Ok. There is *NO* record of this anywhere on the net that I have found. I fear I'm one of the first victims.

Today I came back from a 4 day business trip and got an unfamiliar window when I started my machine up. It looks very similar to an official Microsoft window with a blue background and white lettering. I tried control-alt-deleting into Task Manager only to find it had been "disabled by your administrator." Here is a transcript of everything:

"Microsoft piracy control.

Your copy of Windows was activated by another user.

To help reduce software piracy, please re-activate your copy of Windows now.

We will ask for you(sic) billing details, but your credit card will NOT be charged.

You must activate Windows before you can continue to use it.

Microsoft is committed to your privacy. For more information, www.microsoft.com/piracy (note: link does not work)

Do you want to activate Windows now?

() Yes, activate Windows over the Internet now
() No, I will do it later

To continue, click Next"

When you click next, it brings you to the next step:

"Activation of Windows.

Just 3 steps and you're done...

Step 1: [Select your location]

Step 2: Enter your contact information

Email [ ] Phone number [ ]

Step 3: Enter your billing information

Name on card: [ ]

Credit card number: [ ]

ATM PIN: [ ]

Important: your card will NOT be charged

Expiry date [Select Month] [Year]

CW2 code [ ]

To aid in the prevention of fraudulent credit
card use, we now require the 3 or 4 digit
code on the back of your credit card.

To continue, click Next."

Any ideas? I'm new to this "get a virus, go online and get help" thing, so I'm not really sure where to start. I could probably be better about using firewalls and the like... they seem to always mess up my ability to share files so I disable them. I know...stupid. So there you have it. Any and all help is greatly appreciated.

Thanks,

-Dave

Some quizs ...

1. Before you left, the PC was working well, right?

2. Did anyone have access to the PC during your absence?

In any case what you described above certainly isn't from M$. It's a scam, a ransomware. I would be very suspicious because it ask for your billing info, etc. M$ or any other legitimnate business does not do that.

i_XpUser

Please post a Hijack This log so that the files associated with the virus/spyware/hijacker can be identified.

Please download HJTsetup.exe from this link http://www.thespykiller.co.uk/files/HJTsetup.exe to your desktop.
Doubleclick on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click "next" in the setup dialogue boxes until you get to the "Select Addition Tasks" dialogue.
Put a check by "Create a desktop icon" then click "Next" again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click "Finish" and it will launch Hijack This.
Click on the "Do a system scan and save a logfile" button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log and post it in this thread.

Do not fix anything yet unless you know what you are doing. This is a powerful tool that can crash the computer if used improperly.

here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 9:28:51 PM, on 4/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {17BF8265-182C-ACC7-E148-035E7812F862} - C:\WINDOWS\system32\nxyrckn.dll
O2 - BHO: (no name) - {1AF171AE-BF57-16F1-1E98-029E0A637B4B} - C:\WINDOWS\system32\pszcksc.dll
O2 - BHO: (no name) - {306FD9C9-02FA-E96B-FB4D-03BEF7248387} - C:\WINDOWS\system32\rnuubyh.dll (file missing)
O2 - BHO: (no name) - {3370977D-04C5-6609-1400-05E9A107769D} - C:\WINDOWS\system32\niyjzml.dll
O2 - BHO: (no name) - {35359AF1-776B-187A-704D-051A47AE3CA3} - C:\WINDOWS\system32\sabpcni.dll
O2 - BHO: (no name) - {36A03F58-048D-0CED-EF99-00E7BD51FE79} - C:\WINDOWS\system32\czpqitl.dll
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O2 - BHO: (no name) - {51F398D1-B5CD-F473-7F9F-0B7FD54B87AE} - C:\WINDOWS\system32\sofzadm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54B28AA4-61C6-0044-6293-003D3FF07768} - C:\WINDOWS\system32\livtmng.dll
O2 - BHO: (no name) - {57CD3B52-F85B-912E-E029-0324EF8E1CE9} - C:\WINDOWS\system32\btxcrth.dll
O2 - BHO: (no name) - {57D29FA1-1D44-7FE5-3D6D-0488299A898F} - C:\WINDOWS\system32\yqnlgpn.dll
O2 - BHO: (no name) - {71AB6E1D-F6BC-0FEE-C637-0169C8856252} - C:\WINDOWS\system32\bwuppni.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Miramar Systems, Inc.] C:\Program Files\Miramar\PC MACLAN\atmsg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MacLicense] "C:\Program Files\MacOpener\MacLic.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\per.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [SysTray] C:\Program Files\syeqpqq.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Iomega ImIconXP] C:\Program Files\Iomega\REV System Software\imiconxp.exe
O4 - HKLM\..\Run: [hmijrxm.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\hmijrxm.dll,lqyndxd
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [XeroxRegistation] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Xerox\EReg\opbreg.exe" /Startup
O4 - HKLM\..\Run: [sgepkl.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\sgepkl.dll,ouyasdg
O4 - HKLM\..\Run: [nprwxpd.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\nprwxpd.dll,xtblzo
O4 - HKLM\..\Run: [ylyiasi.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ylyiasi.dll,tpzzoqd
O4 - HKLM\..\Run: [yvfskwc.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\yvfskwc.dll,kakuvjb
O4 - HKLM\..\Run: [idarlmi.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\idarlmi.dll,kxtabbb
O4 - HKLM\..\Run: [yvizyre.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\yvizyre.dll,fpspspf
O4 - HKLM\..\Run: [rfrucym.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rfrucym.dll,rjlphze
O4 - HKLM\..\Run: [bsofrfk.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\bsofrfk.dll,jcczond
O4 - HKLM\..\Run: [ayuulpl.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ayuulpl.dll,myniube
O4 - HKLM\..\Run: [tteootl.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\tteootl.dll,nuoyan
O4 - HKLM\..\Run: [soft2] C:\WINDOWS\86529671.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Locate32 Autorun.lnk = ?
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: MacName.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/active...
O21 - SSODL: nrczwhAHVgZ - {D4B4C901-7E1E-63AB-F574-E4D2B3F06752} - C:\WINDOWS\system32\fcfe.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AppleTalk Messenger (ATMsg) - Miramar Systems Inc. - C:\Program Files\Miramar\PC MACLAN\ATMsg.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MacFormatService - Unknown owner - C:\Program Files\MacOpener\FORMATM.EXE" /SERVICE (file missing)
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Maya 6.5 Documentation Server (maya65docserver) - Unknown owner - C:\Program Files\Alias\Maya6.5\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya6.5\docs\Wrapper.conf (file missing)
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: Miramar AppleTalk File Server - Miramar Systems Inc. - C:\Program Files\Miramar\PC MACLAN\ATSERVER.EXE
O23 - Service: Miramar AppleTalk Print Server - Miramar Systems Inc. - C:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RevUDFService - Iomega Corp - C:\Program Files\Iomega\REV System Software\RevUDF.exe

--

thanks,

-dp-

we need both of these scans.

