I've gotten pop ups aplenty and a slowed system the last week. Ad-aware, AVG and others have identified and tried to remove the problems, but they keep coming back. Here is the log file. Your help is truly appreciated!

ogfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:53:32 PM, on 11/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\Explorer.EXE
H:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
H:\Program Files\Java\jre6\bin\jqs.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Viewpoint\Common\ViewpointService.exe
H:\PROGRA~1\AVG\AVG8\avgrsx.exe
H:\PROGRA~1\AVG\AVG8\avgnsx.exe
H:\Program Files\HP\hpcoretech\hpcmpmgr.exe
H:\WINDOWS\System32\DeltTray.exe
H:\WINDOWS\system32\VTTimer.exe
H:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
H:\PROGRA~1\AVG\AVG8\avgtray.exe
H:\Program Files\Java\jre6\bin\jusched.exe
H:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
H:\Program Files\DNA\btdna.exe
H:\Program Files\Microsoft ActiveSync\Wcescomm.exe
H:\PROGRA~1\MICROS~3\rapimgr.exe
H:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
H:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
H:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
H:\Program Files\Mozilla Firefox\firefox.exe
H:\WINDOWS\system32\wuauclt.exe
H:\Program Files\Trend Micro\HijackThis\HijackThis.exe
H:\Program Files\Internet Explorer\iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - H:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - H:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - H:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - H:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - H:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - H:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - H:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - H:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [HP Component Manager] "H:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [M-Audio Delta Taskbar Icon] H:\WINDOWS\System32\DeltTray.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [H2O] H:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] H:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [TSC] "H:\DOCUME~1\David\LOCALS~1\Temp\HouseCall\tsc.exe" /HD
O4 - HKCU\..\Run: [EasyLinkAdvisor] "H:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [BitTorrent DNA] "H:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "H:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [swg] "H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = H:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - H:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - H:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - H:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.moove.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1145389590374
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://nadzmumper.spaces.live.com/PhotoUpload/MsnPUpld.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - H:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: mimadove.dll h:\windows\system32\mameyuvo.dll
O20 - Winlogon Notify: avgrsstarter - H:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: laborewim - {669aca7b-126f-4c5c-b2e8-d62bd02bb2f5} - h:\windows\system32\mameyuvo.dll (file missing)
O22 - SharedTaskScheduler: tokatiluy - {669aca7b-126f-4c5c-b2e8-d62bd02bb2f5} - h:\windows\system32\mameyuvo.dll (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - H:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - H:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - H:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - H:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - H:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7101 bytes

Hello dmumper, and welcome to Malwarebytes! My name is BHowett and I will be helping you to get sorted. If for any reason you do not understand any of the instructions, or are just unsure then please do not guess , simply post back with your question, and we will go through it again.

Please do the following...

ATF Cleaner

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

===============================================

Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

===============================================

ComboFix

Please download ComboFix from Here or Here

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  
• Double click on ComboFix.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Do not mouse-click Combofix's window while it is running. That may cause it to stall.

===============================================


Needed in your next reply:

Malwarebytes log
Combofix log

And let me know how things are running now

Thanks BHowett, I should be done with your instructions shortly...

no worries... when ever you get it is fine.

Ok here is the Malwarebytes log:

--------------------------

Malwarebytes' Anti-Malware 1.41
Database version: 3097
Windows 5.1.2600 Service Pack 2

11/4/2009 12:16:34 AM
mbam-log-2009-11-04 (00-16-34).txt

Scan type: Quick Scan
Objects scanned: 115972
Time elapsed: 5 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\MoreRelevantAdvertisingProgram (Adware.MoreRelevantAdvertising) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\PlayMP3 (Adware.PLayMP3z) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\System Alert Popup (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
H:\WINDOWS\system32\degibano.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\goketipo.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\muvitelu.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\susadosu.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\zupemeje.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\vuzagama.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\wabidohu.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
H:\Documents and Settings\David\Local Settings\Temp\tmpwr2 (Rogue.Installer) -> Quarantined and deleted successfully.
H:\Documents and Settings\David\Local Settings\Temp\tmpwr3 (Rogue.Installer) -> Quarantined and deleted successfully.

