Subject: POS. tmp files in C drive, Red X ic

Original Message
Name: davoid
Date: May 5, 2008 at 03:11:03 Pacific
Subject: POS. tmp files in C drive, Red X ic
OS: XP
CPU/Ram: 1.99
Model/Manufacturer: Intel
Comment:
Please help, my computer is being really slow, there are 100s of POS. tmp files in my C drive and the icon is a big red X.


Response Number 1
Name: Adii
Date: May 5, 2008 at 03:29:49 Pacific
Subject: POS. tmp files in C drive, Red X ic
Reply:
Download the "HijackThis" Installer from this link:

http://www.trendsecure.com/portal/e...


1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Post the HijackThis log in your next reply.

*Do Safe Computing*



Response Number 2
Name: davoid
Date: May 5, 2008 at 15:30:42 Pacific
Subject: POS. tmp files in C drive, Red X ic
Reply:
Thanks for the reply, Adii. This is my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:28:22 AM, on 6/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.uwa.edu.au:8888
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;sinaplusserver;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C3D44C5F-3D8F-4FD6-951E-525C14CD3A21} - C:\WINDOWS\system32\mljgh.dll (file missing)
O2 - BHO: {76756bfd-1d31-859b-eaa4-5a6c293b4efc} - {cfe4b392-c6a5-4aae-b958-13d1dfb65767} - C:\WINDOWS\system32\mrhbblby.dll (file missing)
O2 - BHO: (no name) - {E9939AA2-7D9E-4ABD-9F62-AB08D6FC4FEb} - C:\WINDOWS\system32\opmuciwk.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SigmaTel Audio] D:\software\Drivers\Audio\setup.exe -postqfe /s
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [RwOneKeyToInternet] C:\Program Files\SinaPlus\rw1k2i.exe
O4 - HKLM\..\Run: [IMSCMIG40W] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40W\IMSCMIG.EXE /SetPreload /Log
O4 - HKLM\..\Run: [ZSSnp211] C:\WINDOWS\ZSSnp211.exe
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.exe
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [e8567907] rundll32.exe "C:\WINDOWS\system32\ikhykqho.dll",b
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BMeb654a9b] Rundll32.exe "C:\WINDOWS\system32\owbvwnru.dll",s
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Xfire.lnk = C:\Documents and Settings\ywu\Desktop\Xfire\Xfire.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: econsprinter.vbs
O4 - Global Startup: MyNetFone.lnk = ?
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
O4 - Global Startup: PowerSettings.bat
O4 - Global Startup: RegCurrentPower.bat
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolba...
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://www.sz1.cmbchina.com/download/CMBEdit.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/no...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim...
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = staff.biz.uwa.edu.au
O17 - HKLM\Software\..\Telephony: DomainName = staff.biz.uwa.edu.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{A66EF995-ECCE-4E8B-88DE-99CA10770E54}: NameServer = 130.95.4.21,130.95.4.28
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = staff.biz.uwa.edu.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = staff.biz.uwa.edu.au
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: mapmap - mapmap.dll (file missing)
O20 - Winlogon Notify: mqr597 - mqr597.dll (file missing)
O20 - Winlogon Notify: nfspmbge - nfspmbge.dll (file missing)
O20 - Winlogon Notify: rqxpyrrf - rqxpyrrf.dll (file missing)
O20 - Winlogon Notify: wlourkth - wlourkth.dll (file missing)
O20 - Winlogon Notify: wrbcremd - wrbcremd.dll (file missing)
O20 - Winlogon Notify: __c0028327 - C:\WINDOWS\SYSTEM32\__c0028327.dat
O20 - Winlogon Notify: __c003A40 - C:\WINDOWS\SYSTEM32\__c003A40.dat
O20 - Winlogon Notify: __c003ECE4 - C:\WINDOWS\SYSTEM32\__c003ECE4.dat
O20 - Winlogon Notify: __c0054ED4 - C:\WINDOWS\SYSTEM32\__c0054ED4.dat
O20 - Winlogon Notify: __c00670C8 - C:\WINDOWS\SYSTEM32\__c00670C8.dat
O20 - Winlogon Notify: __c0082614 - C:\WINDOWS\SYSTEM32\__c0082614.dat
O20 - Winlogon Notify: __c00843D2 - C:\WINDOWS\SYSTEM32\__c00843D2.dat
O20 - Winlogon Notify: __c008BA23 - C:\WINDOWS\SYSTEM32\__c008BA23.dat
O20 - Winlogon Notify: __c008E8F1 - C:\WINDOWS\SYSTEM32\__c008E8F1.dat
O20 - Winlogon Notify: __c00AD298 - C:\WINDOWS\SYSTEM32\__c00AD298.dat
O20 - Winlogon Notify: __c00BFF70 - C:\WINDOWS\SYSTEM32\__c00BFF70.dat
O20 - Winlogon Notify: __c00CEB80 - C:\WINDOWS\SYSTEM32\__c00CEB80.dat
O20 - Winlogon Notify: __c00CF457 - C:\WINDOWS\SYSTEM32\__c00CF457.dat
O20 - Winlogon Notify: __c00F4310 - C:\WINDOWS\SYSTEM32\__c00F4310.dat
O20 - Winlogon Notify: __c00F6B99 - C:\WINDOWS\SYSTEM32\__c00F6B99.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe (file missing)

--
End of file - 10573 bytes



Response Number 3
Name: Adii
Date: May 5, 2008 at 23:01:11 Pacific
Subject: POS. tmp files in C drive, Red X ic
Reply:
Please disable all real-time monitoring programs (antivirus, antispyware and firewalls) to avoid conflicts; you can enable them later. Click here to see how to disable them: http://spywaredetail.com/forum/show...

Do not install more than one Antivirus on your computer. Symantec strongly recommends that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. Your best defense against computer viruses and malicious programs is to keep your virus definitions up to date.


Please run HijackThis again and click "Scan". Place checks next to the following entries:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C3D44C5F-3D8F-4FD6-951E-525C14CD3A21} - C:\WINDOWS\system32\mljgh.dll (file missing)
O2 - BHO: {76756bfd-1d31-859b-eaa4-5a6c293b4efc} - {cfe4b392-c6a5-4aae-b958-13d1dfb65767} - C:\WINDOWS\system32\mrhbblby.dll (file missing)
O2 - BHO: (no name) - {E9939AA2-7D9E-4ABD-9F62-AB08D6FC4FEb} - C:\WINDOWS\system32\opmuciwk.dll (file missing)
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [e8567907] rundll32.exe "C:\WINDOWS\system32\ikhykqho.dll",b
O4 - HKLM\..\Run: [BMeb654a9b] Rundll32.exe "C:\WINDOWS\system32\owbvwnru.dll",s
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: econsprinter.vbs
O4 - Global Startup: MyNetFone.lnk = ?
O4 - Global Startup: RegCurrentPower.bat
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolba...
O20 - Winlogon Notify: mapmap - mapmap.dll (file missing)
O20 - Winlogon Notify: mqr597 - mqr597.dll (file missing)
O20 - Winlogon Notify: nfspmbge - nfspmbge.dll (file missing)
O20 - Winlogon Notify: rqxpyrrf - rqxpyrrf.dll (file missing)
O20 - Winlogon Notify: wlourkth - wlourkth.dll (file missing)
O20 - Winlogon Notify: wrbcremd - wrbcremd.dll (file missing)

Close all browsers and other windows except for HijackThis!, and click "Fix checked".

--
Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only)

Download: http://www.atribune.org/ccount/clic...

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox browser:

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser:

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
--


Please download Malwarebytes' Anti-Malware to your desktop. This is a free anti-malware application.

Download link: http://www.malwarebytes.org/mbam/pr...

>Double-click mbam-setup.exe and follow the prompts to install MBA-M.
>Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
>If an update is found, it will download and install the latest database updates.
>Once the program has loaded, select Perform full scan, then click Scan.
>When the scan is complete, click OK, then Show Results to view the results.
>Be sure that everything is checked, and click Remove Selected.
>When MBAM finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Post its Log in your next reply.
----

Download Combofix by sUBs and save to your desktop.

(If you have previously downloaded ComboFix, please delete that version now.)


Download link HERE:
http://download.bleepingcomputer.co...
http://www.forospyware.com/sUBs/Com...

Note: It is important that it is saved directly to your desktop.

Close any open browsers.

Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause the program to freeze/hang.

Note: In case your antivirus or any other real-time scanner displays an alert after you download ComboFix or while you use it, please disable your scanner and re-download ComboFix.
Some scanners may see some ComboFix-related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new HijackThis log.

*Do Safe Computing*
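The fix list in Response 3 comes from reading the HijackThis log in Response 2 for a few recurring signals: entries whose file no longer exists, a Run value with a random hex name that launches rundll32 against an oddly named DLL in system32, an executable named one letter off from lsass.exe, Winlogon Notify packages that load .dat files instead of DLLs, and a known adware domain. The script below is an added example, written for this page and not part of the thread, HijackThis or Malwarebytes, that encodes those signals as heuristics and runs them over a constructed sample of lines copied from the posted log, so the same reading can be repeated on another log. The heuristics, the short list of core Windows binaries and the MyWebSearch marker are the editor's assumptions; they are deliberately narrow and miss things a human reviewer catches (the helper's list includes startup items such as PowerReg Scheduler that no rule here flags).

```python
import re

# Constructed sample: HijackThis v2 lines copied from the log posted in this
# thread, mixing clean entries with the ones the helper asked to have fixed.
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C3D44C5F-3D8F-4FD6-951E-525C14CD3A21} - C:\WINDOWS\system32\mljgh.dll (file missing)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [e8567907] rundll32.exe "C:\WINDOWS\system32\ikhykqho.dll",b
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolba...
O20 - Winlogon Notify: mapmap - mapmap.dll (file missing)
O20 - Winlogon Notify: __c0028327 - C:\WINDOWS\SYSTEM32\__c0028327.dat
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
""".strip()

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"\[(?P<label>[^\]]+)\]\s*(?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'"?(?P<dll>[^",]+?\.dll)"?,(?P<export>\S+)', re.I)
EXE_RE = re.compile(r"([\w~\-]+\.exe)", re.I)

# Assumption: a short list of core Windows binaries whose names malware likes
# to imitate (lsasss.exe in the posted log is one letter away from lsass.exe).
SYSTEM_BINARIES = ("lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "smss.exe")
# Assumption: adware family confirmed elsewhere in this thread (the MBAM log).
KNOWN_ADWARE_MARKERS = ("mywebsearch",)


def edit_distance(a, b):
    """Levenshtein distance; the names here are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def mimics_system_binary(exe_name):
    """Return the real binary an executable name is one edit away from, else None."""
    name = exe_name.lower()
    if name in SYSTEM_BINARIES:
        return None
    for real in SYSTEM_BINARIES:
        if edit_distance(name, real) == 1:
            return real
    return None


def reasons_for(line):
    """Apply every heuristic to one HijackThis line; return the reasons it tripped."""
    m = LINE_RE.match(line)
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    low = body.lower()
    reasons = []
    if "(file missing)" in low or "(no file)" in low:
        reasons.append("referenced file is missing (orphaned entry)")
    if any(marker in low for marker in KNOWN_ADWARE_MARKERS):
        reasons.append("matches a known adware marker")
    if section == "O4":
        run = RUN_RE.search(body)
        if run:
            label, cmd = run.group("label"), run.group("cmd")
            if re.fullmatch(r"[0-9a-f]{8}", label, re.I):
                reasons.append("Run value name is a random-looking hex string")
            dll = RUNDLL_RE.search(cmd)
            if cmd.lstrip().lower().startswith("rundll32") and dll:
                # Basename without the .dll suffix, e.g. ikhykqho
                stem = dll.group("dll").rsplit("\\", 1)[-1][:-4].lower()
                if re.fullmatch(r"[a-z]{6,10}", stem) and len(dll.group("export")) == 1:
                    reasons.append("rundll32 loads a random-looking DLL via a single-letter export")
        exe = EXE_RE.search(body)
        if exe:
            real = mimics_system_binary(exe.group(1))
            if real:
                reasons.append(f"executable name mimics Windows binary {real}")
    if section == "O20" and re.search(r"\.dat\b", low):
        reasons.append("Winlogon Notify package is a .dat file rather than a DLL")
    return reasons


def triage(log_text):
    """Return (line, reasons) for every line that tripped at least one heuristic."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = reasons_for(line)
        if reasons:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_HJT_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run it and it prints each flagged line with the reasons it tripped; on the sample, seven of the eleven lines are flagged and the Adobe, hkcmd, AVG tray and AVG service entries pass. A flag is a prompt to investigate, not a verdict: the missing-file rule in particular matches harmless leftovers from uninstalled software as well as malware residue, which is why the helper told the poster not to let HijackThis fix anything unprompted.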



Response Number 4
Name: davoid
Date: May 6, 2008 at 04:41:51 Pacific
Subject: POS. tmp files in C drive, Red X ic
Reply:
Here is the MBAM log:


Malwarebytes' Anti-Malware 1.12
Database version: 723

Scan type: Full Scan (C:\|)
Objects scanned: 241786
Time elapsed: 28 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 15
Registry Keys Infected: 47
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 66

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\__c0028327.dat (Trojan.Agent) -> Unloaded module successfully.
C:\WINDOWS\system32\__c003A40.dat (Trojan.Agent) -> Unloaded module successfully.
C:\WINDOWS\system32\__c003ECE4.dat (Trojan.Agent) -> Unloaded module successfully.
C:\WINDOWS\system32\__c0054ED4.dat (Trojan.Agent) -> Unloaded module successfully.
C:\WINDOWS\system32\__c00670C8.dat (Trojan.Agent) -> Unloaded module successfully.
C:\WINDOWS\system32\__c0082614.dat (Trojan.Agent) -> Unloaded module successfully.
C:\WINDOWS\system32\__c00843D2.dat (Trojan.Agent) -> Unloaded module successfully.
C:\WINDOWS\system32\__c008BA23.dat (Trojan.Agent) -> Unloaded module successfully.
C:\WINDOWS\system32\__c008E8F1.dat (Trojan.Agent) -> Unloaded module successfully.
C:\WINDOWS\system32\__c00AD298.dat (Trojan.Agent) -> Unloaded module successfully.
C:\WINDOWS\system32\__c00BFF70.dat (Trojan.Agent) -> Unloaded module successfully.
C:\WINDOWS\system32\__c00CEB80.dat (Trojan.Agent) -> Unloaded module successfully.
C:\WINDOWS\system32\__c00CF457.dat (Trojan.Agent) -> Unloaded module successfully.
C:\WINDOWS\system32\__c00F4310.dat (Trojan.Agent) -> Unloaded module successfully.
C:\WINDOWS\system32\__c00F6B99.dat (Trojan.Agent) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1e0de227-5ce4-4ea3-ab0c-8b03e1aa76bc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{53ced2d0-5e9a-4761-9005-648404e6f7e5} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\screensavercontrol.screensaverinstaller (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\screensavercontrol.screensaverinstaller.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2763e333-b168-41a0-a112-d35f96f410c0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\upmedia (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\UpMedia (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0028327 (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c003a40 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c003ece4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0054ed4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00670c8 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0082614 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00843d2 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c008ba23 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c008e8f1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00ad298 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00bff70 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00ceb80 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00cf457 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00f4310 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00f6b99 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-f3embed (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainService (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\CAC (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3PopularScreensavers (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\UpMedia (Adware.SmartShopper) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP377\A0119458.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP377\A0119491.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP380\A0119689.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP384\A0123766.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP386\A0123840.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP386\A0123841.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP386\A0123842.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP386\A0123843.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP386\A0123844.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP386\A0123845.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP386\A0123846.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP386\A0123847.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP386\A0123848.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP386\A0123849.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP386\A0123850.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP386\A0123851.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP386\A0123852.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP386\A0123853.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP386\A0123854.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP386\A0123855.dll (Adware.MyWeb.FunWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP386\A0123856.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP386\A0123857.SCR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP386\A0123858.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP386\A0123859.DLL (Adware.MyWeb.FunWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP386\A0123860.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP386\A0123861.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP386\A0123862.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP386\A0123863.scr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP386\A0123864.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP386\A0123865.EXE (Adware.MyWeb.FunWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP386\A0123867.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP386\A0123871.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP386\A0123876.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP386\A0123878.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP386\A0123880.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP386\A0123881.dll (Trojan.ConHook) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP386\A0123882.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP386\A0123885.dll (Unknown.Malware) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP387\A0125283.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP388\A0126493.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP388\A0126502.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP388\A0126507.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP388\A0126518.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP388\A0126525.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP388\A0126540.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP388\A0126543.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP388\A0126552.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP388\A0126565.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\VundoFix Backups\wykxevnv.dll.bad (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UpMedia\uninstallSE.exe (Adware.SmartShopper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c0028327.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c003A40.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c003ECE4.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c0054ED4.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c00670C8.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c0082614.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c00843D2.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c008BA23.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c008E8F1.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c00AD298.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c00BB6D2.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c00BFF70.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c00CEB80.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c00CF457.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c00F4310.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c00F6B99.dat (Trojan.Agent) -> Delete on reboot.


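Every detection line in the Malwarebytes log above has the same shape, `path (detection name) -> action taken`, so the log can be summarised mechanically. The helper below is an added example written for this page; it is not part of the thread and not Malwarebytes' own code. It parses those lines, counts them by detection name and by action, lists the files that are only removed at the next reboot (those need a fresh scan after restarting to confirm they are gone), and records which System Restore points (the `_restore{...}\RPnnn` paths under System Volume Information) held copies. The sample lines are a subset copied from the posted log; the regular expressions are this example's own assumptions about the 1.x log format.

```python
import re
from collections import Counter

# Shape of a Malwarebytes' Anti-Malware 1.x detection line (assumed here):
#   <path> (<detection name>) -> <action taken>.
# The lazy path group lets the regex back off past "(x86)"-style parentheses
# inside a path, because the name group must be followed by " -> ".
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
# A file inside a System Restore point: ...\System Volume Information\_restore{GUID}\RPnnn\...
RESTORE_RE = re.compile(
    r"\\system volume information\\_restore\{[^}]*\}\\(rp\d+)\\", re.I)

# Sample lines copied from the log posted above (the first is a section
# header, which the parser must skip).
SAMPLE_LOG = r"""Files Infected:
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP386\A0123878.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D956C5DC-D045-458E-99BA-76763BB8E522}\RP388\A0126493.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\VundoFix Backups\wykxevnv.dll.bad (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UpMedia\uninstallSE.exe (Adware.SmartShopper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c0028327.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c00BB6D2.dat (Trojan.Agent) -> Quarantined and deleted successfully.
"""


def parse_detection(line):
    """Return {'path', 'name', 'action'} for a detection line, else None."""
    m = DETECTION_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["action"] = d["action"].rstrip(".")
    return d


def restore_point(path):
    """'RP386' for a file that lives in a System Restore point, else None."""
    m = RESTORE_RE.search(path)
    return m.group(1).upper() if m else None


def summarise(log_text):
    """Aggregate detections: per-name and per-action counts, files that are
    only removed at the next reboot, and which restore points held copies."""
    dets = [d for d in map(parse_detection, log_text.splitlines()) if d]
    return {
        "total": len(dets),
        "by_name": Counter(d["name"] for d in dets),
        "by_action": Counter(d["action"] for d in dets),
        "pending_reboot": [d["path"] for d in dets
                           if d["action"].lower().startswith("delete on reboot")],
        "restore_points": Counter(
            rp for rp in (restore_point(d["path"]) for d in dets) if rp),
    }


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print(f"{s['total']} detections; pending reboot: {len(s['pending_reboot'])}")
    for name, n in s["by_name"].most_common():
        print(f"  {n:3d}  {name}")
    print("restore points with copies:", dict(s["restore_points"]))
```

The restore-point counter is the part worth keeping an eye on: a copy of the infection in RP386 and RP388 means that rolling back to either of those points would reinstate the files, so those points are the ones to discard once the machine is clean.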

Response Number 5
Name: davoid
Date: May 6, 2008 at 04:43:42 Pacific
Subject: POS. tmp files in C drive, Red X ic
Reply:
And the ComboFix log:


ComboFix 08-05-01.3 - ywu 2008-05-06 19:17:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1609 [GMT 8:00]
Running from: C:\Documents and Settings\ywu\Desktop\PC stuff\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\LocalService\Local Settings\Application Data\baidu
C:\Documents and Settings\ywu\Application Data\macromedia\Flash Player\#SharedObjects\R58996YM\iforex.com
C:\Documents and Settings\ywu\Application Data\macromedia\Flash Player\#SharedObjects\R58996YM\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\ywu\Application Data\macromedia\Flash Player\#SharedObjects\R58996YM\www.broadcaster.com
C:\Documents and Settings\ywu\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\ywu\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\Documents and Settings\ywu\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\ywu\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\ywu\Local Settings\Application Data\baidu
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\setup.exe
C:\WINDOWS\system32\adylnesu.ini
C:\WINDOWS\system32\alwhaldq.ini
C:\WINDOWS\system32\bayppisc.ini
C:\WINDOWS\system32\bficegjm.ini
C:\WINDOWS\system32\clipfdly.ini
C:\WINDOWS\system32\frfrxout.ini
C:\WINDOWS\system32\friwubxo.ini
C:\WINDOWS\system32\hflnpbiw.ini
C:\WINDOWS\system32\hgjlm.ini
C:\WINDOWS\system32\hgjlm.ini2
C:\WINDOWS\system32\hsghnfym.ini
C:\WINDOWS\system32\hsmyobuq.ini
C:\WINDOWS\system32\htcrwotg.ini
C:\WINDOWS\system32\hujebajt.ini
C:\WINDOWS\system32\iexp_log.txt
C:\WINDOWS\system32\ikuidnbn.ini
C:\WINDOWS\system32\ipnguicl.ini
C:\WINDOWS\system32\jhvwfmud.ini
C:\WINDOWS\system32\jqgqqcso.ini
C:\WINDOWS\system32\jrqmkofg.ini
C:\WINDOWS\system32\jrwfnnmk.ini
C:\WINDOWS\system32\jwtvysoy.ini
C:\WINDOWS\system32\kruaacgg.ini
C:\WINDOWS\system32\maewhcyi.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nswniihl.ini
C:\WINDOWS\system32\ohqkyhki.ini
C:\WINDOWS\system32\olfqiojn.ini
C:\WINDOWS\system32\oqdevkuk.ini
C:\WINDOWS\system32\pneuweqk.ini
C:\WINDOWS\system32\qgensnol.ini
C:\WINDOWS\system32\qnhpxuqj.ini
C:\WINDOWS\system32\qtwkdbrw.ini
C:\WINDOWS\system32\rbylwpya.ini
C:\WINDOWS\system32\rgxwwgnp.ini
C:\WINDOWS\system32\rhlarplo.ini
C:\WINDOWS\system32\rpjlsgnw.ini
C:\WINDOWS\system32\sifyfnkh.ini
C:\WINDOWS\system32\tcccfuir.ini
C:\WINDOWS\system32\txmmgsne.ini
C:\WINDOWS\system32\ujmmxikx.ini
C:\WINDOWS\system32\uqkulyyt.ini
C:\WINDOWS\system32\uqugtlpk.ini
C:\WINDOWS\system32\vircugee.ini
C:\WINDOWS\system32\wtsrqbjl.ini
C:\WINDOWS\system32\xemqnxwu.ini

----- BITS: Possible infected sites -----

hxxp://guilder.staff.biz.uwa.edu.au
.
((((((((((((((((((((((((( Files Created from 2008-04-06 to 2008-05-06 )))))))))))))))))))))))))))))))
.

2008-05-06 18:06 . 2008-05-06 18:06 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-06 18:06 . 2008-05-06 18:06 <DIR> d-------- C:\Documents and Settings\ywu\Application Data\Malwarebytes
2008-05-06 18:06 . 2008-05-06 18:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-06 18:06 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-06 18:06 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-06 06:27 . 2008-05-06 06:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-05 17:45 . 2008-05-06 06:13 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-05 17:33 . 2008-05-05 17:57 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-05 17:33 . 2008-05-05 17:33 <DIR> d-------- C:\Program Files\AVG
2008-05-05 17:33 . 2008-05-06 06:23 <DIR> d-------- C:\Documents and Settings\ywu\Application Data\AVGTOOLBAR
2008-05-05 17:33 . 2008-05-05 17:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-05 17:33 . 2008-05-05 17:33 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-05 17:33 . 2008-05-05 17:33 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-05 17:33 . 2008-05-05 17:33 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-05 15:40 . 2008-05-05 17:24 <DIR> d-------- C:\VundoFix Backups
2008-05-05 06:22 . 2008-05-05 06:22 <DIR> d-------- C:\Program Files\Belarc
2008-05-05 06:22 . 2008-02-27 13:49 3,840 --a------ C:\WINDOWS\system32\drivers\BANTExt.sys
2008-04-30 16:05 . 2008-04-30 16:05 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-30 16:05 . 2008-04-30 16:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-21 20:10 . 2008-05-03 20:12 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-21 20:10 . 2008-04-21 20:10 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-13 09:07 . 2008-04-13 09:07 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-04-13 09:07 . 2008-04-13 09:07 <DIR> d-------- C:\Program Files\AGEIA Technologies

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-06 09:25 --------- d-----w C:\Program Files\CA
2008-05-05 10:33 --------- d-----w C:\Program Files\GameSpy Arcade
2008-05-04 08:38 --------- d-----w C:\Program Files\SinaPlus
2008-05-04 08:03 --------- d-----w C:\Program Files\SinaTicker
2008-05-03 23:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-03 23:11 --------- d-----w C:\Program Files\iPod
2008-05-03 07:03 --------- d-----w C:\Program Files\NJStar Chinese WP
2008-04-30 08:27 374 ----a-w C:\Documents and Settings\ywu\Application Data\internaldb6334.dat
2008-04-30 08:04 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-28 11:13 555 ----a-w C:\Documents and Settings\ywu\Application Data\internaldb8467.dat
2008-04-28 11:13 18,432 ----a-w C:\Documents and Settings\ywu\Application Data\internaldb41.dat
2008-04-17 02:11 --------- d-----w C:\Program Files\LimeWire
2008-04-17 02:04 --------- d-----w C:\Program Files\Microsoft Games
2008-04-16 12:13 --------- d-----w C:\Program Files\eMule
2008-04-16 11:52 --------- d-----w C:\Program Files\9Dragons
2008-03-20 10:01 --------- d--h--r C:\Documents and Settings\ywu\Application Data\SecuROM
2008-03-20 09:42 --------- d-----w C:\Program Files\Flagship Studios
2008-03-12 11:58 41 ----a-w C:\AClient.dat
2008-03-12 11:58 2,401 ----a-w C:\WINDOWS\system32\drivers\AlKernel.sys
2004-03-11 05:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2005-04-19 11:25 53,323 ----a-w C:\Program Files\opera\program\plugins\PlugDef.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 1,400,944 2004-09-07 13:25:58 C:\Program Files\Ahead\InCD\bak\InCD.exe

----a-w 184,320 2007-03-05 03:12:15 C:\Program Files\Altiris\AClient\bak\AClntUsr.EXE
----a-w 184,320 2008-05-06 11:22:30 C:\Program Files\Altiris\AClient\AClntUsr.EXE

----a-w 493,024 2003-02-13 02:25:48 C:\Program Files\CA\eTrust Antivirus\bak\realmon.exe

----a-w 25,600 2006-03-20 08:10:04 C:\Program Files\Common Files\Microsoft Shared\IME\IMSC40W\bak\IMSCMIG.EXE

----a-w 32,768 2003-12-08 09:35:14 C:\Program Files\CyberLink DVD Solution\PowerDVD\bak\PDVDServ.exe

----a-w 256,576 2006-10-30 01:36:36 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 257,088 2007-04-27 03:25:58 C:\Program Files\iTunes\iTunesHelper.exe

----a-w 282,624 2006-10-25 10:58:18 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 282,624 2007-04-27 01:41:54 C:\Program Files\QuickTime\qttask.exe

----a-w 32,768 2007-02-09 08:41:55 C:\Program Files\SinaPlus\bak\rw1k2i.exe

----a-w 843,776 2005-06-24 13:56:16 C:\Program Files\UltraVNC\bak\WinVNC.exe

----a-r 49,152 2006-07-04 06:16:32 C:\WINDOWS\bak\Domino.exe

----a-r 49,152 2006-07-14 08:24:10 C:\WINDOWS\bak\ZSSnp211.exe

----a-w 15,360 2004-08-03 16:56:50 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-03 16:56:50 C:\WINDOWS\system32\ctfmon.exe

----a-r 77,824 2005-04-05 21:19:18 C:\WINDOWS\system32\bak\hkcmd.exe

----a-w 155,648 2001-07-09 03:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
2008-05-05 17:33 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [2008-05-05 17:33 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-05-05 17:33 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [ ]
"PowerBar"="C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" [2004-04-21 10:26 86016]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-16 19:24 167368]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 19:05 204288]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [ ]
"SigmaTel Audio"="D:\software\Drivers\Audio\setup.exe" [ ]
"WinVNC"="C:\Program Files\UltraVNC\WinVNC.exe" [ ]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 00:56 143360]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [ ]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [ ]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"AClntUsr"="C:\Program Files\Altiris\AClient\AClntUsr.EXE" [2008-05-06 19:22 184320]
"RwOneKeyToInternet"="C:\Program Files\SinaPlus\rw1k2i.exe" [ ]
"IMSCMIG40W"="C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40W\IMSCMIG.exe" [ ]
"ZSSnp211"="C:\WINDOWS\ZSSnp211.exe" [ ]
"Domino"="C:\WINDOWS\Domino.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 11:25 257088]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-05 17:33 1177368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="cmd.exe" [2004-08-04 00:56 388608 C:\WINDOWS\system32\cmd.exe]

C:\Documents and Settings\ywu\Start Menu\Programs\Startup\
Xfire.lnk - C:\Documents and Settings\ywu\Desktop\Xfire\Xfire.exe [2005-09-29 05:32:36 3088520]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50 217193]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
NETGEAR WG111v2 Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111v2\WG111v2.exe [2006-05-17 16:05:52 2297856]
PowerSettings.bat [2007-11-20 15:41:21 198]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [2005-06-08 10:02 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=wufix.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2274462086-3665701602-1850547962-1459\Scripts\Logoff\0\0]
"Script"=logoff.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2274462086-3665701602-1850547962-1459\Scripts\Logon\0\0]
"Script"=logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2274462086-3665701602-1850547962-1540\Scripts\Logoff\0\0]
"Script"=logoff.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2274462086-3665701602-1850547962-1540\Scripts\Logon\0\0]
"Script"=logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2274462086-3665701602-1850547962-2367\Scripts\Logoff\0\0]
"Script"=logoff.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2274462086-3665701602-1850547962-2367\Scripts\Logon\0\0]
"Script"=logon.cmd

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Altiris\\AClient\\AClntUsr.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Documents and Settings\\ywu\\Desktop\\warcraft 3 e\\Warcraft III.exe"=
"C:\\Program Files\\SJLabs\\SJphone\\SJphone.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\PPLive\\PPLive.exe"=
"C:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-05 17:33]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-05 17:33]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-05 17:33]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-05 17:33]
R2 vnccom;vnccom;C:\WINDOWS\system32\Drivers\vnccom.SYS [2004-05-21 17:08]
S3 IAMTXP;Driver for Intel(R) Active Management Technology - KCS;C:\WINDOWS\system32\DRIVERS\IAMTXP.sys [2005-03-09 22:43]
S3 lac97inf;lac97inf;C:\DOCUME~1\ywu\LOCALS~1\Temp\lac97inf.sys []
S3 pacdcacm;pacdcacm;C:\WINDOWS\system32\DRIVERS\pacdcacm.sys [2005-06-15 19:28]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2006-03-27 17:53]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 17:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 17:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 17:59]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22164f4c-1fd4-11dc-a2f8-00184d40d6f5}]
\Shell\AutoRun\command - E:\Data.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-03 05:12:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-06 19:23:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\RtlGina2.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Altiris\AClient\ACLIENT.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgtray.exe
.
**************************************************************************
.
Completion time: 2008-05-06 19:26:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-06 11:26:19

Pre-Run: 201,726,697,472 bytes free
Post-Run: 203,912,581,120 bytes free

275 --- E O F --- 2008-01-06 23:51:17



Response Number 6
Name: davoid
Date: May 6, 2008 at 04:44:43 Pacific
Subject: POS. tmp files in C drive, Red X ic
Reply:
And the HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:32, on 2008-05-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.uwa.edu.au:8888
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;sinaplusserver;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SigmaTel Audio] D:\software\Drivers\Audio\setup.exe -postqfe /s
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [RwOneKeyToInternet] C:\Program Files\SinaPlus\rw1k2i.exe
O4 - HKLM\..\Run: [IMSCMIG40W] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40W\IMSCMIG.EXE /SetPreload /Log
O4 - HKLM\..\Run: [ZSSnp211] C:\WINDOWS\ZSSnp211.exe
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Documents and Settings\ywu\Desktop\Xfire\Xfire.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
O4 - Global Startup: PowerSettings.bat
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://www.sz1.cmbchina.com/download/CMBEdit.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim...
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = staff.biz.uwa.edu.au
O17 - HKLM\Software\..\Telephony: DomainName = staff.biz.uwa.edu.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{A66EF995-ECCE-4E8B-88DE-99CA10770E54}: NameServer = 130.95.4.21,130.95.4.28
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = staff.biz.uwa.edu.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = staff.biz.uwa.edu.au
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe (file missing)

--
End of file - 7607 bytes


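A HijackThis log like the one above is a list of `Rn`/`On` entries, and the first pass over it is always the same: pick out the lines a reviewer has to look at before anything else. The script below is an added example written for this page, not HijackThis' own code and not something from the thread. It parses the entries and flags O23 services whose binary is reported missing, O4 autostarts that run from user-writable folders or that are scripts, O16 ActiveX downloads from hosts other than Microsoft, and O17/proxy network settings. The user-writable markers, the script extensions and the trusted-host suffix are this example's own assumptions; the sample lines are a subset copied from the posted log. A flag is a prompt to check, not a verdict: the proxy and name-server entries here belong to the uwa.edu.au domain that the same log shows the machine is joined to.

```python
import re
from collections import Counter

# A HijackThis entry is "<kind> - <body>", e.g. "O4 - HKLM\..\Run: [Name] C:\path\x.exe".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# Assumptions of this example: folders an ordinary user can write to, script
# extensions that rarely belong in an autostart, and host suffixes whose
# ActiveX downloads (O16) are not worth listing.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\",
                 "\\local settings\\", "%temp%", "%appdata%")
SCRIPT_RE = re.compile(r"\.(bat|cmd|vbs|js|wsf)\b")
TRUSTED_DPF_SUFFIXES = (".microsoft.com",)

# Sample lines copied from the HijackThis log posted above (a subset).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.uwa.edu.au:8888
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SigmaTel Audio] D:\software\Drivers\Audio\setup.exe -postqfe /s
O4 - Startup: Xfire.lnk = C:\Documents and Settings\ywu\Desktop\Xfire\Xfire.exe
O4 - Global Startup: PowerSettings.bat
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim...
O17 - HKLM\System\CCS\Services\Tcpip\..\{A66EF995-ECCE-4E8B-88DE-99CA10770E54}: NameServer = 130.95.4.21,130.95.4.28
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe (file missing)
"""


def parse_entries(log_text):
    """Yield (kind, body) for every Rn/On line; other lines are ignored."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def dpf_host(body):
    """Host part of the first URL in an O16 body, lower-cased, or None."""
    m = re.search(r"https?://([^/\s]+)", body)
    return m.group(1).lower() if m else None


def classify(kind, body):
    """Return a finding label for one entry, or None if nothing stands out."""
    low = body.lower()
    if kind == "O23" and "(file missing)" in low:
        return "stale-service"              # registration left behind, binary gone
    if kind == "O4":
        if any(marker in low for marker in USER_WRITABLE):
            return "autostart-user-writable"  # anything can drop a file here
        if SCRIPT_RE.search(low):
            return "autostart-script"       # .bat/.vbs in Run or Startup: read it
    if kind == "O16":
        host = dpf_host(body)
        if host and not host.endswith(TRUSTED_DPF_SUFFIXES):
            return "activex-download"       # ActiveX pulled from a third-party host
    if kind == "O17" or (kind.startswith("R") and "proxyserver" in low):
        return "network-setting"            # DNS/domain/proxy: verify against the owner's network
    return None


def triage(log_text):
    """List of (label, body) for entries worth a second look, in log order."""
    findings = []
    for kind, body in parse_entries(log_text):
        label = classify(kind, body)
        if label:
            findings.append((label, body))
    return findings


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print(Counter(label for label, _ in found))
    for label, body in found:
        print(f"[{label}] {body}")
```

Run against the sample it reports six entries: the missing-binary winvnc service, the Xfire autostart on the Desktop, the PowerSettings.bat in Global Startup, the acclaim.com ActiveX download, and the two network settings. Nothing else in the subset is flagged, which is the point of a triage pass: it shrinks a 90-line log to the handful of lines that need a human decision.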

Response Number 7
Name: Adii
Date: May 6, 2008 at 13:03:05 Pacific
Subject: POS. tmp files in C drive, Red X ic
Reply:
A lot of garbage was cleaned from your system. Logs are looking much better. :)

---

Open Notepad. Don't use any text editor other than Notepad or the script will fail.
Copy/paste the text below into Notepad:


File::
C:\WINDOWS\system32\ikhykqho.dll
C:\WINDOWS\system32\owbvwnru.dll
C:\WINDOWS\system32\lsasss.exe

Save this as a text file named CFScript. Select "All files" from Save as Type.

Then drag the CFScript file onto the ComboFix.exe icon.

This will start ComboFix again.

ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

---
To remove the Red X icon from your drive, please do the following.

First, please back up your Registry with ERUNT.

Please use the following link and scroll down to ERUNT and download it.
http://aumha.org/freeware/freeware.php
For version with the Installer:
Use the setup program to install ERUNT on your computer
For the zipped version:
Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: To restore your registry, go to the folder and start ERDNT.exe


Please open Notepad. Copy and paste the following text into Notepad.


Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons]

Navigate to File --> Save As..., and save the file as Fix.reg (make sure the Save As Type is set to All Files).
Save it to your Desktop.

Now navigate to your Desktop, and double click fix.reg (Click Yes to the prompt)

Restart your computer.

---

Also scan with Malwarebytes again and post its fresh log in your next reply.

---

Can you tell me about the POS.tmp files? Are these still present on the C drive?

How are things running on your computer?

*Do Safe Computing*



Response Number 8
Name: davoid
Date: May 6, 2008 at 15:52:55 Pacific
Subject: POS. tmp files in C drive, Red X ic
Reply:
Things are running better, but there are still POS. shortcuts in my C drive.

Here are the logs.

COMBOFIX


ComboFix 08-05-01.3 - ywu 2008-05-07 6:13:19.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1606 [GMT 8:00]
Running from: C:\Documents and Settings\ywu\Desktop\PC stuff\ComboFix.exe
Command switches used :: C:\Documents and Settings\ywu\Desktop\PC stuff\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-06 to 2008-05-06 )))))))))))))))))))))))))))))))
.

2008-05-06 18:06 . 2008-05-06 18:06 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-06 18:06 . 2008-05-06 18:06 <DIR> d-------- C:\Documents and Settings\ywu\Application Data\Malwarebytes
2008-05-06 18:06 . 2008-05-06 18:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-06 18:06 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-06 18:06 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-06 06:27 . 2008-05-06 06:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-05 17:45 . 2008-05-07 06:06 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-05 17:33 . 2008-05-05 17:57 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-05 17:33 . 2008-05-05 17:33 <DIR> d-------- C:\Program Files\AVG
2008-05-05 17:33 . 2008-05-06 06:23 <DIR> d-------- C:\Documents and Settings\ywu\Application Data\AVGTOOLBAR
2008-05-05 17:33 . 2008-05-05 17:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-05 17:33 . 2008-05-05 17:33 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-05 17:33 . 2008-05-05 17:33 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-05 17:33 . 2008-05-05 17:33 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-05 15:40 . 2008-05-05 17:24 <DIR> d-------- C:\VundoFix Backups
2008-05-05 06:22 . 2008-05-05 06:22 <DIR> d-------- C:\Program Files\Belarc
2008-05-05 06:22 . 2008-02-27 13:49 3,840 --a------ C:\WINDOWS\system32\drivers\BANTExt.sys
2008-04-30 16:05 . 2008-04-30 16:05 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-30 16:05 . 2008-04-30 16:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-21 20:10 . 2008-05-03 20:12 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-21 20:10 . 2008-04-21 20:10 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-13 09:07 . 2008-04-13 09:07 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-04-13 09:07 . 2008-04-13 09:07 <DIR> d-------- C:\Program Files\AGEIA Technologies

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-06 09:25 --------- d-----w C:\Program Files\CA
2008-05-05 10:33 --------- d-----w C:\Program Files\GameSpy Arcade
2008-05-04 08:38 --------- d-----w C:\Program Files\SinaPlus
2008-05-04 08:03 --------- d-----w C:\Program Files\SinaTicker
2008-05-03 23:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-03 23:11 --------- d-----w C:\Program Files\iPod
2008-05-03 07:03 --------- d-----w C:\Program Files\NJStar Chinese WP
2008-04-30 08:27 374 ----a-w C:\Documents and Settings\ywu\Application Data\internaldb6334.dat
2008-04-30 08:04 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-28 11:13 555 ----a-w C:\Documents and Settings\ywu\Application Data\internaldb8467.dat
2008-04-28 11:13 18,432 ----a-w C:\Documents and Settings\ywu\Application Data\internaldb41.dat
2008-04-17 02:11 --------- d-----w C:\Program Files\LimeWire
2008-04-17 02:04 --------- d-----w C:\Program Files\Microsoft Games
2008-04-16 12:13 --------- d-----w C:\Program Files\eMule
2008-04-16 11:52 --------- d-----w C:\Program Files\9Dragons
2008-03-20 10:01 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-03-20 10:01 --------- d--h--r C:\Documents and Settings\ywu\Application Data\SecuROM
2008-03-20 09:42 --------- d-----w C:\Program Files\Flagship Studios
2008-03-12 11:58 41 ----a-w C:\AClient.dat
2008-03-12 11:58 2,401 ----a-w C:\WINDOWS\system32\drivers\AlKernel.sys
2004-03-11 05:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2005-04-19 11:25 53,323 ----a-w C:\Program Files\opera\program\plugins\PlugDef.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-06_19.26.05.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-06 11:22:18 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-06 21:58:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 1,400,944 2004-09-07 13:25:58 C:\Program Files\Ahead\InCD\bak\InCD.exe

----a-w 184,320 2007-03-05 03:12:15 C:\Program Files\Altiris\AClient\bak\AClntUsr.EXE
----a-w 184,320 2008-05-06 21:58:50 C:\Program Files\Altiris\AClient\AClntUsr.EXE

----a-w 493,024 2003-02-13 02:25:48 C:\Program Files\CA\eTrust Antivirus\bak\realmon.exe

----a-w 25,600 2006-03-20 08:10:04 C:\Program Files\Common Files\Microsoft Shared\IME\IMSC40W\bak\IMSCMIG.EXE

----a-w 32,768 2003-12-08 09:35:14 C:\Program Files\CyberLink DVD Solution\PowerDVD\bak\PDVDServ.exe

----a-w 256,576 2006-10-30 01:36:36 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 257,088 2007-04-27 03:25:58 C:\Program Files\iTunes\iTunesHelper.exe

----a-w 282,624 2006-10-25 10:58:18 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 282,624 2007-04-27 01:41:54 C:\Program Files\QuickTime\qttask.exe

----a-w 32,768 2007-02-09 08:41:55 C:\Program Files\SinaPlus\bak\rw1k2i.exe

----a-w 843,776 2005-06-24 13:56:16 C:\Program Files\UltraVNC\bak\WinVNC.exe

----a-r 49,152 2006-07-04 06:16:32 C:\WINDOWS\bak\Domino.exe

----a-r 49,152 2006-07-14 08:24:10 C:\WINDOWS\bak\ZSSnp211.exe

----a-w 15,360 2004-08-03 16:56:50 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-03 16:56:50 C:\WINDOWS\system32\ctfmon.exe

----a-r 77,824 2005-04-05 21:19:18 C:\WINDOWS\system32\bak\hkcmd.exe

----a-w 155,648 2001-07-09 03:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
2008-05-05 17:33 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [2008-05-05 17:33 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-05-05 17:33 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [ ]
"PowerBar"="C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" [2004-04-21 10:26 86016]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-16 19:24 167368]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 19:05 204288]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [ ]
"SigmaTel Audio"="D:\software\Drivers\Audio\setup.exe" [ ]
"WinVNC"="C:\Program Files\UltraVNC\WinVNC.exe" [ ]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 00:56 143360]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [ ]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [ ]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"AClntUsr"="C:\Program Files\Altiris\AClient\AClntUsr.EXE" [2008-05-07 05:58 184320]
"RwOneKeyToInternet"="C:\Program Files\SinaPlus\rw1k2i.exe" [ ]
"IMSCMIG40W"="C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40W\IMSCMIG.exe" [ ]
"ZSSnp211"="C:\WINDOWS\ZSSnp211.exe" [ ]
"Domino"="C:\WINDOWS\Domino.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 11:25 257088]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-05 17:33 1177368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="cmd.exe" [2004-08-04 00:56 388608 C:\WINDOWS\system32\cmd.exe]

C:\Documents and Settings\ywu\Start Menu\Programs\Startup\
Xfire.lnk - C:\Documents and Settings\ywu\Desktop\Xfire\Xfire.exe [2005-09-29 05:32:36 3088520]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50 217193]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
NETGEAR WG111v2 Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111v2\WG111v2.exe [2006-05-17 16:05:52 2297856]
PowerSettings.bat [2007-11-20 15:41:21 198]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [2005-06-08 10:02 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=wufix.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2274462086-3665701602-1850547962-1459\Scripts\Logoff\0\0]
"Script"=logoff.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2274462086-3665701602-1850547962-1459\Scripts\Logon\0\0]
"Script"=logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2274462086-3665701602-1850547962-1540\Scripts\Logoff\0\0]
"Script"=logoff.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2274462086-3665701602-1850547962-1540\Scripts\Logon\0\0]
"Script"=logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2274462086-3665701602-1850547962-2367\Scripts\Logoff\0\0]
"Script"=logoff.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2274462086-3665701602-1850547962-2367\Scripts\Logon\0\0]
"Script"=logon.cmd

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Altiris\\AClient\\AClntUsr.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Documents and Settings\\ywu\\Desktop\\warcraft 3 e\\Warcraft III.exe"=
"C:\\Program Files\\SJLabs\\SJphone\\SJphone.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\PPLive\\PPLive.exe"=
"C:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-05 17:33]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-05 17:33]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-05 17:33]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-05 17:33]
R2 vnccom;vnccom;C:\WINDOWS\system32\Drivers\vnccom.SYS [2004-05-21 17:08]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2006-03-27 17:53]
S3 IAMTXP;Driver for Intel(R) Active Management Technology - KCS;C:\WINDOWS\system32\DRIVERS\IAMTXP.sys [2005-03-09 22:43]
S3 lac97inf;lac97inf;C:\DOCUME~1\ywu\LOCALS~1\Temp\lac97inf.sys []
S3 pacdcacm;pacdcacm;C:\WINDOWS\system32\DRIVERS\pacdcacm.sys [2005-06-15 19:28]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 17:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 17:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 17:59]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22164f4c-1fd4-11dc-a2f8-00184d40d6f5}]
\Shell\AutoRun\command - E:\Data.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-03 05:12:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-07 06:14:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\RtlGina2.dll
.
Completion time: 2008-05-07 6:16:11
ComboFix-quarantined-files.txt 2008-05-06 22:16:02
ComboFix2.txt 2008-05-06 11:26:22

Pre-Run: 203,897,315,328 bytes free
Post-Run: 203,887,357,952 bytes free

207 --- E O F --- 2008-01-06 23:51:17


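The ComboFix log above is the part of this thread a reviewer actually reads, and its "Reg Loading Points" section has a fixed line format. As an added example that is not part of the thread or of ComboFix, here is a Python triage script for that section; the sample text is a constructed excerpt copied from the log above, and the severity labels and the reading of an empty "[ ]" stamp as "file not found" are my own assumptions.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log (added example).

It flags autorun entries whose stamp is an empty "[ ]" (assumed to mean
ComboFix could not find the file), a disabled Windows Firewall, globally
open inbound ports, and an AutoRun command attached to a removable drive.
"""
import re

# Constructed sample: lines copied from the log posted earlier in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [ ]
"WinVNC"="C:\Program Files\UltraVNC\WinVNC.exe" [ ]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 00:56 143360]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-05 17:33 1177368]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22164f4c-1fd4-11dc-a2f8-00184d40d6f5}]
\Shell\AutoRun\command - E:\Data.exe
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"="C:\path\file.exe" [2008-05-05 17:33 1177368]   or   [ ]
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[(.*)\]$')
PORT_RE = re.compile(r'^"(\d+:(?:TCP|UDP))"=')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (.+)$")


def triage(log_text):
    """Return a list of (severity, registry_key, detail) findings."""
    findings = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)          # remember which [key] block we are in
            continue
        if not line:
            continue
        lowered = key.lower()
        if lowered.endswith("\\run"):
            m = RUN_RE.match(line)
            if m and not m.group(3).strip():
                findings.append(("check", key,
                                 f"{m.group(1)} -> {m.group(2)} (file not found)"))
        elif lowered.endswith("firewallpolicy\\standardprofile"):
            if line.startswith('"EnableFirewall"=') and line.endswith("0 (0x0)"):
                findings.append(("high", key, "Windows Firewall disabled"))
        elif "globallyopenports" in lowered:
            m = PORT_RE.match(line)
            if m:
                findings.append(("medium", key, f"inbound port open: {m.group(1)}"))
        elif "mountpoints2" in lowered:
            m = AUTORUN_RE.match(line)
            if m:
                findings.append(("high", key, f"AutoRun on removable drive: {m.group(1)}"))
    return findings


if __name__ == "__main__":
    for severity, key, detail in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {detail}  ({key})")
```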

Response Number 9
Name: davoid
Date: May 6, 2008 at 15:53:44 Pacific
Subject: POS. tmp files in C drive, Red X ic
Reply:
and the MBAM


Malwarebytes' Anti-Malware 1.12
Database version: 723

Scan type: Full Scan (C:\|)
Objects scanned: 111862
Time elapsed: 18 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Response Number 10
Name: Adii
Date: May 6, 2008 at 22:13:32 Pacific
Subject: POS. tmp files in C drive, Red X ic
Reply:
Please download the OTMoveIt2 by OldTimer.

http://download.bleepingcomputer.co...

Save it to your desktop.

Please double-click OTMoveIt2.exe to run it.

Copy the following bold file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


C:\pos*.tmp /D
%userprofile%\My Documents\pos*.tmp /D
%appdata%\My Documents\pos*.tmp /D


Return to OTMoveIt2, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.

Click the red Moveit! button.

Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.

Note: If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at:
C:\_OTMoveIt2\MovedFiles\********_******.log
(where "********_******" is the "date_time")

Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
-------------------

How are things running now?

--

Reset and Re-enable your System Restore:

Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

(You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore:
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore:
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.

--------

Your java is out of date and can be exploited:

Download the latest version of java from this link: http://java.sun.com/javase/download...

Click on the JDK 6 Update 6 download button.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then double-click on jdk-6u5-windows-i586-p.exe from your desktop to install the newest version.

*Do Safe Computing*



Response Number 11
Name: davoid
Date: May 7, 2008 at 05:04:00 Pacific
Subject: POS. tmp files in C drive, Red X ic
Reply:
It's better, but how do I delete the pos. shortcuts? Do I just delete them, or is there special stuff I must do? Anyway, here's the log:

< C:\pos*.tmp /D >
File/Folder C:\pos*.tmp not found.
< %userprofile%\My Documents\pos*.tmp /D >
Folder C:\Documents and Settings\ywu\My Documents\pos*.tmp not found.
< %appdata%\My Documents\pos*.tmp /D >
Folder C:\Documents and Settings\ywu\Application Data\My Documents\pos*.tmp not found.
File/Folder not found.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05072008_174558



Response Number 12
Name: Adii
Date: May 7, 2008 at 11:57:58 Pacific
Subject: POS. tmp files in C drive, Red X ic
Reply:
Yes, you can delete them. Also, here are a few more steps to do.

---
Please download AVG Anti-Spyware v7.5.

http://free.grisoft.com/doc/20/lng/...


Now double click on the AVG Anti-Spyware setup file to launch the install process.
Choose a language, click "OK" and then click "Next".
Read the "License Agreement" and click "I Agree".
Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
Connect to the Internet, go back to AVG Anti-Spyware, select the "Update" button and click "Start update". Wait until you see the "Update successful" message. If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here: http://www.ewido.net/en/download/up...
Exit AVG Anti-Spyware when done - DO NOT perform a scan yet.


Please reboot your computer in Safe Mode by doing the following:
Restart the computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the Option to Start Windows in Safemode
Press the Enter key. A dialog box confirms that Windows is in Safe Mode
Click OK. Note: This may take longer than a normal boot.


Scan with AVG Anti-Spyware as follows:

Click on the "Scanner" button and choose the "Settings" tab.
Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
Under "How to Scan?", "Possibly unwanted software", and "What to Scan?" leave all the default settings.
Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".
Click the "Scan" tab to return to scanning options.
Click "Complete System Scan" to start.
When the scan has finished, it should automatically be set to Quarantine--if not click on Recommended Action and set it there.
You will also be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.
IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.
Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-yyyymmdd-hhmmss.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
Exit AVG Anti-Spyware when done, reboot normally and submit the log report in your next response.

Click on start > run > and then paste the following into the "open" field: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports and press OK.

Then have a look if the log was saved there and post it in your next reply. Thanks.


Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

-------

Please do an online scan with Kaspersky WebScanner.

online scanner: http://www.kaspersky.com/virusscanner


1. Click on "Kaspersky Online Scanner".
2. You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
3. The program will launch and then begin downloading the latest definition files.
4. Once the files have been downloaded click on "NEXT".
5. Now click on "Scan Settings".
6. In the scan settings make sure that the following are selected:
7. Scan using the following Anti-Virus database:
Extended (if available, otherwise Standard)
8. Scan Options:
Scan Archives
Scan Mail Bases
9. Click OK.
10. Under select a target to scan, select "My Computer".
The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Upon completion, click on the "Save as Text" button.
Save the file to your desktop.

Copy and paste that information in your next reply.

*Do Safe Computing*



All content ©1996-2007 Computing.Net, LLC