I've got winh32.exe problems too


juju821
09-22-2007, 09:17 PM
I found this forum through google when I searched for winh32.exe.

My little bro's computer is all screwed up right now; his desktop background keeps reverting to some html file with an IP number on it, claiming that his comp is infected with spyware. Popups keep appearing, even when not connected to the internet. His virus scanner keeps picking up winh32.exe, but there seems to be other adware on the computer as well. I am unable to get rid of them with Ad-Aware or Spybot S&D; they delete them but they are back almost instantly. Also, I can't get into the Task Manager; it is "greyed out" when I click ctrl-alt-del. Some of the stuff Spybot and Ad-Aware keep finding is: "Command Service," Aconti, Smitfraud-C, Accoona, AdBreak, there are more... I posted a HijackThis log.

Thanks in advance...

Brian

juju821
09-22-2007, 09:18 PM
Seems my log didn't get attached here it is:

Logfile of HijackThis v1.99.1
Scan saved at 6:01:02 PM, on 9/21/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\BELKIN USB Wireless Monitor\WLService.exe
C:\Program Files\BELKIN USB Wireless Monitor\WLanCfgG.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Hewlett-Packard\CLJ1500\Toolbox\HPPOUMUI.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\nusrmgr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\Program Files\Hewlett-Packard\CLJ1500\Toolbox\HPPOUMUI.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\HijackThis\analyse.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 24.33.14.33:80
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {0E6BF957-1A9B-4E39-B4AA-8CC171013768} - C:\Program Files\Common Files\hoke4444.dll (file missing)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {31D2CE3D-B27F-4B7A-8A35-CCBF270A669F} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {80377A0D-220A-405A-BEE7-00C8145A9B50} - C:\WINNT\system32\mljkj.dll
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {9D9BB137-D0FD-48DC-8674-0AB73CE6FA48} - C:\Program Files\Common Files\hoke83122.dll (file missing)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {ADE4D7D8-2017-40EF-91B7-DCC7902AA8AF} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {C3352FCD-CFE5-4F35-831A-19C68DDB7CF4} - C:\WINNT\system32\ssqnmmm.dll
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: oembios32.msdn_hlp - {D79E1D43-C805-40EF-8ACB-DFFB17E9A4AF} - C:\WINNT\system32\oembios32.dll
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] "mobsync.exe" /logon
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Status Monitor CLJ1500] "C:\Program Files\Hewlett-Packard\CLJ1500\\Toolbox\HPPOUMUI.exe"
O4 - HKLM\..\Run: [AAWTray] "C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O20 - Winlogon Notify: ssqnmmm - C:\WINNT\SYSTEM32\ssqnmmm.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O20 - Winlogon Notify: Zboard - C:\WINNT\SYSTEM32\Winlognotif.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Belkin 54Mbps Wireless USB Network Service (Belkin 54Mbps Wireless USB) - Unknown owner - C:\Program Files\BELKIN USB Wireless Monitor\WLService.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
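To show what a helper actually looks for in a log like the one above, here is an added triage script (my example, not HijackThis's own code or anything posted in this thread): it parses the R1, O2 and O20 entries, flags the forced proxy, orphaned registrations and DLLs with random-looking names such as ssqnmmm.dll and mljkj.dll, and ranks the hits. The sample lines are copied from the log above; the severity rules are my own heuristics, assumed for illustration.

```python
"""Triage of HijackThis-style log entries (added example for this thread; not
HijackThis's own code). The rules are defender heuristics that point a reviewer
at entries worth checking, not a verdict: confirm each hit before removing it."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# A log entry is "<section> - <body>", e.g. "O2 - BHO: ..." or "O20 - Winlogon Notify: ...".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# A drive-letter path ending in a short extension; the lazy quantifier stops at the first one.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.[A-Za-z0-9]{2,4}\b')
MISSING_MARKERS = ("(no file)", "(file missing)")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. O2 or O20
    severity: str  # "high", "medium" or "low"
    reason: str
    path: str      # file path named by the entry, or "" if none
    line: str


# Constructed sample: a subset of the lines from the first log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 24.33.14.33:80
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E6BF957-1A9B-4E39-B4AA-8CC171013768} - C:\Program Files\Common Files\hoke4444.dll (file missing)
O2 - BHO: (no name) - {80377A0D-220A-405A-BEE7-00C8145A9B50} - C:\WINNT\system32\mljkj.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: oembios32.msdn_hlp - {D79E1D43-C805-40EF-8ACB-DFFB17E9A4AF} - C:\WINNT\system32\oembios32.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: ssqnmmm - C:\WINNT\SYSTEM32\ssqnmmm.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O20 - Winlogon Notify: Zboard - C:\WINNT\SYSTEM32\Winlognotif.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


def last_path(body: str) -> str:
    """Return the last drive-letter path in an entry body, or '' if there is none."""
    paths = PATH_RE.findall(body)
    return paths[-1] if paths else ""


def file_stem(path: str) -> str:
    """'C:\\WINNT\\system32\\mljkj.dll' -> 'mljkj'."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def looks_random(stem: str) -> bool:
    """Heuristic for dropped components: short, all-lowercase, letters only, no vowels
    (e.g. 'ssqnmmm', 'mljkj'). Real DLL names almost always contain a vowel or mixed case."""
    return 4 <= len(stem) <= 8 and stem.isalpha() and stem.islower() and not set(stem) & set("aeiouy")


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, "Running processes:" paths, blanks
        sec, body = m.group("section"), m.group("body")
        path = last_path(body)
        hits: list[tuple[str, str]] = []
        if sec == "R1" and "ProxyServer" in body:
            hits.append(("high", "browser proxy forced via the registry; an unexpected proxy sees all web traffic"))
        if sec in ("O2", "O20"):
            if any(mk in body for mk in MISSING_MARKERS):
                hits.append(("low", "orphaned registration, file already gone; clean up the key"))
            elif looks_random(file_stem(path)):
                hits.append(("high", "random-looking DLL name, typical of dropped malware components"))
            elif sec == "O2" and "system32" in path.lower():
                hits.append(("medium", "BHO loading from system32; legitimate BHOs normally live under Program Files"))
            elif sec == "O20":
                hits.append(("medium", "Winlogon Notify DLL runs at every logon; confirm its publisher"))
        findings.extend(Finding(sec, sev, why, path, line) for sev, why in hits)
    return findings


def by_severity(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'high': 3, 'medium': 3, 'low': 2} for SAMPLE_LOG."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:3} {f.reason}\n         {f.line}")
    print(by_severity(triage(SAMPLE_LOG)))
```

Run against the full log rather than the sample and the same rules pick out the other consonant-only names (opnopmm.dll, urqrpnm.dll) that ComboFix later deleted, while the Acrobat, Spybot and Webroot entries stay unflagged.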

Budfred
09-22-2007, 11:49 PM
Welcome to http://www.pcguide.com/ubb/pcgubb.gif

Yep, that is a major mess... Please do this:

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall...

juju821
09-23-2007, 12:46 AM
Hey, thanks for the quick reply. Believe it or not, I got impatient and tried to follow the instructions on a previous thread about winh32.exe, using combofix. It seems to have eliminated most, if not all of the problems. I attached the log that it created and created a new hijackthis log. Let me know if anything looks messed up, but for now it seems to be running pretty good.

Thanks!

mjc
09-23-2007, 12:55 AM
Please post the logs...not attach them.

Use multiple posts if needed.

juju821
09-23-2007, 01:41 AM
ComboFix 07-09-21.2 - "Administrator" 09/21/2007 18:55:22.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.97 [GMT -7:00]

FILE::
C:\WINDOWS\winh32.exe
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\oembios32.dll
C:\WINDOWS\system32\gtv_sd.bin
C:\Program Files\ISM\ISMModule4.exe
C:\WINDOWS\retadpu11.exe
C:\Program Files\WinAble\winable.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\DOCUME~1\ADMINI~1\APPLIC~1\rbap500.dll
C:\DOCUME~1\ADMINI~1\err.log
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\ProductCode
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin3.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin4.zip
C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\Program Files\Windows Media Player\profsyxy.html
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINNT\764.exe
C:\WINNT\7search.dll
C:\WINNT\aconti.exe
C:\WINNT\adbar.dll
C:\WINNT\b122.exe
C:\WINNT\cbinst$.exe
C:\WINNT\daxtime.dll
C:\WINNT\dp0.dll
C:\WINNT\eventlowg.dll
C:\WINNT\fhfmm-Uninstaller.exe
C:\WINNT\fhfmm.exe
C:\WINNT\flt.dll
C:\WINNT\hcwprn.exe
C:\WINNT\hotporn.exe
C:\WINNT\ie_32.exe
C:\WINNT\iexplorr23.dll
C:\WINNT\jd2002.dll
C:\WINNT\kkcomp$.exe
C:\WINNT\kkcomp.dll
C:\WINNT\kkcomp.exe
C:\WINNT\kvnab$.exe
C:\WINNT\kvnab.dll
C:\WINNT\kvnab.exe
C:\WINNT\liqad$.exe
C:\WINNT\liqad.dll
C:\WINNT\liqad.exe
C:\WINNT\liqui-Uninstaller.exe
C:\WINNT\liqui.dll
C:\WINNT\liqui.exe
C:\WINNT\ngd.dll
C:\WINNT\pbar.dll
C:\WINNT\pbsysie.dll
C:\WINNT\settn.dll
C:\WINNT\spredirect.dll
C:\WINNT\system32\A1
C:\WINNT\system32\drivers\bg_bg.gif
C:\WINNT\system32\drivers\blank.gif
C:\WINNT\system32\drivers\box_1.gif
C:\WINNT\system32\drivers\box_2.gif
C:\WINNT\system32\drivers\box_3.gif
C:\WINNT\system32\drivers\button_buynow.gif
C:\WINNT\system32\drivers\button_freescan.gif
C:\WINNT\system32\drivers\cell_bg.gif
C:\WINNT\system32\drivers\cell_footer.gif
C:\WINNT\system32\drivers\cell_header_block.gif
C:\WINNT\system32\drivers\cell_header_remove.gif
C:\WINNT\system32\drivers\cell_header_scan.gif
C:\WINNT\system32\drivers\close_ico.gif
C:\WINNT\system32\drivers\detect.htm
C:\WINNT\system32\drivers\download_box.gif
C:\WINNT\system32\drivers\download_btn.jpg
C:\WINNT\system32\drivers\download_now_btn.gif
C:\WINNT\system32\drivers\footer_back.jpg
C:\WINNT\system32\drivers\fopn.sys
C:\WINNT\system32\drivers\header_1.gif
C:\WINNT\system32\drivers\header_2.gif
C:\WINNT\system32\drivers\header_3.gif
C:\WINNT\system32\drivers\header_4.gif
C:\WINNT\system32\drivers\header_red_bg.gif
C:\WINNT\system32\drivers\header_red_free_scan.gif
C:\WINNT\system32\drivers\header_red_free_scan_bg.gif
C:\WINNT\system32\drivers\header_red_protect_your_pc.gif
C:\WINNT\system32\drivers\icon_warning_big.gif
C:\WINNT\system32\drivers\infected.gif
C:\WINNT\system32\drivers\main_back.gif
C:\WINNT\system32\drivers\perfect_cleaner_box.jpg
C:\WINNT\system32\drivers\product_1_header.gif
C:\WINNT\system32\drivers\product_1_name_small.gif
C:\WINNT\system32\drivers\product_2_header.gif
C:\WINNT\system32\drivers\product_2_name_small.gif
C:\WINNT\system32\drivers\product_3_header.gif
C:\WINNT\system32\drivers\product_3_name_small.gif
C:\WINNT\system32\drivers\product_features.gif
C:\WINNT\system32\drivers\pt.htm
C:\WINNT\system32\drivers\rating.gif
C:\WINNT\system32\drivers\remove_spyware_header.gif
C:\WINNT\system32\drivers\s_detect.htm
C:\WINNT\system32\drivers\screenshot.jpg
C:\WINNT\system32\drivers\sep_hor.gif
C:\WINNT\system32\drivers\sep_vert.gif
C:\WINNT\system32\drivers\shadow.jpg
C:\WINNT\system32\drivers\shadow_bg.gif
C:\WINNT\system32\drivers\spacer.gif
C:\WINNT\system32\drivers\spy_away_box.jpg
C:\WINNT\system32\drivers\spyware_detected.gif
C:\WINNT\system32\drivers\star.gif
C:\WINNT\system32\drivers\star_gray.gif
C:\WINNT\system32\drivers\star_gray_small.gif
C:\WINNT\system32\drivers\star_small.gif
C:\WINNT\system32\drivers\style.css
C:\WINNT\system32\drivers\v.gif
C:\WINNT\system32\drivers\warning_ico.gif
C:\WINNT\system32\drivers\warning_icon.gif
C:\WINNT\system32\drivers\win_logo.gif
C:\WINNT\system32\drivers\x.gif
C:\WINNT\system32\drivers\yellow_warning_ico.gif
C:\WINNT\system32\ESHOPEE.exe
C:\WINNT\system32\f02WtR
C:\WINNT\system32\f02WtR\f02WtR1065.exe
C:\WINNT\system32\f24WtR
C:\WINNT\system32\f24WtR\f24WtR2218.exe
C:\WINNT\system32\gtv_sd.bin
C:\WINNT\system32\mljkj.dll
C:\WINNT\system32\msole32.exe
C:\WINNT\system32\nusrmgr.exe
C:\WINNT\system32\opnopmm.dll
C:\WINNT\system32\Q2
C:\WINNT\system32\Q2\mon33dll.exe
C:\WINNT\system32\regscan.exe
C:\WINNT\system32\ssqnmmm.dll
C:\WINNT\system32\urqrpnm.dll
C:\WINNT\system32\vxddsk.exe
C:\WINNT\system32\wml.exe
C:\WINNT\TTC-4444.exe
C:\WINNT\vxddsk.exe
C:\WINNT\wbeCheck.exe
C:\WINNT\wbeInst$.exe
C:\WINNT\wml.exe
C:\WINNT\xadbrk.dll
C:\WINNT\xadbrk.exe
C:\WINNT\xadbrk_.exe
C:\WINNT\xxxvideo.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_FOPN
-------\LEGACY_NETWORK_MONITOR
-------\nm


((((((((((((((((((((((((( Files Created from 2007-08-22 to 2007-09-22 )))))))))))))))))))))))))))))))
.

2007-09-21 19:07 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_544.dat
2007-09-21 19:05 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_288.dat
2007-09-21 18:52 51,200 --a------ C:\WINNT\NirCmd.exe
2007-09-21 17:30 1,977,802 --ahs---- C:\WINNT\system32\jkjlm.ini2
2007-09-21 17:22 1,977,209 --ahs---- C:\WINNT\system32\jkjlm.bak2
2007-09-21 17:21 23,864 --a------ C:\WINNT\system32\drivers\sskbfd.sys
2007-09-21 17:21 21,816 --a------ C:\WINNT\system32\drivers\sshrmd.sys
2007-09-21 17:21 20,280 --a------ C:\WINNT\system32\drivers\SSFS0BB8.sys
2007-09-21 17:21 163,128 --a------ C:\WINNT\system32\drivers\ssidrv.sys
2007-09-21 17:20 164 --a------ C:\install.dat
2007-09-21 17:20 1,521,464 --a------ C:\WINNT\WRSetup.dll
2007-09-21 17:20 <DIR> d-------- C:\Program Files\Webroot
2007-09-21 17:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-09-21 17:20 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Webroot
2007-09-21 17:12 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\GetRightToGo
2007-09-21 15:11 42,912 --a------ C:\WINNT\system32\drivers\aswTdi.sys
2007-09-21 15:11 23,152 --a------ C:\WINNT\system32\drivers\aswRdr.sys
2007-09-21 15:10 95,608 --a------ C:\WINNT\system32\AvastSS.scr
2007-09-21 15:10 94,416 --a------ C:\WINNT\system32\drivers\aswmon2.sys
2007-09-21 15:10 92,848 --a------ C:\WINNT\system32\drivers\aswmon.sys
2007-09-21 15:10 783,224 --a------ C:\WINNT\system32\aswBoot.exe
2007-09-21 15:10 26,624 --a------ C:\WINNT\system32\drivers\aavmker4.sys
2007-09-21 14:00 120 --ah----- C:\aaw7boot.cmd
2007-09-21 13:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-21 12:33 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-09-21 12:29 31,744 --a------ C:\WINNT\system32\ace16win.dll
2007-09-21 01:27 4 --a------ C:\WINNT\system32\stfv.bin
2007-09-20 23:36 <DIR> d-a------ C:\WINNT\system32\acespy
2007-09-20 23:13 8,246 --a------ C:\WINNT\rpd.exe
2007-09-20 23:13 68,096 --a------ C:\WINNT\system32\l4acdb2.dll
2007-09-20 23:09 6,448 --ahs---- C:\WINNT\system32\jkjlm.bak1
2007-09-20 23:08 89,088 --a------ C:\WINNT\system32\atl71.dll
2007-09-20 23:07 <DIR> d-------- C:\Program Files\Temporary
2007-09-20 23:03 <DIR> d-a------ C:\WINNT\system32\GRB9
2007-09-20 23:03 <DIR> d-a------ C:\WINNT\system32\DLL2
2007-09-20 23:03 <DIR> d--hs---- C:\WINNT\anVqdQ

juju821
09-23-2007, 01:43 AM
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
99-12-07 05:00 32528 --a------ C:\WINNT\inf\wbfirdma.sys
07-09-21 17:44 --------- d-------- C:\Program Files\Trillian
07-09-21 15:12 --------- d-------- C:\Program Files\SpywareBlaster
07-09-21 14:56 --------- d-------- C:\Program Files\Yahoo!
07-09-21 13:23 --------- d-------- C:\Program Files\Lavasoft
07-09-21 13:21 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
07-09-21 01:52 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
07-09-08 12:31 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\AdobeUM
07-08-25 23:06 --------- d-------- C:\Program Files\World of Warcraft
07-08-07 13:58 8320 --a------ C:\WINNT\system32\drivers\AWRTRD.sys
07-08-07 13:56 9344 --a------ C:\WINNT\system32\drivers\NSDriver.sys
07-07-27 15:49 --------- d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\MakeMusic
07-06-28 14:25 94208 --a------ C:\WINNT\ScUnin.exe
04-11-23 17:28 271 ---h----- C:\Program Files\desktop.ini
04-11-23 17:28 21952 ---h----- C:\Program Files\folder.htt
2005-07-29 23:24:26 472 --sha-r C:\WINNT\anVqdQ\uBpNxk.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E6BF957-1A9B-4E39-B4AA-8CC171013768}]
C:\Program Files\Common Files\hoke4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31D2CE3D-B27F-4B7A-8A35-CCBF270A669F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ADE4D7D8-2017-40EF-91B7-DCC7902AA8AF}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 C:\WINNT\system32\mobsync.exe]
"DiskeeperSystray"="C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" [04-10-04 20:53 ]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" []
"Status Monitor CLJ1500"="C:\Program Files\Hewlett-Packard\CLJ1500\\Toolbox\HPPOUMUI.exe" [03-06-05 04:34 ]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [07-08-08 15:53 ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07-07-27 15:03 ]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [07-07-19 22:54 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [05-05-31 01:04 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
PowerReg Scheduler V3.exe [2006-01-27 10:45:14]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Zboard]
Winlognotif.dll 03-09-03 07:14 49152 C:\WINNT\system32\Winlognotif.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISMModule4] "C:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISMModule4] "C:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISMModule4] "C:\Program Files\ISM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISMModule4] "C:\Program Files\ISM\ISMModule4.exe"]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tuus]

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINNT\system32\Drivers\SSFS0BB8.SYS
R2 aswMon;avast! Standard Shield Support;C:\WINNT\system32\drivers\aswMon.sys
R2 Belkin 54Mbps Wireless USB;Belkin 54Mbps Wireless USB Network Service;C:\Program Files\BELKIN USB Wireless Monitor\WLService.exe
R3 lne100v4;Linksys LNE100TX Fast Ethernet Adapter(LNE100TX v4);C:\WINNT\system32\DRIVERS\lne100v4.sys
R3 Winacpci;Winacpci;C:\WINNT\system32\DRIVERS\winacpci.sys
S3 gUSBSTOi;gUSBSTOi;\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\gUSBSTOi.sys

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
"2007-09-21 21:40:25 C:\WINNT\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
"2007-09-22 00:21:28 C:\WINNT\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-21 19:08:11
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
= ??A?? ????????????????C

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-21 19:11:06 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-09-21 19:10
.
--- E O F ---

juju821
09-23-2007, 01:43 AM
Logfile of HijackThis v1.99.1
Scan saved at 9:51:29 PM, on 9/21/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\BELKIN USB Wireless Monitor\WLService.exe
C:\Program Files\BELKIN USB Wireless Monitor\WLanCfgG.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Hewlett-Packard\CLJ1500\Toolbox\HPPOUMUI.EXE
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\Program Files\Hewlett-Packard\CLJ1500\Toolbox\HPPOUMUI.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\analyse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 24.33.14.33:80
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E6BF957-1A9B-4E39-B4AA-8CC171013768} - C:\Program Files\Common Files\hoke4444.dll (file missing)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {31D2CE3D-B27F-4B7A-8A35-CCBF270A669F} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {80377A0D-220A-405A-BEE7-00C8145A9B50} - (no file)
O2 - BHO: (no name) - {9D9BB137-D0FD-48DC-8674-0AB73CE6FA48} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {ADE4D7D8-2017-40EF-91B7-DCC7902AA8AF} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {C3352FCD-CFE5-4F35-831A-19C68DDB7CF4} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {D79E1D43-C805-40EF-8ACB-DFFB17E9A4AF} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Status Monitor CLJ1500] "C:\Program Files\Hewlett-Packard\CLJ1500\\Toolbox\HPPOUMUI.exe"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O20 - Winlogon Notify: Zboard - C:\WINNT\SYSTEM32\Winlognotif.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Belkin 54Mbps Wireless USB Network Service (Belkin 54Mbps Wireless USB) - Unknown owner - C:\Program Files\BELKIN USB Wireless Monitor\WLService.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

Budfred
09-23-2007, 04:13 AM
You still have a bunch of malware there and, most importantly, you have a keylogger... Please stay offline as much as possible and do not install any new programs other than the ones needed to clean this up... Especially avoid any financial transactions on this computer and I urge you to contact any financial organization that you have worked with online to change passwords and account numbers while putting a watch on all accounts... Do this by phone and do not use any of the new passwords or account numbers until your computer appears to be completely clean... It may not be possible to completely clean the computer without wiping the drive and reinstalling Windows, but we can give it a good shot if you wish... If you want to proceed, please run these tools...

http://www.atribune.org/ccount/click.php?id=1

* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.

If you use Firefox browser

* Click Firefox at the top and choose:Select All
* Click the Empty Selected button.
* NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

* Click Opera at the top and choose: Select All
* Click the Empty Selected button.
* NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Then................

* Click here (http://support.f-secure.com/enu/home/ols.shtml) to use the F-Secure Online Scanner
Then click the Start Scanning button below.
You should get a notification (bar on top) to install the activeX. Click on it and select to install the ActiveX.
Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
In case you are having problems with installing the ActiveX/starting the scan, please read here (http://support.f-secure.com/enu/home/ols-faq.shtml).
Click the Full System Scan button.
It will start to download scanner components and databases. This can take a while.
The main scan will start.
Once the scan has finished, click the Automatic cleaning (recommended) button
It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
The cleaning can take a while, so please be patient.
Then click the Show report button and copy and paste what's present under results in your next reply.


and then...................

Download AVG Anti-Spyware from HERE (http://www.ewido.net/en/download/)
Install AVG Anti-Spyware
Double-click the icon on Desktop to launch AVG Anti-Spyware
You will need to update AVG Anti-Spyware to the latest definition files.
On the top of the main screen click Shield and then [active] to change it to inactive
On the top of the main screen click Update and then Start Update.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".


Close ALL open Windows / Programs / Folders. Run AVG Anti-Spyware with its updated definitions: (...it's important that all windows must be closed)

* Click Scanner and then the Scan tab
* Click Complete System Scan to begin scanning.

Once the scan is complete do the following:
* If you have any infections you will be prompted; then select "Apply all actions"
* Once finished, click the Save report button, then click Save Report As and save it to your Desktop. (make sure to remember where you saved that file, this is important).

Close AVG Anti-Spyware and Reboot.

and finally, for now................

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
Just before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the Registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the Desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your Desktop icons.
Finally open the SDFix folder on your Desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.


Post each of the logs in as many posts as it takes...

sgt795
10-07-2007, 10:21 PM
This post explains exactly what I have going on; when I try Task Manager I get a window that opens and says the administrator has disabled it.

I found this forum through google when I searched for winh32.exe.

"My little bro's computer is all screwed up right now; his desktop background keeps reverting to some html file with an IP number on it, claiming that his comp is infected with spyware. Popups keep appearing, even when not connected to the internet. His virus scanner keeps picking up winh32.exe, but there seems to be other adware on the computer as well. I am unable to get rid of them with Ad-Aware or Spybot S&D; they delete them but they are back almost instantly. Also, I can't get into the Task Manager; it is "greyed out" when I click ctrl-alt-del. ...

Brian

Budfred
10-07-2007, 11:47 PM
Welcome to http://www.pcguide.com/ubb/pcgubb.gif

This post explains exactly what I have going on; when I try Task Manager I get a window that opens and says the administrator has disabled it.
If you believe your computer is infected, please start your own thread and include a HijackThis log so we can get an idea of what is going on...