November 7th, 2007 00:00

Spyware infection trying to download anti spyware software to my PC - HELP!

Logfile of HijackThis v1.99.1
Scan saved at 9:15:24 PM, on 11/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINDOWS\system32\zshp1020.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Wireless-G PCI Adapter with RangeBooster\WLService.exe
C:\Program Files\Wireless-G PCI Adapter with RangeBooster\WMP54GR.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\fccbyxu.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: {949d2194-ab85-103b-de04-eeb30c363a2a} - {a2a363c0-3bee-40ed-b301-58ba4912d949} - C:\WINDOWS\system32\rlklhwfo.dll
O2 - BHO: (no name) - {A704ACCD-BB42-4902-A8D8-7CF7847BD49F} - C:\Program Files\Internet Explorer\hokeposedC:\WINDOWS\system32\g2\caws83122.exe.dll (file missing)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\gqeabyjh.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\gqeabyjh.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [f815a759] rundll32.exe "C:\WINDOWS\system32\waqfkesi.dll",b
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: http://www.golfdigest.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147622403015
O16 - DPF: {8CE3BAE6-AB66-40B6-9019-41E5282FF1E2} (QuickBooks Online Edition Utilities Class v8) - https://accounting.quickbooks.com/c1/v14.166/qboax8.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL WIKI.DLL
O20 - Winlogon Notify: fccbyxu - C:\WINDOWS\SYSTEM32\fccbyxu.dll
O20 - Winlogon Notify: gqeabyjh - C:\WINDOWS\SYSTEM32\gqeabyjh.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54GRSVC - Unknown owner - C:\Program Files\Wireless-G PCI Adapter with RangeBooster\WLService.exe" "WMP54GR.exe (file missing)


November 7th, 2007 11:00


coopsys282

1. Please download VundoFix.exe to your desktop.


  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Microsoft MVP Windows-Security

"The world is what you make of it"

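An added example, not part of this thread and not HijackThis or VundoFix code: the entries VundoFix is about to go after can be picked out of the log above mechanically. The script below scores each O2/O3/O4/O20/O23 target on the signals a log reader applies by eye (a BHO with "(no name)" or a bare CLSID as its name, rundll32 loading a DLL through a one-letter export, a Run value named with random hex, a service with no publisher, a random-looking short name in system32, and one file registered under more than one hook type). It runs offline on lines excerpted from the logs in this thread; the point values and the threshold of 2 are our choices, and the Intel igfxsrvc.dll line is kept in deliberately to show that a random-looking name on its own is not enough to flag a file.

```python
"""Heuristic triage of a HijackThis 1.99 log for Vundo-style hooks.

Added example for this thread; not HijackThis code and not the helper's
tool. The point values and the threshold are our choices.
"""
import re
from collections import defaultdict

# Sample input: lines excerpted from the logs posted in this thread, with a
# few clean entries (Acrobat, avast!, the Intel igfxcui notify) kept so the
# scoring has something to leave alone. The selection is ours.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\fccbyxu.dll
O2 - BHO: {949d2194-ab85-103b-de04-eeb30c363a2a} - {a2a363c0-3bee-40ed-b301-58ba4912d949} - C:\WINDOWS\system32\rlklhwfo.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\gqeabyjh.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\gqeabyjh.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [f815a759] rundll32.exe "C:\WINDOWS\system32\waqfkesi.dll",b
O20 - Winlogon Notify: fccbyxu - C:\WINDOWS\SYSTEM32\fccbyxu.dll
O20 - Winlogon Notify: gqeabyjh - C:\WINDOWS\SYSTEM32\gqeabyjh.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: DomainService - - C:\WINDOWS\system32\rpttosxq.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
CLSID_RE = re.compile(CLSID)
LINE_RES = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - " + CLSID + r" - (?P<path>.*)$"),
    "O3": re.compile(r"^O3 - Toolbar: (?P<name>.*?) - " + CLSID + r" - (?P<path>.*)$"),
    "O4": re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<path>.*)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: \S+ - (?P<path>.*)$"),
    # an empty publisher is printed as "Name - - path", so the separators overlap
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) -(?P<company>.*?)- (?P<path>.*)$"),
}
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\S+)', re.I)
FILE_RE = re.compile(r'[^\\\s"]+\.(?:dll|exe)', re.I)
RANDOM_STEM_RE = re.compile(r"[a-z]{6,8}")
HEX_KEY_RE = re.compile(r"[0-9a-f]{8}")
THRESHOLD = 2  # minimum score before a file is reported


def triage(log_text):
    """Score every hook target in the log. Returns {file: (score, [reasons])}."""
    score, reasons = defaultdict(int), defaultdict(list)
    kinds = defaultdict(set)  # file -> hook types it is registered under
    in_system32 = defaultdict(bool)

    def note(fname, points, why):
        score[fname] += points
        reasons[fname].append(why)

    for line in log_text.splitlines():
        kind = line.split(" ", 1)[0]
        m = LINE_RES[kind].match(line) if kind in LINE_RES else None
        if not m:
            continue
        g = m.groupdict()
        target = g["path"]
        rd = RUNDLL_RE.search(target)
        if rd:  # O4 via rundll32: the DLL, not rundll32.exe, is the real target
            target = rd.group("dll")
        fm = FILE_RE.search(target)
        if not fm:
            continue
        fname = fm.group(0).lower()
        score[fname] += 0  # register clean files too, at score 0
        kinds[fname].add(kind)
        in_system32[fname] |= "\\system32\\" in target.lower()
        if kind in ("O2", "O3") and g["name"] == "(no name)":
            note(fname, 1, f"{kind} entry has no display name")
        if kind in ("O2", "O3") and CLSID_RE.fullmatch(g["name"]):
            note(fname, 2, f"{kind} display name is a bare CLSID")
        if rd and len(rd.group("export")) == 1:
            note(fname, 2, "rundll32 calls a one-letter export")
        if kind == "O4" and HEX_KEY_RE.fullmatch(g["key"]):
            note(fname, 1, "Run value name is eight random hex digits")
        if kind == "O23" and not g["company"].strip():
            note(fname, 2, "service has no publisher")

    for fname in list(score):  # per-file signals, counted once each
        if in_system32[fname] and RANDOM_STEM_RE.fullmatch(fname.rsplit(".", 1)[0]):
            note(fname, 1, "random-looking 6-8 letter name in system32")
        if len(kinds[fname]) > 1:
            note(fname, 2, "same file hooked via " + "+".join(sorted(kinds[fname])))
    return {f: (score[f], reasons[f]) for f in score}


def flagged(log_text, threshold=THRESHOLD):
    """File names at or above the threshold, highest score first."""
    result = triage(log_text)
    keep = [f for f, (s, _) in result.items() if s >= threshold]
    return sorted(keep, key=lambda f: (-result[f][0], f))


if __name__ == "__main__":
    for f, (s, why) in sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -kv[1][0]):
        print(f"{s:2d}  {f:18s} {'; '.join(why) or 'clean'}")
```

Run stand-alone it prints one line per file with its score and reasons. On the excerpt, fccbyxu.dll, gqeabyjh.dll and waqfkesi.dll score 4, rlklhwfo.dll and rpttosxq.exe score 3, igfxsrvc.dll stays at 1 and the Acrobat and avast! entries at 0, which matches what VundoFix and ComboFix later removed on this machine. The scoring is only a triage aid: a file a helper cannot place should still be checked against a known-file database or a vendor scan before it is deleted.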
November 8th, 2007 01:00

I closed down Spyware Doctor and tried it again. This time it ran without crashing. Here is the new log file:

Logfile of HijackThis v1.99.1
Scan saved at 10:36:52 PM, on 11/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Wireless-G PCI Adapter with RangeBooster\WLService.exe
C:\Program Files\Wireless-G PCI Adapter with RangeBooster\WMP54GR.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [f815a759] rundll32.exe "C:\WINDOWS\system32\bobsyrrq.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: http://www.golfdigest.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147622403015
O16 - DPF: {8CE3BAE6-AB66-40B6-9019-41E5282FF1E2} (QuickBooks Online Edition Utilities Class v8) - https://accounting.quickbooks.com/c1/v14.166/qboax8.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL WIKI.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54GRSVC - Unknown owner - C:\Program Files\Wireless-G PCI Adapter with RangeBooster\WLService.exe" "WMP54GR.exe (file missing)

November 8th, 2007 01:00

VundoFix V6.5.11

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 9:44:20 PM 11/7/2007

Listing files found while scanning....

C:\WINDOWS\system32\gqeabyjh.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\gqeabyjh.dll
C:\WINDOWS\system32\gqeabyjh.dll Has been deleted!

Performing Repairs to the registry.
Done!


But HijackThis won't even start now. It crashes with a Microsoft Debug screen reporting the following module affected:

AppName: hijackthis.exe AppVer: 1.99.0.1 ModName: mllmm.dll
ModVer: 0.0.0.0 Offset: 0005f5c3


November 8th, 2007 14:00

coopsys282

We have some items in hiding

1. Open the C:\Program Files\Hijackthis folder ->> Locate the hijackthis.exe file.

Right-click that file ->> Select Rename ->> Rename it H.exe

Then rerun H.exe (formerly Hijackthis.exe) and post a fresh log.

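An added example, not part of this thread and not part of the helper's procedure: the reason a fresh log is asked for after every step is easiest to see when two of the logs above are compared by hook identity rather than by text. The Run value [f815a759] survives from log to log while the DLL it loads is renamed (waqfkesi.dll, then bobsyrrq.dll, then ehgdtibx.dll), the toolbar CLSID {11A69AE4-...} is left pointing at "(no file)" after VundoFix deleted gqeabyjh.dll, and new hooks appear (the mllmm.dll BHO that crashed HijackThis, the DomainService service). The script below keys entries that way and sorts the differences into four groups. It works on lines excerpted from the first and third logs in this thread; the group names are ours.

```python
"""Compare the persistence hooks of two HijackThis logs by hook identity.

Added example for this thread; it is not HijackThis code and not part of
the helper's procedure. A plain text diff of two logs from this machine is
mostly noise because the DLL is re-created under a new random name at
each boot. Keying each entry on what does not change (Run value name,
Winlogon Notify key, BHO or toolbar CLSID, service name) and comparing
only the file it points at separates "same hook, new file" from an
orphaned hook, a new hook and a removed hook. The four labels are ours.
"""
import re

# Sample input: lines excerpted from the first and the third log posted in
# this thread (our selection; the lines themselves are from the page).
LOG_A = r"""
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\fccbyxu.dll
O2 - BHO: {949d2194-ab85-103b-de04-eeb30c363a2a} - {a2a363c0-3bee-40ed-b301-58ba4912d949} - C:\WINDOWS\system32\rlklhwfo.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\gqeabyjh.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\gqeabyjh.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [f815a759] rundll32.exe "C:\WINDOWS\system32\waqfkesi.dll",b
O20 - Winlogon Notify: fccbyxu - C:\WINDOWS\SYSTEM32\fccbyxu.dll
O20 - Winlogon Notify: gqeabyjh - C:\WINDOWS\SYSTEM32\gqeabyjh.dll
"""
LOG_B = r"""
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\fccbyxu.dll
O2 - BHO: {3165bfb3-b100-7418-e944-26c956bae5c8} - {8c5eab65-9c62-449e-8147-001b3bfb5613} - C:\WINDOWS\system32\oautulcw.dll
O2 - BHO: (no name) - {D6DF3354-C767-4DC6-A618-7CD4C1AF2E0C} - C:\WINDOWS\system32\mllmm.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [f815a759] rundll32.exe "C:\WINDOWS\system32\ehgdtibx.dll",b
O20 - Winlogon Notify: fccbyxu - C:\WINDOWS\SYSTEM32\fccbyxu.dll
O23 - Service: DomainService - - C:\WINDOWS\system32\rpttosxq.exe
"""

CLSID = r"\{(?P<clsid>[0-9A-Fa-f-]{36})\}"
PATTERNS = [
    ("O2", re.compile(r"^O2 - BHO: .*? - " + CLSID + r" - (?P<target>.*)$")),
    ("O3", re.compile(r"^O3 - Toolbar: .*? - " + CLSID + r" - (?P<target>.*)$")),
    ("O4", re.compile(r"^O4 - (?P<key>HK\w+\\\.\.\\Run: \[[^\]]+\]) (?P<target>.*)$")),
    ("O20", re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<target>.*)$")),
    # an empty publisher is printed as "Name - - path", so the separators overlap
    ("O23", re.compile(r"^O23 - Service: (?P<key>.*?) -.*?- (?P<target>.*)$")),
]
# The last file name in the target wins, so 'rundll32.exe "...\x.dll",b' yields x.dll.
FILE_RE = re.compile(r'[^\\\s"]+\.(?:dll|exe)', re.I)
NO_FILE = "(no file)"


def parse_hooks(log_text):
    """Map (hook type, hook identity) -> lower-cased file name the hook loads."""
    hooks = {}
    for line in log_text.splitlines():
        for kind, rx in PATTERNS:
            m = rx.match(line)
            if m:
                g = m.groupdict()
                ident = (kind, (g.get("clsid") or g["key"]).lower())
                files = FILE_RE.findall(g["target"])
                hooks[ident] = files[-1].lower() if files else NO_FILE
                break
    return hooks


def diff_hooks(old_text, new_text):
    """Classify every hook present in either log."""
    old, new = parse_hooks(old_text), parse_hooks(new_text)
    both = old.keys() & new.keys()
    return {
        # hook kept, file replaced: the infection rebuilt itself under a new name
        "regenerated": {k: (old[k], new[k]) for k in both
                        if old[k] != new[k] and new[k] != NO_FILE},
        # hook kept, file gone: a cleaner deleted the DLL but left the registry entry
        "orphaned": {k: old[k] for k in both if old[k] != NO_FILE and new[k] == NO_FILE},
        "added": {k: new[k] for k in new.keys() - old.keys()},
        "removed": {k: old[k] for k in old.keys() - new.keys()},
    }


if __name__ == "__main__":
    for label, items in diff_hooks(LOG_A, LOG_B).items():
        print(label)
        for (kind, ident), what in sorted(items.items()):
            print(f"  {kind:<4} {ident:<42} {what}")
```

Run stand-alone it prints the four groups. On the excerpt, "regenerated" holds only the f815a759 Run value moving from waqfkesi.dll to ehgdtibx.dll, "orphaned" holds the toolbar CLSID left pointing at (no file), "added" holds oautulcw.dll, mllmm.dll and the DomainService service, and "removed" holds the two hooks that loaded gqeabyjh.dll plus the rlklhwfo.dll BHO. Anything in "regenerated" or "added" with a random system32 name is what the next cleaning pass has to target; an entry in "orphaned" is a dead registry key that can be fixed in HijackThis once the file is gone.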
November 9th, 2007 00:00

OK - Here it is.

Logfile of HijackThis v1.99.1
Scan saved at 9:27:06 PM, on 11/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Wireless-G PCI Adapter with RangeBooster\WLService.exe
C:\Program Files\Wireless-G PCI Adapter with RangeBooster\WMP54GR.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
C:\Program Files\Kaseya\Agent\AgentMon.exe
C:\WINDOWS\system32\rpttosxq.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\H.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\fccbyxu.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: {3165bfb3-b100-7418-e944-26c956bae5c8} - {8c5eab65-9c62-449e-8147-001b3bfb5613} - C:\WINDOWS\system32\oautulcw.dll
O2 - BHO: (no name) - {A704ACCD-BB42-4902-A8D8-7CF7847BD49F} - C:\Program Files\Internet Explorer\hokeposedC:\WINDOWS\system32\g2\caws83122.exe.dll (file missing)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {D6DF3354-C767-4DC6-A618-7CD4C1AF2E0C} - C:\WINDOWS\system32\mllmm.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Kaseya Agent Service Helper] C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
O4 - HKLM\..\Run: [f815a759] rundll32.exe "C:\WINDOWS\system32\ehgdtibx.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: http://www.golfdigest.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147622403015
O16 - DPF: {8CE3BAE6-AB66-40B6-9019-41E5282FF1E2} (QuickBooks Online Edition Utilities Class v8) - https://accounting.quickbooks.com/c1/v14.166/qboax8.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL WIKI.DLL
O20 - Winlogon Notify: fccbyxu - C:\WINDOWS\SYSTEM32\fccbyxu.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DomainService - - C:\WINDOWS\system32\rpttosxq.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kaseya Agent (KaseyaAgent) - Unknown owner - C:\Program Files\Kaseya\Agent\AgentMon.exe" -s (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54GRSVC - Unknown owner - C:\Program Files\Wireless-G PCI Adapter with RangeBooster\WLService.exe" "WMP54GR.exe (file missing)


November 9th, 2007 11:00

coopsys282

Yep.

Please download Combofix and save to your desktop:
  • Note: It is important that it is saved directly to your desktop.
  • Close any open browsers.
  • Double click on combofix.exe and follow the prompts.
  • When it's finished it will produce a log.
  • Post the contents of the C:\ComboFix.txt into your next reply.
  • Note: Do not mouseclick combofix's window whilst it's running. That may cause the program to freeze/hang.

November 10th, 2007 11:00

For whatever reason, this did not post last night...

ComboFix 07-11-06.4 - Lynn 2007-11-09 20:02:52.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.132 [GMT -5:00]
Running from: C:\Documents and Settings\Lynn\Desktop\Bob's Spyware Folder\ComboFix.exe
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Lynn\Favorites\Online Security Guide.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\gqeabyjh.dllbox
C:\WINDOWS\system32\mllmm.dll
C:\WINDOWS\system32\mmllm.bak1
C:\WINDOWS\system32\mmllm.bak2
C:\WINDOWS\system32\mmllm.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-10-10 to 2007-11-10 )))))))))))))))))))))))))))))))
.

2007-11-09 20:03 145,984 --a------ C:\WINDOWS\system32\xdoigifd.dll
2007-11-09 20:03 145,984 --a------ C:\WINDOWS\system32\egoebmdb.dll
2007-11-09 10:18 88,128 --a------ C:\WINDOWS\system32\cbjsfdma.dll
2007-11-09 10:12 77,888 --a------ C:\WINDOWS\system32\ubekyrds.dll
2007-11-09 10:09 71,232 --a------ C:\WINDOWS\system32\jqtlitmm.exe
2007-11-08 10:15 80,448 --a------ C:\WINDOWS\system32\oautulcw.dll
2007-11-08 10:09 71,232 --a------ C:\WINDOWS\system32\rpttosxq.exe
2007-11-07 22:55 102,400 --a------ C:\temp\KLicense.exe
2007-11-07 22:47 d-------- C:\Program Files\Kaseya
2007-11-07 22:47 122,880 --a------ C:\WINDOWS\system32\kaseyasp.dll
2007-11-07 22:47 13,696 --a------ C:\WINDOWS\system32\drivers\KaPFA.sys
2007-11-07 22:47 6,144 --a------ C:\WINDOWS\system32\drivers\KaseyaHA.sys
2007-11-07 22:09 d-------- C:\Program Files\Lavasoft
2007-11-07 22:09 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-07 22:08 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-07 21:44 d-------- C:\VundoFix Backups
2007-11-07 10:11 79,936 --a------ C:\WINDOWS\system32\holgcprj.dll
2007-11-07 10:11 71,232 --a------ C:\WINDOWS\system32\npbcdbdb.exe
2007-11-06 20:41 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-06 20:40 d-------- C:\Program Files\Spyware Doctor
2007-11-06 20:40 d-------- C:\Documents and Settings\Lynn\Application Data\PC Tools
2007-11-06 20:40 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-06 20:40 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-11-06 20:40 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-11-06 20:40 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-11-06 20:40 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-11-06 18:52 81,472 --a------ C:\WINDOWS\system32\rlklhwfo.dll
2007-11-06 18:43 71,232 --a------ C:\WINDOWS\system32\vadvwupw.exe
2007-11-06 18:40 145,984 --a------ C:\WINDOWS\system32\yfmauanr.dll
2007-11-06 07:10 d-------- C:\WINDOWS\ERUNT
2007-11-06 06:48 d-------- C:\Deckard
2007-11-06 06:23 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-06 06:21 81,472 --a------ C:\WINDOWS\system32\erydineo.dll
2007-11-06 06:16 87,104 --a------ C:\WINDOWS\system32\vlqopmap.dll
2007-11-05 08:24 83,008 --a------ C:\WINDOWS\system32\davfxfax.dll
2007-11-04 21:53 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-04 21:53 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-04 18:34 36,352 --a------ C:\WINDOWS\system32\hggeeef.dll
2007-11-04 18:25 36,352 --a------ C:\WINDOWS\system32\nnnonol.dll
2007-11-04 17:48 d-------- C:\WINDOWS\system32\Mz02r
2007-11-04 17:48 d-------- C:\temp\mZOr
2007-11-04 17:48 36,352 --a------ C:\WINDOWS\system32\nnlljhf.dll
2007-11-04 17:48 36,352 --a------ C:\WINDOWS\system32\fccbyxu.dll
2007-11-02 11:59 26,240 --a------ C:\WINDOWS\system32\drivers\csrbcxp.sys
2007-10-15 20:40 d-------- C:\Program Files\iPod
2007-10-10 08:02 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-08 03:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-06 03:32 --------- d-----w C:\Program Files\QuickTime
2007-10-23 08:08 --------- d-----w C:\Documents and Settings\Lynn\Application Data\AdobeUM
2007-10-16 01:40 --------- d-----w C:\Program Files\iTunes
2007-10-12 19:27 --------- d-----w C:\Documents and Settings\Lynn\Application Data\ICAClient
2007-10-10 03:10 --------- d-----w C:\Program Files\Citrix
2007-10-10 03:08 --------- d-----w C:\Documents and Settings\Lynn\Application Data\Citrix
2007-10-10 02:51 --------- d-----w C:\Program Files\Google
2007-10-09 20:24 81 ----a-w C:\CTX.DAT
2007-09-26 20:23 --------- d-----w C:\Program Files\Apple Software Update
2007-09-23 15:48 --------- d-----w C:\Program Files\Hewlett-Packard
2007-09-22 23:21 --------- d-----w C:\Program Files\Java
2007-09-22 06:42 --------- d-----w C:\Program Files\Iomega
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-08-22 13:12 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 13:12 658,944 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 13:12 615,424 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 13:12 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 13:12 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 13:12 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 13:12 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 13:12 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 13:12 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 13:12 3,058,176 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 13:12 251,392 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 13:12 205,312 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 13:12 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 13:12 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 13:12 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 13:12 1,494,528 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 13:12 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 13:12 1,022,976 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 10:30 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2005-10-05 15:42 561,152 ----a-w C:\Documents and Settings\Lynn\chatlnk.exe
.

((((((((((((((((((((((((((((( snapshot@2007-11-06_ 6.33.30.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-03 23:46:48 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-11-06 12:10:57 4,571,136 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\ 00000001\NTUSER.DAT
+ 2007-11-06 12:10:57 196,608 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\ 00000002\UsrClass.dat
+ 2007-11-03 23:46:48 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-11-06 12:10:44 4,571,136 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\ 00000001\NTUSER.DAT
+ 2007-11-06 12:10:44 196,608 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\ 00000002\UsrClass.dat
+ 2007-11-08 03:09:35 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
+ 2007-11-08 03:09:35 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
+ 2007-11-08 03:09:35 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
+ 2007-11-08 03:09:35 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
+ 2007-07-11 18:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-08-07 17:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2007-08-07 17:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
+ 2007-04-13 19:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
- 2007-11-04 22:14:09 61,930 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-09 02:37:16 61,930 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-04 22:14:09 402,426 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-09 02:37:16 402,426 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-10 01:11:48 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_154.dat
+ 2007-11-10 01:11:39 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5e8.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 79,224 2007-09-06 10:06:09 C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe
----a-w 79,224 2007-09-06 10:06:09 C:\Program Files\Alwil Software\Avast4\ashDisp.exe

----a-w 180,269 2006-06-10 19:34:21 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 57,344 2003-09-17 15:43:36 C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\bak\CTSysVol.exe

----a-w 53,248 2004-04-26 13:04:14 C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe

----a-w 1,831,936 2007-05-15 03:37:07 C:\Program Files\Google\Google Desktop Search\bak\GoogleDesktop.exe

----a-w 68,856 2007-07-28 02:42:16 C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe

----a-r 98,304 2005-03-18 23:17:02 C:\Program Files\Hewlett-Packard\OrderReminder\bak\OrderReminder.exe

----a-w 32,768 2002-07-16 15:55:37 C:\Program Files\Iomega\DriveIcons\bak\deskup.exe

----a-w 86,016 2002-08-13 19:30:57 C:\Program Files\Iomega\DriveIcons\bak\ImgIcon.exe

----a-w 267,064 2007-09-14 14:00:06 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 267,064 2007-09-26 18:42:04 C:\Program Files\iTunes\iTunesHelper.exe

----a-w 132,496 2007-07-12 08:00:36 C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe

----a-w 1,694,208 2004-10-13 16:24:37 C:\Program Files\Messenger\bak\msmsgs.exe

----a-w 286,720 2007-06-29 10:24:52 C:\Program Files\QuickTime\bak\QTTask.exe

----a-w 3,092,480 2005-08-06 00:35:44 C:\Program Files\Yahoo!\Messenger\bak\ypager.exe

----a-w 90,112 2000-05-11 06:00:00 C:\WINDOWS\bak\UpdReg.EXE

----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\ctfmon.exe

----a-w 118,784 2004-08-21 01:51:14 C:\WINDOWS\system32\bak\hkcmd.exe

----a-w 155,648 2004-08-21 01:55:14 C:\WINDOWS\system32\bak\igfxtray.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{351ad655-792f-4eb7-b39c-9599d0459d44}]
2007-11-09 10:12 77888 --a------ C:\WINDOWS\system32\ubekyrds.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
2007-11-04 17:48 36352 --a------ C:\WINDOWS\system32\fccbyxu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A704ACCD-BB42-4902-A8D8-7CF7847BD49F}]
C:\Program Files\Internet Explorer\hokeposedC:\WINDOWS\system32\g2\caws83122.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-09 20:03 145984 --a------ C:\WINDOWS\system32\egoebmdb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\egoebmdb.dll [2007-11-09 20:03 145984]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\egoebmdb.dll [2007-11-09 20:03 145984]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [2004-06-10 16:51 C:\WINDOWS\system32\P17.dll]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"Kaseya Agent Service Helper"="C:\Program Files\Kaseya\Agent\KaUsrTsk.exe" [2007-06-04 20:04]
"f815a759"="C:\WINDOWS\system32\cbjsfdma.dll" [2007-11-09 10:18]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{634BBAB7-3F60-4426-944F-A62B9007F67F}"= C:\WINDOWS\system32\fccbyxu.dll [2007-11-04 17:48 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\egoebmdb]
egoebmdb.dll 2007-11-09 20:03 145984 C:\WINDOWS\system32\egoebmdb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccbyxu]
fccbyxu.dll 2007-11-04 17:48 36352 C:\WINDOWS\system32\fccbyxu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL WIKI.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mllmm.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

R2 KaseyaAgent;Kaseya Agent;"C:\Program Files\Kaseya\Agent\AgentMon.exe" -s
R2 WMP54GRSVC;WMP54GRSVC;"C:\Program Files\Wireless-G PCI Adapter with RangeBooster\WLService.exe" "WMP54GR.exe"
R3 KAPFA;KAPFA;\??\C:\WINDOWS\system32\drivers\KAPFA.SYS
R3 P17;Sound Blaster Live! 24-bit;C:\WINDOWS\system32\drivers\P17.sys
R3 StreamSurge;StreamSurge Driver (miniport);C:\WINDOWS\system32\DRIVERS\ss.sys
S3 AR5513;%ATHER.Service.DispName%;C:\WINDOWS\system32\DRIVERS\ar5513.sys
S3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys
S3 CSRBC;CSRBC.Sys CSR test driver;C:\WINDOWS\system32\Drivers\csrbcxp.sys
S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM;C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -i MICROSOFTBCM

.
Contents of the 'Scheduled Tasks' folder
"2007-11-06 02:36:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-09 20:36:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-09 20:38:50 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-06 06:35
.
--- E O F ---


November 12th, 2007 12:00


coopsys282

Sorry for the delay

1. Open NotePad (not wordpad). Copy and paste the following into Notepad

File::
C:\WINDOWS\system32\xdoigifd.dll
C:\WINDOWS\system32\egoebmdb.dll
C:\WINDOWS\system32\cbjsfdma.dll
C:\WINDOWS\system32\ubekyrds.dll
C:\WINDOWS\system32\jqtlitmm.exe
C:\WINDOWS\system32\oautulcw.dll
C:\WINDOWS\system32\rpttosxq.exe
C:\WINDOWS\system32\holgcprj.dll
C:\WINDOWS\system32\npbcdbdb.exe
C:\WINDOWS\system32\vadvwupw.exe
C:\WINDOWS\system32\yfmauanr.dll
C:\WINDOWS\system32\erydineo.dll
C:\WINDOWS\system32\vlqopmap.dll
C:\WINDOWS\system32\davfxfax.dll
C:\WINDOWS\system32\hggeeef.dll
C:\WINDOWS\system32\nnnonol.dll
C:\WINDOWS\system32\Mz02r
C:\temp\mZOr
C:\WINDOWS\system32\nnlljhf.dll
C:\WINDOWS\system32\fccbyxu.dll
C:\WINDOWS\system32\g2\caws83122.exe.dll

Folder::
C:\Program Files\Alwil Software\Avast4\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\bak
C:\Program Files\CyberLink\PowerDVD\bak
C:\Program Files\Google\Google Desktop Search\bak
C:\Program Files\Google\GoogleToolbarNotifier\bak
C:\Program Files\Hewlett-Packard\OrderReminder\bak
C:\Program Files\Iomega\DriveIcons\bak
C:\Program Files\iTunes\bak
C:\Program Files\Java\jre1.6.0_02\bin\bak
C:\Program Files\Messenger\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Yahoo!\Messenger\bak
C:\WINDOWS\bak
C:\WINDOWS\system32\bak
C:\WINDOWS\system32\g2

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{351ad655-792f-4eb7-b39c-9599d0459d44}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A704ACCD-BB42-4902-A8D8-7CF7847BD49F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"f815a759"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{634BBAB7-3F60-4426-944F-A62B9007F67F}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\egoebmdb]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccbyxu]



Save the file as CFScript (exactly as shown, no spaces) ->> Save it to your Desktop

Using the Image as a reference, drag CFScript into ComboFix.exe

  • You will be prompted to run Combofix again. Do so.
  • Follow the same rules as indicated in my first post.
  • Then post the contents of the C:\ComboFix.txt log in your reply.




November 13th, 2007 01:00

OK here it is. The log file popped up after a reboot, but Windows explorer failed to launch so I had to Ctrl-Alt-Del and run a New Task in Task Manager.


ComboFix 07-11-06.4 - Lynn 2007-11-12 20:54:53.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.126 [GMT -5:00]
Running from: C:\Documents and Settings\Lynn\Desktop\Bob's Spyware Folder\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lynn\Desktop\Bob's Spyware Folder\CFScript.txt
* Created a new restore point

FILE
C:\temp\mZOr
C:\WINDOWS\system32\cbjsfdma.dll
C:\WINDOWS\system32\davfxfax.dll
C:\WINDOWS\system32\egoebmdb.dll
C:\WINDOWS\system32\erydineo.dll
C:\WINDOWS\system32\fccbyxu.dll
C:\WINDOWS\system32\g2\caws83122.exe.dll
C:\WINDOWS\system32\hggeeef.dll
C:\WINDOWS\system32\holgcprj.dll
C:\WINDOWS\system32\jqtlitmm.exe
C:\WINDOWS\system32\Mz02r
C:\WINDOWS\system32\nnlljhf.dll
C:\WINDOWS\system32\nnnonol.dll
C:\WINDOWS\system32\npbcdbdb.exe
C:\WINDOWS\system32\oautulcw.dll
C:\WINDOWS\system32\rpttosxq.exe
C:\WINDOWS\system32\ubekyrds.dll
C:\WINDOWS\system32\vadvwupw.exe
C:\WINDOWS\system32\vlqopmap.dll
C:\WINDOWS\system32\xdoigifd.dll
C:\WINDOWS\system32\yfmauanr.dll
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Lynn\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Lynn\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Lynn\Favorites\Online Security Guide.lnk
C:\Program Files\Alwil Software\Avast4\bak
C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\bak
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\bak\CTSysVol.exe
C:\Program Files\CyberLink\PowerDVD\bak
C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe
C:\Program Files\Google\Google Desktop Search\bak
C:\Program Files\Google\Google Desktop Search\bak\GoogleDesktop.exe
C:\Program Files\Google\GoogleToolbarNotifier\bak
C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\OrderReminder\bak
C:\Program Files\Hewlett-Packard\OrderReminder\bak\OrderReminder.exe
C:\Program Files\Iomega\DriveIcons\bak
C:\Program Files\Iomega\DriveIcons\bak\deskup.exe
C:\Program Files\Iomega\DriveIcons\bak\ImgIcon.exe
C:\Program Files\iTunes\bak
C:\Program Files\iTunes\bak\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\bak
C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe
C:\Program Files\Messenger\bak
C:\Program Files\Messenger\bak\msmsgs.exe
C:\Program Files\QuickTime\bak
C:\Program Files\QuickTime\bak\QTTask.exe
C:\Program Files\Yahoo!\Messenger\bak
C:\Program Files\Yahoo!\Messenger\bak\ypager.exe
C:\WINDOWS\bak
C:\WINDOWS\bak\UpdReg.EXE
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\bak
C:\WINDOWS\system32\bak\ctfmon.exe
C:\WINDOWS\system32\bak\hkcmd.exe
C:\WINDOWS\system32\bak\igfxtray.exe
C:\WINDOWS\system32\cbjsfdma.dll
C:\WINDOWS\system32\davfxfax.dll
C:\WINDOWS\system32\egoebmdb.dllbox
C:\WINDOWS\system32\erydineo.dll
C:\WINDOWS\system32\fccbyxu.dll
C:\WINDOWS\system32\hggeeef.dll
C:\WINDOWS\system32\holgcprj.dll
C:\WINDOWS\system32\jqtlitmm.exe
C:\WINDOWS\system32\nnlljhf.dll
C:\WINDOWS\system32\nnnonol.dll
C:\WINDOWS\system32\npbcdbdb.exe
C:\WINDOWS\system32\nxiwtdmh.dllbox
C:\WINDOWS\system32\oautulcw.dll
C:\WINDOWS\system32\qrutv.bak1
C:\WINDOWS\system32\qrutv.bak2
C:\WINDOWS\system32\qrutv.ini
C:\WINDOWS\system32\rpttosxq.exe
C:\WINDOWS\system32\ubekyrds.dll
C:\WINDOWS\system32\vadvwupw.exe
C:\WINDOWS\system32\vlqopmap.dll
C:\WINDOWS\system32\vturq.dll
C:\WINDOWS\system32\xdoigifd.dll
C:\WINDOWS\system32\yfmauanr.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-10-13 to 2007-11-13 )))))))))))))))))))))))))))))))
.

2007-11-12 20:54 145,984 --a------ C:\WINDOWS\system32\nxiwtdmh.dll
2007-11-12 20:54 145,984 --a------ C:\WINDOWS\system32\htjodbld.dll
2007-11-12 08:54 81,472 --a------ C:\WINDOWS\system32\mvhbipbd.dll
2007-11-12 08:51 89,664 --a------ C:\WINDOWS\system32\edcehlyu.dll
2007-11-12 08:51 71,232 --a------ C:\WINDOWS\system32\jgrgykwh.exe
2007-11-11 08:57 79,936 --a------ C:\WINDOWS\system32\gbejjqrc.dll
2007-11-11 08:51 71,232 --a------ C:\WINDOWS\system32\vxubloyq.exe
2007-11-10 08:56 81,472 --a------ C:\WINDOWS\system32\ibalhclw.dll
2007-11-10 08:50 71,232 --a------ C:\WINDOWS\system32\fbdxemrx.exe
2007-11-07 22:55 102,400 --a------ C:\temp\KLicense.exe
2007-11-07 22:47 d-------- C:\Program Files\Kaseya
2007-11-07 22:47 122,880 --a------ C:\WINDOWS\system32\kaseyasp.dll
2007-11-07 22:47 13,696 --a------ C:\WINDOWS\system32\drivers\KaPFA.sys
2007-11-07 22:47 6,144 --a------ C:\WINDOWS\system32\drivers\KaseyaHA.sys
2007-11-07 22:09 d-------- C:\Program Files\Lavasoft
2007-11-07 22:09 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-07 22:08 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-07 21:44 d-------- C:\VundoFix Backups
2007-11-06 20:41 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-06 20:40 d-------- C:\Program Files\Spyware Doctor
2007-11-06 20:40 d-------- C:\Documents and Settings\Lynn\Application Data\PC Tools
2007-11-06 20:40 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-06 20:40 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-11-06 20:40 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-11-06 20:40 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-11-06 20:40 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-11-06 18:52 81,472 --a------ C:\WINDOWS\system32\rlklhwfo.dll
2007-11-06 07:10 d-------- C:\WINDOWS\ERUNT
2007-11-06 06:48 d-------- C:\Deckard
2007-11-06 06:23 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-04 21:53 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-04 21:53 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-04 17:48 d-------- C:\WINDOWS\system32\Mz02r
2007-11-04 17:48 d-------- C:\temp\mZOr
2007-11-02 11:59 26,240 --a------ C:\WINDOWS\system32\drivers\csrbcxp.sys
2007-10-15 20:40 d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 01:58 --------- d-----w C:\Program Files\QuickTime
2007-11-13 01:58 --------- d-----w C:\Program Files\iTunes
2007-11-08 03:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-23 08:08 --------- d-----w C:\Documents and Settings\Lynn\Application Data\AdobeUM
2007-10-12 19:27 --------- d-----w C:\Documents and Settings\Lynn\Application Data\ICAClient
2007-10-10 03:10 --------- d-----w C:\Program Files\Citrix
2007-10-10 03:08 --------- d-----w C:\Documents and Settings\Lynn\Application Data\Citrix
2007-10-10 02:51 --------- d-----w C:\Program Files\Google
2007-10-09 20:24 81 ----a-w C:\CTX.DAT
2007-09-26 20:23 --------- d-----w C:\Program Files\Apple Software Update
2007-09-23 15:48 --------- d-----w C:\Program Files\Hewlett-Packard
2007-09-22 23:21 --------- d-----w C:\Program Files\Java
2007-09-22 06:42 --------- d-----w C:\Program Files\Iomega
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-08-22 13:12 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 13:12 658,944 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 13:12 615,424 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 13:12 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 13:12 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 13:12 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 13:12 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 13:12 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 13:12 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 13:12 3,058,176 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 13:12 251,392 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 13:12 205,312 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 13:12 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 13:12 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 13:12 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 13:12 1,494,528 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 13:12 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 13:12 1,022,976 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 10:30 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2005-10-05 15:42 561,152 ----a-w C:\Documents and Settings\Lynn\chatlnk.exe
.

((((((((((((((((((((((((((((( snapshot@2007-11-06_ 6.33.30.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-03 23:46:48 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-11-06 12:10:57 4,571,136 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\ 00000001\NTUSER.DAT
+ 2007-11-06 12:10:57 196,608 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\ 00000002\UsrClass.dat
+ 2007-11-03 23:46:48 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-11-06 12:10:44 4,571,136 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\ 00000001\NTUSER.DAT
+ 2007-11-06 12:10:44 196,608 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\ 00000002\UsrClass.dat
+ 2007-11-08 03:09:35 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
+ 2007-11-08 03:09:35 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
+ 2007-11-08 03:09:35 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
+ 2007-11-08 03:09:35 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
+ 2007-07-11 18:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-08-07 17:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2007-08-07 17:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
+ 2007-04-13 19:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
- 2007-11-04 22:14:09 61,930 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-09 02:37:16 61,930 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-04 22:14:09 402,426 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-09 02:37:16 402,426 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-13 02:02:09 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_1d4.dat
+ 2007-11-13 02:02:02 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_604.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{214a7e93-97ba-4c1d-b346-59f1b2e11245}]
2007-11-12 08:54 81472 --a------ C:\WINDOWS\system32\mvhbipbd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-12 20:54 145984 --a------ C:\WINDOWS\system32\nxiwtdmh.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\nxiwtdmh.dll [2007-11-12 20:54 145984]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [2004-06-10 16:51 C:\WINDOWS\system32\P17.dll]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"Kaseya Agent Service Helper"="C:\Program Files\Kaseya\Agent\KaUsrTsk.exe" [2007-06-04 20:04]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nxiwtdmh]
nxiwtdmh.dll 2007-11-12 20:54 145984 C:\WINDOWS\system32\nxiwtdmh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL WIKI.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vturq.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

R2 KaseyaAgent;Kaseya Agent;"C:\Program Files\Kaseya\Agent\AgentMon.exe" -s
R2 WMP54GRSVC;WMP54GRSVC;"C:\Program Files\Wireless-G PCI Adapter with RangeBooster\WLService.exe" "WMP54GR.exe"
R3 P17;Sound Blaster Live! 24-bit;C:\WINDOWS\system32\drivers\P17.sys
R3 StreamSurge;StreamSurge Driver (miniport);C:\WINDOWS\system32\DRIVERS\ss.sys
S3 AR5513;%ATHER.Service.DispName%;C:\WINDOWS\system32\DRIVERS\ar5513.sys
S3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys
S3 CSRBC;CSRBC.Sys CSR test driver;C:\WINDOWS\system32\Drivers\csrbcxp.sys
S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM;C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -i MICROSOFTBCM

.
Contents of the 'Scheduled Tasks' folder
"2007-11-13 02:36:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-12 22:04:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-12 22:05:03 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-09 20:38
C:\ComboFix3.txt ... 2007-11-06 06:35
.
--- E O F ---

November 13th, 2007 12:00

coopsys282
Good job so far. This infection that you have likes to make copies of itself.
Right-click and delete the CFScript.txt file we made earlier; we are going to make another one.

1. Open NotePad (not WordPad). Copy and paste the following into Notepad:

File::
C:\WINDOWS\system32\nxiwtdmh.dll
C:\WINDOWS\system32\htjodbld.dll
C:\WINDOWS\system32\mvhbipbd.dll
C:\WINDOWS\system32\edcehlyu.dll
C:\WINDOWS\system32\jgrgykwh.exe
C:\WINDOWS\system32\gbejjqrc.dll
C:\WINDOWS\system32\vxubloyq.exe
C:\WINDOWS\system32\ibalhclw.dll
C:\WINDOWS\system32\fbdxemrx.exe
C:\WINDOWS\system32\rlklhwfo.dll
C:\WINDOWS\system32\Mz02r
C:\temp\mZOr

Save the file as CFScript (exactly as shown, no spaces) ->> Save it to your Desktop.

Using the image as a reference, drag CFScript into ComboFix.exe.

  • You will be prompted to run ComboFix again. Do so, following the same rules as indicated in my first post.
  • Then post the contents of the C:\ComboFix.txt log in your reply.

Microsoft MVP Windows-Security

"The world is what you make of it"
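
The entries the helper is targeting above sit in the three registry locations a defender reads first in a ComboFix report: a Winlogon Notify subkey (a DLL loaded by winlogon.exe), AppInit_DLLs (injected into every process that loads user32), and an extra LSA Authentication Package listed next to the legitimate msv1_0. The script below is an added example, not part of this thread and not part of ComboFix. It parses a constructed excerpt of the "Reg Loading Points" section, built from lines already posted in this thread, flags every file registered under those keys, and applies a simple vowel-count heuristic for generated-looking names such as nxiwtdmh and vturq. The watched-key list, the 25% vowel threshold and all function names are my assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: a few lines in the style of ComboFix's "Reg Loading Points"
# section, copied from the log excerpt posted in this thread (not a complete log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nxiwtdmh]
nxiwtdmh.dll 2007-11-12 20:54 145984 C:\WINDOWS\system32\nxiwtdmh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL WIKI.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vturq.dll
"""

# Autostart locations that ordinary software rarely needs (assumed list). Each one loads
# a DLL into a privileged or ubiquitous host process, so anything listed there gets reviewed.
# Keys are matched as case-insensitive substrings of the registry path.
WATCHED_KEYS = {
    r"winlogon\notify": "Winlogon Notify package (loaded by winlogon.exe at logon)",
    r"currentversion\windows": "AppInit_DLLs (injected into every process that loads user32)",
    r"control\lsa": "LSA Authentication Packages (loaded by lsass.exe)",
}

# A bare file name ending in .dll or .exe: no backslash, whitespace, quote or '=' inside.
FILE_RE = re.compile(r'([^\\\s"=]+\.(?:dll|exe))', re.IGNORECASE)


def parse_loading_points(text: str) -> Dict[str, List[str]]:
    """Group the non-empty lines of a ComboFix registry dump under their [key] header."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            # Some ComboFix headers end in a stray quote instead of "]"; strip both.
            current = line.strip('[]"')
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def file_names(line: str) -> List[str]:
    """Bare .dll/.exe names on a line, lower-cased, with path, quotes and '=' stripped."""
    return [m.group(1).lower() for m in FILE_RE.finditer(line)]


def looks_random(name: str) -> bool:
    """Heuristic (assumed threshold): a letters-only stem of 5+ characters with at most
    one vowel in four, e.g. nxiwtdmh or vturq. It flags generated-looking names only;
    a hit is a prompt for review, not proof of anything."""
    stem = name.lower().rsplit(".", 1)[0]
    if len(stem) < 5 or not stem.isalpha():
        return False
    vowels = sum(ch in "aeiou" for ch in stem)
    return vowels / len(stem) <= 0.25


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (file name, reason) pairs for every entry that merits a closer look."""
    findings: List[Tuple[str, str]] = []
    for key, lines in parse_loading_points(text).items():
        key_l = key.lower()
        reasons = [why for frag, why in WATCHED_KEYS.items() if frag in key_l]
        for line in lines:
            for name in dict.fromkeys(file_names(line)):  # de-duplicate, keep order
                for why in reasons:
                    findings.append((name, why))
                if looks_random(name):
                    findings.append((name, "random-looking file name"))
    return findings


if __name__ == "__main__":
    for name, why in triage(SAMPLE_LOG):
        print(f"{name:16} {why}")
```

On the constructed excerpt the script lists nxiwtdmh.dll (Winlogon Notify, random-looking), goec62~1.dll and wiki.dll (AppInit_DLLs) and vturq.dll (LSA package, random-looking), and says nothing about ashDisp.exe under the ordinary Run key. AppInit_DLLs is also used by legitimate software (the Google Desktop DLL here), so the output is a review list rather than a verdict; each flagged file is still checked against its vendor, path and timestamp before anything is removed.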

November 14th, 2007 02:00

I'm getting ready to give up on this one. How many more times do you think we need to do this?

ComboFix 07-11-06.4 - Lynn 2007-11-13 21:31:34.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.153 [GMT -5:00]
Running from: C:\Documents and Settings\Lynn\Desktop\Bob's Spyware Folder\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lynn\Desktop\Bob's Spyware Folder\CFScript.txt
* Created a new restore point

FILE
C:\temp\mZOr
C:\WINDOWS\system32\edcehlyu.dll
C:\WINDOWS\system32\fbdxemrx.exe
C:\WINDOWS\system32\gbejjqrc.dll
C:\WINDOWS\system32\htjodbld.dll
C:\WINDOWS\system32\ibalhclw.dll
C:\WINDOWS\system32\jgrgykwh.exe
C:\WINDOWS\system32\mvhbipbd.dll
C:\WINDOWS\system32\Mz02r
C:\WINDOWS\system32\nxiwtdmh.dll
C:\WINDOWS\system32\rlklhwfo.dll
C:\WINDOWS\system32\vxubloyq.exe
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Lynn\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Lynn\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Lynn\Favorites\Online Security Guide.lnk
C:\WINDOWS\system32\edcehlyu.dll
C:\WINDOWS\system32\fbdxemrx.exe
C:\WINDOWS\system32\gbejjqrc.dll
C:\WINDOWS\system32\htjodbld.dll
C:\WINDOWS\system32\ibalhclw.dll
C:\WINDOWS\system32\jgrgykwh.exe
C:\WINDOWS\system32\mvhbipbd.dll
C:\WINDOWS\system32\nxiwtdmh.dll
C:\WINDOWS\system32\nxiwtdmh.dllbox
C:\WINDOWS\system32\rlklhwfo.dll
C:\WINDOWS\system32\vxubloyq.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))))))))
.

2007-11-07 22:55 102,400 --a------ C:\temp\KLicense.exe
2007-11-07 22:47 d-------- C:\Program Files\Kaseya
2007-11-07 22:47 122,880 --a------ C:\WINDOWS\system32\kaseyasp.dll
2007-11-07 22:47 13,696 --a------ C:\WINDOWS\system32\drivers\KaPFA.sys
2007-11-07 22:47 6,144 --a------ C:\WINDOWS\system32\drivers\KaseyaHA.sys
2007-11-07 22:09 d-------- C:\Program Files\Lavasoft
2007-11-07 22:09 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-07 22:08 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-07 21:44 d-------- C:\VundoFix Backups
2007-11-06 20:41 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-06 20:40 d-------- C:\Program Files\Spyware Doctor
2007-11-06 20:40 d-------- C:\Documents and Settings\Lynn\Application Data\PC Tools
2007-11-06 20:40 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-06 20:40 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-11-06 20:40 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-11-06 20:40 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-11-06 20:40 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-11-06 07:10 d-------- C:\WINDOWS\ERUNT
2007-11-06 06:48 d-------- C:\Deckard
2007-11-06 06:23 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-04 21:53 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-04 21:53 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-04 17:48 d-------- C:\WINDOWS\system32\Mz02r
2007-11-04 17:48 d-------- C:\temp\mZOr
2007-11-02 11:59 26,240 --a------ C:\WINDOWS\system32\drivers\csrbcxp.sys
2007-10-15 20:40 d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 01:58 --------- d-----w C:\Program Files\QuickTime
2007-11-13 01:58 --------- d-----w C:\Program Files\iTunes
2007-11-08 03:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-23 08:08 --------- d-----w C:\Documents and Settings\Lynn\Application Data\AdobeUM
2007-10-12 19:27 --------- d-----w C:\Documents and Settings\Lynn\Application Data\ICAClient
2007-10-10 03:10 --------- d-----w C:\Program Files\Citrix
2007-10-10 03:08 --------- d-----w C:\Documents and Settings\Lynn\Application Data\Citrix
2007-10-10 02:51 --------- d-----w C:\Program Files\Google
2007-10-09 20:24 81 ----a-w C:\CTX.DAT
2007-09-26 20:23 --------- d-----w C:\Program Files\Apple Software Update
2007-09-23 15:48 --------- d-----w C:\Program Files\Hewlett-Packard
2007-09-22 23:21 --------- d-----w C:\Program Files\Java
2007-09-22 06:42 --------- d-----w C:\Program Files\Iomega
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2005-10-05 15:42 561,152 ----a-w C:\Documents and Settings\Lynn\chatlnk.exe
.

((((((((((((((((((((((((((((( snapshot@2007-11-06_ 6.33.30.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-03 23:46:48 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-11-06 12:10:57 4,571,136 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\ 00000001\NTUSER.DAT
+ 2007-11-06 12:10:57 196,608 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\ 00000002\UsrClass.dat
+ 2007-11-03 23:46:48 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-11-06 12:10:44 4,571,136 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\ 00000001\NTUSER.DAT
+ 2007-11-06 12:10:44 196,608 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\ 00000002\UsrClass.dat
+ 2007-11-08 03:09:35 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
+ 2007-11-08 03:09:35 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
+ 2007-11-08 03:09:35 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
+ 2007-11-08 03:09:35 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
+ 2007-07-11 18:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-08-07 17:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2007-08-07 17:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
+ 2007-04-13 19:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
- 2007-11-04 22:14:09 61,930 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-09 02:37:16 61,930 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-04 22:14:09 402,426 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-09 02:37:16 402,426 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-14 02:36:10 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_1b0.dat
+ 2007-11-14 02:36:03 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_608.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [2004-06-10 16:51 C:\WINDOWS\system32\P17.dll]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"Kaseya Agent Service Helper"="C:\Program Files\Kaseya\Agent\KaUsrTsk.exe" [2007-06-04 20:04]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nxiwtdmh]
nxiwtdmh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL WIKI.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

R2 KaseyaAgent;Kaseya Agent;"C:\Program Files\Kaseya\Agent\AgentMon.exe" -s
R3 KAPFA;KAPFA;\??\C:\WINDOWS\system32\drivers\KAPFA.SYS
R3 P17;Sound Blaster Live! 24-bit;C:\WINDOWS\system32\drivers\P17.sys
R3 StreamSurge;StreamSurge Driver (miniport);C:\WINDOWS\system32\DRIVERS\ss.sys
S3 AR5513;%ATHER.Service.DispName%;C:\WINDOWS\system32\DRIVERS\ar5513.sys
S3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys
S3 CSRBC;CSRBC.Sys CSR test driver;C:\WINDOWS\system32\Drivers\csrbcxp.sys
S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM;C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -i MICROSOFTBCM

.
Contents of the 'Scheduled Tasks' folder
"2007-11-13 02:36:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-13 23:48:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-13 23:49:37 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-12 22:05
C:\ComboFix3.txt ... 2007-11-09 20:38
.
--- E O F ---

November 14th, 2007 13:00

coopsys282

I'm getting ready to give up on this one. How many more times do you think we need to do this?

Sometimes, it takes a few runs at infections to completely remove them. I have seen it take as many as 10 to 20 times to fix some. I think the cleaning of your PC is progressing at a rapid pace, and good progress is being made.
But the choice to continue is up to you. If you do not want to continue, let me know and I, as a volunteer here, will move on to help others.
Let me know what you decide.

November 16th, 2007 02:00

OK bamajim, we're going to stick this out. I have good news too. It seems that the self-launching IE popups have not been occurring over the past 2 days. I'm crossing my fingers that we're coming out of the woods. Let me know what I have to do to get rid of this once and for all.

November 19th, 2007 12:00

coopsys282

Sorry for the delay. Let's continue.

Run an online virus scan called Kaspersky from HERE.
  1. Click on "Kaspersky Online Scanner".
  2. A new smaller window will pop up. After reading the contents, press "Accept".
  3. Now Kaspersky will update the anti-virus database. Let it run.
  4. Click on "Next" ->> "Scan Settings", and make sure the database is set to "extended". And check both the scan options. Then click OK.
  5. Then click on "My Computer". And the scan will start.
  6. When the scan is complete, select "Save error report as".
     Then in the file name just type in kaspersky.
     Under "save as type" select text .txt.
     Save it to your Desktop.

Copy and post the results of the Kaspersky Online scan

==========

Note: For IE7 users. You may get returned to a window without the Accept/Decline buttons after allowing the ActiveX control. The buttons are there - you just can't see them! Click on the zoom button (bottom, right of the window) and change it from 100% to 75%. You should now see the buttons. Reset to 100% once the license has been accepted.