Please download VundoFix.exe to your C:\.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Post the log located at C:Vundofix.txt.

Please download ComboFix to the desktop from this link:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)

Please post the log it produces.

Ok. Vundo stuff:

--

VundoFix V6.3.20

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 10:44:42 PM 4/26/2007

Listing files found while scanning....

C:\WINDOWS\system32\hmijrxm.dll
C:\WINDOWS\system32\yqnlgpn.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\hmijrxm.dll
C:\WINDOWS\system32\hmijrxm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yqnlgpn.dll
C:\WINDOWS\system32\yqnlgpn.dll Has been deleted!

Performing Repairs to the registry.
Done!

--

and now Combo:

--

"Administrator" - 07-04-26 22:54:44 Service Pack 2 [SAFE MODE]
ComboFix 07-04-25.4V - Running from: "C:\Program Files\Mozilla Firefox\"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\1079859.exe
C:\WINDOWS\82916203.exe
C:\WINDOWS\84128093.exe
C:\WINDOWS\85329062.exe
C:\WINDOWS\86529671.exe
C:\WINDOWS\87730312.exe
C:\WINDOWS\88930937.exe
C:\WINDOWS\90131562.exe
C:\WINDOWS\91332171.exe
C:\WINDOWS\92532796.exe
C:\WINDOWS\93733421.exe
C:\WINDOWS\94934046.exe
C:\WINDOWS\96134671.exe
C:\DOCUME~1\ADMINI~1\APPLIC~1\Microsoft\classes.dat
C:\WINDOWS\system32\imas3r
C:\uniq

((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\nm

((((((((((((((((((((((((((((((( Files Created from 2007-03-26 to 2007-04-26 ))))))))))))))))))))))))))))))))))

2007-04-26 22:44 <DIR> d-------- C:\VundoFix Backups
2007-04-26 19:11 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-24 15:11 3,072 --a------ C:\DOCUME~1\ADMINI~1\keylog.dll
2007-04-05 14:12 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-04-05 14:11 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-04-05 14:11 <DIR> d-------- C:\442509097ff6a2439b00f9a4b2
2007-04-05 11:39 <DIR> d-------- C:\spoolerlogs
2007-03-28 18:03 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Juniper Networks
2007-03-28 18:02 <DIR> d-------- C:\Program Files\Juniper Networks
2007-03-28 18:02 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Juniper Networks
2007-03-27 10:05 87,552 --a------ C:\WINDOWS\system32\tteootl.dll
2007-03-27 10:05 64,000 --a------ C:\WINDOWS\system32\nxyrckn.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-03 10:27 73 --a------ C:\WINDOWS\system32\ssprs.dll
2007-04-03 10:27 205 --a------ C:\WINDOWS\system32\lsprst7.dll
2007-03-17 09:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-16 11:42 -------- d-------- C:\Program Files\mixmeister bpm analyzer
2007-03-08 11:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 11:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 11:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 09:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-02-06 13:20 71680 --a------ C:\WINDOWS\system32\niyjzml.dll
2007-02-06 13:20 58880 --a------ C:\WINDOWS\system32\ayuulpl.dll
2007-02-06 08:58 71680 --a------ C:\WINDOWS\system32\livtmng.dll
2007-02-06 08:58 58880 --a------ C:\WINDOWS\system32\bsofrfk.dll
2007-02-05 16:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll
2007-02-05 09:53 71680 --a------ C:\WINDOWS\system32\czpqitl.dll
2007-02-05 09:53 58880 --a------ C:\WINDOWS\system32\rfrucym.dll
2007-02-02 17:06 71168 --a------ C:\WINDOWS\system32\sabpcni.dll
2007-02-02 17:06 58880 --a------ C:\WINDOWS\system32\yvizyre.dll
2007-02-02 14:37 71168 --a------ C:\WINDOWS\system32\pszcksc.dll
2007-02-02 14:37 58368 --a------ C:\WINDOWS\system32\yvfskwc.dll
2007-02-02 09:44 71680 --a------ C:\WINDOWS\system32\btxcrth.dll
2007-02-02 09:44 58880 --a------ C:\WINDOWS\system32\ylyiasi.dll
2007-02-01 18:05 70656 --a------ C:\WINDOWS\system32\sofzadm.dll
2007-02-01 18:05 58368 --a------ C:\WINDOWS\system32\nprwxpd.dll
2007-02-01 10:22 54272 --a------ C:\WINDOWS\system32\tmpwisc1.exe
2007-02-01 10:01 71168 --a------ C:\WINDOWS\system32\bwuppni.dll
2007-02-01 10:01 58880 --a------ C:\WINDOWS\system32\sgepkl.dll
2007-01-31 10:43 96256 --a------ C:\WINDOWS\system32\ucpphxd.dll
2007-01-30 12:22 96256 --a------ C:\WINDOWS\system32\xqahirf.dll
2007-01-29 15:15 96256 --a------ C:\WINDOWS\system32\gctydyh.dll
2007-01-29 10:31 96256 --a------ C:\WINDOWS\system32\gmsmujj.dll
2007-01-26 15:55 95744 --a------ C:\WINDOWS\system32\kmkcmkm.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{17BF8265-182C-ACC7-E148-035E7812F862} C:\WINDOWS\system32\nxyrckn.dll
{1AF171AE-BF57-16F1-1E98-029E0A637B4B} C:\WINDOWS\system32\pszcksc.dll
{306FD9C9-02FA-E96B-FB4D-03BEF7248387} C:\WINDOWS\system32\rnuubyh.dll [x]
{3370977D-04C5-6609-1400-05E9A107769D} C:\WINDOWS\system32\niyjzml.dll
{35359AF1-776B-187A-704D-051A47AE3CA3} C:\WINDOWS\system32\sabpcni.dll
{36A03F58-048D-0CED-EF99-00E7BD51FE79} C:\WINDOWS\system32\czpqitl.dll
{45AD732C-2CE2-4666-B366-B2214AD57A49} C:\Program Files\Desktop Sidebar\sbhelp.dll
{51F398D1-B5CD-F473-7F9F-0B7FD54B87AE} C:\WINDOWS\system32\sofzadm.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{54B28AA4-61C6-0044-6293-003D3FF07768} C:\WINDOWS\system32\livtmng.dll
{57CD3B52-F85B-912E-E029-0324EF8E1CE9} C:\WINDOWS\system32\btxcrth.dll
{57D29FA1-1D44-7FE5-3D6D-0488299A898F} C:\WINDOWS\system32\yqnlgpn.dll [x]
{71AB6E1D-F6BC-0FEE-C637-0169C8856252} C:\WINDOWS\system32\bwuppni.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
{AE7CD045-E861-484f-8273-0445EE161910} C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NVRaidService"="C:\\WINDOWS\\system32\\nvraidservice.exe"
"NVMixerTray"="\"C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"Miramar Systems, Inc."="C:\\Program Files\\Miramar\\PC MACLAN\\atmsg.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"MacLicense"="\"C:\\Program Files\\MacOpener\\MacLic.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ControlPanel"="C:\\WINDOWS\\system32\\per.exe internat.dll,LoadKeyboardProfile"
"SysTray"="C:\\Program Files\\syeqpqq.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
@=""
"Iomega ImIconXP"="C:\\Program Files\\Iomega\\REV System Software\\imiconxp.exe"
"hmijrxm.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\hmijrxm.dll,lqyndxd"
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"sgepkl.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\sgepkl.dll,ouyasdg"
"nprwxpd.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\nprwxpd.dll,xtblzo"
"ylyiasi.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\ylyiasi.dll,tpzzoqd"
"yvfskwc.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\yvfskwc.dll,kakuvjb"
"idarlmi.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\idarlmi.dll,kxtabbb"
"yvizyre.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\yvizyre.dll,fpspspf"
"rfrucym.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\rfrucym.dll,rjlphze"
"bsofrfk.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\bsofrfk.dll,jcczond"
"ayuulpl.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\ayuulpl.dll,myniube"
"tteootl.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\tteootl.dll,nuoyan"
"soft2"="C:\\WINDOWS\\86529671.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=dword:00000000
"NoThemesTab"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"nrczwhAHVgZ"="{D4B4C901-7E1E-63AB-F574-E4D2B3F06752}"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20060602-095322-978
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
backup-20060602-095322-247
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-26 22:59:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-26 22:59:14
C:\ComboFix-quarantined-files.txt ... 07-04-26 22:59

