Malwarebytes does not seem to remove suspect Trojan(s)

[stuck in california]

Hi All-

I am most definitely infected by something and here are the main symptoms:

1. Whenever I attempt to download updates for any malware/spyware/adware removal programs, I get error messages.

2. My computer hangs on bootup, sometimes indefinitely, with cpu at 100 %

3. System Restore opens, but when I select a restore point and click "next" button, nothing happens. "Next" is somehow disabled.

4. I cannot surf to any site that relates to removal tools.

5. I had to rename mbam exe file to get it to run.

Thank you in advance for any help you can provide. I really appreciate it.

Jeff

Here are two malwarebytes logs and one hijackthis log:

Malwarebytes' Anti-Malware 1.34

Database version: 1749

Windows 5.1.2600 Service Pack 3

3/20/2009 10:49:29 PM

mbam-log-2009-03-20 (22-49-29).txt

Scan type: Full Scan (C:\|D:\|I:\|J:\|K:\|L:\|)

Objects scanned: 359421

Time elapsed: 48 minute(s), 20 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.229,85.255.112.140 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.229,85.255.112.140 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.229,85.255.112.140 -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\autorun.inf (Trojan.Agent) -> Quarantined and deleted successfully.

C:\RECYCLER\S-2-2-39-100001423-100030663-100027989-4670.com (Trojan.Agent) -> Quarantined and deleted successfully.

---

Malwarebytes' Anti-Malware 1.34

Database version: 1863

Windows 5.1.2600 Service Pack 3

3/20/2009 11:41:08 PM

mbam-log-2009-03-20 (23-41-08).txt

Scan type: Quick Scan

Objects scanned: 74977

Time elapsed: 2 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.

-----

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:32:36 AM, on 3/21/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Safe mode

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\Jeff Desktop\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [say the Time] C:\Program Files\Say the Time\SayTime.exe

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer

O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer

O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [ATnotes.exe] C:\Program Files\ATnotes\ATnotes.exe

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - S-1-5-18 Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe (User 'SYSTEM')

O4 - .DEFAULT Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe (User 'Default user')

O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe

O4 - Global Startup: APC UPS Status.lnk = ?

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...031/CTSUEng.cab

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15035/CTPID.cab

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe

O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

O23 - Service: SiI 4726 Manager - Unknown owner - C:\Program Files\SiI4726\SiI 4726 Manager\SiI4726.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 12081 bytes

[extremeboy]

Hello.

There was a sign of a rootkit on your computer. Let me know if you wish to format or continue.

Rootkit Threat

Unfortunatly One or more of the identified infections is a Rootkit/backdoor trojan.

IMPORTANT NOTE: Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

• When should I re-format? How should I reinstall?
• Help: I Got Hacked. Now What Do I Do?
  
• Where to draw the line? When to recommend a format and reinstall?
  

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Tell me what you want to do.

With Regards,

Extremeboy

[stuck in california]

I would like to proceed with removal attempt, please. I have changed passwords to financial accounts and temporarily disconnected the infected computer's Ethernet cable from the Internet router.

Thank you.

[extremeboy]

Hello.

Good

Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1

Link 2

Link 3

• Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  
• Close any open windows, including this one.
  
• Double click on ComboFix.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• If you did not have it installed, you will see the prompt below. Choose YES.
  
• 
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you

should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

• Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  
• Click on Yes, to continue scanning for malware.
  
• When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
  

Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may call it to stall.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.

• Download gmer.zip and save to your desktop.
  Alternate Download Site 1
  Alternate Download Site 2
• Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.
  
• When you have done this, disconnect from the Internet and close all running programs.
  There is a small chance this application may crash your computer so save any work you have open.
  
• Double-click on Gmer.exe to start the program.
  
• Allow the gmer.sys driver to load if asked.
  
• If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  
• Click the >>>
  
• Click on Settings, then check the first five settings:
  • System Protection and Tracing
    
  • Processes
    
  • Save created processes to the log
    
  • Drivers
    
  • Save loaded drivers to the log
    

  [*]You will be prompted to restart your computer. Please do so.

After the reboot, run Gmer again and click on the Rootkit tab.

• Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  
• Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  
• Click on the Scan and wait for the scan to finish.
  Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop buttons turns back to Scan.
  
• When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
  

Important!:Please do not select the Show all checkbox during the scan..

Post back with:

-Combofix log

-GMER log

-New Hijackthis log

-Description of any problem you still have

With Regards,

Extremeboy

[stuck in california]

Thank you so much for your time, thus far! Following are the logs you requested. With regard to current system function,

1. reboots faster with no freezing

2. browser no longer redirects to random pages.

3. system restore...I have not tested system restore because I do not want to cause irreversible damage.

4. I can now successfully download updates to virus/adware removal products.

Please let me know what further steps to take.