-----------------------

and the Combofix log:

ComboFix 09-11-03.01 - David 11/04/2009 0:28.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.494 [GMT -5:00]
Running from: h:\documents and settings\David\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

h:\documents and settings\All Users\Documents\jylydideme.bat
h:\documents and settings\David\Application Data\rexidytu.inf
h:\documents and settings\David\Local Settings\Temporary Internet Files\emabeb.ban
h:\documents and settings\David\Local Settings\Temporary Internet Files\ronun.sys
h:\documents and settings\David\Local Settings\Temporary Internet Files\uxujymufyc.lib
h:\windows\ivofyv.reg
h:\windows\system32\acalyhub.bat
h:\windows\system32\dumphive.exe
h:\windows\system32\hawaveba.dll
h:\windows\system32\msvcsv60.dll
h:\windows\system32\ofowovatat.bat
h:\windows\system32\Process.exe
h:\windows\system32\SrchSTS.exe
h:\windows\system32\tmp.reg
h:\windows\tusunysyp.bat
h:\windows\ubexuqyw.vbs
h:\windows\ulagadasym.bat

h:\windows\system32\proquota.exe was missing
Restored copy from - h:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2009-10-04 to 2009-11-04 )))))))))))))))))))))))))))))))
.

2009-11-04 04:44 . 2009-11-04 04:44 -------- d-----w- h:\program files\Trend Micro
2009-11-04 01:57 . 2009-11-04 01:57 -------- d-----w- H:\VundoFix Backups
2009-11-03 06:02 . 2009-11-03 05:52 15880 ----a-w- h:\windows\system32\lsdelete.exe
2009-11-03 05:52 . 2009-09-23 12:55 64288 ----a-w- h:\windows\system32\drivers\Lbd.sys
2009-11-03 05:52 . 2009-11-03 05:52 93360 ----a-w- h:\windows\system32\drivers\SBREDrv.sys
2009-11-03 05:49 . 2009-11-03 05:49 -------- dc-h--w- h:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-03 05:49 . 2009-11-03 05:52 -------- d-----w- h:\documents and settings\All Users\Application Data\Lavasoft
2009-11-03 05:49 . 2009-11-03 05:49 -------- d-----w- h:\program files\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-04 05:37 . 2008-09-08 23:40 -------- d-----w- h:\program files\DNA
2009-11-04 05:37 . 2008-09-08 23:40 -------- d-----w- h:\documents and settings\David\Application Data\DNA
2009-11-04 05:08 . 2009-07-24 01:04 -------- d-----w- h:\program files\Malwarebytes' Anti-Malware
2009-11-03 03:41 . 2009-06-13 21:54 -------- d-----w- h:\documents and settings\All Users\Application Data\avg8
2009-10-19 18:33 . 2006-04-19 01:36 -------- d-----w- h:\documents and settings\David\Application Data\AdobeUM
2009-10-09 23:15 . 2006-04-25 03:10 -------- d-----w- h:\program files\Java
2009-09-15 21:28 . 2006-04-19 01:45 32 ----a-w- h:\windows\msocreg32.dat
2009-09-10 19:54 . 2009-07-24 01:04 38224 ----a-w- h:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-07-24 01:04 19160 ----a-w- h:\windows\system32\drivers\mbam.sys
2009-08-29 21:38 . 2009-06-13 21:54 335240 ----a-w- h:\windows\system32\drivers\avgldx86.sys
2009-08-29 21:38 . 2009-06-13 21:54 11952 ----a-w- h:\windows\system32\avgrsstx.dll
2009-08-29 21:38 . 2007-12-19 05:01 27784 ----a-w- h:\windows\system32\drivers\avgmfx86.sys
2009-08-06 23:24 . 2006-04-18 19:46 327896 ----a-w- h:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2005-05-26 08:19 209632 ----a-w- h:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2006-04-18 19:46 44768 ----a-w- h:\windows\system32\wups2.dll
2009-08-06 23:24 . 2006-04-18 19:46 35552 ----a-w- h:\windows\system32\wups.dll
2009-08-06 23:24 . 2006-04-18 19:30 53472 ----a-w- h:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2001-08-23 12:00 96480 ----a-w- h:\windows\system32\cdm.dll
2009-08-06 23:23 . 2006-04-18 19:46 575704 ----a-w- h:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2008-01-05 14:00 274288 ----a-w- h:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2008-01-05 14:00 215920 ----a-w- h:\windows\system32\muweb.dll
2009-08-06 23:23 . 2006-04-18 19:30 1929952 ----a-w- h:\windows\system32\wuaueng.dll
2009-07-24 00:00 . 2009-07-24 00:00 19292 ----a-w- h:\program files\Common Files\zisyluwy.com
2009-07-24 00:00 . 2009-07-24 00:00 12309 ----a-w- h:\program files\Common Files\emucyvixep._dl
2009-07-25 14:39 . 2009-07-25 14:39 3 --sha-w- h:\windows\system32\vodesome.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="h:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"BitTorrent DNA"="h:\program files\DNA\btdna.exe" [2008-12-19 342848]
"H/PC Connection Agent"="h:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"swg"="h:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-30 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Component Manager"="h:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"M-Audio Delta Taskbar Icon"="h:\windows\System32\DeltTray.exe" [2004-08-27 56320]
"H2O"="h:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-23 385024]
"QuickTime Task"="h:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"AVG8_TRAY"="h:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-03 2028312]
"SunJavaUpdateSched"="h:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Malwarebytes Anti-Malware (reboot)"="h:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"DeltTray"="DeltTray.exe" - h:\windows\system32\DeltTray.exe [2004-08-27 56320]
"VTTimer"="VTTimer.exe" - h:\windows\system32\VTTimer.exe [2005-03-08 53248]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - h:\windows\system32\narrator.exe [2004-08-04 53760]

h:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - h:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-29 21:38 11952 ----a-w- h:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=h:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=h:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=h:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=h:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Apple Mobile Device"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"h:\\StubInstaller.exe"=
"h:\\Program Files\\LimeWire\\LimeWire.exe"=
"h:\\Program Files\\Messenger\\msmsgs.exe"=
"h:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"h:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"h:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"h:\\Program Files\\BitTorrent\\bittorrent.exe"=
"h:\\Program Files\\DNA\\btdna.exe"=
"h:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"h:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"h:\program files\Microsoft ActiveSync\rapimgr.exe"= h:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"h:\program files\Microsoft ActiveSync\wcescomm.exe"= h:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"h:\program files\Microsoft ActiveSync\WCESMgr.exe"= h:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"h:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Lbd;Lbd;h:\windows\system32\drivers\Lbd.sys [11/3/2009 12:52 AM 64288]
R0 xfilt;VIA SATA IDE Hot-plug Driver;h:\windows\system32\drivers\xfilt.sys [2/19/2007 10:31 PM 11264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;h:\windows\system32\drivers\avgldx86.sys [6/13/2009 4:54 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;h:\windows\system32\drivers\avgtdix.sys [6/13/2009 4:54 PM 108552]
R1 BIOS;BIOS;h:\windows\system32\drivers\BIOS.sys [2/19/2007 10:25 PM 13696]
R2 avg8wd;AVG Free8 WatchDog;h:\progra~1\AVG\AVG8\avgwdsvc.exe [6/13/2009 4:54 PM 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;h:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1179232]
R2 Viewpoint Manager Service;Viewpoint Manager Service;h:\program files\Viewpoint\Common\ViewpointService.exe [4/27/2009 9:40 AM 24652]
R3 CLEDX;Team H2O CLEDX service;h:\windows\system32\drivers\cledx.sys [4/18/2006 7:18 PM 33792]
S3 ICDUSB2;Sony IC Recorder (ST);h:\windows\system32\drivers\ICDUSB2.sys [11/28/2002 8:23 PM 39048]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-04 h:\windows\Tasks\Ad-Aware Update (Weekly).job
- h:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 05:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - h:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: moove.com
FF - ProfilePath - h:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\cvuhjv3z.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - nytimes.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: h:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: h:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: h:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: h:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: h:\program files\Virtual Earth 3D\npVE3D.dll
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{669aca7b-126f-4c5c-b2e8-d62bd02bb2f5} - h:\windows\system32\mameyuvo.dll
SSODL-laborewim-{669aca7b-126f-4c5c-b2e8-d62bd02bb2f5} - h:\windows\system32\mameyuvo.dll
AddRemove-View32 - h:\program files\FR Atlas\UNINST.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-04 00:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2100)
h:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
h:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
h:\windows\System32\shdoclc.dll
h:\windows\system32\WPDShServiceObj.dll
h:\windows\system32\PortableDeviceTypes.dll
h:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
h:\program files\Java\jre6\bin\jqs.exe
h:\progra~1\AVG\AVG8\avgrsx.exe
h:\progra~1\AVG\AVG8\avgnsx.exe
h:\windows\System32\wbem\unsecapp.exe
h:\progra~1\MICROS~3\rapimgr.exe
h:\program files\HP\hpcoretech\comp\hptskmgr.exe
h:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2009-11-04 0:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-04 05:41