--

and here's the contents of "ComboFix-quarantined-files.txt":

--

[code]
06-06-02 11:03 0 --a------ C:\Qoobox\Quarantine\C\uniq.vir
06-06-02 11:10 0 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ImaS3r.vir
06-06-02 15:59 24453 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\ADMINI~1\APPLIC~1\Microsoft\classes.dat.vir
06-10-29 00:03 0 --a------ C:\Qoobox\Quarantine\C\WINDOWS\1079859.exe.vir
07-04-24 15:11 962048 --a------ C:\Qoobox\Quarantine\C\WINDOWS\82916203.exe.vir
07-04-24 15:31 1536 --a------ C:\Qoobox\Quarantine\C\WINDOWS\84128093.exe.vir
07-04-24 15:51 1536 --a------ C:\Qoobox\Quarantine\C\WINDOWS\85329062.exe.vir
07-04-24 16:11 962048 --a------ C:\Qoobox\Quarantine\C\WINDOWS\86529671.exe.vir
07-04-24 16:31 1536 --a------ C:\Qoobox\Quarantine\C\WINDOWS\87730312.exe.vir
07-04-24 16:51 1536 --a------ C:\Qoobox\Quarantine\C\WINDOWS\88930937.exe.vir
07-04-24 17:11 1536 --a------ C:\Qoobox\Quarantine\C\WINDOWS\90131562.exe.vir
07-04-24 17:31 1536 --a------ C:\Qoobox\Quarantine\C\WINDOWS\91332171.exe.vir
07-04-24 17:51 1536 --a------ C:\Qoobox\Quarantine\C\WINDOWS\92532796.exe.vir
07-04-24 18:11 1536 --a------ C:\Qoobox\Quarantine\C\WINDOWS\93733421.exe.vir
07-04-24 18:31 1536 --a------ C:\Qoobox\Quarantine\C\WINDOWS\94934046.exe.vir
07-04-24 18:52 1536 --a------ C:\Qoobox\Quarantine\C\WINDOWS\96134671.exe.vir
07-04-26 22:58 360 --a------ C:\Qoobox\Quarantine\Registry_backups\services_nm.reg.cf

Folder PATH listing
Volume serial number is D4B4-C900
C:\QOOBOX
\---Quarantine
+---C
| | uniq.vir
| |
| +---DOCUME~1
| | \---ADMINI~1
| | \---APPLIC~1
| | \---Microsoft
| | classes.dat.vir
| |
| \---WINDOWS
| | 1079859.exe.vir
| | 82916203.exe.vir
| | 84128093.exe.vir
| | 85329062.exe.vir
| | 86529671.exe.vir
| | 87730312.exe.vir
| | 88930937.exe.vir
| | 90131562.exe.vir
| | 91332171.exe.vir
| | 92532796.exe.vir
| | 93733421.exe.vir
| | 94934046.exe.vir
| | 96134671.exe.vir
| |
| \---system32
| ImaS3r.vir
|
\---Registry_backups
services_nm.reg.cf

[/code]

--

Hopefully we are getting somewhere... thanks for all your help, jabuck.

-dp-

If for some reason Avenger will not process all the files, delete half of them then delete the second half.

