Hello Pancake, well, I have tried to start the ComboFix.exe, but I keep getting kicked out with the message"ComboFix has encountered a problem and needs to close etc. etc." I have rebooted, tried the other 2 links you gave me from ForoSpyware.com and Geekstogo.com and I keep getting the same message. I have been at this for over 2 hours, I'm certainly not complaining, but just letting you know I am determined to try and fix this, and am willing to put in the time! Just let me know what you'd like me to do next!

Two methods we can try.Lets do this one first.

Run ComboFix using these instructions:

Click the Windows 'Start' button > Select 'Run' - then copy/paste the following bolded text into the run box & click OK.


"%userprofile%\desktop\combofix.exe" /killall

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

====================================

If that fails try this...

Remove the copy of Combofix that you now have...

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3






Double click on Combo-Fix.exe & follow the prompts.

• When finished, it will produce a report for you.
• Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

No luck Pancake. I tried option 1, then all 3 links in option 2, kept getting the message "Combo-Fix encountered a problem and needs to close..etc.etc. I rebooted, tried all options again, with the same result.

Untill we get Combofix running we will have to do things the long way.One or more of these files are stopping it from running.They are all malware and there will be more to remove later.Give Combo another try after fixing these.If no luck will you run Deckard again please


Download OTMoveIt2 http://download.bleepingcomputer.com.../OTMoveIt2.exe

Go to the location where you saved OTMoveIT2 and double click it. (If you're using Vista, right click on it and choose Run as Administrator).
Copy all the information found below. Highlight all of it, right click it and choose Copy.

C:\WINDOWS\system32\pcrwat.dll
C:\WINDOWS\system32\rqRKCtqr.dll
C:\WINDOWS\system32\efcYPjij.dll
C:\WINDOWS\system32\gsepeflhuia.dll
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\system32\ymvmugvf.dll
C:\WINDOWS\system32\riythduf.dll
C:\WINDOWS\system32\pvxwuh.dll
C:\WINDOWS\system32\tuwebcau.dll
C:\WINDOWS\system32\oxxgqywl.dll
C:\WINDOWS\system32\lSuEKUvw.ini2
C:\WINDOWS\system32\jzxsvz.dll
C:\WINDOWS\system32\isfelwav.dll
C:\WINDOWS\system32\wvulyfit.dll
C:\WINDOWS\system32\hbytagbx.dll
C:\WINDOWS\system32\cmrlrq.dll
C:\WINDOWS\system32\rbilikmg.dll
C:\WINDOWS\system32\ucdoax.dll
C:\WINDOWS\system32\ktdypoep.dll
C:\WINDOWS\system32\uztnym.dll
C:\WINDOWS\system32\dabvfrlp.dll
C:\WINDOWS\system32\gguhza.dll
C:\WINDOWS\system32\uggwqlah.dll
C:\WINDOWS\system32\udrmmyld.dll
C:\WINDOWS\system32\uobabxje.dll
C:\WINDOWS\system32\nxqstjbl.dll
C:\WINDOWS\system32\gguhza.dll
C:\WINDOWS\system32\uggwqlah.dll
C:\WINDOWS\system32\udrmmyld.dll
C:\WINDOWS\system32\gdixqc.dll
C:\WINDOWS\system32\rbcotakd.dll
C:\WINDOWS\system32\nxdrwjqx.dll
C:\WINDOWS\system32\vxxxwyxx.ini2
C:\WINDOWS\system32\efcYPjij.dll
C:\WINDOWS\system32\mlfcache.dat
C:\WINDOWS\system32\kjkUvGgh.ini2
C:\WINDOWS\system32\DLlVwyxx.ini2
C:\Documents and Settings\angela\Application Data\LimeWire
C:\Program Files\LimeWire


Next, return to OTMoveIt2 and right click in the "Paste List of Files/Patterns to Search For and Move" window.
Important: Paste only into the bottom input panel (under the yellow bar). The top panel will not help you. Then just right click and choose Paste.
Now, click the red MoveIt button and wait several minutes. When it's finished, look in the large right hand panel that says Results. You should see that at least the principal infector files were deleted and whichever applicable registry changes were made. (They may not all apply in your case). Close OTMoveIt2 when it has finished.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot your computer to finish the move process. If you're asked to reboot, simply choose Yes.
Now, double click and open OTMoveIt2 again. Click the green Clean Up! button at the top. (Note: It will need to access the Internet to download a small script file, so please allow your firewall to do so).
When it finishes, it will have deleted all of its quarantines, as well as, the OTMoveIt2 program and all the folders it created. Then just reboot your computer to finish up.