Thanks again,

Jeff

ComboFix 09-03-19.02 - Jeff Desktop 2009-03-21 18:28:40.1 - NTFSx86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2746 [GMT -7:00]

Running from: c:\documents and settings\Jeff Desktop\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\windows\system32\drivers\gaopdxvlklcntdwmirhcpaeoskouppxcvryony.sys

c:\windows\system32\gaopdxcounter

c:\windows\system32\gaopdxssopygkqmewxqfntkaexeglbtxjdtfys.dll

D:\Autorun.inf

d:\recycler\S-2-2-39-100001423-100030663-100027989-4670.com

I:\Autorun.inf

i:\recycler\S-2-2-39-100001423-100030663-100027989-4670.com

J:\Autorun.inf

j:\recycler\S-2-2-39-100001423-100030663-100027989-4670.com

K:\Autorun.inf

k:\recycler\S-2-2-39-100001423-100030663-100027989-4670.com

L:\Autorun.inf

l:\recycler\S-2-2-39-100001423-100030663-100027989-4670.com

----- BITS: Possible infected sites -----

hxxp://sunmicro.ht.rd.llnw.net

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_gaopdxserv.sys

((((((((((((((((((((((((( Files Created from 2009-02-22 to 2009-03-22 )))))))))))))))))))))))))))))))

.

2009-03-21 03:46 . 2009-03-21 03:50 <DIR> d--h----- C:\$AVG8.VAULT$

2009-03-21 03:35 . 2009-03-21 03:35 <DIR> d-------- c:\program files\AVG

2009-03-21 03:35 . 2009-03-21 17:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8

2009-03-20 23:36 . 2009-03-20 23:37 <DIR> d-------- c:\program files\nothing

2009-03-20 21:31 . 2009-03-20 21:31 <DIR> d-------- c:\documents and settings\Jeff Desktop\Application Data\Malwarebytes

2009-03-20 21:30 . 2009-03-20 23:35 <DIR> d-------- c:\program files\malwarebytes

2009-03-20 21:30 . 2009-03-20 21:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-03-20 21:30 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-20 21:30 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-03-20 19:05 . 2009-03-09 12:06 15,688 --a------ c:\windows\system32\lsdelete.exe

2009-03-20 18:49 . 2009-03-20 18:49 <DIR> d-------- c:\program files\Lavasoft

2009-03-20 18:49 . 2009-03-20 18:49 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}

2009-03-20 18:49 . 2009-03-09 12:06 64,160 --a------ c:\windows\system32\drivers\Lbd.sys

2009-03-16 21:49 . 2009-03-16 21:50 <DIR> d-------- c:\documents and settings\Jeff Desktop\Application Data\Marine Aquarium 3

2009-03-16 21:49 . 2009-03-03 15:14 6,545,408 --a------ c:\windows\system32\MarineAquarium3.scr

2009-03-15 15:19 . 2009-03-16 21:49 <DIR> d-------- c:\program files\SereneScreen

2009-03-15 15:19 . 2006-02-28 08:53 2,936,832 --a------ c:\windows\system32\MA2_6.scr

2009-03-05 23:49 . 2009-03-05 23:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}

2009-03-05 23:35 . 2009-03-05 23:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\PCSettings

2009-03-05 23:34 . 2009-03-05 23:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller

2009-03-05 23:34 . 2009-03-20 20:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton

2009-03-05 23:29 . 2009-03-05 23:29 <DIR> d-------- c:\documents and settings\All Users\Symantec Temporary Files

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-21 04:29 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet

2009-03-21 03:55 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-03-21 02:27 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-03-21 01:49 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-03-19 13:08 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink

2009-03-15 22:57 --------- d-----w c:\documents and settings\Jeff Desktop\Application Data\Azureus

2009-03-14 01:16 --------- d-----w c:\program files\SmartRipper 2.41

2009-03-13 03:36 410,984 ----a-w c:\windows\system32\deploytk.dll

2009-03-13 03:36 --------- d-----w c:\program files\Java

2009-03-12 02:15 --------- d-----w c:\documents and settings\Jeff Desktop\Application Data\Audacity

2009-03-06 06:48 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec

2009-03-06 06:44 --------- d-----w c:\documents and settings\Jeff Desktop\Application Data\Symantec

2009-02-27 03:03 --------- d-----w c:\program files\Vuze

2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys

2008-06-30 20:44 324,976 ----a-w c:\program files\mozilla firefox\components\coFFPlgn.dll

2008-10-29 08:08 12,884 --sha-w c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]

"TivoTransfer"="c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [2007-05-02 1193472]

"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2007-05-02 1463296]

"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2007-05-02 373760]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-27 68856]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 202024]

"ATnotes.exe"="c:\program files\ATnotes\ATnotes.exe" [2005-01-05 1015808]

"Aim6"="c:\program files\AIM6\aim6.exe" [2008-06-19 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Say the Time"="c:\program files\Say the Time\SayTime.exe" [2004-04-28 1015808]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 344064]

"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-13 169984]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-12 148888]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]

"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 1828136]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]

"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]