Please download “Avenger” by swandog46 to your desktop from this link http://swandog46.geekstogo.com/avenger.zip

1. Click on Avenger.zip to open the file
Extract avenger.exe to your desktop

2. Copy all the text contained in the area between the X"s below to your Clipboard by highlighting it and pressing (Ctrl+C):
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Files to delete:
C:\Documents and Settings\Administrator\keylog.dll
C:\WINDOWS\system32\tteootl.dll
C:\WINDOWS\system32\nxyrckn.dll
C:\WINDOWS\system32\pszcksc.dll
C:\WINDOWS\system32\rnuubyh.dll
C:\WINDOWS\system32\niyjzml.dll
C:\WINDOWS\system32\sabpcni.dll
C:\WINDOWS\system32\czpqitl.dll
C:\WINDOWS\system32\sofzadm.dll
C:\WINDOWS\system32\livtmng.dll
C:\WINDOWS\system32\btxcrth.dll
C:\WINDOWS\system32\yqnlgpn.dll
C:\WINDOWS\system32\bwuppni.dll
C:\WINDOWS\system32\per.exe
C:\WINDOWS\system32\internat.dll
C:\Program Files\syeqpqq.exe
C:\WINDOWS\system32\lqyndxd.dll
C:\WINDOWS\system32\hmijrxm.dll
C:\WINDOWS\system32\ouyasdg.dll
C:\WINDOWS\system32\sgepkl.dll
C:\WINDOWS\system32\xtblzo.dll
C:\WINDOWS\system32\nprwxpd.dll
C:\WINDOWS\system32\tpzzoqd.dll
C:\WINDOWS\system32\ylyiasi.dll
C:\WINDOWS\system32\kakuvjb.dll
C:\WINDOWS\system32\yvfskwc.dll
C:\WINDOWS\system32\kxtabbb.dll
C:\WINDOWS\system32\idarlmi.dll
C:\WINDOWS\system32\fpspspf.dll
C:\WINDOWS\system32\yvizyre.dll
C:\WINDOWS\system32\rjlphze.dll
C:\WINDOWS\system32\rfrucym.dll
C:\WINDOWS\system32\jcczond.dll
C:\WINDOWS\system32\bsofrfk.dll
C:\WINDOWS\system32\myniube.dll
C:\WINDOWS\system32\ayuulpl.dll
C:\WINDOWS\system32\nuoyan.dll
C:\WINDOWS\86529671.exe
C:\WINDOWS\system32\fcfe.dll
C:\WINDOWS\system32\ucpphxd.dll
C:\WINDOWS\system32\xqahirf.dll
C:\WINDOWS\system32\gctydyh.dll
C:\WINDOWS\system32\gmsmujj.dll
C:\WINDOWS\system32\kmkcmkm.dll

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply and post a new Hijack This log.

navigate to and delete these folders:

C:\Qoobox

C:\442509097ff6a2439b00f9a4b2

post a new combofix log please.

Hello,daveparm.I think you met Trojan.Kardphisher(Symantec).The following file is dropped by this trojan.
"C:\Documents and Settings\Administrator\keylog.dll"
More details,you can visit: http://www.symantec.com/enterprise/...

Blog:http://enblog.cisrt.org
E-mail:kinghe@walla.com

kinghe,

Excellent find! So it all began when one clicked on a hyperlink in e-mail! By clicking on a hyperlink you allowed the Trojan to infect the machine.

This is a lesson that no one should ever open e-mail from strangers and more importantly never click on hyperlinks.

i_XpUser

kinghe: great find. thanks for the link.

XpUser: I had meant to reply to your post earlier.. I dont think anyone jumped on my machine while I was gone, but I've definitely been having dificulties lately. I kinda figured something screwy was happening with my machine (I was getting BSODs daily) but I never had time to fix it...just kinda lived with it. Stupid, I know.

jabuck: here are the latest logfiles:

avenger stuff:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\uxcwrnqc

*******************

Script file located at: \??\C:\WINDOWS\system32\qnebw^hg.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\Documents and Settings\Administrator\keylog.dll deleted successfully.
File C:\WINDOWS\system32\tteootl.dll deleted successfully.
File C:\WINDOWS\system32\nxyrckn.dll deleted successfully.
File C:\WINDOWS\system32\pszcksc.dll deleted successfully.

File C:\WINDOWS\system32\rnuubyh.dll not found!
Deletion of file C:\WINDOWS\system32\rnuubyh.dll failed!

Could not process line:
C:\WINDOWS\system32\rnuubyh.dll
Status: 0xc0000034

File C:\WINDOWS\system32\niyjzml.dll deleted successfully.
File C:\WINDOWS\system32\sabpcni.dll deleted successfully.
File C:\WINDOWS\system32\czpqitl.dll deleted successfully.
File C:\WINDOWS\system32\sofzadm.dll deleted successfully.
File C:\WINDOWS\system32\livtmng.dll deleted successfully.
File C:\WINDOWS\system32\btxcrth.dll deleted successfully.

File C:\WINDOWS\system32\yqnlgpn.dll not found!
Deletion of file C:\WINDOWS\system32\yqnlgpn.dll failed!

Could not process line:
C:\WINDOWS\system32\yqnlgpn.dll
Status: 0xc0000034

File C:\WINDOWS\system32\bwuppni.dll deleted successfully.

File C:\WINDOWS\system32\per.exe not found!
Deletion of file C:\WINDOWS\system32\per.exe failed!

Could not process line:
C:\WINDOWS\system32\per.exe
Status: 0xc0000034

File C:\WINDOWS\system32\internat.dll not found!
Deletion of file C:\WINDOWS\system32\internat.dll failed!

Could not process line:
C:\WINDOWS\system32\internat.dll
Status: 0xc0000034

File C:\Program Files\syeqpqq.exe not found!
Deletion of file C:\Program Files\syeqpqq.exe failed!

Could not process line:
C:\Program Files\syeqpqq.exe
Status: 0xc0000034

File C:\WINDOWS\system32\lqyndxd.dll not found!
Deletion of file C:\WINDOWS\system32\lqyndxd.dll failed!

Could not process line:
C:\WINDOWS\system32\lqyndxd.dll
Status: 0xc0000034

File C:\WINDOWS\system32\hmijrxm.dll not found!
Deletion of file C:\WINDOWS\system32\hmijrxm.dll failed!