Pre-Run: 16,630,480,896 bytes free
Post-Run: 17,037,414,400 bytes free

-------------------------------

Things seem to be running ok right now... Thanks! Anything else I need to look at?

Hi dmumper,


please do the following....


Combofix Script.txt

1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:




3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt
• A new HijackThis log.

===============================================

P2P Warning!

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur. Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current problem/infection. I would strongly suggest you remove LimeWire & BitTorrent . Removing can be done through Add/Remove Programs.

===============================================

Needed in your next reply:

Combofix log & fresh HijackThis log

Here is the combofix log:

-----

ComboFix 09-11-04.02 - David 11/04/2009 23:03.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.526 [GMT -5:00]
Running from: h:\documents and settings\David\Desktop\ComboFix.exe
Command switches used :: h:\documents and settings\David\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-10-05 to 2009-11-05 )))))))))))))))))))))))))))))))
.

2009-11-04 05:34 . 2004-08-04 07:56 50176 -c--a-w- h:\windows\system32\dllcache\proquota.exe
2009-11-04 05:34 . 2004-08-04 07:56 50176 ----a-w- h:\windows\system32\proquota.exe
2009-11-04 04:44 . 2009-11-04 04:44 -------- d-----w- h:\program files\Trend Micro
2009-11-04 01:57 . 2009-11-04 01:57 -------- d-----w- H:\VundoFix Backups
2009-11-03 06:02 . 2009-11-03 05:52 15880 ----a-w- h:\windows\system32\lsdelete.exe
2009-11-03 05:51 . 2009-11-03 05:51 5908024 ----a-w- h:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-11-03 05:51 . 2009-11-03 05:51 327000 ----a-w- h:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-11-03 05:51 . 2009-11-03 05:51 87496 ----a-w- h:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-11-03 05:51 . 2009-11-03 05:51 933120 ----a-w- h:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-11-03 05:51 . 2009-11-03 05:51 640608 ----a-w- h:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-03 05:50 . 2009-11-03 05:50 815760 ----a-w- h:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-11-03 05:50 . 2009-11-03 05:50 822904 ----a-w- h:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-11-03 05:50 . 2009-11-03 05:50 1638104 ----a-w- h:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-11-03 05:50 . 2009-11-03 05:50 788368 ----a-w- h:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-11-03 05:50 . 2009-11-03 05:50 1179232 ----a-w- h:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-11-03 05:49 . 2009-11-03 05:49 -------- dc-h--w- h:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-03 05:49 . 2009-10-03 08:15 2924848 -c--a-w- h:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-03 05:49 . 2009-11-03 05:52 -------- d-----w- h:\documents and settings\All Users\Application Data\Lavasoft
2009-11-03 05:49 . 2009-11-03 05:49 -------- d-----w- h:\program files\Lavasoft