Ran the OTMoveIt2 program as asked, then tried Combo again, kept getting the same message as prev. stated. One odd thing I noticed, I
didn't get a prompt from the moveit file to let the firewall access the internet, so I hope I was doing everything correctly. Just to make sure I deleted the exe. then rebooted and went thru it all again with the same results. Have run Deckard again, here r the results:

Deckard's System Scanner v20071014.68
Run by angela on 2008-07-28 03:05:36
Computer is in Normal Mode.
--------------------------------------------------------------------------------
Percentage of Memory in Use: 82% (more than 75%).
System Drive C: has 5.88 GiB (less than 15%) free.

-- HijackThis (run as angela.exe) ----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:06:00 AM, on 7/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\angela\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\angela.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
O2 - BHO: (no name) - {403A3765-C163-46B1-AD81-51C3E4D53A6B} - C:\WINDOWS\system32\xxywVlLD.dll (file missing)
O2 - BHO: (no name) - {55DEF831-9A69-46BC-8A73-CEED72EE7DD6} - C:\WINDOWS\system32\mlJAqrQk.dll
O2 - BHO: (no name) - {59AAD935-DB8D-4289-A0A3-67E2B3B55BAB} - C:\WINDOWS\system32\efcYPjij.dll
O2 - BHO: (no name) - {5B969BF7-FD42-4FEE-841D-519D2AC667DA} - C:\WINDOWS\system32\rqRKCtqr.dll (file missing)
O2 - BHO: (no name) - {6083c490-3697-4dd8-b8f6-877578401b82} - (no file)
O2 - BHO: (no name) - {68A850EE-195B-4564-A4AE-1D9B4501D9DF} - (no file)
O2 - BHO: {c20f908d-74bd-d729-3d64-067f49669547} - {74596694-f760-46d3-927d-db47d809f02c} - C:\WINDOWS\system32\osguma.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {826104AC-742F-4BF1-8133-D34C36954CC1} - C:\WINDOWS\system32\tuvVMffc.dll (file missing)
O2 - BHO: (no name) - {86CF5770-6A10-4A56-816A-4ADF6497772B} - C:\WINDOWS\system32\efcCuTJB.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {96F11316-0379-4CED-9352-DDB6C3DC3B89} - C:\WINDOWS\system32\xxywxxxv.dll (file missing)
O2 - BHO: (no name) - {A1376D25-2E3F-40B3-B70F-BE3EDD6E3274} - (no file)
O2 - BHO: (no name) - {B4977567-6B39-4AFA-9CD2-47A20209F5FE} - C:\WINDOWS\system32\xxyaXpOH.dll (file missing)
O2 - BHO: (no name) - {B915237E-280A-46EE-95FD-B08EDAD7C2AA} - C:\WINDOWS\system32\hgGvUkjk.dll (file missing)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {C9B6FE04-B0F0-4D24-842C-243F3AA6F2E0} - C:\WINDOWS\system32\qoMcyYsP.dll (file missing)
O2 - BHO: (no name) - {D38DB21E-3DD4-43DF-A748-C8842753473D} - C:\WINDOWS\system32\nnnmlMcb.dll (file missing)
O2 - BHO: (no name) - {EA4D0568-BCAB-4D79-9AB9-76A5917B83A6} - C:\WINDOWS\system32\wvUKEuSl.dll (file missing)
O2 - BHO: (no name) - {EBB926B7-31D5-4333-AC96-27FEEDAD01C6} - C:\WINDOWS\system32\byXOhfEW.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: TrendProtect - {F83BE649-1CC3-48EE-B2E2-0826CEF3822A} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [a89728b9] rundll32.exe "C:\WINDOWS\system32\nsvodwdx.dll",b
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\angela\winlogon.exe
O4 - HKLM\..\Run: [BMaba41b25] Rundll32.exe "C:\WINDOWS\system32\dgixacsh.dll",s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - Add to Windows Live Favorites
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype add-on - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://paris.ville.orange.fr/CO/acti...CamControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: trendprotect - {BC3A5F6F-12A0-4B14-A184-32939F413823} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: cbXRJATK - cbXRJATK.dll (file missing)
O20 - Winlogon Notify: efcYPjij - C:\WINDOWS\SYSTEM32\efcYPjij.dll
O20 - Winlogon Notify: qoMcyYsP - qoMcyYsP.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 9006 bytes
-- Files created between 2008-06-28 and 2008-07-28 -----------------------------
2008-07-28 01:56:49 32256 --a------ C:\WINDOWS\system32\vtUkkkLB.dll
2008-07-28 01:56:49 32256 --a------ C:\WINDOWS\system32\ljJASihe.dll
2008-07-27 18:44:26 32256 --a------ C:\WINDOWS\system32\nnnMCsPi.dll
2008-07-27 18:44:25 32256 --a------ C:\WINDOWS\system32\yayxwXpq.dll
2008-07-27 18:38:49 0 d-------- C:\327882R2FWJFW
2008-07-27 18:04:02 83968 --a------ C:\WINDOWS\system32\nsvodwdx.dll
2008-07-27 18:01:20 102400 --a------ C:\WINDOWS\system32\osguma.dll
2008-07-27 18:01:13 102400 --a------ C:\WINDOWS\system32\toceeavs.dll
2008-07-27 17:59:59 93696 --a------ C:\WINDOWS\system32\dgixacsh.dll
2008-07-27 13:25:27 0 d--hs---- C:\found.000
2008-07-27 12:18:20 102400 --a------ C:\WINDOWS\system32\dwfqlu.dll
2008-07-27 12:18:14 102400 --a------ C:\WINDOWS\system32\qcimlbwk.dll
2008-07-27 12:16:03 93696 --a------ C:\WINDOWS\system32\rlvmghcy.dll
2008-07-27 12:15:14 574242 --ahs---- C:\WINDOWS\system32\kQrqAJlm.ini2
2008-07-27 12:15:00 283136 --a------ C:\WINDOWS\system32\mlJAqrQk.dll
2008-07-26 20:37:53 283072 --a------ C:\WINDOWS\system32\urqOGXnL.dll
2008-07-26 19:37:49 283072 --a------ C:\WINDOWS\system32\qoMcbayx.dll
2008-07-26 18:37:44 283072 --a------ C:\WINDOWS\system32\byXOgfgG.dll