Could not process line:
C:\WINDOWS\system32\hmijrxm.dll
Status: 0xc0000034

File C:\WINDOWS\system32\ouyasdg.dll not found!
Deletion of file C:\WINDOWS\system32\ouyasdg.dll failed!

Could not process line:
C:\WINDOWS\system32\ouyasdg.dll
Status: 0xc0000034

File C:\WINDOWS\system32\sgepkl.dll deleted successfully.

File C:\WINDOWS\system32\xtblzo.dll not found!
Deletion of file C:\WINDOWS\system32\xtblzo.dll failed!

Could not process line:
C:\WINDOWS\system32\xtblzo.dll
Status: 0xc0000034

File C:\WINDOWS\system32\nprwxpd.dll deleted successfully.

File C:\WINDOWS\system32\tpzzoqd.dll not found!
Deletion of file C:\WINDOWS\system32\tpzzoqd.dll failed!

Could not process line:
C:\WINDOWS\system32\tpzzoqd.dll
Status: 0xc0000034

File C:\WINDOWS\system32\ylyiasi.dll deleted successfully.

File C:\WINDOWS\system32\kakuvjb.dll not found!
Deletion of file C:\WINDOWS\system32\kakuvjb.dll failed!

Could not process line:
C:\WINDOWS\system32\kakuvjb.dll
Status: 0xc0000034

File C:\WINDOWS\system32\yvfskwc.dll deleted successfully.

File C:\WINDOWS\system32\kxtabbb.dll not found!
Deletion of file C:\WINDOWS\system32\kxtabbb.dll failed!

Could not process line:
C:\WINDOWS\system32\kxtabbb.dll
Status: 0xc0000034

File C:\WINDOWS\system32\idarlmi.dll not found!
Deletion of file C:\WINDOWS\system32\idarlmi.dll failed!

Could not process line:
C:\WINDOWS\system32\idarlmi.dll
Status: 0xc0000034

File C:\WINDOWS\system32\fpspspf.dll not found!
Deletion of file C:\WINDOWS\system32\fpspspf.dll failed!

Could not process line:
C:\WINDOWS\system32\fpspspf.dll
Status: 0xc0000034

File C:\WINDOWS\system32\yvizyre.dll deleted successfully.

File C:\WINDOWS\system32\rjlphze.dll not found!
Deletion of file C:\WINDOWS\system32\rjlphze.dll failed!

Could not process line:
C:\WINDOWS\system32\rjlphze.dll
Status: 0xc0000034

File C:\WINDOWS\system32\rfrucym.dll deleted successfully.

File C:\WINDOWS\system32\jcczond.dll not found!
Deletion of file C:\WINDOWS\system32\jcczond.dll failed!

Could not process line:
C:\WINDOWS\system32\jcczond.dll
Status: 0xc0000034

File C:\WINDOWS\system32\bsofrfk.dll deleted successfully.

File C:\WINDOWS\system32\myniube.dll not found!
Deletion of file C:\WINDOWS\system32\myniube.dll failed!

Could not process line:
C:\WINDOWS\system32\myniube.dll
Status: 0xc0000034

File C:\WINDOWS\system32\ayuulpl.dll deleted successfully.

File C:\WINDOWS\system32\nuoyan.dll not found!
Deletion of file C:\WINDOWS\system32\nuoyan.dll failed!

Could not process line:
C:\WINDOWS\system32\nuoyan.dll
Status: 0xc0000034

File C:\WINDOWS\86529671.exe not found!
Deletion of file C:\WINDOWS\86529671.exe failed!

Could not process line:
C:\WINDOWS\86529671.exe
Status: 0xc0000034

File C:\WINDOWS\system32\fcfe.dll not found!
Deletion of file C:\WINDOWS\system32\fcfe.dll failed!

Could not process line:
C:\WINDOWS\system32\fcfe.dll
Status: 0xc0000034

File C:\WINDOWS\system32\ucpphxd.dll deleted successfully.
File C:\WINDOWS\system32\xqahirf.dll deleted successfully.
File C:\WINDOWS\system32\gctydyh.dll deleted successfully.
File C:\WINDOWS\system32\gmsmujj.dll deleted successfully.
File C:\WINDOWS\system32\kmkcmkm.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

