
Time elapsed: 4 hour(s), 53 minute(s), 45 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 81

Memory Processes Infected:
C:\WINDOWS\AhnRpta.exe (Trojan.Backdoor) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\e8main0.dll (Spyware.OnlineGames) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{bb4c402f-882a-4526-8c08-51278ea437c1} (Spyware.OnlineGames) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\MADOWN (Worm.Magania) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{bb4c402f-882a-4526-8c08-51278ea437c1} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdoosoft (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\e8main0.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\22yj2fy1.exe (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\6rxt26.exe (Worm.Magania) -> Quarantined and deleted successfully.
C:\8dtyjjf.exe (Worm.Magania) -> Quarantined and deleted successfully.
C:\9u.exe (Worm.Magania) -> Quarantined and deleted successfully.
C:\aphqg.exe (Worm.Magania) -> Quarantined and deleted successfully.
C:\hm1bfpuj.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\hx.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\ktly.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\lcw.exe (Worm.Magania) -> Quarantined and deleted successfully.
C:\m.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\m1eqos3.exe (Worm.Magania) -> Quarantined and deleted successfully.
C:\mb9x.exe (Worm.Magania) -> Quarantined and deleted successfully.
C:\mt2.exe (Worm.Magania) -> Quarantined and deleted successfully.
C:\q1alx.exe (Worm.Magania) -> Quarantined and deleted successfully.
C:\rx.exe (Worm.Magania) -> Quarantined and deleted successfully.
C:\u0riu2.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\ukfbi3aw.exe (Worm.Magania) -> Quarantined and deleted successfully.
C:\w9hw8.exe (Worm.Magania) -> Quarantined and deleted successfully.
C:\wbj.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\y8.exe (Worm.Magania) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\nmdfgds0.dll (Worm.Magania) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\nmdfgds1.dll (Worm.Magania) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\olhrwef.exe (Worm.Magania) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3E818600-D1C7-47EE-AF67-718522E341ED}\RP109\A0052345.exe (Worm.Magania) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3E818600-D1C7-47EE-AF67-718522E341ED}\RP109\A0052363.exe (Worm.Magania) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3E818600-D1C7-47EE-AF67-718522E341ED}\RP109\A0052506.exe (Worm.Magania) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3E818600-D1C7-47EE-AF67-718522E341ED}\RP109\A0052394.exe (Worm.Magania) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3E818600-D1C7-47EE-AF67-718522E341ED}\RP109\A0052600.exe (Worm.Magania) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3E818600-D1C7-47EE-AF67-718522E341ED}\RP109\A0052649.exe (Worm.Magania) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3E818600-D1C7-47EE-AF67-718522E341ED}\RP110\A0052765.exe (Worm.Magania) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3E818600-D1C7-47EE-AF67-718522E341ED}\RP110\A0052789.exe (Worm.Magania) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3E818600-D1C7-47EE-AF67-718522E341ED}\RP111\A0052832.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3E818600-D1C7-47EE-AF67-718522E341ED}\RP112\A0052980.exe (Worm.Magania) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3E818600-D1C7-47EE-AF67-718522E341ED}\RP112\A0053022.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3E818600-D1C7-47EE-AF67-718522E341ED}\RP113\A0053026.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3E818600-D1C7-47EE-AF67-718522E341ED}\RP113\A0053064.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
D:\22yj2fy1.exe (Worm.AutoRun) -> Quarantined and deleted successfully.
D:\6rxt26.exe (Worm.Magania) -> Quarantined and deleted successfully.
D:\8dtyjjf.exe (Worm.Magania) -> Quarantined and deleted successfully.
D:\9u.exe (Worm.Magania) -> Quarantined and deleted successfully.
D:\aphqg.exe (Worm.Magania) -> Quarantined and deleted successfully.
D:\rx.exe (Worm.Magania) -> Quarantined and deleted successfully.
D:\hm1bfpuj.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
D:\hx.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
D:\ktly.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
D:\lcw.exe (Worm.Magania) -> Quarantined and deleted successfully.
D:\m.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
D:\m1eqos3.exe (Worm.Magania) -> Quarantined and deleted successfully.
D:\mb9x.exe (Worm.Magania) -> Quarantined and deleted successfully.
D:\mt2.exe (Worm.Magania) -> Quarantined and deleted successfully.
D:\u0riu2.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
D:\ukfbi3aw.exe (Worm.Magania) -> Quarantined and deleted successfully.
D:\w9hw8.exe (Worm.Magania) -> Quarantined and deleted successfully.
D:\wbj.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
D:\y8.exe (Worm.Magania) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{3E818600-D1C7-47EE-AF67-718522E341ED}\RP109\A0052347.exe (Worm.Magania) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{3E818600-D1C7-47EE-AF67-718522E341ED}\RP109\A0052365.exe (Worm.Magania) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{3E818600-D1C7-47EE-AF67-718522E341ED}\RP109\A0052396.exe (Worm.Magania) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{3E818600-D1C7-47EE-AF67-718522E341ED}\RP109\A0052508.exe (Worm.Magania) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{3E818600-D1C7-47EE-AF67-718522E341ED}\RP109\A0052602.exe (Worm.Magania) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{3E818600-D1C7-47EE-AF67-718522E341ED}\RP109\A0052651.exe (Worm.Magania) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{3E818600-D1C7-47EE-AF67-718522E341ED}\RP109\A0052713.exe (Dont.Steal.Our.Software.A) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{3E818600-D1C7-47EE-AF67-718522E341ED}\RP110\A0052767.exe (Worm.Magania) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{3E818600-D1C7-47EE-AF67-718522E341ED}\RP110\A0052791.exe (Worm.Magania) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{3E818600-D1C7-47EE-AF67-718522E341ED}\RP111\A0052834.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{3E818600-D1C7-47EE-AF67-718522E341ED}\RP112\A0052982.exe (Worm.Magania) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{3E818600-D1C7-47EE-AF67-718522E341ED}\RP112\A0052993.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{3E818600-D1C7-47EE-AF67-718522E341ED}\RP112\A0053024.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{3E818600-D1C7-47EE-AF67-718522E341ED}\RP113\A0053028.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{3E818600-D1C7-47EE-AF67-718522E341ED}\RP113\A0053066.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\p.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\mqhnawe.bat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\autorun.inf (SuspectAutorun.Rootdrive.H) -> Quarantined and deleted successfully.
C:\xs6kpr0.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\cvasds0.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\cvasds0.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\Documents and Settings\Administrator\Local Settings\Temp\cvasds1.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\herss.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\herss.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\AhnRpta.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.