2008-07-26 16:34:30 32768 --a------ C:\WINDOWS\system32\ljJcApOh.dll
2008-07-26 16:34:23 32768 --a------ C:\WINDOWS\system32\cBsTLCUN.dll
2008-07-23 03:43:30 31744 --a------ C:\WINDOWS\system32\mlJDvsTJ.dll
2008-07-23 03:43:27 31744 --a------ C:\WINDOWS\system32\yayaAsrS.dll
2008-07-22 22:01:52 0 d-------- C:\WINDOWS\system32\kBin02
2008-07-22 22:01:38 31744 --a------ C:\WINDOWS\system32\mlJCRjhe.dll
2008-07-22 22:01:31 31744 --a------ C:\WINDOWS\system32\mlJYoMcB.dll
2008-07-22 20:23:55 102400 --a------ C:\WINDOWS\system32\gsxyef.dll
2008-07-22 20:23:54 102400 --a------ C:\WINDOWS\system32\htlqlqoo.dll
2008-07-22 20:20:18 93184 --a------ C:\WINDOWS\system32\gxveclus.dll
2008-07-22 01:42:11 102912 --a------ C:\WINDOWS\system32\eglcfjgs.dll
2008-07-22 01:39:02 564272 --ahs---- C:\WINDOWS\system32\rqtCKRqr.ini2
2008-07-21 12:56:28 0 d-------- C:\Documents and Settings\angela\.housecall6.6
2008-07-21 12:49:27 0 d-------- C:\Program Files\Trend Micro
2008-07-20 15:41:34 0 d-------- C:\Documents and Settings\angela\Application Data\Ahead
2008-07-20 15:01:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-07-20 14:34:09 0 d-------- C:\Program Files\Nero
2008-07-20 14:34:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-07-20 14:34:07 0 d-------- C:\Program Files\Common Files\Ahead
2008-07-20 01:26:38 553566 --ahs---- C:\WINDOWS\system32\eMpsCfhk.ini2
2008-07-19 11:08:25 0 d-------- C:\Documents and Settings\angela\Application Data\muvee Technologies
2008-07-19 08:22:56 0 d-------- C:\WINDOWS\system32\carH18
2008-07-19 01:14:40 554409 --ahs---- C:\WINDOWS\system32\bcMlmnnn.ini2
2008-07-18 13:11:42 81920 --a------ C:\WINDOWS\system32\atuxyixv.dll
2008-07-18 13:05:41 550055 --ahs---- C:\WINDOWS\system32\BJTuCcfe.ini2
2008-07-18 10:14:42 0 d--h----- C:\$AVG8.VAULT$
2008-07-18 08:12:02 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-18 08:11:41 0 d-------- C:\Program Files\AVG
2008-07-18 08:11:41 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-18 07:51:02 355 --a------ C:\874.bat
2008-07-17 21:05:01 0 d--hs---- C:\WINDOWS\ZGF5
2008-07-17 09:56:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-17 08:45:09 0 d-------- C:\Documents and Settings\Administrator\Cookies
2008-07-17 08:45:09 0 d-------- C:\Documents and Settings\Administrator\Application Data
2008-07-17 08:45:09 0 d-------- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-17 08:45:08 0 d-------- C:\Documents and Settings\Administrator\Templates
2008-07-17 08:45:08 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-17 08:45:08 0 d-------- C:\Documents and Settings\Administrator\Local Settings
2008-07-17 08:41:38 0 d-------- C:\WINDOWS\pss
2008-07-17 07:17:04 6553600 --a------ C:\Documents and Settings\angela\ntuser.dat
2008-07-17 07:17:00 229376 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2008-07-16 22:47:59 450 --ahs---- C:\WINDOWS\system32\YFijQqru.ini2
2008-07-16 09:41:56 102400 --a------ C:\WINDOWS\system32\vcapam.dll
2008-07-16 09:41:53 102400 --a------ C:\WINDOWS\system32\tftjdwke.dll
2008-07-16 09:38:52 692073 --ahs---- C:\WINDOWS\system32\WEfhOXyb.ini2
2008-07-16 09:33:55 64841 --a------ C:\WINDOWS\system32\zizzypxkzblarlyxs.exe
2008-07-16 09:33:50 0 d-------- C:\WINDOWS\system32\xys7
2008-07-16 09:33:50 0 d-------- C:\WINDOWS\system32\tsoc
2008-07-16 09:33:50 0 d-------- C:\WINDOWS\system32\pv2
2008-07-16 09:33:43 0 d-------- C:\WINDOWS\system32\aumsDK18
2008-07-16 09:33:39 32256 --a------ C:\WINDOWS\system32\efcYPjij.dll
2008-07-14 17:24:25 0 d-------- C:\Documents and Settings\angela\Application Data\gtk-2.0
2008-07-14 17:23:06 0 d-------- C:\Documents and Settings\angela\.gimp-2.4
2008-07-14 14:36:04 0 d-------- C:\Program Files\Aurora Digital Imaging
2008-07-14 14:34:49 0 d-------- C:\WINDOWS\Downloaded Installations
2008-07-14 14:22:04 0 d-------- C:\Documents and Settings\angela\Application Data\Help
2008-07-14 09:10:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-14 07:32:44 0 d-------- C:\Program Files\Windows Defender
2008-07-14 06:27:29 0 d-------- C:\WINDOWS\system32\URTTEMP
2008-07-14 06:18:09 2582 --ahs---- C:\WINDOWS\system32\cffMVvut.ini2
2008-07-14 06:13:00 0 d-------- C:\WINDOWS\system32\olixds18
2008-07-14 06:13:00 0 d-------- C:\Temp
2008-07-13 14:18:20 0 d-------- C:\Documents and Settings\angela\Application Data\FastStone
2008-07-10 22:12:05 0 d-------- C:\Program Files\iPod
2008-07-10 21:54:32 0 d-------- C:\Program Files\Safari
2008-07-03 22:52:38 0 d-------- C:\Documents and Settings\Jen\Application Data\Sun
2008-07-02 12:28:54 0 d-------- C:\DVDVideoSoft
2008-07-02 12:28:24 0 d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-07-02 12:28:23 0 d-------- C:\Program Files\DVDVideoSoft
2008-07-01 17:39:13 0 d-------- C:\Documents and Settings\All Users\Application Data\IsolatedStorage
2008-07-01 17:31:15 0 d-------- C:\Program Files\Flypaper Beta
2008-07-01 17:24:04 0 d-------- C:\Program Files\MSBuild
2008-07-01 17:23:53 0 d-------- C:\WINDOWS\system32\XPSViewer
2008-07-01 17:23:42 0 d-------- C:\Program Files\Reference Assemblies
2008-07-01 17:17:12 0 d-------- C:\Program Files\MSXML 6.0