--

here's the hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:18:51 AM, on 4/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Miramar\PC MACLAN\ATMsg.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\MacOpener\FORMATM.EXE
C:\Program Files\Alias\Maya6.5\docs\wrapper.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Miramar\PC MACLAN\ATSERVER.EXE
C:\Program Files\Alias\Maya6.5\docs\jre\bin\java.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Iomega\REV System Software\RevUDF.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Iomega\REV System Software\imiconxp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\MacOpener\MacName.exe
C:\Program Files\Locate\Locate32.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {17BF8265-182C-ACC7-E148-035E7812F862} - C:\WINDOWS\system32\nxyrckn.dll (file missing)
O2 - BHO: (no name) - {1AF171AE-BF57-16F1-1E98-029E0A637B4B} - C:\WINDOWS\system32\pszcksc.dll (file missing)
O2 - BHO: (no name) - {306FD9C9-02FA-E96B-FB4D-03BEF7248387} - C:\WINDOWS\system32\rnuubyh.dll (file missing)
O2 - BHO: (no name) - {3370977D-04C5-6609-1400-05E9A107769D} - C:\WINDOWS\system32\niyjzml.dll (file missing)
O2 - BHO: (no name) - {35359AF1-776B-187A-704D-051A47AE3CA3} - C:\WINDOWS\system32\sabpcni.dll (file missing)
O2 - BHO: (no name) - {36A03F58-048D-0CED-EF99-00E7BD51FE79} - C:\WINDOWS\system32\czpqitl.dll (file missing)
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O2 - BHO: (no name) - {51F398D1-B5CD-F473-7F9F-0B7FD54B87AE} - C:\WINDOWS\system32\sofzadm.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54B28AA4-61C6-0044-6293-003D3FF07768} - C:\WINDOWS\system32\livtmng.dll (file missing)
O2 - BHO: (no name) - {57CD3B52-F85B-912E-E029-0324EF8E1CE9} - C:\WINDOWS\system32\btxcrth.dll (file missing)
O2 - BHO: (no name) - {57D29FA1-1D44-7FE5-3D6D-0488299A898F} - C:\WINDOWS\system32\yqnlgpn.dll (file missing)
O2 - BHO: (no name) - {71AB6E1D-F6BC-0FEE-C637-0169C8856252} - C:\WINDOWS\system32\bwuppni.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Miramar Systems, Inc.] C:\Program Files\Miramar\PC MACLAN\atmsg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MacLicense] "C:\Program Files\MacOpener\MacLic.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\per.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [SysTray] C:\Program Files\syeqpqq.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Iomega ImIconXP] C:\Program Files\Iomega\REV System Software\imiconxp.exe
O4 - HKLM\..\Run: [hmijrxm.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\hmijrxm.dll,lqyndxd
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [sgepkl.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\sgepkl.dll,ouyasdg
O4 - HKLM\..\Run: [nprwxpd.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\nprwxpd.dll,xtblzo
O4 - HKLM\..\Run: [ylyiasi.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ylyiasi.dll,tpzzoqd
O4 - HKLM\..\Run: [yvfskwc.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\yvfskwc.dll,kakuvjb
O4 - HKLM\..\Run: [idarlmi.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\idarlmi.dll,kxtabbb
O4 - HKLM\..\Run: [yvizyre.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\yvizyre.dll,fpspspf
O4 - HKLM\..\Run: [rfrucym.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rfrucym.dll,rjlphze
O4 - HKLM\..\Run: [bsofrfk.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\bsofrfk.dll,jcczond
O4 - HKLM\..\Run: [ayuulpl.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ayuulpl.dll,myniube
O4 - HKLM\..\Run: [tteootl.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\tteootl.dll,nuoyan
O4 - HKLM\..\Run: [soft2] C:\WINDOWS\86529671.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Locate32 Autorun.lnk = ?
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: MacName.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/active...
O21 - SSODL: nrczwhAHVgZ - {D4B4C901-7E1E-63AB-F574-E4D2B3F06752} - C:\WINDOWS\system32\fcfe.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AppleTalk Messenger (ATMsg) - Miramar Systems Inc. - C:\Program Files\Miramar\PC MACLAN\ATMsg.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MacFormatService - Unknown owner - C:\Program Files\MacOpener\FORMATM.EXE" /SERVICE (file missing)
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Maya 6.5 Documentation Server (maya65docserver) - Unknown owner - C:\Program Files\Alias\Maya6.5\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya6.5\docs\Wrapper.conf (file missing)
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: Miramar AppleTalk File Server - Miramar Systems Inc. - C:\Program Files\Miramar\PC MACLAN\ATSERVER.EXE
O23 - Service: Miramar AppleTalk Print Server - Miramar Systems Inc. - C:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RevUDFService - Iomega Corp - C:\Program Files\Iomega\REV System Software\RevUDF.exe

--

And now the combofix log:

"Administrator" - 07-04-27 9:22:11 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Program Files\Mozilla Firefox\"

((((((((((((((((((((((((((((((( Files Created from 2007-03-27 to 2007-04-27 ))))))))))))))))))))))))))))))))))

2007-04-27 09:13 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Application Data\Juniper Networks
2007-04-27 09:13 <DIR> d-------- C:\avenger
2007-04-26 22:59 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-04-26 22:44 <DIR> d-------- C:\VundoFix Backups
2007-04-26 19:11 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-05 14:12 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-04-05 14:11 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-04-05 11:39 <DIR> d-------- C:\spoolerlogs
2007-03-28 18:03 <DIR> d-------- C:\DOCUME~1\NETWOR~1\Application Data\Juniper Networks
2007-03-28 18:02 <DIR> d-------- C:\Program Files\Juniper Networks
2007-03-28 18:02 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Juniper Networks

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-03 10:27 73 --a------ C:\WINDOWS\system32\ssprs.dll
2007-04-03 10:27 205 --a------ C:\WINDOWS\system32\lsprst7.dll
2007-03-17 09:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-16 11:42 -------- d-------- C:\Program Files\mixmeister bpm analyzer
2007-03-08 11:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 11:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 11:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 09:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-02-05 16:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll
2007-02-01 10:22 54272 --a------ C:\WINDOWS\system32\tmpwisc1.exe

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{17BF8265-182C-ACC7-E148-035E7812F862} C:\WINDOWS\system32\nxyrckn.dll [x]
{1AF171AE-BF57-16F1-1E98-029E0A637B4B} C:\WINDOWS\system32\pszcksc.dll [x]
{306FD9C9-02FA-E96B-FB4D-03BEF7248387} C:\WINDOWS\system32\rnuubyh.dll [x]
{3370977D-04C5-6609-1400-05E9A107769D} C:\WINDOWS\system32\niyjzml.dll [x]
{35359AF1-776B-187A-704D-051A47AE3CA3} C:\WINDOWS\system32\sabpcni.dll [x]
{36A03F58-048D-0CED-EF99-00E7BD51FE79} C:\WINDOWS\system32\czpqitl.dll [x]
{45AD732C-2CE2-4666-B366-B2214AD57A49} C:\Program Files\Desktop Sidebar\sbhelp.dll
{51F398D1-B5CD-F473-7F9F-0B7FD54B87AE} C:\WINDOWS\system32\sofzadm.dll [x]
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{54B28AA4-61C6-0044-6293-003D3FF07768} C:\WINDOWS\system32\livtmng.dll [x]
{57CD3B52-F85B-912E-E029-0324EF8E1CE9} C:\WINDOWS\system32\btxcrth.dll [x]
{57D29FA1-1D44-7FE5-3D6D-0488299A898F} C:\WINDOWS\system32\yqnlgpn.dll [x]
{71AB6E1D-F6BC-0FEE-C637-0169C8856252} C:\WINDOWS\system32\bwuppni.dll [x]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
{AE7CD045-E861-484f-8273-0445EE161910} C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NVRaidService"="C:\\WINDOWS\\system32\\nvraidservice.exe"
"NVMixerTray"="\"C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"Miramar Systems, Inc."="C:\\Program Files\\Miramar\\PC MACLAN\\atmsg.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"MacLicense"="\"C:\\Program Files\\MacOpener\\MacLic.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ControlPanel"="C:\\WINDOWS\\system32\\per.exe internat.dll,LoadKeyboardProfile"
"SysTray"="C:\\Program Files\\syeqpqq.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
@=""
"Iomega ImIconXP"="C:\\Program Files\\Iomega\\REV System Software\\imiconxp.exe"
"hmijrxm.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\hmijrxm.dll,lqyndxd"
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"sgepkl.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\sgepkl.dll,ouyasdg"
"nprwxpd.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\nprwxpd.dll,xtblzo"
"ylyiasi.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\ylyiasi.dll,tpzzoqd"
"yvfskwc.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\yvfskwc.dll,kakuvjb"
"idarlmi.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\idarlmi.dll,kxtabbb"
"yvizyre.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\yvizyre.dll,fpspspf"
"rfrucym.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\rfrucym.dll,rjlphze"
"bsofrfk.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\bsofrfk.dll,jcczond"
"ayuulpl.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\ayuulpl.dll,myniube"
"tteootl.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\tteootl.dll,nuoyan"
"soft2"="C:\\WINDOWS\\86529671.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=dword:00000000
"NoThemesTab"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"nrczwhAHVgZ"="{D4B4C901-7E1E-63AB-F574-E4D2B3F06752}"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-27 09:26:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-27 9:26:36
C:\ComboFix-quarantined-files.txt ... 07-04-27 09:26
C:\ComboFix2.txt ... 07-04-26 22:59

