.tt3.tmp.vbs virus removal - assistance needed - please help

Discussion in 'Windows - Virus and spyware problems' started by laynegray, Aug 24, 2008.

  1. laynegray (Member; joined Dec 28, 2005; messages: 18; likes received: 0; trophy points: 11)

    Hello All-

    If anyone can assist me with removing this virus, it would be greatly appreciated. I seem to have the same symptoms as described in this post.

    I've copied the basic info from the post here:
    It seems I picked up a virus on my PC. AVG alerted me to a trojan and then dealt with it, or so I thought. Now it seems I have lost some of my display properties and screen saver etc. I have run 2 full AVG scans and it says I'm clean, but when I reboot I get the file missing warning .tt3.tmp.vbs. My custom wallpaper is missing and it seems they have loaded a screen saver which looks like a fatal error blue screen which appears to be re-booting my PC, but it's not, because if I hit ESC it goes and I get a desktop again.

    I've followed the instructions from this post:
    (1.) Please download ATF Cleaner by Atribune & save it to your desktop.

    Double-click ATF-Cleaner.exe to run the program.

    • Under Main "Select Files to Delete" choose: Select All.
    • Click the Empty Selected button.

    • If you use Firefox browser click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.

    • If you use Opera browser click Opera at the top and choose: Select All
    • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.

    • Click Exit on the Main menu to close the program.

    I use both IE and Firefox. I ran ATF-Cleaner for each.

    (2.) Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    • Please post contents of that file in your next reply.

    I did this. Here's my log:
    Malwarebytes' Anti-Malware 1.25
    Database version: 1078
    Windows 5.1.2600 Service Pack 3

    2:44:22 PM 8/24/2008
    mbam-log-08-24-2008 (14-44-22).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 172575
    Time elapsed: 1 hour(s), 35 minute(s), 38 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 3
    Registry Values Infected: 5
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 9

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\system32\blphcrw6j0e151.scr (Trojan.FakeAlert) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\mwc (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcrw6j0e151 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\RECYCLER\S-1-5-21-4156857669-923499974-4265891711-1003\Dc4.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP3\A0000017.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\blphcrw6j0e151.scr (Trojan.FakeAlert) -> Delete on reboot.
    C:\WINDOWS\system32\lphcrw6j0e151.exe (Trojan.FakeAlert) -> Delete on reboot.
    C:\WINDOWS\system32\phcrw6j0e151.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Local Settings\temp\.tt15.tmp (Trojan.Agent) -> Delete on reboot.
    C:\Documents and Settings\Owner\Local Settings\temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Local Settings\temp\.tt9.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Local Settings\temp\.ttF.tmp (Trojan.Downloader) -> Delete on reboot.

    Here is my ComboFix Log:

    ComboFix 08-08-23.01 - Owner 2008-08-24 11:54:14.2 - NTFSx86
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2008-07-24 to 2008-08-24 )))))))))))))))))))))))))))))))
    .

    2008-08-24 11:45 . 2008-08-24 11:45 61,440 --a------ C:\WINDOWS\system32\drivers\nsgrtj.sys
    2008-08-24 11:32 . 2008-08-24 11:32 90,112 --a------ C:\WINDOWS\system32\ajcjsxst.exe
    2008-08-24 11:13 . 2008-08-24 11:13 90,112 --a------ C:\WINDOWS\system32\ylmnuvwb.exe
    2008-08-24 09:33 . 2008-08-24 09:33 195,584 --a------ C:\WINDOWS\system32\tydwjodg.exe
    2008-08-24 09:33 . 2008-08-24 09:33 90,112 --a------ C:\WINDOWS\system32\bgvkdcfo.exe
    2008-08-24 08:33 . 2008-08-24 08:33 195,584 --a------ C:\WINDOWS\system32\twzunozg.exe
    2008-08-24 08:33 . 2008-08-24 08:33 94,208 --a------ C:\WINDOWS\system32\fcpwvkne.exe
    2008-08-24 08:03 . 2008-08-24 08:03 94,208 --a------ C:\WINDOWS\system32\delsrmzy.exe
    2008-08-23 21:51 . 2008-08-23 21:51 195,584 --a------ C:\WINDOWS\system32\snodsfwd.exe
    2008-08-23 21:51 . 2008-08-23 21:51 86,016 --a------ C:\WINDOWS\system32\gvupcnot.exe
    2008-08-23 13:43 . 2008-08-23 13:43 98,304 --a------ C:\WINDOWS\system32\fwxszwvk.exe
    2008-08-23 13:21 . 2008-08-23 13:21 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-23 13:21 . 2008-08-23 13:21 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
    2008-08-23 13:21 . 2008-08-23 13:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-23 13:21 . 2008-08-17 15:04 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-08-23 13:21 . 2008-08-17 15:04 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-21 06:55 . 2008-08-21 06:55 <DIR> d-------- C:\Program Files\vnhzchd
    2008-08-21 06:54 . 2008-08-21 06:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\yfavwpwb
    2008-08-21 06:54 . 2008-08-21 06:54 81,920 --a------ C:\WINDOWS\system32\klqdedqh.exe
    2008-08-14 20:44 . 2008-05-01 09:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
    2008-08-14 20:40 . 2008-04-11 14:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
    2008-08-04 09:42 . 2008-08-04 09:45 <DIR> d-------- C:\WINDOWS\system32\NtmsData
    2008-08-04 09:02 . 2008-08-04 09:02 <DIR> d-------- C:\WINDOWS\system32\scripting
    2008-08-04 09:02 . 2008-08-04 09:02 <DIR> d-------- C:\WINDOWS\system32\en
    2008-08-04 09:02 . 2008-08-04 09:02 <DIR> d-------- C:\WINDOWS\l2schemas
    2008-08-02 09:02 . 2008-04-13 19:12 69,120 --------- C:\WINDOWS\system32\wlanapi.dll
    2008-08-02 09:01 . 2008-04-13 19:12 53,248 --------- C:\WINDOWS\system32\tsgqec.dll
    2008-08-02 09:01 . 2008-04-13 19:12 50,688 --------- C:\WINDOWS\system32\tspkg.dll
    2008-08-02 09:00 . 2008-04-13 19:12 291,328 --------- C:\WINDOWS\system32\qagentrt.dll
    2008-08-02 09:00 . 2008-04-13 19:12 290,304 --------- C:\WINDOWS\system32\rhttpaa.dll
    2008-08-02 09:00 . 2008-04-13 19:12 150,528 --------- C:\WINDOWS\system32\qagent.dll
    2008-08-02 09:00 . 2008-04-13 19:12 144,384 --------- C:\WINDOWS\system32\onex.dll
    2008-08-02 09:00 . 2008-04-13 19:12 76,800 --------- C:\WINDOWS\system32\qutil.dll
    2008-08-02 09:00 . 2008-04-13 19:12 62,464 --------- C:\WINDOWS\system32\qcliprov.dll
    2008-08-02 09:00 . 2008-04-13 19:12 61,952 --------- C:\WINDOWS\system32\rasqec.dll
    2008-08-02 09:00 . 2008-04-13 19:12 32,768 --------- C:\WINDOWS\system32\setupn.exe
    2008-08-02 09:00 . 2008-04-13 13:40 10,240 --------- C:\WINDOWS\system32\drivers\sffp_mmc.sys
    2008-08-02 08:59 . 2008-04-13 19:12 1,306,624 -----c--- C:\WINDOWS\system32\dllcache\msxml6.dll
    2008-08-02 08:59 . 2008-04-13 19:12 193,024 --------- C:\WINDOWS\system32\napmontr.dll
    2008-08-02 08:59 . 2008-04-13 19:12 176,640 --------- C:\WINDOWS\system32\napstat.exe
    2008-08-02 08:59 . 2008-04-13 19:12 155,136 --------- C:\WINDOWS\system32\mssha.dll
    2008-08-02 08:59 . 2008-04-13 12:27 79,872 -----c--- C:\WINDOWS\system32\dllcache\msxml6r.dll
    2008-08-02 08:59 . 2008-04-13 13:14 76,800 --------- C:\WINDOWS\system32\msshavmsg.dll
    2008-08-02 08:59 . 2008-04-13 19:12 30,208 --------- C:\WINDOWS\system32\napipsec.dll
    2008-08-02 08:57 . 2008-04-13 19:11 650,752 --------- C:\WINDOWS\system32\dot3ui.dll
    2008-07-28 16:11 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-09 13:32 --------- d-----w C:\Program Files\Quicken
    2008-08-04 17:11 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-08-04 14:45 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-08-02 14:08 --------- d-----w C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
    2008-07-28 21:12 --------- d-----w C:\Program Files\Google
    2008-07-28 21:11 --------- d-----w C:\Program Files\Java
    2008-07-15 13:04 313,856 ----a-w C:\WINDOWS\system32\nsw25E.dll
    2008-07-15 12:53 313,856 ----a-w C:\WINDOWS\system32\nsz341.dll
    2008-07-15 12:26 313,856 ----a-w C:\WINDOWS\system32\nso43E.dll
    2008-07-15 12:04 313,856 ----a-w C:\WINDOWS\system32\nsfD.dll
    2008-07-15 11:34 313,856 ----a-w C:\WINDOWS\system32\nsj1A.dll
    2008-07-15 11:21 313,856 ----a-w C:\WINDOWS\system32\nsb18.dll
    2008-07-15 11:12 313,856 ----a-w C:\WINDOWS\system32\nsf676.dll
    2008-07-12 15:57 --------- d-----w C:\Program Files\Computerbrains
    2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-07-04 16:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2004-10-09 01:17 56 --sha-w C:\WINDOWS\system32\4E131A8EE9.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54d1c7af-ee3e-0c79-e96e-87a1ec3ff4ce}]
    2008-07-15 08:04 313856 --a------ C:\WINDOWS\system32\nsw25E.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]
    "WebCfgInfo"="C:\WINDOWS\system32\klqdedqh.exe" [2008-08-21 06:54 81920]
    "DbDscApl"="C:\WINDOWS\system32\fwxszwvk.exe" [2008-08-23 13:43 98304]
    "SysHlpInfo"="C:\WINDOWS\system32\gvupcnot.exe" [2008-08-23 21:51 86016]
    "aplmonsmart"="C:\WINDOWS\system32\delsrmzy.exe" [2008-08-24 08:03 94208]
    "endsc"="C:\WINDOWS\system32\fcpwvkne.exe" [2008-08-24 08:33 94208]
    "AppUiUtil"="C:\WINDOWS\system32\bgvkdcfo.exe" [2008-08-24 09:33 90112]
    "WebAdm"="C:\WINDOWS\system32\ylmnuvwb.exe" [2008-08-24 11:13 90112]
    "comgen"="C:\WINDOWS\system32\ajcjsxst.exe" [2008-08-24 11:32 90112]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 15:54 241664]
    "HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 06:23 49152]
    "HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-08-21 06:15 483328]
    "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 15:43 233472]
    "HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-27 04:34 172032]
    "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 21:00 94208]
    "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 04:50 139320]
    "Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 10:48 147514]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
    "2wSysTray"="C:\Program Files\2Wire\2PortalMon.exe" [2004-09-15 03:52 393216]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-18 11:14 180269]
    "KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44 61440]
    "EPSON Stylus Photo RX600"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE" [2003-09-09 15:00 99840]
    "basicsmssmenu"="C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 17:21 169328]
    "Malwarebytes Anti-Malware (reboot)"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2008-08-17 15:04 1195640]
    "VTTimer"="VTTimer.exe" [2004-01-16 06:33 49152 C:\WINDOWS\system32\VTTimer.exe]
    "AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 88209 C:\WINDOWS\AGRSMMSG.exe]
    "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
    "hC25nNZALn"="C:\Documents and Settings\All Users\Application Data\yfavwpwb\krixyxqn.exe" [2008-08-21 06:54 57344]

    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
    PowerReg Scheduler V3.exe [2004-09-18 15:55:26 225280]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
    Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-04-01 10:02:38 568176]
    InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-01-30 08:30:18 200704]
    Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-05-10 07:15:28 282624]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "WinGenDsc"= {01844C71-753F-8CDD-D64C-0A51BE2DFC3D} - C:\Program Files\vnhzchd\WinGenDsc.dll [2008-08-21 06:55 110592]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
    backup=C:\WINDOWS\pss\Billminder.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
    backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
    backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
    backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
    backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2wSysTray]
    --a------ 2004-09-15 03:52 393216 C:\Program Files\2Wire\2PortalMon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    --a------ 2005-02-16 23:11 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightMonitor 01]
    --a------ 2003-07-14 14:30 98304 C:\Program Files\SBC Yahoo!\Connection Manager\IP Insight\ipmon32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
    --a------ 2003-12-18 02:31 118784 C:\WINDOWS\CREATOR\Remind_XP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
    --a------ 2002-04-17 11:42 69632 c:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
    --a------ 2003-08-19 01:01 110592 c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
    --a------ 2006-07-21 17:19 129536 C:\Program Files\Yahoo!\browser\ybrwicon.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"= C:\\Program Files\\Yahoo!\\Messenger\\yserver.exe
    "C:\\WINDOWS\\system32\\mshta.exe"=
    "C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
    "C:\\WINDOWS\\system32\\fxsclnt.exe"=
    "C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "C:\\WINDOWS\\system32\\ftp.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
    "C:\\Program Files\\Motorola\\Software Update\\msu.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3150:UDP"= 3150:UDP:Windows Media Format SDK (IEXPLORE.EXE)
    "3151:UDP"= 3151:UDP:Windows Media Format SDK (IEXPLORE.EXE)
    "3152:UDP"= 3152:UDP:Windows Media Format SDK (IEXPLORE.EXE)

    R2 Basics Service;Basics Service;C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe [2007-10-09 17:21]
    S3 USB28xxBGA;PCTV 330e/800e Device;C:\WINDOWS\system32\DRIVERS\emBDA.sys [2007-01-29 21:20]
    S3 USB28xxOEM;USB 28xx OEM Filter;C:\WINDOWS\system32\DRIVERS\emOEM.sys [2007-01-29 21:19]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

    *Newly Created Service* - CATCHME
    *Newly Created Service* - ENTDRV51
    .
    Contents of the 'Scheduled Tasks' folder

    2008-08-18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

    2008-07-16 C:\WINDOWS\Tasks\EasyShare Registration Task.job
    - C:\WINDOWS\system32\rundll32.exe [2008-04-13 19:12]

    2008-08-24 C:\WINDOWS\Tasks\Symantec NetDetect.job
    - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2004-07-19 17:26]
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\vtpphjho.Default User2\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-24 11:58:17
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet003\Services\MySql]
    "ImagePath"="C:/xampp/mysql/bin/mysqld-nt.exe"

    [HKEY_LOCAL_MACHINE\system\ControlSet003\Services\MySql]
    "ImagePath"="C:/xampp/mysql/bin/mysqld-nt.exe"
    .
    Completion time: 2008-08-24 12:01:11
    ComboFix-quarantined-files.txt 2008-08-24 17:00:54
    ComboFix2.txt 2008-08-24 13:08:12

    Pre-Run: 124,807,090,176 bytes free
    Post-Run: 124,787,707,904 bytes free

    218 --- E O F --- 2008-08-15 22:58:57

    Here is my HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 4:24:59 PM, on 8/24/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\All Users\Application Data\yfavwpwb\krixyxqn.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\2Wire\2PortalMon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\klqdedqh.exe
    C:\WINDOWS\system32\mnavclaz.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\taskmgr.exe
    C:\PROGRA~1\MI1933~1\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
    C:\Documents and Settings\Owner\Desktop\HiJackThis_v2.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
    O2 - BHO: dcads - {54d1c7af-ee3e-0c79-e96e-87a1ec3ff4ce} - C:\WINDOWS\system32\nsw25E.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
    O3 - Toolbar: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [EPSON Stylus Photo RX600] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE /P24 "EPSON Stylus Photo RX600" /O6 "USB002" /M "Stylus Photo RX600"
    O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
    O4 - HKLM\..\Run: [lphcrw6j0e151] C:\WINDOWS\system32\lphcrw6j0e151.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WebCfgInfo] C:\WINDOWS\system32\klqdedqh.exe
    O4 - HKCU\..\Run: [DbDscApl] C:\WINDOWS\system32\fwxszwvk.exe
    O4 - HKCU\..\Run: [SysHlpInfo] C:\WINDOWS\system32\gvupcnot.exe
    O4 - HKCU\..\Run: [aplmonsmart] C:\WINDOWS\system32\delsrmzy.exe
    O4 - HKCU\..\Run: [endsc] C:\WINDOWS\system32\fcpwvkne.exe
    O4 - HKCU\..\Run: [AppUiUtil] C:\WINDOWS\system32\bgvkdcfo.exe
    O4 - HKCU\..\Run: [WebAdm] C:\WINDOWS\system32\ylmnuvwb.exe
    O4 - HKCU\..\Run: [comgen] C:\WINDOWS\system32\ajcjsxst.exe
    O4 - HKCU\..\Run: [ChkWebCmd] C:\WINDOWS\system32\efybqvkz.exe
    O4 - HKCU\..\Run: [DbSet] C:\WINDOWS\system32\pgdctkfw.exe
    O4 - HKCU\..\Run: [SmartDscProc] C:\WINDOWS\system32\ylydypmr.exe
    O4 - HKLM\..\Policies\Explorer\Run: [hC25nNZALn] C:\Documents and Settings\All Users\Application Data\yfavwpwb\krixyxqn.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: AutorunsDisabled
    O9 - Extra button: (no name) - AutorunsDisabled - (no file)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
    O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173294070000
    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
    O21 - SSODL: WinGenDsc - {01844C71-753F-8CDD-D64C-0A51BE2DFC3D} - C:\Program Files\vnhzchd\WinGenDsc.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: MySql - Unknown owner - C:/xampp/mysql/bin/mysqld-nt.exe

    --
    End of file - 10074 bytes
     
  2. 2oldGeek

    @laynegray,

    Is this a corporate machine in a network??

    This machine still has a lot of infection and a possible backdoor Trojan with a Rootkit.

    What does the IT Guy think about it?
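The call above is made by reading the HijackThis log by eye. As an added example (not code from this thread or from HijackThis), the Python below applies the same kind of triage to a few constructed lines copied in form from that log: autoruns launched from a temp folder, Policies\Explorer\Run entries, HKCU Run values pointing at random-looking 8-letter executables in system32, temp-style nsXXX.dll BHOs and SSODL entries outside the Windows directory. The patterns and thresholds are assumptions tuned to this log, not general rules, and a real deployment would add an allowlist of known-good paths.

```python
"""Triage heuristics for HijackThis-style log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied in form from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: dcads - {54d1c7af-ee3e-0c79-e96e-87a1ec3ff4ce} - C:\WINDOWS\system32\nsw25E.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [inrhcvw6j0e151] C:\Documents and Settings\Owner\Local Settings\temp\.ttA.tmp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WebCfgInfo] C:\WINDOWS\system32\klqdedqh.exe
O4 - HKLM\..\Policies\Explorer\Run: [hC25nNZALn] C:\Documents and Settings\All Users\Application Data\yfavwpwb\krixyxqn.exe
O21 - SSODL: WinGenDsc - {01844C71-753F-8CDD-D64C-0A51BE2DFC3D} - C:\Program Files\vnhzchd\WinGenDsc.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O23 - Service: MySql - Unknown owner - C:/xampp/mysql/bin/mysqld-nt.exe
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" = almost certainly unwanted, "review" = verify by hand
    section: str   # HijackThis section tag: O2, O4, O21, O23
    target: str    # file path named on the line
    reason: str


# Heuristics (assumptions tuned to this log): 8 lowercase letters + .exe, and the
# nsXXX.dll naming typical of plugins extracted into a temp folder.
RANDOM_EXE = re.compile(r"\\[a-z]{8}\.exe$")
TEMP_DLL = re.compile(r"\\ns[a-z0-9]{1,5}\.dll$")
O4_KEY = re.compile(r"(HK\w+\\[^:]*): \[([^\]]*)\]\s*(.*)$")


def _o4_target(rest: str) -> str:
    """Extract the executable path from an O4 value, dropping quotes and switches."""
    rest = rest.strip()
    if rest.startswith('"'):
        return rest[1:rest.find('"', 1)]
    return rest.split(" /", 1)[0]


def triage_line(line: str) -> list[Finding]:
    """Return the findings for one HijackThis line (empty list if nothing fires)."""
    m = re.match(r"(O\d+) - (.*)$", line.strip())
    if not m:
        return []
    section, rest = m.groups()
    findings: list[Finding] = []

    if section == "O4":
        km = O4_KEY.match(rest)
        if not km:  # "Startup:" / "Global Startup:" lines are not registry values
            return []
        key, target = km.group(1), _o4_target(km.group(3))
        low = target.lower()
        if "\\temp\\" in low:
            findings.append(Finding("high", section, target, "autorun from a temp directory"))
        if "policies\\explorer\\run" in key.lower():
            findings.append(Finding("high", section, target,
                                    "Policies\\Explorer\\Run entry (rarely used by legitimate software)"))
        if key.upper().startswith("HKCU") and "\\system32\\" in low and RANDOM_EXE.search(low):
            findings.append(Finding("high", section, target,
                                    "HKCU Run value pointing at a random-looking 8-letter exe in system32"))
        return findings

    target = rest.rsplit(" - ", 1)[-1].strip()
    low = target.lower()
    if section == "O2" and TEMP_DLL.search(low):
        findings.append(Finding("high", section, target, "BHO with a temp-style nsXXX.dll name"))
    if section == "O21" and not low.startswith("c:\\windows\\"):
        findings.append(Finding("high", section, target, "SSODL entry outside the Windows directory"))
    if section == "O23" and "unknown owner" in rest.lower():
        findings.append(Finding("review", section, target, "service with no recognised publisher"))
    return findings


def triage_log(text: str) -> list[Finding]:
    """Run triage_line over every line of a log and collect the findings."""
    findings: list[Finding] = []
    for line in text.splitlines():
        findings.extend(triage_line(line))
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:3} {f.target}  <- {f.reason}")
```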
     
  3. laynegray

    2oldGeek-

    This is my home computer. It is on my home network. Unfortunately, I guess that makes me the IT guy (oh, no)...I'm really out of my element with the issues I've been having with this computer. This is the main computer on our home network and I do have 3-4 laptops connecting to the internet. I'll do whatever it takes to get it back running again, but I don't have the slightest idea of where to start. Any ideas would be greatly appreciated.

    Thanks,
    Layne
     
  4. 2oldGeek

    @laynegray,

    You have a LOT of infection and it would be really nice to have an IT Guy that you could turn it over to…


    It may take several posts to get rid of all the infection, so if you’re up to it, I’ll do my best to clean you up.

    You have signs in your logs that point to the possibility of a rootkit that gave me a whoopin' the last time I encountered it. This time we'll start with some things that I ended up using the last time, and it worked.

    First:

    Download and install: Comodo BOClean

    After installation, boot your machine and BOClean will start and scan; allow it to delete anything it finds.

    Then:

    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only


    Double-click ATF-Cleaner.exe to run the program.

    • Under Main "Select Files to Delete" choose: Select All.
    • Click the Empty Selected button.

    • If you use Firefox browser click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.

    • If you use Opera browser click Opera at the top and choose: Select All
    • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.

    • Click Exit on the Main menu to close the program.


    Next:

    Right click the BOClean tray icon and choose shut down BOClean.
    Attempt to shut down your McAfee if you can. I don't know if it will hinder us or not, but it needs to be shut down, if you can.


    Now:

    Rerun MBAM and Combofix from the instructions you followed to get this far :)

    Post a new MBAM Log, ComboFix Log and a fresh HJT Log.

    It will take me some time to work up a Fix for you, so please bear with me…

    2OG
     
    Last edited: Aug 25, 2008
  5. laynegray

    2OG-

    I'll definitely bear with you :) I'm back at work now and won't have a chance to try anything until this evening, and I'll post the logs/info you requested then. Thank you so much for your help.
     
  6. 2oldGeek

    Just when you can and if you run into anything you don't understand, ask.
     
  7. laynegray

    2OG-

    Here are the logs you requested. I'm wiped out...long day and early morning. I'll check back tomorrow after lunch. Thanks!

    Here is my HJT log:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 10:37:13 PM, on 8/25/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
    C:\Program Files\Comodo\CBOClean\BOCORE.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\All Users\Application Data\yfavwpwb\krixyxqn.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\2Wire\2PortalMon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\klqdedqh.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\dstepcpg.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Documents and Settings\Owner\Desktop\HiJackThis_v2.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
    O2 - BHO: dcads - {54d1c7af-ee3e-0c79-e96e-87a1ec3ff4ce} - C:\WINDOWS\system32\nsw25E.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
    O3 - Toolbar: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
    O4 - HKLM\..\Run: [BOC-427] C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
    O4 - HKLM\..\Run: [lphcrw6j0e151] C:\WINDOWS\system32\lphcrw6j0e151.exe
    O4 - HKLM\..\Run: [inrhcvw6j0e151] C:\Documents and Settings\Owner\Local Settings\temp\.ttA.tmp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WebCfgInfo] C:\WINDOWS\system32\klqdedqh.exe
    O4 - HKCU\..\Run: [DbDscApl] C:\WINDOWS\system32\fwxszwvk.exe
    O4 - HKCU\..\Run: [SysHlpInfo] C:\WINDOWS\system32\gvupcnot.exe
    O4 - HKCU\..\Run: [aplmonsmart] C:\WINDOWS\system32\delsrmzy.exe
    O4 - HKCU\..\Run: [endsc] C:\WINDOWS\system32\fcpwvkne.exe
    O4 - HKCU\..\Run: [AppUiUtil] C:\WINDOWS\system32\bgvkdcfo.exe
    O4 - HKCU\..\Run: [WebAdm] C:\WINDOWS\system32\ylmnuvwb.exe
    O4 - HKCU\..\Run: [comgen] C:\WINDOWS\system32\ajcjsxst.exe
    O4 - HKCU\..\Run: [ChkWebCmd] C:\WINDOWS\system32\efybqvkz.exe
    O4 - HKCU\..\Run: [DbSet] C:\WINDOWS\system32\pgdctkfw.exe
    O4 - HKCU\..\Run: [SmartDscProc] C:\WINDOWS\system32\ylydypmr.exe
    O4 - HKCU\..\Run: [ensrvapp] C:\WINDOWS\system32\jwnqfgtm.exe
    O4 - HKCU\..\Run: [admapl] C:\WINDOWS\system32\ralapcjs.exe
    O4 - HKLM\..\Policies\Explorer\Run: [hC25nNZALn] C:\Documents and Settings\All Users\Application Data\yfavwpwb\krixyxqn.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: AutorunsDisabled
    O9 - Extra button: (no name) - AutorunsDisabled - (no file)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
    O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173294070000
    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
    O21 - SSODL: WinGenDsc - {01844C71-753F-8CDD-D64C-0A51BE2DFC3D} - C:\Program Files\vnhzchd\WinGenDsc.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
    O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: MySql - Unknown owner - C:/xampp/mysql/bin/mysqld-nt.exe

    --
    End of file - 10050 bytes

    Here is my new ComboFix log:

    ComboFix 08-08-24.03 - Owner 2008-08-25 22:07:22.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.141 [GMT -5:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\lphcrw6j0e151.exe
    C:\WINDOWS\system32\phcrw6j0e151.bmp

    .
    ((((((((((((((((((((((((( Files Created from 2008-07-26 to 2008-08-26 )))))))))))))))))))))))))))))))
    .

    2008-08-25 21:51 . 2008-08-25 21:51 98,304 --a------ C:\WINDOWS\system32\jwnqfgtm.exe
    2008-08-25 18:25 . 2008-04-13 19:12 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
    2008-08-25 18:24 . 2008-08-25 18:24 <DIR> d-------- C:\Program Files\Comodo
    2008-08-25 18:24 . 2008-08-25 18:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BOC427
    2008-08-25 18:24 . 2008-07-14 05:09 212,728 --a------ C:\WINDOWS\CMDLIC.DLL
    2008-08-25 18:24 . 2008-07-14 05:09 205,560 --a------ C:\WINDOWS\UNBOC.EXE
    2008-08-25 18:24 . 2008-08-25 22:05 10,749 --a------ C:\WINDOWS\BOC427.INI
    2008-08-24 14:51 . 2008-08-24 14:51 86,016 --a------ C:\WINDOWS\system32\ylydypmr.exe
    2008-08-24 12:37 . 2008-08-24 12:37 86,016 --a------ C:\WINDOWS\system32\pgdctkfw.exe
    2008-08-24 12:03 . 2008-08-24 12:03 90,112 --a------ C:\WINDOWS\system32\efybqvkz.exe
    2008-08-24 11:32 . 2008-08-24 11:32 90,112 --a------ C:\WINDOWS\system32\ajcjsxst.exe
    2008-08-24 11:13 . 2008-08-24 11:13 90,112 --a------ C:\WINDOWS\system32\ylmnuvwb.exe
    2008-08-24 09:33 . 2008-08-24 09:33 195,584 --a------ C:\WINDOWS\system32\tydwjodg.exe
    2008-08-24 09:33 . 2008-08-24 09:33 90,112 --a------ C:\WINDOWS\system32\bgvkdcfo.exe
    2008-08-24 08:33 . 2008-08-24 08:33 195,584 --a------ C:\WINDOWS\system32\twzunozg.exe
    2008-08-24 08:33 . 2008-08-24 08:33 94,208 --a------ C:\WINDOWS\system32\fcpwvkne.exe
    2008-08-24 08:03 . 2008-08-24 08:03 94,208 --a------ C:\WINDOWS\system32\delsrmzy.exe
    2008-08-23 21:51 . 2008-08-23 21:51 195,584 --a------ C:\WINDOWS\system32\snodsfwd.exe
    2008-08-23 21:51 . 2008-08-23 21:51 86,016 --a------ C:\WINDOWS\system32\gvupcnot.exe
    2008-08-23 13:43 . 2008-08-23 13:43 98,304 --a------ C:\WINDOWS\system32\fwxszwvk.exe
    2008-08-23 13:21 . 2008-08-23 13:21 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-23 13:21 . 2008-08-23 13:21 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
    2008-08-23 13:21 . 2008-08-23 13:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-23 13:21 . 2008-08-17 15:04 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-08-23 13:21 . 2008-08-17 15:04 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-21 06:55 . 2008-08-21 06:55 <DIR> d-------- C:\Program Files\vnhzchd
    2008-08-21 06:54 . 2008-08-21 06:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\yfavwpwb
    2008-08-21 06:54 . 2008-08-21 06:54 81,920 --a------ C:\WINDOWS\system32\klqdedqh.exe
    2008-08-14 20:44 . 2008-05-01 09:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
    2008-08-14 20:40 . 2008-04-11 14:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
    2008-08-04 09:42 . 2008-08-04 09:45 <DIR> d-------- C:\WINDOWS\system32\NtmsData
    2008-08-04 09:02 . 2008-08-04 09:02 <DIR> d-------- C:\WINDOWS\system32\scripting
    2008-08-04 09:02 . 2008-08-04 09:02 <DIR> d-------- C:\WINDOWS\system32\en
    2008-08-04 09:02 . 2008-08-04 09:02 <DIR> d-------- C:\WINDOWS\l2schemas
    2008-08-02 09:02 . 2008-04-13 19:12 69,120 --------- C:\WINDOWS\system32\wlanapi.dll
    2008-08-02 09:01 . 2008-04-13 19:12 53,248 --------- C:\WINDOWS\system32\tsgqec.dll
    2008-08-02 09:01 . 2008-04-13 19:12 50,688 --------- C:\WINDOWS\system32\tspkg.dll
    2008-08-02 09:00 . 2008-04-13 19:12 291,328 --------- C:\WINDOWS\system32\qagentrt.dll
    2008-08-02 09:00 . 2008-04-13 19:12 290,304 --------- C:\WINDOWS\system32\rhttpaa.dll
    2008-08-02 09:00 . 2008-04-13 19:12 150,528 --------- C:\WINDOWS\system32\qagent.dll
    2008-08-02 09:00 . 2008-04-13 19:12 144,384 --------- C:\WINDOWS\system32\onex.dll
    2008-08-02 09:00 . 2008-04-13 19:12 76,800 --------- C:\WINDOWS\system32\qutil.dll
    2008-08-02 09:00 . 2008-04-13 19:12 62,464 --------- C:\WINDOWS\system32\qcliprov.dll
    2008-08-02 09:00 . 2008-04-13 19:12 61,952 --------- C:\WINDOWS\system32\rasqec.dll
    2008-08-02 09:00 . 2008-04-13 19:12 32,768 --------- C:\WINDOWS\system32\setupn.exe
    2008-08-02 09:00 . 2008-04-13 13:40 10,240 --------- C:\WINDOWS\system32\drivers\sffp_mmc.sys
    2008-08-02 08:59 . 2008-04-13 19:12 1,306,624 -----c--- C:\WINDOWS\system32\dllcache\msxml6.dll
    2008-08-02 08:59 . 2008-04-13 19:12 193,024 --------- C:\WINDOWS\system32\napmontr.dll
    2008-08-02 08:59 . 2008-04-13 19:12 176,640 --------- C:\WINDOWS\system32\napstat.exe
    2008-08-02 08:59 . 2008-04-13 19:12 155,136 --------- C:\WINDOWS\system32\mssha.dll
    2008-08-02 08:59 . 2008-04-13 12:27 79,872 -----c--- C:\WINDOWS\system32\dllcache\msxml6r.dll
    2008-08-02 08:59 . 2008-04-13 13:14 76,800 --------- C:\WINDOWS\system32\msshavmsg.dll
    2008-08-02 08:59 . 2008-04-13 19:12 30,208 --------- C:\WINDOWS\system32\napipsec.dll
    2008-08-02 08:57 . 2008-04-13 19:11 650,752 --------- C:\WINDOWS\system32\dot3ui.dll
    2008-07-28 16:11 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-09 13:32 --------- d-----w C:\Program Files\Quicken
    2008-08-04 17:11 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-08-04 14:45 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-08-02 14:08 --------- d-----w C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
    2008-07-28 21:12 --------- d-----w C:\Program Files\Google
    2008-07-28 21:11 --------- d-----w C:\Program Files\Java
    2008-07-15 13:04 313,856 ----a-w C:\WINDOWS\system32\nsw25E.dll
    2008-07-15 12:53 313,856 ----a-w C:\WINDOWS\system32\nsz341.dll
    2008-07-15 12:26 313,856 ----a-w C:\WINDOWS\system32\nso43E.dll
    2008-07-15 12:04 313,856 ----a-w C:\WINDOWS\system32\nsfD.dll
    2008-07-15 11:34 313,856 ----a-w C:\WINDOWS\system32\nsj1A.dll
    2008-07-15 11:21 313,856 ----a-w C:\WINDOWS\system32\nsb18.dll
    2008-07-15 11:12 313,856 ----a-w C:\WINDOWS\system32\nsf676.dll
    2008-07-12 15:57 --------- d-----w C:\Program Files\Computerbrains
    2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-07-04 16:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2004-10-09 01:17 56 --sha-w C:\WINDOWS\system32\4E131A8EE9.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54d1c7af-ee3e-0c79-e96e-87a1ec3ff4ce}]
    2008-07-15 08:04 313856 --a------ C:\WINDOWS\system32\nsw25E.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]
    "WebCfgInfo"="C:\WINDOWS\system32\klqdedqh.exe" [2008-08-21 06:54 81920]
    "DbDscApl"="C:\WINDOWS\system32\fwxszwvk.exe" [2008-08-23 13:43 98304]
    "SysHlpInfo"="C:\WINDOWS\system32\gvupcnot.exe" [2008-08-23 21:51 86016]
    "aplmonsmart"="C:\WINDOWS\system32\delsrmzy.exe" [2008-08-24 08:03 94208]
    "endsc"="C:\WINDOWS\system32\fcpwvkne.exe" [2008-08-24 08:33 94208]
    "AppUiUtil"="C:\WINDOWS\system32\bgvkdcfo.exe" [2008-08-24 09:33 90112]
    "WebAdm"="C:\WINDOWS\system32\ylmnuvwb.exe" [2008-08-24 11:13 90112]
    "comgen"="C:\WINDOWS\system32\ajcjsxst.exe" [2008-08-24 11:32 90112]
    "ChkWebCmd"="C:\WINDOWS\system32\efybqvkz.exe" [2008-08-24 12:03 90112]
    "DbSet"="C:\WINDOWS\system32\pgdctkfw.exe" [2008-08-24 12:37 86016]
    "SmartDscProc"="C:\WINDOWS\system32\ylydypmr.exe" [2008-08-24 14:51 86016]
    "ensrvapp"="C:\WINDOWS\system32\jwnqfgtm.exe" [2008-08-25 21:51 98304]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 15:54 241664]
    "HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 06:23 49152]
    "HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-08-21 06:15 483328]
    "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 15:43 233472]
    "HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-27 04:34 172032]
    "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 21:00 94208]
    "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 04:50 139320]
    "Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 10:48 147514]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
    "2wSysTray"="C:\Program Files\2Wire\2PortalMon.exe" [2004-09-15 03:52 393216]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-18 11:14 180269]
    "KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44 61440]
    "basicsmssmenu"="C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 17:21 169328]
    "BOC-427"="C:\PROGRA~1\Comodo\CBOClean\BOC427.exe" [2008-07-14 05:09 351480]
    "VTTimer"="VTTimer.exe" [2004-01-16 06:33 49152 C:\WINDOWS\system32\VTTimer.exe]
    "AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 88209 C:\WINDOWS\AGRSMMSG.exe]
    "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
    "hC25nNZALn"="C:\Documents and Settings\All Users\Application Data\yfavwpwb\krixyxqn.exe" [2008-08-21 06:54 57344]

    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
    PowerReg Scheduler V3.exe [2004-09-18 15:55:26 225280]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
    Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-04-01 10:02:38 568176]
    InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-01-30 08:30:18 200704]
    Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-05-10 07:15:28 282624]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "WinGenDsc"= {01844C71-753F-8CDD-D64C-0A51BE2DFC3D} - C:\Program Files\vnhzchd\WinGenDsc.dll [2008-08-21 06:55 110592]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
    backup=C:\WINDOWS\pss\Billminder.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
    backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
    backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
    backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
    backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2wSysTray]
    --a------ 2004-09-15 03:52 393216 C:\Program Files\2Wire\2PortalMon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    --a------ 2005-02-16 23:11 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightMonitor 01]
    --a------ 2003-07-14 14:30 98304 C:\Program Files\SBC Yahoo!\Connection Manager\IP Insight\ipmon32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
    --a------ 2003-12-18 02:31 118784 C:\WINDOWS\CREATOR\Remind_XP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
    --a------ 2002-04-17 11:42 69632 c:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
    --a------ 2003-08-19 01:01 110592 c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
    --a------ 2006-07-21 17:19 129536 C:\Program Files\Yahoo!\browser\ybrwicon.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"= C:\\Program Files\\Yahoo!\\Messenger\\yserver.exe
    "C:\\WINDOWS\\system32\\mshta.exe"=
    "C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
    "C:\\WINDOWS\\system32\\fxsclnt.exe"=
    "C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "C:\\WINDOWS\\system32\\ftp.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
    "C:\\Program Files\\Motorola\\Software Update\\msu.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3150:UDP"= 3150:UDP:Windows Media Format SDK (IEXPLORE.EXE)
    "3151:UDP"= 3151:UDP:Windows Media Format SDK (IEXPLORE.EXE)
    "3152:UDP"= 3152:UDP:Windows Media Format SDK (IEXPLORE.EXE)

    R2 Basics Service;Basics Service;C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe [2007-10-09 17:21]
    S3 USB28xxBGA;PCTV 330e/800e Device;C:\WINDOWS\system32\DRIVERS\emBDA.sys [2007-01-29 21:20]
    S3 USB28xxOEM;USB 28xx OEM Filter;C:\WINDOWS\system32\DRIVERS\emOEM.sys [2007-01-29 21:19]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

    *Newly Created Service* - ENTDRV51
    .
    Contents of the 'Scheduled Tasks' folder

    2008-08-18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

    2008-07-16 C:\WINDOWS\Tasks\EasyShare Registration Task.job
    - C:\WINDOWS\system32\rundll32.exe [2008-04-13 19:12]

    2008-08-26 C:\WINDOWS\Tasks\Symantec NetDetect.job
    - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2004-07-19 17:26]
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-lphcrw6j0e151 - C:\WINDOWS\system32\lphcrw6j0e151.exe


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\vtpphjho.Default User2\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
    .
    .
    ------- File Associations (Beta) -------
    .
    txtfile=C:\WINDOWS\NOTEPAD.EXE %1
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-25 22:11:18
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet003\Services\MySql]
    "ImagePath"="C:/xampp/mysql/bin/mysqld-nt.exe"

    [HKEY_LOCAL_MACHINE\system\ControlSet003\Services\MySql]
    "ImagePath"="C:/xampp/mysql/bin/mysqld-nt.exe"
    .
    Completion time: 2008-08-25 22:15:06
    ComboFix-quarantined-files.txt 2008-08-26 03:14:45
    ComboFix2.txt 2008-08-24 17:01:12
    ComboFix3.txt 2008-08-24 13:08:12

    Pre-Run: 124,706,717,696 bytes free
    Post-Run: 124,688,142,336 bytes free

    244 --- E O F --- 2008-08-15 22:58:57

    Here is my new MBAM log:

    Malwarebytes' Anti-Malware 1.25
    Database version: 1078
    Windows 5.1.2600 Service Pack 3

    9:40:25 PM 8/25/2008
    mbam-log-08-25-2008 (21-40-25).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 172756
    Time elapsed: 56 minute(s), 11 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 4
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\mwc (Malware.Trace) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inrhcvw6j0e151 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP4\A0000024.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\blphcrw6j0e151.scr.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\phcrw6j0e151.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

     
  8. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    @laynegray,

    You've got a lot of infection and it will take me a good while to go through your logs so I can work up a fix.

    Hopefully late tomorrow.
     
  9. 2oldGeek

    2oldGeek Active member

    @laynegray,

    This should just about do it but there may be a few stragglers we have to pick up.
    Be sure to run the ComboFix FIRST and then get a fresh HJT Log afterward.

    Open Notepad - it must be Notepad, not Wordpad.
    Copy the text below in the quote box by highlighting all the text with your mouse and pressing Ctrl+C



    Go to the Notepad window and click Edit > Paste
    Then click File > Save
    Name the file "CFScript.txt" (including the quotes)
    Save the file to your Desktop


    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.




    2OG
     
  10. laynegray

    laynegray Member

    2OG-

    I created the file "CFScript.txt" (including the quotes) and dragged CFScript into ComboFix.exe

    ComboFix did start again, but it seems to be stuck. It popped up a status box when I dragged CFScript into it and then it popped up a DOS window titled AutoScan. It has been sitting here for I'd say the better part of 2 hours. Here is what is currently being displayed:

    Scanning for infected files...
    This typically doesn't take more than 10 minutes
    However, scan times for badly infected machines may easily double

    I didn't want to do anything until I'd checked with you. BTW, I checked my task manager and it shows AutoScan running under the Applications tab, but I don't see any CPU usage for it when I look under the Processes tab - I only see System Idle Process CPU 99 and taskmgr.exe will grab a little CPU from time to time.
     
  11. 2oldGeek

    2oldGeek Active member

    @laynegray,


    You do have a LOT of infection but that seems a little too much time.

    Go ahead and stop ComboFix and reboot.

    Then go to System Restore and Restore to the last entry that ComboFix set as a restore point.

    Let me know and we can just byte a little of the infection off at a time instead of trying to get it all at once.
     
  12. laynegray

    laynegray Member

    2OG-

    I have ended ComboFix, rebooted, and am running system restore now.
     
  13. 2oldGeek

    2oldGeek Active member

    @laynegray,


    I hate it, but sometimes unexpected "STUFF" happens.....

    Let me know if you have a Recovery disc that came with that computer or an XP system disc or a Recovery partition on that HD, usually D:

    We may have to restore some of the System Files that may have been corrupted by all these Trojans you acquired....
     
  14. laynegray

    laynegray Member

    2OG-

    I don't have a recovery disk or an XP system disk. I do have a secondary HD (D drive) on this PC that is for backup, but I don't think I've ever used it. I'm really not sure what's out there on it. I've restored the system to the restore point that ComboFix made this morning. I've got to leave now to get to work and will be home around 1700-1800HRS CT. I'll catch up then.

    Thanks!!
     
  15. 2oldGeek

    2oldGeek Active member

    have a good day. see ya.
     
  16. 2oldGeek

    2oldGeek Active member

    @laynegray,





    I am under the impression that McAfee is still working and is hindering ComboFix and that is why it shut down during the “Fix”.

    Let’s make sure McAfee is disabled:

    Go to > Start > Run and type services.msc in the box then click OK

    In the list of Services, scroll down and locate each of the following services, one at a time:

    McAfee Framework Service

    Network Associates McShield

    Network Associates Task Manager


    Click on the service and a window will open.
    Click the Stop button.
    In the drop down box for Startup type: select disable
    Click the Apply button and repeat for each of the above listed Services.




    Now let’s un-install ComboFix and download a fresh copy, it may have been corrupted.

    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U; it needs to be there.


    [image: the Run box with "Combofix /u" typed in]


    The above procedure will:
    • Delete ComboFix and its associated files and folders.
    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide System/Hidden files, if required.
    • Reset System Restore.


    Now Download ComboFix from Here
    Do not run it yet.

    Before running ComboFix again, let’s see if we can remove some of the Trojans by running SDFix. That way, combofix won’t have so much to remove.


    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to the drive that contains the Windows Directory, typically C:\SDFix

    Please then reboot your computer in Safe Mode by doing the following :

    • Restart your computer

    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

    • Instead of Windows loading as normal, the Advanced Options Menu should appear;

    • Select the first option, to run Windows in Safe Mode, then press Enter.

    • Choose your usual account.

    • Open the extracted SDFix folder and double click RunThis.bat to start the script.

    • Type Y to begin the cleanup process.

    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.

    • Press any Key and it will restart the PC.

    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).

    • Finally paste the contents of the Report.txt back on the forum with a new Hijack This log



    2OG
     
  17. laynegray

    laynegray Member

    2OG-

    Thank you for following up! By the time I got home from work last night, I didn't have the heart to try anything. I may have a chance to run home at lunch (somewhere between 1100-1300HRS CT) to try the latest instructions. Otherwise, I'll have to try again this evening. I'll post the requested information.

    Thanks again,
    Layne
     
  18. 2oldGeek

    2oldGeek Active member

    Just take your time and we'll get it correct. ;)
     
  19. laynegray

    laynegray Member

    2OG-

    Here is the SDFix Report.txt:

    SDFix: Version 1.219
    Run by Owner on 2008-08-27 at 20:41

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix

    Checking Services :


    Restoring Default Security Values
    Restoring Default Hosts File
    Restoring Default Desktop Wallpaper

    Rebooting


    Checking Files :

    Trojan Files Found:

    C:\WINDOWS\system32\phcrw6j0e151.bmp - Deleted





    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-27 21:03:06
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services :




    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"="C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe:*:Disabled:BackWeb-137903"
    "c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"="C:\\Program Files\\Yahoo!\\Messenger\\yserver.exe:*:Enabled:Yahoo! FT Server"
    "C:\\WINDOWS\\system32\\mshta.exe"="C:\\WINDOWS\\system32\\mshta.exe:*:Enabled:Microsoft (R) HTML Application host"
    "C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"="C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe:*:Enabled:HP Software Update Client"
    "C:\\WINDOWS\\system32\\fxsclnt.exe"="C:\\WINDOWS\\system32\\fxsclnt.exe:*:Enabled:Microsoft Fax Console"
    "C:\\Program Files\\Real\\RealOne Player\\realplay.exe"="C:\\Program Files\\Real\\RealOne Player\\realplay.exe:*:Enabled:RealOne Player"
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
    "C:\\WINDOWS\\system32\\ftp.exe"="C:\\WINDOWS\\system32\\ftp.exe:*:Enabled:File Transfer Program"
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
    "C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE:*:Enabled:SAgent4"
    "C:\\Program Files\\Motorola\\Software Update\\msu.exe"="C:\\Program Files\\Motorola\\Software Update\\msu.exe:*:Enabled:msu"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    Remaining Files :


    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes :

    Mon 6 Sep 2004 196 A.SHR --- "C:\BOOT.BAK"
    Wed 28 Sep 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Sat 16 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
    Mon 13 Nov 2006 319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"
    Thu 1 May 2008 30,208 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL1657.tmp"

    Finished!

    Here is my HJT log:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 21:15, on 2008-08-27
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
    C:\Program Files\Comodo\CBOClean\BOCORE.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\2Wire\2PortalMon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
    C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\ralapcjs.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Owner\Desktop\HiJackThis_v2.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
    O3 - Toolbar: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
    O4 - HKLM\..\Run: [BOC-427] C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
    O4 - HKLM\..\Run: [inrhcvw6j0e151] C:\Documents and Settings\Owner\Local Settings\temp\.ttC.tmp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WebCfgInfo] C:\WINDOWS\system32\klqdedqh.exe
    O4 - HKCU\..\Run: [DbDscApl] C:\WINDOWS\system32\fwxszwvk.exe
    O4 - HKCU\..\Run: [SysHlpInfo] C:\WINDOWS\system32\gvupcnot.exe
    O4 - HKCU\..\Run: [aplmonsmart] C:\WINDOWS\system32\delsrmzy.exe
    O4 - HKCU\..\Run: [endsc] C:\WINDOWS\system32\fcpwvkne.exe
    O4 - HKCU\..\Run: [AppUiUtil] C:\WINDOWS\system32\bgvkdcfo.exe
    O4 - HKCU\..\Run: [WebAdm] C:\WINDOWS\system32\ylmnuvwb.exe
    O4 - HKCU\..\Run: [comgen] C:\WINDOWS\system32\ajcjsxst.exe
    O4 - HKCU\..\Run: [ChkWebCmd] C:\WINDOWS\system32\efybqvkz.exe
    O4 - HKCU\..\Run: [DbSet] C:\WINDOWS\system32\pgdctkfw.exe
    O4 - HKCU\..\Run: [SmartDscProc] C:\WINDOWS\system32\ylydypmr.exe
    O4 - HKCU\..\Run: [ensrvapp] C:\WINDOWS\system32\jwnqfgtm.exe
    O4 - HKCU\..\Run: [admapl] C:\WINDOWS\system32\ralapcjs.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: AutorunsDisabled
    O9 - Extra button: (no name) - AutorunsDisabled - (no file)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
    O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173294070000
    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
    O21 - SSODL: WinGenDsc - {01844C71-753F-8CDD-D64C-0A51BE2DFC3D} - C:\Program Files\vnhzchd\WinGenDsc.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
    O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: MySql - Unknown owner - C:/xampp/mysql/bin/mysqld-nt.exe

    --
    End of file - 9186 bytes
     
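As an added example (not part of the thread, and not HijackThis code), the following Python triage pass picks out the kinds of entries 2oldGeek would look for in the log above: O4 Run values that launch from a temp folder, O4 values pointing at random-looking eight-letter executables in system32, and an O21 ShellServiceObjectDelayLoad DLL outside system32. The heuristics are assumptions drawn from this log and give leads for a human to review, not verdicts.

```python
"""Triage HijackThis O4 / O21 entries for the patterns seen in this thread's log.

Added example, not part of the thread or of HijackThis itself. The heuristics
are assumptions drawn from the posted log: they surface entries worth a second
look, they do not declare anything malicious.
"""
import re
from dataclasses import dataclass

# "O4 - HKCU\..\Run: [WebCfgInfo] C:\WINDOWS\system32\klqdedqh.exe"
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# "O21 - SSODL: WinGenDsc - {CLSID} - C:\Program Files\vnhzchd\WinGenDsc.dll (file missing)"
O21_RE = re.compile(
    r'^O21 - SSODL: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - '
    r'(?P<path>.+?)(?P<missing> \(file missing\))?$')
# Eight lowercase letters plus .exe: the shape of every HKCU Run entry in the posted log.
RANDOM_NAME_RE = re.compile(r'^[a-z]{8}\.exe$')
SYSTEM32 = 'c:\\windows\\system32\\'


@dataclass
class Finding:
    line: str
    reason: str


def image_path(cmd: str) -> str:
    """Return the executable path from a Run value, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces, so cut at the first ".exe" followed by whitespace/end.
    m = re.match(r'^(.*?\.exe)(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(' ', 1)[0]


def triage(log_text: str) -> list:
    """Scan a HijackThis log and return the entries that deserve a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            low = image_path(m.group('cmd')).lower()
            base = low.rsplit('\\', 1)[-1]
            if '\\temp\\' in low:
                findings.append(Finding(line, 'autostart runs from a temp directory'))
            elif low.startswith(SYSTEM32) and RANDOM_NAME_RE.match(base):
                findings.append(Finding(line, 'random-looking eight-letter name in system32'))
            continue
        m = O21_RE.match(line)
        if m and (m.group('missing') or not m.group('path').lower().startswith(SYSTEM32)):
            findings.append(Finding(line, 'ShellServiceObjectDelayLoad DLL outside system32'
                                    + (' (file missing)' if m.group('missing') else '')))
    return findings


# Lines copied from the HijackThis log posted above, with a couple of clean entries for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [inrhcvw6j0e151] C:\Documents and Settings\Owner\Local Settings\temp\.ttC.tmp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WebCfgInfo] C:\WINDOWS\system32\klqdedqh.exe
O4 - HKCU\..\Run: [admapl] C:\WINDOWS\system32\ralapcjs.exe
O4 - Startup: PowerReg Scheduler V3.exe
O21 - SSODL: WinGenDsc - {01844C71-753F-8CDD-D64C-0A51BE2DFC3D} - C:\Program Files\vnhzchd\WinGenDsc.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
"""

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.reason}: {f.line}')
```

Running it against the full log would also list the other eleven HKCU Run entries, since each matches the eight-letter pattern.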
  20. 2oldGeek

    2oldGeek Active member

    @laynegray,

    OK, that didn't get as much as I expected it to...

    Now, please run ComboFix and post the Log..

    2OG
     