-- Find3M Report ---------------------------------------------------------------
2008-07-28 03:05:02 0 d-------- C:\Documents and Settings\angela\Application Data\Skype
2008-07-27 18:49:05 0 d-------- C:\Program Files\Common Files
2008-07-21 16:45:08 0 d-------- C:\Program Files\Picasa2
2008-07-20 13:50:08 0 d-------- C:\Program Files\Ahead
2008-07-20 06:33:28 0 d-------- C:\Program Files\Incomplete
2008-07-16 09:42:56 0 d-------- C:\Documents and Settings\angela\Application Data\Adobe
2008-07-16 09:42:54 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-14 13:36:28 0 d-------- C:\Program Files\Java
2008-07-13 07:03:00 0 d-------- C:\Documents and Settings\angela\Application Data\Apple Computer
2008-07-10 22:12:39 0 d-------- C:\Program Files\iTunes
2008-07-10 22:08:19 0 d-------- C:\Program Files\QuickTime
2008-06-10 03:04:20 0 d-------- C:\Program Files\Microsoft Works
2008-06-08 10:38:18 0 d-------- C:\Program Files\Windows Media Connect 2
2008-05-13 09:12:06 33280 --a------ C:\WINDOWS\system32\HUFFYUV.DLL <Not Verified; Disappearing Inc.; Huffyuv>
2008-05-10 17:13:59 50 --a------ C:\AUTOEXEC.BAT

