HiJack This log for a different computer(RESOLVED)

  1. #11
    hckyfreek (Junior Member)

    Re: HiJack This log for a different computer

    Hey Neal,

    I have 2 logs for you, one is ComboFix, the other is Combofix-quarantined files.

    ComboFix 07-10-09.3 - Donnie 2007-10-10 15:32:20.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.214 [GMT -4:00]
    Running from: \\Senegal\ypsi rehab documents\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Donnie\Application Data\tmp7.tmp.exe
    C:\Documents and Settings\Donnie\Application Data\tmp7.tmp.exe
    C:\Documents and Settings\Tori\Application Data\tmp4A.tmp.exe
    C:\Documents and Settings\Tori\Application Data\tmp4A.tmp.exe
    C:\WINNT\cookies.ini
    C:\WINNT\system32\dn84082c31.dat
    C:\WINNT\system32\install.exe
    C:\WINNT\xhelper.dll

    .
    ((((((((((((((((((((((((( Files Created from 2007-09-10 to 2007-10-10 )))))))))))))))))))))))))))))))
    .

    2007-10-10 11:11 51,200 --a------ C:\WINNT\NirCmd.exe
    2007-10-03 10:10 <DIR> d-------- C:\VundoFix Backups
    2007-10-02 12:34 <DIR> d-------- C:\Documents and Settings\Donnie\DoctorWeb

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-02 21:46 --------- d-----w C:\Program Files\Common Files\Motive
    2007-09-11 17:35 --------- d---a-w C:\Program Files\ReDoc Suite
    2007-09-05 18:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-09-05 17:02 --------- d-----w C:\Program Files\Trend Micro
    2007-08-03 13:41 17,120 ----a-w C:\WINNT\system32\jkhgdef.dll
    2005-06-13 21:08 271 --sh--w C:\Program Files\desktop.ini
    2005-06-13 21:08 21,952 -c-ha-w C:\Program Files\folder.htt
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"="mobsync.exe" [2006-02-28 08:00 C:\WINNT\system32\mobsync.exe]
    "Logitech Utility"="Logi_MwX.Exe" [2003-11-07 05:50 C:\WINNT\LOGI_MWX.EXE]
    "redocreboot.exe"="C:\DOCUME~1\YPSILA~1\LOCALS~1\Temp\redocreboot.exe" []
    "MPFEXE"="C:\Program Files\mcafee.com\personal firewall\MPFTray.exe" [2006-05-03 16:32]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-13 16:05]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2006-02-28 08:00]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
    "MPlayer2_FixUp"=C:\WINNT\inf\unregmp2.exe /Fixups
    "tscuninstall"=%systemroot%\system32\tscupgrd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hdwcln]
    hdwcln.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
    backup=C:\WINNT\pss\Logitech Desktop Messenger.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
    backup=C:\WINNT\pss\SBC Self Support Tool.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Configuration Utility.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wireless Configuration Utility.lnk
    backup=C:\WINNT\pss\Wireless Configuration Utility.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaAvTray]
    "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]
    "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightLAN 02]
    "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightMonitor 02]
    "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee Managed Services Tray]
    "C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
    C:\Program Files\mcafee.com\personal firewall\MPfTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MVS Splash]
    C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
    C:\Program Files\Yahoo!\browser\ybrwicon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
    C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart

    R2 myAgtSvc;McAfee Total Protection Agent Service;C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe /ServiceStart
    R3 LCcfltr;Logitech USB Filter Driver;C:\WINNT\system32\Drivers\LCcFltr.Sys
    S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys
    S3 rtl8180;IEEE 802.11b Wireless Cardbus/PCI Adapter;C:\WINNT\system32\DRIVERS\rtl8180.SYS

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 Pml Driver HPZ12 Net Driver HPZ12

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-10-08 04:00:00 C:\WINNT\Tasks\At1.job"
    - C:\WINNT\system32\mLs25mY3.exe
    "2007-10-08 13:00:00 C:\WINNT\Tasks\At10.job"
    - C:\WINNT\system32\mLs25mY3.exe
    "2007-10-08 14:00:00 C:\WINNT\Tasks\At11.job"
    "2007-10-10 15:00:00 C:\WINNT\Tasks\At12.job"
    - C:\WINNT\system32\mLs25mY3.exe
    "2007-10-10 16:00:00 C:\WINNT\Tasks\At13.job"
    "2007-10-10 17:00:00 C:\WINNT\Tasks\At14.job"
    - C:\WINNT\system32\mLs25mY3.exe
    "2007-10-10 18:00:00 C:\WINNT\Tasks\At15.job"
    - C:\WINNT\system32\mLs25mY3.exe
    "2007-10-10 19:00:00 C:\WINNT\Tasks\At16.job"
    - C:\WINNT\system32\mLs25mY3.exe
    "2007-10-10 20:00:00 C:\WINNT\Tasks\At17.job"
    - C:\WINNT\system32\mLs25mY3.exe
    "2007-10-10 21:00:01 C:\WINNT\Tasks\At18.job"
    - C:\WINNT\system32\mLs25mY3.exe
    "2007-10-10 22:00:00 C:\WINNT\Tasks\At19.job"
    - C:\WINNT\system32\mLs25mY3.exe
    "2007-10-08 05:00:00 C:\WINNT\Tasks\At2.job"
    - C:\WINNT\system32\mLs25mY3.exe
    "2007-10-09 23:00:00 C:\WINNT\Tasks\At20.job"
    - C:\WINNT\system32\mLs25mY3.exe
    "2007-10-10 00:00:00 C:\WINNT\Tasks\At21.job"
    - C:\WINNT\system32\mLs25mY3.exe
    "2007-10-10 01:00:00 C:\WINNT\Tasks\At22.job"
    - C:\WINNT\system32\mLs25mY3.exe
    "2007-10-10 02:00:00 C:\WINNT\Tasks\At23.job"
    - C:\WINNT\system32\mLs25mY3.exe
    "2007-10-08 03:00:00 C:\WINNT\Tasks\At24.job"
    - C:\WINNT\system32\mLs25mY3.exe
    "2007-10-08 06:00:00 C:\WINNT\Tasks\At3.job"
    - C:\WINNT\system32\mLs25mY3.exe
    "2007-10-08 07:00:00 C:\WINNT\Tasks\At4.job"
    - C:\WINNT\system32\mLs25mY3.exe
    "2007-10-08 08:00:00 C:\WINNT\Tasks\At5.job"
    - C:\WINNT\system32\mLs25mY3.exe
    "2007-10-08 09:00:00 C:\WINNT\Tasks\At6.job"
    - C:\WINNT\system32\mLs25mY3.exe
    "2007-10-08 10:00:00 C:\WINNT\Tasks\At7.job"
    - C:\WINNT\system32\mLs25mY3.exe
    "2007-10-08 11:00:00 C:\WINNT\Tasks\At8.job"
    "2007-10-08 12:00:00 C:\WINNT\Tasks\At9.job"
    - C:\WINNT\system32\mLs25mY3.exe
    "2007-10-10 21:57:24 C:\WINNT\Tasks\Disk Cleanup.job"
    - C:\WINNT\System32\cleanmgr.exe
    "2007-10-08 23:30:00 C:\WINNT\Tasks\Windows Update.job"
    - C:\WINNT\system32\wupdmgr.exe
    .
    **************************************************************************

    catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-10-10 18:24:09
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-10-10 18:28:24 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-10-10 18:28
    .
    --- E O F ---



    ComboFix-Quarantined


    Code:
    2007-03-21 08:46      139264    --a--c---    C:\Qoobox\Quarantine\C\WINNT\system32\Install.exe.vir
    2007-07-02 21:29      126976    --a------    C:\Qoobox\Quarantine\C\WINNT\xhelper.dll.vir
    2007-09-25 18:51      184320    --a------    C:\Qoobox\Quarantine\C\Documents and Settings\Tori\Application Data\tmp4A.tmp.exe.vir
    2007-10-02 12:15      858    --a------    C:\Qoobox\Quarantine\C\WINNT\cookies.ini.vir
    2007-10-02 12:15      87040    --a------    C:\Qoobox\Quarantine\C\Documents and Settings\Donnie\Application Data\tmp7.tmp.exe.vir
    2007-10-02 13:19      1135066    --a------    C:\Qoobox\Quarantine\C\WINNT\system32\dn84082c31.dat.vir
    2007-10-10 11:35      846    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_DOMAINSERVICE.reg.dat
    
    
    Folder PATH listing
    Volume serial number is 8408-2C31
    C:\QOOBOX\QUARANTINE
    +---C
    |   +---Documents and Settings
    |   |   +---Donnie
    |   |   |   \---Application Data
    |   |   |           tmp7.tmp.exe.vir
    |   |   |           
    |   |   \---Tori
    |   |       \---Application Data
    |   |               tmp4A.tmp.exe.vir
    |   |               
    |   \---WINNT
    |       |   cookies.ini.vir
    |       |   xhelper.dll.vir
    |       |   
    |       \---system32
    |               dn84082c31.dat.vir
    |               Install.exe.vir
    |               
    \---Registry_backups
            LEGACY_DOMAINSERVICE.reg.dat


    HIJACK


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:28:40 AM, on 10/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Yahoo!\Antivirus\ISafe.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINNT\Explorer.EXE
    C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
    C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
    C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\PROGRA~1\Grisoft\AVG7\avgw.exe
    C:\Program Files\Trend Micro\HijackThis\foolyou.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [redocreboot.exe] C:\DOCUME~1\YPSILA~1\LOCALS~1\Temp\redocreboot.exe
    O4 - HKLM\..\Run: [MPFEXE] "C:\Program Files\mcafee.com\personal firewall\MPFTray.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://enu.vs.mcafeeasap.com/VS2/bin/myCioAgt.cab
    O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://senegal/ConnectComputer/nshelp.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1144107011341
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://redoc.webex.com/client/v_myw...rt/ieatgpc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{50A9218D-0941-4ED3-8E55-EA881C5E9564}: NameServer = 192.168.2.1,192.168.2.0
    O17 - HKLM\System\CS1\Services\Tcpip\..\{50A9218D-0941-4ED3-8E55-EA881C5E9564}: NameServer = 192.168.2.1,192.168.2.0
    O17 - HKLM\System\CS2\Services\Tcpip\..\{50A9218D-0941-4ED3-8E55-EA881C5E9564}: NameServer = 192.168.2.1,192.168.2.0
    O20 - Winlogon Notify: hdwcln - hdwcln.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\McAfee.com\personal firewall\mpfservice.exe
    O23 - Service: McAfee Total Protection Agent Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
    O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

    --
    End of file - 6644 bytes

  2. #12
    Neal (Dedicated Member)
    Go here to learn how to show hidden files/folders:

    http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5

    Re-hide after we are done



    Go to the next site:
    http://www.virustotal.com/en/indexf.html
    On top you'll find 'Browse'
    Click the browse button and browse to the next file:



    C:\WINNT\system32\jkhgdef.dll



    Click open.
    Then click the 'Send' button next to it.
    This will scan the file. Please be patient.
    Once scanned, copy and paste the results as well in your next reply.


    If that one is too busy, here is another option:


    http://virusscan.jotti.org

    And

    http://www.kaspersky.com/scanforvirus.html


    Please post the scan results and a new HijackThis log, and tell me how your computer is behaving now.

  3. #13
    hckyfreek (Junior Member)
    File jkhgdef.dll received on 10.12.2007 17:48:57 (CET)
    Antivirus Version Last Update Result
    AhnLab-V3 2007.10.12.1 2007.10.12 -
    AntiVir 7.6.0.23 2007.10.12 TR/Crypt.XPACK.Gen
    Authentium 4.93.8 2007.10.12 -
    Avast 4.7.1051.0 2007.10.11 Win32:Agent-KAN
    AVG 7.5.0.488 2007.10.12 -
    BitDefender 7.2 2007.10.12 -
    CAT-QuickHeal 9.00 2007.10.12 -
    ClamAV 0.91.2 2007.10.12 -
    DrWeb 4.44.0.09170 2007.10.12 -
    eSafe 7.0.15.0 2007.10.10 -
    eTrust-Vet 31.2.5205 2007.10.12 -
    Ewido 4.0 2007.10.12 -
    FileAdvisor 1 2007.10.12 -
    Fortinet 3.11.0.0 2007.10.12 -
    F-Prot 4.3.2.48 2007.10.11 -
    F-Secure 6.70.13030.0 2007.10.12 -
    Ikarus T3.1.1.12 2007.10.12 MemScanTrojan.Juan.V
    Kaspersky 7.0.0.125 2007.10.12 -
    McAfee 5139 2007.10.11 -
    Microsoft 1.2908 2007.10.12 TrojanDownloader:Win32/Conhook.AD
    NOD32v2 2589 2007.10.12 -
    Norman 5.80.02 2007.10.12 -
    Panda 9.0.0.4 2007.10.12 Suspicious file
    Prevx1 V2 2007.10.12 SpywareQuake
    Rising 19.44.42.00 2007.10.12 -
    Sophos 4.22.0 2007.10.12 -
    Sunbelt 2.2.907.0 2007.10.11 VIPRE.Suspicious
    Symantec 10 2007.10.12 -
    TheHacker 6.2.8.087 2007.10.12 -
    VBA32 3.12.2.4 2007.10.12 -
    VirusBuster 4.3.26:9 2007.10.12 -
    Webwasher-Gateway 6.0.1 2007.10.12 Trojan.Crypt.XPACK.Gen

    Additional information
    File size: 17120 bytes
    MD5: 365ed241dd33cc69bfab1b610d17abe0
    SHA1: 065eb8ff0146ff04e702755addb6d80817b2b047
    packers: RLPack
    Prevx info: http://fileinfo.prevx.com/fileinfo.a...956B00AE33F28D
    Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

    HiJack LOG

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:59:04 AM, on 10/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Yahoo!\Antivirus\ISafe.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
    C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
    C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
    C:\PROGRA~1\Grisoft\AVG7\avgw.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\foolyou.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [redocreboot.exe] C:\DOCUME~1\YPSILA~1\LOCALS~1\Temp\redocreboot.exe
    O4 - HKLM\..\Run: [MPFEXE] "C:\Program Files\mcafee.com\personal firewall\MPFTray.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://enu.vs.mcafeeasap.com/VS2/bin/myCioAgt.cab
    O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://senegal/ConnectComputer/nshelp.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1144107011341
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://redoc.webex.com/client/v_myw...rt/ieatgpc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{50A9218D-0941-4ED3-8E55-EA881C5E9564}: NameServer = 192.168.2.1,192.168.2.0
    O17 - HKLM\System\CS1\Services\Tcpip\..\{50A9218D-0941-4ED3-8E55-EA881C5E9564}: NameServer = 192.168.2.1,192.168.2.0
    O17 - HKLM\System\CS2\Services\Tcpip\..\{50A9218D-0941-4ED3-8E55-EA881C5E9564}: NameServer = 192.168.2.1,192.168.2.0
    O20 - Winlogon Notify: hdwcln - hdwcln.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\McAfee.com\personal firewall\mpfservice.exe
    O23 - Service: McAfee Total Protection Agent Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
    O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

    --
    End of file - 6693 bytes


    Overall it is doing good. The processor is a little slow and the RAM capacity is only 512 MAX, which is stupid. I want to get a new computer, but can't afford it right now.

  4. #14
    Neal (Dedicated Member)
    They are mighty expensive these days.


    Run HijackThis, click on the "scan system only" button and put a check next to this:


    O20 - Winlogon Notify: hdwcln - hdwcln.dll (file missing)


    With nothing open but HijackThis, click "fix checked".







    Now reboot into safe mode by tapping your F8 key upon restart; when the safe mode screen appears, select safe mode and press enter.


    Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if present):


    DELETE FILES:

    C:\WINNT\system32\jkhgdef.dll


    Reboot normal mode.




    Open Hijackthis.

    Click the "Open the Misc Tools" section Button.

    Click the "Open Uninstall Manager" Button.

    Click the "Save list..." Button.

    Save it to your desktop. Copy and paste the contents into your reply.
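An added example (not code from the thread, and not part of HijackThis itself) that encodes the checks Neal applies by eye to the log above: it parses HijackThis entry lines, flags the O20 Winlogon Notify entry whose DLL is "(file missing)" for removal, marks O4 autostarts launched from a Temp directory for review (here redocreboot.exe belongs to the ReDoc Suite that shows up in the Uninstall list in the next post), and confirms the O17 NameServer addresses are private. The sample lines are copied from the posted log; the rule names and "fix"/"review" severities are my own.

```python
"""HijackThis log triage: encodes checks a helper applies by eye to the logs above.
Added example for this thread; not code from the thread or from HijackThis itself."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed input: entry lines copied from the HijackThis log posted above.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [MPFEXE] "C:\\Program Files\\mcafee.com\\personal firewall\\MPFTray.exe"
O4 - HKLM\\..\\Run: [redocreboot.exe] C:\\DOCUME~1\\YPSILA~1\\LOCALS~1\\Temp\\redocreboot.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{50A9218D-0941-4ED3-8E55-EA881C5E9564}: NameServer = 192.168.2.1,192.168.2.0
O20 - Winlogon Notify: hdwcln - hdwcln.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVG7\\avgamsvr.exe
"""

@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O20"
    severity: str  # "fix": remove the entry; "review": needs a human decision
    line: str      # the original log line
    reason: str

# "<section> - <body>" is the common shape of every HijackThis entry line.
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+)\s+-\s+(.*)$")
# O4 body: <hive>\..\Run[Once]: [<name>] <command>
O4_RE = re.compile(r"^(\S+)\\\.\.\\(Run\w*):\s+\[([^\]]*)\]\s+(.*)$")
# O17 body ends in: NameServer = a.b.c.d,e.f.g.h
O17_RE = re.compile(r"NameServer\s*=\s*([\d.,\s]+)$")
# O20 body: Winlogon Notify: <key> - <dll> [(file missing)]
O20_RE = re.compile(r"^Winlogon Notify:\s+(\S+)\s+-\s+(.*?)(\s+\(file missing\))?$")
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.IGNORECASE)

def parse_entries(log_text):
    """Yield (section, body, raw_line) for each entry line; the header and the
    'Running processes' list do not match the entry shape and are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2), raw.strip()

def check_o20(body, raw):
    """A Winlogon Notify DLL marked '(file missing)' is a dangling autostart: the
    file is gone but winlogon is still told to load it (the hdwcln entry above)."""
    m = O20_RE.match(body)
    if m and m.group(3):
        return Finding("O20", "fix", raw,
                       f"Winlogon Notify key '{m.group(1)}' loads {m.group(2)}, "
                       "which no longer exists; remove the registry entry")
    return None

def check_o4(body, raw):
    """Autostarts launched from a Temp directory are unusual for installed
    software and get a human look, not an automatic verdict."""
    m = O4_RE.match(body)
    if m and TEMP_DIR_RE.search(m.group(4)):
        return Finding("O4", "review", raw,
                       f"autostart '{m.group(3)}' runs from a Temp directory; "
                       "cross-check it against the installed-software list")
    return None

def _non_private(addrs):
    """Return the addresses that are not private (RFC 1918) or not parsable."""
    out = []
    for a in addrs:
        try:
            if not ipaddress.ip_address(a).is_private:
                out.append(a)
        except ValueError:
            out.append(a)  # unparsable value: surface it rather than hide it
    return out

def check_o17(body, raw):
    """DNS servers outside private address space would mean the resolver
    settings point somewhere the user did not configure."""
    m = O17_RE.search(body)
    if not m:
        return None
    bad = _non_private(a for a in re.split(r"[,\s]+", m.group(1).strip()) if a)
    if bad:
        return Finding("O17", "review", raw,
                       f"NameServer points at non-private address(es): {', '.join(bad)}")
    return None

CHECKS = {"O4": check_o4, "O17": check_o17, "O20": check_o20}

def triage(log_text):
    """Run every section-specific check over the log and return the findings."""
    findings = []
    for section, body, raw in parse_entries(log_text):
        check = CHECKS.get(section)
        finding = check(body, raw) if check else None
        if finding:
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:>6}] {f.section}: {f.reason}")
```

On the sample above the script reports the redocreboot.exe autostart for review and the hdwcln Winlogon Notify entry as a fix, and stays silent on the private 192.168.2.x name servers.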

  5. #15
    hckyfreek (Junior Member)
    Neal, here's the new log you wanted. Everything look ok?



    Access 2002 update
    Adobe Flash Player 9 ActiveX
    Adobe Reader 6.0.1
    AnswerWorks Runtime
    AVG 7.5
    BroadJump Client Foundation
    CCleaner (remove only)
    ECLIPSE PT Demo
    HijackThis 2.0.2
    Hotfix for MDAC 2.80 (KB911562)
    Hotfix for MDAC 2.80 (KB927779)
    Linksys Wireless-G PCI Network Adapter with SpeedBooster
    Linksys Wireless-G PCI Network Adapter with SpeedBooster
    Logitech Desktop Messenger
    Logitech iTouch Software
    Logitech MouseWare 9.79
    Logitech Resource Center
    Macromedia Shockwave Player
    McAfee Firewall Protection Service
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft Access 2002 Runtime
    Microsoft Office Professional Edition 2003
    Microsoft Tool Web Package:ipsecpol.exe
    OTOY
    PC Registry Cleaner
    PTOS for Windows
    ReDoc Icon Repair Utility
    ReDoc Suite 6.32 Remove
    ReDoc Suite 6.42 Remove
    Remote Desktop Connection
    SBC Self Support Tool
    SoundMAX
    Spybot - Search & Destroy
    Spybot - Search & Destroy 1.4
    Visual IP InSight(SBC)
    WebEx
    Windows Installer 3.1 (KB893803)
    Wireless CardBus/PCI Adapter
    Yahoo! Anti-Spy

  6. #16
    Neal (Dedicated Member)
    Hi,


    Looks good from this end, how about your end?

  7. #17
    hckyfreek (Junior Member)
    So far so good, just like I said before, it's got a slow processor so it's kinda choppy, but nowhere near as bad as before. Thanks a lot Neal

  8. #18
    Neal (Dedicated Member)
    Excellent,



    Congratulations, your log shows that your SYSTEM IS CLEAN

    There are a few things you must do once you are completely clean:
    1. Re-hide your System Files and Folders to prevent any future accidents.

      Reconfigure Windows XP to hide hidden files:
      • Click Start. Open My Computer.
      • Select the Tools menu and click Folder Options. Select the View Tab.
      • Under the Hidden files and folders heading deselect "Show hidden files and folders".
      • Check the "Hide protected operating system files (recommended)" option.
      • Click Yes to confirm. Click OK.
    2. Please download ATF Cleaner by Atribune.
      This program is for XP and Windows 2000 only
      • Double-click ATF-Cleaner.exe to run the program.
        Under Main choose: Select All
        Click the Empty Selected button.
      If you use Firefox browser
      • Click Firefox at the top and choose: Select All
        Click the Empty Selected button.
        NOTE: If you would like to keep your saved passwords, please click No at the prompt.
      If you use Opera browser
      • Click Opera at the top and choose: Select All
        Click the Empty Selected button.
        NOTE: If you would like to keep your saved passwords, please click No at the prompt.
      Click Exit on the Main menu to close the program.
      For Technical Support, double-click the e-mail address located at the bottom of each menu.
    3. Reset and Re-enable your System Restore to remove bad files from the backup that Windows makes as no program is able to clean those files:

      TO DISABLE SYSTEM RESTORE
      1. Right-click "My Computer", and then left click "Properties".
      2. Left click on "System Restore Tab"
      3. Check box beside "Turn Off System Restore"
      4. Left click on "Apply"
      Reboot your System

      TO ENABLE SYSTEM RESTORE
      1. Remove check mark from "Turn Off System Restore"
      2. Click on "Apply"
    Here are some tips to reduce the potential for spyware infection in the future:

    Make sure you keep your Windows OS current by visiting Windows Update regularly to download and install any critical updates and service packs. Without these you are leaving the back door open.

    I strongly recommend installing the following applications:
    • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
    • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
    • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
    To protect yourself further:
    • Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
    And also see TonyKlein's good advice
    So how did I get infected in the first place? (My Favorite)