--

here's the combofix quarantine folder...not much to read:

[code]

Folder PATH listing
Volume serial number is D4B4-C900
C:\QOOBOX
\---Quarantine
\---Registry_backups
[/code]

--

OK... do your stuff. Thanks again everyone!

-Dave

Some other observations:

I had been working in safe mode throughout all of the steps except this last one with Avenger. I was able to get into XP without encountering the "Microsoft piracy control" window, but I am now having some odd problems.

I went to use Photoshop CS2 and I got this error:

"An error has been detected with a required application library and the product cannot continue. Please reinstall the application."

So I went to put the DVD-ROM in to reinstall and I crash Explorer every time I try to start the reinstallation process. Along with this, when I try to browse around directories in Windows Explorer it will eventually crash. I need to go to Task Manager > Run and type "Explorer" to get back into the OS.

Also, I had a ton of RunDLL "cannot find file" errors when I started XP.

Should I be working exclusively in safe mode?

Thanks,

-Dave

If you work exclusively in safe mode you will not be able to run high-end applications because only a minimum numbers of drivers are loaded for diagnostic purposes. Hence the name "Safe Mode."

i_XpUser

heh... I wrote that wrong. what I meant to say was "should I be doing all of this troubleshooting exclusively in Safe Mode." Yeah... if I had to wait for the screen to redraw once a second on a regular basis I'd throw myself out the window. ;)

-Dave

I wish I could be more of help. Did you read the Recommendations at the Symantec link? I think you need to do that in order to prevent recurrence of this incident in the future.

i_XpUser

Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ We will need it later in safe mode

Download and install AVG Anti-Spyware We will need this later in safe mode

Be sure to update AVG Anti- Spyware

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Next, please reboot your computer in Safe Mode by doing the following :

Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

Instead of Windows loading as normal, a menu with options should appear;

Select the first option, to run Windows in Safe Mode, then press "Enter".

Choose your usual account.

Run Hijack This from safe mode, close all windows except Hijack This, place a check to the left of the following items and press "fix checked":

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

O2 - BHO: (no name) - {17BF8265-182C-ACC7-E148-035E7812F862} - C:\WINDOWS\system32\nxyrckn.dll (file missing)

O2 - BHO: (no name) - {1AF171AE-BF57-16F1-1E98-029E0A637B4B} - C:\WINDOWS\system32\pszcksc.dll (file missing)

O2 - BHO: (no name) - {306FD9C9-02FA-E96B-FB4D-03BEF7248387} - C:\WINDOWS\system32\rnuubyh.dll (file missing)

O2 - BHO: (no name) - {3370977D-04C5-6609-1400-05E9A107769D} - C:\WINDOWS\system32\niyjzml.dll (file missing)

O2 - BHO: (no name) - {35359AF1-776B-187A-704D-051A47AE3CA3} - C:\WINDOWS\system32\sabpcni.dll (file missing)

O2 - BHO: (no name) - {36A03F58-048D-0CED-EF99-00E7BD51FE79} - C:\WINDOWS\system32\czpqitl.dll (file missing)

O2 - BHO: (no name) - {51F398D1-B5CD-F473-7F9F-0B7FD54B87AE} - C:\WINDOWS\system32\sofzadm.dll (file missing)

O2 - BHO: (no name) - {54B28AA4-61C6-0044-6293-003D3FF07768} - C:\WINDOWS\system32\livtmng.dll (file missing)

O2 - BHO: (no name) - {57CD3B52-F85B-912E-E029-0324EF8E1CE9} - C:\WINDOWS\system32\btxcrth.dll (file missing)

O2 - BHO: (no name) - {57D29FA1-1D44-7FE5-3D6D-0488299A898F} - C:\WINDOWS\system32\yqnlgpn.dll (file missing)

O2 - BHO: (no name) - {71AB6E1D-F6BC-0FEE-C637-0169C8856252} - C:\WINDOWS\system32\bwuppni.dll (file missing)

O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\per.exe internat.dll,LoadKeyboardProfile

O4 - HKLM\..\Run: [SysTray] C:\Program Files\syeqpqq.exe

O4 - HKLM\..\Run: [hmijrxm.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\hmijrxm.dll,lqyndxd

O4 - HKLM\..\Run: [sgepkl.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\sgepkl.dll,ouyasdg

O4 - HKLM\..\Run: [nprwxpd.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\nprwxpd.dll,xtblzo

O4 - HKLM\..\Run: [ylyiasi.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ylyiasi.dll,tpzzoqd

O4 - HKLM\..\Run: [yvfskwc.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\yvfskwc.dll,kakuvjb

O4 - HKLM\..\Run: [idarlmi.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\idarlmi.dll,kxtabbb

O4 - HKLM\..\Run: [yvizyre.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\yvizyre.dll,fpspspf

O4 - HKLM\..\Run: [rfrucym.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rfrucym.dll,rjlphze

O4 - HKLM\..\Run: [bsofrfk.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\bsofrfk.dll,jcczond

O4 - HKLM\..\Run: [ayuulpl.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ayuulpl.dll,myniube

O4 - HKLM\..\Run: [tteootl.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\tteootl.dll,nuoyan

O4 - HKLM\..\Run: [soft2] C:\WINDOWS\86529671.exe

O4 - Startup: Locate32 Autorun.lnk = ?