-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{403A3765-C163-46B1-AD81-51C3E4D53A6B}]
C:\WINDOWS\system32\xxywVlLD.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{55DEF831-9A69-46BC-8A73-CEED72EE7DD6}]
07/27/2008 12:15 PM 283136 --a------ C:\WINDOWS\system32\mlJAqrQk.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59AAD935-DB8D-4289-A0A3-67E2B3B55BAB}]
07/16/2008 09:33 AM 32256 --a------ C:\WINDOWS\system32\efcYPjij.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5B969BF7-FD42-4FEE-841D-519D2AC667DA}]
C:\WINDOWS\system32\rqRKCtqr.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6083c490-3697-4dd8-b8f6-877578401b82}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{68A850EE-195B-4564-A4AE-1D9B4501D9DF}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74596694-f760-46d3-927d-db47d809f02c}]
07/27/2008 06:01 PM 102400 --a------ C:\WINDOWS\system32\osguma.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{826104AC-742F-4BF1-8133-D34C36954CC1}]
C:\WINDOWS\system32\tuvVMffc.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{86CF5770-6A10-4A56-816A-4ADF6497772B}]
C:\WINDOWS\system32\efcCuTJB.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96F11316-0379-4CED-9352-DDB6C3DC3B89}]
C:\WINDOWS\system32\xxywxxxv.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A1376D25-2E3F-40B3-B70F-BE3EDD6E3274}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4977567-6B39-4AFA-9CD2-47A20209F5FE}]
C:\WINDOWS\system32\xxyaXpOH.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B915237E-280A-46EE-95FD-B08EDAD7C2AA}]
C:\WINDOWS\system32\hgGvUkjk.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C9B6FE04-B0F0-4D24-842C-243F3AA6F2E0}]
C:\WINDOWS\system32\qoMcyYsP.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D38DB21E-3DD4-43DF-A748-C8842753473D}]
C:\WINDOWS\system32\nnnmlMcb.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA4D0568-BCAB-4D79-9AB9-76A5917B83A6}]
C:\WINDOWS\system32\wvUKEuSl.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EBB926B7-31D5-4333-AC96-27FEEDAD01C6}]
C:\WINDOWS\system32\byXOhfEW.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"AlcxMonitor"="ALCXMNTR.EXE" [09/07/2004 01:47 PM C:\WINDOWS\Alcxmntr.exe]
"zzzHPSETUP"="E:\Setup.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumpre p 0 -k" []
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [07/10/2008 09:47 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [05/27/2008 10:50 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/10/2008 10:51 AM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/18/2008 10:01 AM]
"a89728b9"="C:\WINDOWS\system32\nsvodwdx.dll" [07/27/2008 06:04 PM]
"Windows Logon Applicationedc"="C:\Documents and Settings\angela\winlogon.exe" []
"BMaba41b25"="C:\WINDOWS\system32\dgixacsh.dll " [07/27/2008 06:00 PM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [09/29/2006 05:25 PM]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [02/25/2008 06:23 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07/07/2008 09:42 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]
[HKEY_USERS\.default\software\microsoft\windows\cur rentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1 \DW\dwtrig20.exe" -t
[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\policies\system]
"DisableRegistryTools"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\ShellExecuteHooks]
"{C9B6FE04-B0F0-4D24-842C-243F3AA6F2E0}"= C:\WINDOWS\system32\qoMcyYsP.dll [ ]
"{B4977567-6B39-4AFA-9CD2-47A20209F5FE}"= C:\WINDOWS\system32\xxyaXpOH.dll [ ]
"{59AAD935-DB8D-4289-A0A3-67E2B3B55BAB}"= C:\WINDOWS\system32\efcYPjij.dll [07/16/2008 09:33 AM 32256]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXRJATK]
cbXRJATK.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcYPjij]
efcYPjij.dll 07/16/2008 09:33 AM 32256 C:\WINDOWS\system32\efcYPjij.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qoMcyYsP]
qoMcyYsP.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mlJAqrQk