Hope my pc's ok...

Thanks!

Seems OK to me, but, you had a can of worms in there, so, I'll ask you to run Combofix...

Download Combofix to your desktop by clicking here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Double click combofix.exe and follow the prompts.
When finished, it will produce a log for you. Post that log in your next reply.
Note:
Disconnect from the internet (unplug the cable), close all windows and any program on your system tray, including your antivirus. Do not mouseclick or type anything while combofix is running. That may cause it to stall.

You can safely ignore warnings about not having the recovery console installed. Run it only once !

Post the Combofix report along with a fresh HJT log.

Chris

Hello...already ran Combo fix

Combofix log
ComboFix 09-09-18.02 - Administrator 09/20/2009 15:53.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.221 [GMT 8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\9vlgaqms.cmd
C:\g8k.exe
C:\ph.exe
C:\Pkkwng.exe
c:\windows\Installer\1e4f85.msi
c:\windows\Installer\1e4f86.msp
c:\windows\Installer\1e4f87.msp
c:\windows\Installer\1e4f88.msp
c:\windows\Installer\1e4f89.msp
c:\windows\Installer\1e4f8a.msp
c:\windows\Installer\1e4f8b.msp
c:\windows\Installer\1e4f8c.msp
c:\windows\Installer\1e4f8d.msp
c:\windows\Installer\1e4f8e.msp
c:\windows\Installer\1e4f8f.msp
c:\windows\Installer\28871f.msi
c:\windows\Installer\288720.msp
c:\windows\Installer\288721.msp
c:\windows\Installer\288722.msp
c:\windows\Installer\288723.msp
c:\windows\Installer\288724.msp
c:\windows\Installer\288725.msp
c:\windows\Installer\288726.msp
c:\windows\Installer\288727.msp
c:\windows\Installer\288728.msp
c:\windows\Installer\288729.msp
c:\windows\Installer\7398c.msp
c:\windows\Installer\c2112c.msp
c:\windows\Installer\db835.msi
c:\windows\Installer\db836.msp
c:\windows\Installer\db837.msp
c:\windows\Installer\db838.msp
c:\windows\Installer\db839.msp
c:\windows\Installer\db83a.msp
c:\windows\Installer\db83b.msp
c:\windows\Installer\db83c.msp
c:\windows\Installer\db83d.msp
c:\windows\Installer\db83e.msp
c:\windows\Installer\db83f.msp
c:\windows\system32\_000012_.tmp.dll
c:\windows\system32\bjppypol.ini
c:\windows\system32\enrpgyyw.ini
c:\windows\system32\ggstoz.dll
c:\windows\system32\gxeococo.ini
c:\windows\system32\huuknhia.ini
c:\windows\system32\mtlwqqhv.ini
c:\windows\system32\mvtbcbpc.ini
c:\windows\system32\NVFhQXbc.ini
c:\windows\system32\NVFhQXbc.ini2
c:\windows\system32\qisvdmrx.ini
c:\windows\system32\YbaGNnpo.ini
c:\windows\system32\YbaGNnpo.ini2
c:\windows\system32\ycdxawkr.dll
c:\windows\system32\yenltaav.ini
C:\wrsf.exe
D:\9vlgaqms.cmd
D:\autorun.inf
D:\g8k.exe
D:\mqhnawe.bat
D:\p.exe
D:\ph.exe
D:\pkkwng.exe
D:\q1alx.exe
D:\wrsf.exe
D:\xs6kpr0.exe

.
((((((((((((((((((((((((( Files Created from 2009-08-20 to 2009-09-20 )))))))))))))))))))))))))))))))
.