O21 - SSODL: nrczwhAHVgZ - {D4B4C901-7E1E-63AB-F574-E4D2B3F06752} - C:\WINDOWS\system32\fcfe.dll (file missing)

Exit Hijack This but remain in safe mode.

Run ATF-Cleaner from safe mode.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

In Safe Mode, run AVG Anti-spyware and click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.

AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.

Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).

Please post the Avg AntiSpyware report and a new Hijack This log.

Run Hijack This> click "open the misc. tool section"> click "open uninstall manager"> click "save list"> click "save"> click "yes"> post that log please.

Avg AntiSpyware report:

AVG Anti-Spyware - Scan Report

+ Created at: 2:47:54 PM 4/29/2007

+ Scan result:

:mozilla.143:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.95:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.96:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.97:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.120:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.121:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.122:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.123:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.124:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.125:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.126:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.115:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.116:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.117:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.118:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.119:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.40:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.106:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.107:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.108:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.147:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.148:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.149:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.150:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.144:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Cnn : Cleaned.
:mozilla.163:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.36:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.110:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.111:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.112:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.113:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.114:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.35:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.71:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.72:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.73:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.74:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.33:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.34:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.109:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.139:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.140:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.141:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.142:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.64:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.90:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.91:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.92:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.93:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.127:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.128:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.129:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.130:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.131:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.82:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.83:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.84:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.85:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.86:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.87:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.88:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.89:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.12:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.32:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.75:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.76:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.77:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.78:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o0t7jl7i.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.

::Report end

--

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:57:46 PM, on 4/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Miramar\PC MACLAN\ATMsg.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\MacOpener\FORMATM.EXE
C:\Program Files\Alias\Maya6.5\docs\wrapper.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alias\Maya6.5\docs\jre\bin\java.exe
C:\Program Files\Miramar\PC MACLAN\ATSERVER.EXE
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Iomega\REV System Software\imiconxp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Iomega\REV System Software\RevUDF.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MacOpener\MacName.exe
C:\WINDOWS\explorer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Miramar Systems, Inc.] C:\Program Files\Miramar\PC MACLAN\atmsg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [MacLicense] "C:\Program Files\MacOpener\MacLic.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Iomega ImIconXP] C:\Program Files\Iomega\REV System Software\imiconxp.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: MacName.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/active...
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AppleTalk Messenger (ATMsg) - Miramar Systems Inc. - C:\Program Files\Miramar\PC MACLAN\ATMsg.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MacFormatService - Unknown owner - C:\Program Files\MacOpener\FORMATM.EXE" /SERVICE (file missing)
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Maya 6.5 Documentation Server (maya65docserver) - Unknown owner - C:\Program Files\Alias\Maya6.5\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya6.5\docs\Wrapper.conf (file missing)
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: Miramar AppleTalk File Server - Miramar Systems Inc. - C:\Program Files\Miramar\PC MACLAN\ATSERVER.EXE
O23 - Service: Miramar AppleTalk Print Server - Miramar Systems Inc. - C:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RevUDFService - Iomega Corp - C:\Program Files\Iomega\REV System Software\RevUDF.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--

Uninstall List:

3DBOXX W7XXX
Ad-Aware SE Personal
Adobe Acrobat 7.0.8 Professional
Adobe After Effects 6.5
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Download Manager 2.0 (Remove Only)
Adobe Encore DVD 1.5
Adobe Encore DVD FC
Adobe ExtendScript Toolkit 1.0
Adobe ExtendScript Toolkit 1.0
Adobe Help Center 2.0
Adobe Illustrator CS2
Adobe Photoshop CS
Adobe Premiere Pro 1.5
Adobe Premiere Pro FC
Adobe Production Studio
Adobe Reader 7.0.5
Adobe Stock Photos 1.0
Adobe Stock Photos 1.0
Adobe SVG Viewer 3.0
Adobe Video Suite Extras
Alias DirectConnect 2.0
AMD System Interrupt Controller
AnimIO 1.0.0.1
AppCore
AV
AVG Anti-Spyware 7.5
Azureus
BadCopy Pro
Beyond Compare Version 2.4.1
ccCommon
CDRoller version 6.30
CleanUp!
Color Finesse
Crown Print Monitor+
Cycore FX 1.0.1 for After Effects
Desktop Sidebar
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
eMule
ewido anti-malware
Final Rig 2.0.6.3
GearDrvs
GNU Ghostscript 7.05
GNU Ghostscript Fonts
Google Video Player
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
Iomega Product Registration
Iomega REV System Software
iTunes
J2SE Runtime Environment 5.0 Update 6
Java(TM) SE Runtime Environment 6 Update 1
Juniper Networks Network Connect 5.3.0
Keylight 1.1v1 for After Effects 7.0
LightWave 3D 9
LiveUpdate 3.2 (Symantec Corporation)
Locate32
MacOpener 5.0
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Flash MX 2004
Macromedia Flash Player 8
Macromedia Shockwave Player
Magic Bullet Editors Premiere
Magic Bullet Movie Looks
Magic Bullet Suite 2.0
Magic ISO Maker v5.3 (build 0229)
Maya 6.5
Maya 7.0
Maya Shader Library for Maya
Microsoft Office Professional Edition 2003
Microsoft Windows Journal Viewer
MixMeister BPM Analyzer 1.0
Mozilla Firefox (1.0.7)
MSXML 4.0 SP2 (KB927978)
Nero Digital
Nero OEM
Norton 360
Norton 360
Norton 360
Norton 360 (Symantec Corporation)
Norton 360 Help
Norton Confidential Browser Component
Norton Confidential Web Authentification Component
Norton Confidential Web Protection Component
NVIDIA Drivers
NvMixer
Panda ActiveScan
PC MACLAN
QuarkXPress 6.1
QuickTime
Riva FLV Encoder 2.0
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update fo