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{9ef3de30-ff49-11dc-9a4a-806d6172696f}]
AutoRun\command- E:\Info.exe folder.htt 480 480


-- End of Deckard's System Scanner: finished at 2008-07-28 03:08:49 ------------

Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes.Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT.


O2 - BHO: (no name) - {403A3765-C163-46B1-AD81-51C3E4D53A6B} - C:\WINDOWS\system32\xxywVlLD.dll (file missing)
O2 - BHO: (no name) - {55DEF831-9A69-46BC-8A73-CEED72EE7DD6} - C:\WINDOWS\system32\mlJAqrQk.dll
O2 - BHO: (no name) - {59AAD935-DB8D-4289-A0A3-67E2B3B55BAB} - C:\WINDOWS\system32\efcYPjij.dll
O2 - BHO: (no name) - {5B969BF7-FD42-4FEE-841D-519D2AC667DA} - C:\WINDOWS\system32\rqRKCtqr.dll (file missing)
O2 - BHO: (no name) - {6083c490-3697-4dd8-b8f6-877578401b82} - (no file)
O2 - BHO: (no name) - {68A850EE-195B-4564-A4AE-1D9B4501D9DF} - (no file)
O2 - BHO: {c20f908d-74bd-d729-3d64-067f49669547} - {74596694-f760-46d3-927d-db47d809f02c} - C:\WINDOWS\system32\osguma.dll
O2 - BHO: (no name) - {826104AC-742F-4BF1-8133-D34C36954CC1} - C:\WINDOWS\system32\tuvVMffc.dll (file missing)
O2 - BHO: (no name) - {86CF5770-6A10-4A56-816A-4ADF6497772B} - C:\WINDOWS\system32\efcCuTJB.dll (file missing)
O2 - BHO: (no name) - {96F11316-0379-4CED-9352-DDB6C3DC3B89} - C:\WINDOWS\system32\xxywxxxv.dll (file missing)
O2 - BHO: (no name) - {A1376D25-2E3F-40B3-B70F-BE3EDD6E3274} - (no file)
O2 - BHO: (no name) - {B4977567-6B39-4AFA-9CD2-47A20209F5FE} - C:\WINDOWS\system32\xxyaXpOH.dll (file missing)
O2 - BHO: (no name) - {B915237E-280A-46EE-95FD-B08EDAD7C2AA} - C:\WINDOWS\system32\hgGvUkjk.dll (file missing)
O2 - BHO: (no name) - {C9B6FE04-B0F0-4D24-842C-243F3AA6F2E0} - C:\WINDOWS\system32\qoMcyYsP.dll (file missing)
O2 - BHO: (no name) - {D38DB21E-3DD4-43DF-A748-C8842753473D} - C:\WINDOWS\system32\nnnmlMcb.dll (file missing)
O2 - BHO: (no name) - {EA4D0568-BCAB-4D79-9AB9-76A5917B83A6} - C:\WINDOWS\system32\wvUKEuSl.dll (file missing)
O2 - BHO: (no name) - {EBB926B7-31D5-4333-AC96-27FEEDAD01C6} - C:\WINDOWS\system32\byXOhfEW.dll (file missing)
O4 - HKLM\..\Run: [a89728b9] rundll32.exe "C:\WINDOWS\system32\nsvodwdx.dll",b
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\angela\winlogon.exe
O4 - HKLM\..\Run: [BMaba41b25] Rundll32.exe "C:\WINDOWS\system32\dgixacsh.dll",s
O20 - Winlogon Notify: cbXRJATK - cbXRJATK.dll (file missing)
O20 - Winlogon Notify: efcYPjij - C:\WINDOWS\SYSTEM32\efcYPjij.dll
O20 - Winlogon Notify: qoMcyYsP - qoMcyYsP.dll (file missing)