2009-10-17 12:36 . 2009-10-17 12:36 2025752 ----a-w- h:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-05 04:01 . 2008-09-08 23:40 -------- d-----w- h:\documents and settings\David\Application Data\DNA
2009-11-04 05:49 . 2008-09-08 23:40 -------- d-----w- h:\program files\DNA
2009-11-04 05:08 . 2009-07-24 01:04 -------- d-----w- h:\program files\Malwarebytes' Anti-Malware
2009-11-03 03:41 . 2009-06-13 21:54 -------- d-----w- h:\documents and settings\All Users\Application Data\avg8
2009-10-19 18:33 . 2006-04-19 01:36 -------- d-----w- h:\documents and settings\David\Application Data\AdobeUM
2009-10-09 23:15 . 2006-04-25 03:10 -------- d-----w- h:\program files\Java
2009-10-09 23:13 . 2009-08-29 21:41 152576 ----a-w- h:\documents and settings\David\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-23 12:55 . 2009-11-03 05:52 64288 ----a-w- h:\windows\system32\drivers\Lbd.sys
2009-09-15 21:28 . 2006-04-19 01:45 32 ----a-w- h:\windows\msocreg32.dat
2009-09-10 19:54 . 2009-07-24 01:04 38224 ----a-w- h:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-07-24 01:04 19160 ----a-w- h:\windows\system32\drivers\mbam.sys
2009-08-29 21:38 . 2009-06-13 21:54 335240 ----a-w- h:\windows\system32\drivers\avgldx86.sys
2009-08-29 21:38 . 2009-06-13 21:54 11952 ----a-w- h:\windows\system32\avgrsstx.dll
2009-08-29 21:38 . 2007-12-19 05:01 27784 ----a-w- h:\windows\system32\drivers\avgmfx86.sys
2009-07-24 00:00 . 2009-07-24 00:00 19292 ----a-w- h:\program files\Common Files\zisyluwy.com
2009-07-24 00:00 . 2009-07-24 00:00 12309 ----a-w- h:\program files\Common Files\emucyvixep._dl
2009-07-25 14:39 . 2009-07-25 14:39 3 --sha-w- h:\windows\system32\vodesome.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-04_05.37.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-04 05:49 . 2009-11-04 05:49 16384 h:\windows\temp\Perflib_Perfdata_7dc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="h:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"BitTorrent DNA"="h:\program files\DNA\btdna.exe" [2008-12-19 342848]
"H/PC Connection Agent"="h:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"swg"="h:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-30 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Component Manager"="h:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"M-Audio Delta Taskbar Icon"="h:\windows\System32\DeltTray.exe" [2004-08-27 56320]
"H2O"="h:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-23 385024]
"QuickTime Task"="h:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"AVG8_TRAY"="h:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-03 2028312]
"SunJavaUpdateSched"="h:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Malwarebytes Anti-Malware (reboot)"="h:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"DeltTray"="DeltTray.exe" - h:\windows\system32\DeltTray.exe [2004-08-27 56320]
"VTTimer"="VTTimer.exe" - h:\windows\system32\VTTimer.exe [2005-03-08 53248]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - h:\windows\system32\narrator.exe [2004-08-04 53760]

h:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - h:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-29 21:38 11952 ----a-w- h:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=h:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=h:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=h:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=h:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Apple Mobile Device"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"h:\\StubInstaller.exe"=
"h:\\Program Files\\LimeWire\\LimeWire.exe"=
"h:\\Program Files\\Messenger\\msmsgs.exe"=
"h:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"h:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"h:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"h:\\Program Files\\BitTorrent\\bittorrent.exe"=
"h:\\Program Files\\DNA\\btdna.exe"=
"h:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"h:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"h:\program files\Microsoft ActiveSync\rapimgr.exe"= h:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"h:\program files\Microsoft ActiveSync\wcescomm.exe"= h:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"h:\program files\Microsoft ActiveSync\WCESMgr.exe"= h:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"h:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Lbd;Lbd;h:\windows\system32\drivers\Lbd.sys [11/3/2009 12:52 AM 64288]
R0 xfilt;VIA SATA IDE Hot-plug Driver;h:\windows\system32\drivers\xfilt.sys [2/19/2007 10:31 PM 11264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;h:\windows\system32\drivers\avgldx86.sys [6/13/2009 4:54 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;h:\windows\system32\drivers\avgtdix.sys [6/13/2009 4:54 PM 108552]
R1 BIOS;BIOS;h:\windows\system32\drivers\BIOS.sys [2/19/2007 10:25 PM 13696]
R2 avg8wd;AVG Free8 WatchDog;h:\progra~1\AVG\AVG8\avgwdsvc.exe [6/13/2009 4:54 PM 297752]
R2 Viewpoint Manager Service;Viewpoint Manager Service;h:\program files\Viewpoint\Common\ViewpointService.exe [4/27/2009 9:40 AM 24652]
R3 CLEDX;Team H2O CLEDX service;h:\windows\system32\drivers\cledx.sys [4/18/2006 7:18 PM 33792]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;h:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1179232]
S3 ICDUSB2;Sony IC Recorder (ST);h:\windows\system32\drivers\ICDUSB2.sys [11/28/2002 8:23 PM 39048]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-04 h:\windows\Tasks\Ad-Aware Update (Weekly).job
- h:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 05:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - h:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - h:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\cvuhjv3z.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - nytimes.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: h:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: h:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: h:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: h:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: h:\program files\Virtual Earth 3D\npVE3D.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-04 23:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3356)
h:\windows\System32\shdoclc.dll
h:\windows\system32\WPDShServiceObj.dll
h:\windows\system32\PortableDeviceTypes.dll
h:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-05 23:12
ComboFix-quarantined-files.txt 2009-11-05 04:11
ComboFix2.txt 2009-11-04 05:41

Pre-Run: 16,994,398,208 bytes free
Post-Run: 16,958,144,512 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
h:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

-----

And the hijackthis log:

---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:42 PM, on 11/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
H:\Program Files\Java\jre6\bin\jqs.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\HP\hpcoretech\hpcmpmgr.exe
H:\WINDOWS\System32\DeltTray.exe
H:\WINDOWS\system32\VTTimer.exe
H:\Program Files\Viewpoint\Common\ViewpointService.exe
H:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
H:\PROGRA~1\AVG\AVG8\avgrsx.exe
H:\Program Files\Java\jre6\bin\jusched.exe
H:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
H:\Program Files\DNA\btdna.exe
H:\Program Files\Microsoft ActiveSync\Wcescomm.exe
H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
H:\PROGRA~1\MICROS~3\rapimgr.exe
H:\WINDOWS\System32\svchost.exe
H:\PROGRA~1\AVG\AVG8\avgnsx.exe
H:\WINDOWS\system32\notepad.exe
H:\WINDOWS\explorer.exe
H:\Program Files\Mozilla Firefox\firefox.exe
H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - H:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - H:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - H:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - H:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - H:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - H:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - H:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - H:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [HP Component Manager] "H:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [M-Audio Delta Taskbar Icon] H:\WINDOWS\System32\DeltTray.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [H2O] H:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] H:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "H:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [EasyLinkAdvisor] "H:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [BitTorrent DNA] "H:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "H:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [swg] "H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = H:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - H:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - H:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - H:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1145389590374
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://nadzmumper.spaces.live.com/PhotoUpload/MsnPUpld.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - H:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - H:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - H:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - H:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - H:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - H:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - H:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6677 bytes

Again, BHowett, thanks for all your help!