2009-09-13 12:18 . 2009-09-10 06:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-13 12:18 . 2009-09-13 12:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 12:18 . 2009-09-10 06:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-20 07:27 . 2009-04-12 12:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-13 11:38 . 2008-10-16 18:59 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-13 11:36 . 2008-10-16 20:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-07 13:58 . 2008-10-26 02:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\BitTorrent
2009-09-07 11:29 . 2008-10-19 12:18 -------- d-----w- c:\documents and settings\Administrator\Application Data\FrostWire
2009-08-18 13:02 . 2008-10-17 14:39 90224 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-15 14:13 . 2009-08-15 14:13 -------- d-----w- c:\program files\Linksys
2009-08-15 14:10 . 2009-08-15 14:10 -------- d-----w- c:\program files\Pure Networks
2009-08-15 14:09 . 2009-08-15 14:09 -------- d-----w- c:\program files\WebEx
2009-08-15 14:09 . 2009-08-15 14:09 8673792 ----a-w- c:\documents and settings\All Users\Application Data\atscie.msi
2009-08-15 14:08 . 2009-08-15 14:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Pure Networks
2009-08-15 14:07 . 2009-08-15 14:07 -------- d-----w- c:\program files\Common Files\Pure Networks Shared
2009-08-05 09:01 . 2008-04-14 08:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-22 15:29 . 2009-07-22 14:58 117549 ----a-w- c:\windows\hpoins11.dat
2009-07-22 15:18 . 2009-07-22 15:16 -------- d-----w- c:\program files\Common Files\HP
2009-07-22 15:14 . 2009-07-22 15:12 -------- d-----w- c:\program files\Hewlett-Packard
2009-07-17 19:01 . 2008-04-14 08:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 15:43 . 2008-07-12 19:25 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2008-04-23 00:16 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2009-06-25 08:25 56832 ----a-w- c:\windows\system32\SET24B.tmp
2009-06-25 08:25 . 2009-06-25 08:25 54272 ----a-w- c:\windows\system32\SET24A.tmp
2009-06-25 08:25 . 2009-06-25 08:25 301568 ----a-w- c:\windows\system32\SET24E.tmp
2009-06-25 08:25 . 2009-06-25 08:25 147456 ----a-w- c:\windows\system32\SET24C.tmp
2009-06-25 08:25 . 2009-06-25 08:25 136192 ----a-w- c:\windows\system32\SET24D.tmp
2009-06-25 08:25 . 2008-04-14 08:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-24 11:18 . 2008-04-14 08:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-04-27 04:41 . 2009-04-27 04:41 1398061 --sha-w- c:\windows\system32\huuknhia.tmp
.

------- Sigcheck -------

[-] 2008-07-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 79224]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-02-09 65024]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\H:\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"67:UDP"= 67:UDP:DHCP Discovery Service

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [10/17/2008 12:44 AM 75856]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/17/2008 12:44 AM 20560]
S2 gupdate1c9bb6830ea80fc;Google Update Service (gupdate1c9bb6830ea80fc);c:\program files\Google\Update\GoogleUpdate.exe [4/12/2009 8:13 PM 133104]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-12 12:10]

2009-09-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-12 12:13]

2009-09-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-12 12:13]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &Search
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: microsoft.com\*.update
Trusted Zone: windowsupdate.com\download
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\opyw2n4o.default\
FF - prefs.js: browser.search.selectedEngine - OneRiot Social Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.ph/
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\opyw2n4o.default\extensions\{f0750210-f334-4522-836e-13915c4e8aa9}\components\FFExternalAlert.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-20 16:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1960408961-606747145-1177238915-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0d,d4,6b,e5,24,26,1c,4c,b9,2e,8a,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0d,d4,6b,e5,24,26,1c,4c,b9,2e,8a,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2952)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\windows\system32\rundll32.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-09-20 16:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-20 08:33

Pre-Run: 12,699,041,792 bytes free
Post-Run: 14,850,187,264 bytes free

258 --- E O F --- 2009-09-13 14:07

HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:57:56 PM, on 9/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackCheck\HCheck.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1224181774406
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9bb6830ea80fc) (gupdate1c9bb6830ea80fc) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 9540 bytes

Thanks!

Well done. Looks all clean to me.

How is your system running ? Is Avast still detecting ghosts ?

Chris

hey chris! pc's running smoothly, avast's pretty quiet now. Ü

Thanks a million for helping me!

You are welcome. Glad we could help.

You can now uninstall ComboFix.
<Start/Run> type in combofix /u (Enter)
This will remove quarantined files and folders, thus avoiding future antivirus alerts about them.

update java: Go to http://java.sun.com/javase/downloads/index.jsp
Scroll down the page to 'Java Runtime Environment (JRE) 6 Update 16' or higher and press the 'Download' button.
Reboot when installed.
Uninstall any previous JRE versions from Control Panel, add-remove programs afterward.

Disable/re-enable system restore to avoid future reinfections from restore points: http://www.bleepingcomputer.com/tutorials/tutorial56.html

Don't forget to create a new restore point just after.

Chris


This topic has been closed as the problem has been resolved. If there is a need to reopen this topic, please send a PM to a Moderator.