Reboot....................

================================

• Download The Avenger by Swandog46 from here.
• Unzip/extract it to a folder on your desktop.
• Double click on avenger.exe to run The Avenger.
• Click OK.
• Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
• Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
  
  
  Code:

  Files to delete:
  C:\WINDOWS\system32\vtUkkkLB.dll
   C:\WINDOWS\system32\ljJASihe.dll
   C:\WINDOWS\system32\nnnMCsPi.dll
   C:\WINDOWS\system32\yayxwXpq.dll
  C:\WINDOWS\system32\nsvodwdx.dll
   C:\WINDOWS\system32\osguma.dll
   C:\WINDOWS\system32\toceeavs.dll
   C:\WINDOWS\system32\dgixacsh.dll
  C:\WINDOWS\system32\dwfqlu.dll
   C:\WINDOWS\system32\qcimlbwk.dll
   C:\WINDOWS\system32\rlvmghcy.dll
   C:\WINDOWS\system32\kQrqAJlm.ini2
   C:\WINDOWS\system32\mlJAqrQk.dll
   C:\WINDOWS\system32\urqOGXnL.dll
   C:\WINDOWS\system32\qoMcbayx.dll
   C:\WINDOWS\system32\byXOgfgG.dll
   C:\WINDOWS\system32\ljJcApOh.dll
   C:\WINDOWS\system32\cBsTLCUN.dll
   C:\WINDOWS\system32\mlJDvsTJ.dll
   C:\WINDOWS\system32\yayaAsrS.dll
  C:\WINDOWS\system32\mlJCRjhe.dll
   C:\WINDOWS\system32\mlJYoMcB.dll
   C:\WINDOWS\system32\gsxyef.dll
   C:\WINDOWS\system32\htlqlqoo.dll
   C:\WINDOWS\system32\gxveclus.dll
   C:\WINDOWS\system32\eglcfjgs.dll
  C:\WINDOWS\system32\rqtCKRqr.ini2
  C:\WINDOWS\system32\eMpsCfhk.ini2
  C:\WINDOWS\system32\bcMlmnnn.ini2
  C:\WINDOWS\system32\BJTuCcfe.ini2
  C:\WINDOWS\system32\YFijQqru.ini2
   C:\WINDOWS\system32\vcapam.dll
   C:\WINDOWS\system32\tftjdwke.dll
   C:\WINDOWS\system32\WEfhOXyb.ini2
   C:\WINDOWS\system32\zizzypxkzblarlyxs.exe
   C:\WINDOWS\system32\xys7
   C:\WINDOWS\system32\tsoc
   C:\WINDOWS\system32\pv2
  C:\WINDOWS\system32\aumsDK18
   C:\WINDOWS\system32\efcYPjij.dll
   C:\WINDOWS\system32\cffMVvut.ini2
  Folders to delete:
  C:\327882R2FWJFW
   C:\found.000

• In the avenger window, click the Paste Script from Clipboard, button.
• Click the Execute button.
• You will be asked Are you sure you want to execute the current script?.
• Click Yes.
• You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
• Click Yes.
• Your PC will now be rebooted.
• Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
• If that is the case, it will force a shutdown. This is normal & expected behaviour.
• After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
• Please post this log in your next reply.

Please run Deckard again and post the log.

Thanks for your continued support, Pancake! Just one question, before I go ahead and do what you've asked of me, do I need to have my firewall
and antivirus programs turned off? or doesn't it matter?