Hi dmumper,

OTM by OldTimer

Please download OTM

• Save it to your desktop.
• Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  
  CODE
  :Processes
  explorer.exe
  
  :Services
  
  :Reg
  
  :Files
  h:\program files\Common Files\zisyluwy.com
  h:\program files\Common Files\emucyvixep._dl
  h:\windows\system32\vodesome.dll
  :Commands
  [purity]
  [emptytemp]
  [Reboot]
  
  
• Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  
• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post..

===============================================

Fix with HijackThis

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

===============================================

Kaspersky WebScanner

please go to Kaspersky website and perform an online antivirus scan.

1. Read through the requirements and privacy statement and click on Accept button.
2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
3. When the downloads have finished, click on Settings.
4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
   Spyware, Adware, Dialers, and other potentially dangerous programs
   Archives
   Mail databases
5. Click on My Computer under Scan.
6. Once the scan is complete, it will display the results. Click on View Scan Report.
7. You will see a list of infected items there. Click on Save Report As....
8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
9. Please post this log in your next reply.

===============================================

Needed in your next reply:

OTM log
Kaspersky WebScanner

and let me know how things are running now

Here is the OTM log:

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
h:\program files\Common Files\zisyluwy.com moved successfully.
h:\program files\Common Files\emucyvixep._dl moved successfully.
LoadLibrary failed for h:\windows\system32\vodesome.dll
h:\windows\system32\vodesome.dll NOT unregistered.
h:\windows\system32\vodesome.dll moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: David
->Temp folder emptied: 1726548 bytes
->Temporary Internet Files folder emptied: 12263635 bytes
->Java cache emptied: 111363991 bytes
->FireFox cache emptied: 59252405 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 7617570 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. H:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes

User: Nadia
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 7911729 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
File delete failed. H:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1119049 bytes
%systemroot%\System32 .tmp files removed: 3052561 bytes
Windows Temp folder emptied: 16384 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 194.92 mb


OTM by OldTimer - Version 3.0.0.6 log created on 11092009_235259

Files moved on Reboot...

Registry entries deleted on Reboot...

-----------------------------

And the Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, November 10, 2009
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, November 10, 2009 14:27:17
Records in database: 3188069
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
G:\
H:\
J:\
K:\

Scan statistics:
Objects scanned: 99385
Threats found: 4
Infected objects found: 7
Suspicious objects found: 0
Scan duration: 02:06:57


File name / Threat / Threats count
E:\Limewire Downloads\Latin\lo que pidas tu - greatest hits.mp3 Infected: Trojan-Downloader.WMA.GetCodec.aa 1
E:\Limewire Downloads\Latin\Roberto Lugo - Enamorado de ti.wma Infected: Trojan-Clicker.WMA.Agent.d 1
H:\Documents and Settings\David\.housecall6.6\Quarantine\19 salsa - Roberto Lugo - Corazon en Blanco.wma.bac_a07120 Infected: Trojan-Clicker.WMA.Agent.d 1
H:\Documents and Settings\David\.housecall6.6\Quarantine\navidad hector lavoe.mp3.bac_a07120 Infected: Trojan-Downloader.WMA.GetCodec.c 1
H:\Documents and Settings\David\.housecall6.6\Quarantine\Spank Rock - Let's Make Love and Listen to Death from Above (Spank Rock Remix)-CSS.mp3.bac_a07120 Infected: Trojan-Downloader.WMA.GetCodec.c 1
H:\Documents and Settings\David\.housecall6.6\Quarantine\wiilie gonzalez.mp3.bac_a07120 Infected: Trojan-Downloader.WMA.GetCodec.c 1
H:\Documents and Settings\David\.housecall6.6\Quarantine\~TME0.tmp.bac_a07120 Infected: Backdoor.Win32.Bredolab.bd 1

Selected area has been scanned.

----------------------------------------------------------

Also, these are the last few occurrences that AVG has picked up:

"Infection";"Trojan horse Vundo.IH";"H:\System Volume Information\_restore{C5C82F3C-B268-4FFB-92B3-6242B7ED55D5}\RP1017\A0097273.dll";"";"11/10/2009, 1:48:35 PM"

"Infection";"Trojan horse Vundo.IH";"H:\System Volume Information\_restore{C5C82F3C-B268-4FFB-92B3-6242B7ED55D5}\RP1017\A0097272.dll";"";"11/9/2009, 10:43:02 PM"

Hi dmumper,

As you can see the infected files found came from limewire, so please refer back to the P2P warning I posted in post # 6

OK lets get rid of them, and don’t worry about the ones in System Volume Information, we will clean that out to.

OTM by OldTimer

• Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  
  CODE
  :Processes
  explorer.exe
  
  :Services
  
  :Reg
  
  :Files
  E:\Limewire Downloads\Latin\lo que pidas tu - greatest hits.mp3
  E:\Limewire Downloads\Latin\Roberto Lugo - Enamorado de ti.wma
  H:\Documents and Settings\David\.housecall6.6\Quarantine\19 salsa - Roberto Lugo - Corazon en Blanco.wma.bac_a07120
  H:\Documents and Settings\David\.housecall6.6\Quarantine\navidad hector lavoe.mp3.bac_a07120
  H:\Documents and Settings\David\.housecall6.6\Quarantine\Spank Rock - Let's Make Love and Listen to Death from Above (Spank Rock Remix)-CSS.mp3.bac_a07120 H:\Documents and Settings\David\.housecall6.6\Quarantine\wiilie gonzalez.mp3.bac_a07120
  H:\Documents and Settings\David\.housecall6.6\Quarantine\~TME0.tmp.bac_a07120
  :Commands
  [purity]
  [emptytemp]
  [Reboot]
  
  
• Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  
• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post..

===============================================

Reset your restore points

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.


===============================================

Please post the OTM log in your next reply.

Thanks for your continued help...

Here is the new OTM log:

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
E:\Limewire Downloads\Latin\lo que pidas tu - greatest hits.mp3 moved successfully.
E:\Limewire Downloads\Latin\Roberto Lugo - Enamorado de ti.wma moved successfully.
File/Folder H:\Documents and Settings\David\.housecall6.6\Quarantine\19 salsa - Roberto Lugo - Corazon en Blanco.wma.bac_a07120 not found.
H:\Documents and Settings\David\.housecall6.6\Quarantine\navidad hector lavoe.mp3.bac_a07120 moved successfully.
File/Folder H:\Documents and Settings\David\.housecall6.6\Quarantine\Spank Rock - Let's Make Love and Listen to Death from Above (Spank Rock Remix)-CSS.mp3.bac_a07120 H:\Documents and Settings\David\.housecall6.6\Quarantine\wiilie gonzalez.mp3.bac_a07120 not found.
H:\Documents and Settings\David\.housecall6.6\Quarantine\~TME0.tmp.bac_a07120 moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: David
->Temp folder emptied: 89592449 bytes
->Temporary Internet Files folder emptied: 7784955 bytes
->Java cache emptied: 128020 bytes
->FireFox cache emptied: 39275636 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. H:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: Nadia
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 130.51 mb


OTM by OldTimer - Version 3.0.0.6 log created on 11102009_214158

Files moved on Reboot...

Registry entries deleted on Reboot...

Hi dmumper,

Well done, your log appears clean

Now lets uninstall Combofix:

• Click START then RUN
• Now type Combofix /u in the runbox and click OK. Note the space between the X and the /u, it needs to be there.
  

===============================================

Click Here to download OTC
Double-click OTC.exe to run it.
Click the Clean up button
Click Yes to the reboot.

Now delete any logs that you have left over on your desktop.

===============================================

For some useful tips on staying clean, along with links to some freeware to help, have a look at this page.

To find out more information about how you got infected in the first place, you can read this article.

===============================================

Follow this list and your potential for being infected again will reduce dramatically.

Thanks for letting us help you!

A most helpful experience! I truly appreciate it, and your advice regarding overall PC health is well taken.

Best,
David