"Adobe_ID0EYTHM"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 1884160]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 624248]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]

"CTxfiHlp"="CTXFIHLP.EXE" [2007-04-09 c:\windows\system32\Ctxfihlp.exe]

"CTHelper"="CTHELPER.EXE" [2007-04-09 c:\windows\system32\CtHelper.exe]

c:\documents and settings\Jeff Desktop\Start Menu\Programs\Startup\

MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2008-06-25 547840]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2008-06-24 209016]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 53248]

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"ShadowProtectSvc"=2 (0x2)

"VSNAPVSS"=2 (0x2)

"Roxio Upnp Server 9"=2 (0x2)

"Roxio UPnP Renderer 9"=3 (0x3)

"RoxWatch9"=2 (0x2)

"RoxMediaDB9"=3 (0x3)

"TivoBeacon2"=2 (0x2)

"Nero BackItUp Scheduler 3"=2 (0x2)

"License Management Service ESD"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server

"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server

"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server

"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-20 64160]

R0 Si3132r5;SiI-3132 SoftRaid 5 Controller;c:\windows\system32\drivers\Si3132r5.sys [2008-06-24 215856]

R0 stcvsm;stcvsm;c:\windows\system32\drivers\stcvsm.sys [2008-06-24 127520]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]

S1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [2008-06-28 244736]

S1 sbmount;StorageCraft Image Mount Driver;c:\windows\system32\drivers\sbmount.sys [2008-06-24 86560]

S2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-11 124832]

S2 SiI 4726 Manager;SiI 4726 Manager;c:\program files\SiI4726\SiI 4726 Manager\SiI4726.exe [2008-06-24 998400]

S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-07-19 24652]

S4 ShadowProtectSvc;ShadowProtect Service;c:\program files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe [2008-06-24 1239584]

S4 TivoBeacon2;TiVo Beacon;c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [2007-05-02 865280]

S4 VSNAPVSS;StorageCraft Shadow Copy Provider;c:\windows\system32\vsnapvss.exe [2008-06-24 69664]

.

Contents of the 'Scheduled Tasks' folder

2009-03-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 12:06]

2009-03-15 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-1A:Stardock TrayMonitor - (no file)

HKLM-RunServices-1A:Stardock TrayMonitor - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uInternet Settings,ProxyOverride = *.local

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Jeff Desktop\Application Data\Mozilla\Firefox\Profiles\2vk16ren.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-21 18:31:07

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2009-03-21 18:32:40

ComboFix-quarantined-files.txt 2009-03-22 01:32:38

Pre-Run: 19,592,445,952 bytes free

Post-Run: 20,681,428,992 bytes free

217 --- E O F --- 2009-03-12 10:00:47

GMER 1.0.15.14944 - http://www.gmer.net

Rootkit scan 2009-03-21 23:29:55

Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF766787E]

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7667C10]

---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !

? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

? C:\ComboFix\catchme.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 stcvsm.sys (StorageCraft Volume Snapshot Driver/StorageCraft Technology Corporation)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 stcvsm.sys (StorageCraft Volume Snapshot Driver/StorageCraft Technology Corporation)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 stcvsm.sys (StorageCraft Volume Snapshot Driver/StorageCraft Technology Corporation)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 stcvsm.sys (StorageCraft Volume Snapshot Driver/StorageCraft Technology Corporation)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 stcvsm.sys (StorageCraft Volume Snapshot Driver/StorageCraft Technology Corporation)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume6 stcvsm.sys (StorageCraft Volume Snapshot Driver/StorageCraft Technology Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@start 1

Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@type 1

Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxvlklcntdwmirhcpaeoskouppxcvryony.sys

Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@group file system

Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules

Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxvlklcntdwmirhcpaeoskouppxcvryony.sys

Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxssopygkqmewxqfntkaexeglbtxjdtfys.dll

---- EOF - GMER 1.0.15 ----

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:30:48 PM, on 3/21/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Safe mode with network support

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Jeff Desktop\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [say the Time] C:\Program Files\Say the Time\SayTime.exe

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer

O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer

O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [ATnotes.exe] C:\Program Files\ATnotes\ATnotes.exe

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - S-1-5-18 Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe (User 'SYSTEM')

O4 - .DEFAULT Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe (User 'Default user')

O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe

O4 - Global Startup: APC UPS Status.lnk = ?

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...031/CTSUEng.cab

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15035/CTPID.cab

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe

O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

O23 - Service: SiI 4726 Manager - Unknown owner - C:\Program Files\SiI4726\SiI 4726 Manager\SiI4726.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 12246 bytes

[stuck in california]

Hi Extremeboy-

Someone else responded to their issue in our thread, but please see my latest response prior to his. Thank you, again.

[extremeboy]

Hello.

Yes, I see and I'm not pleased with that..

@WhatsGrammar?

Start your OWN topic please and wait. This topic is ONLY for stuck in california. I will not look at those logs and will not post back as it will cause confusion for stuck in california.

I will let a MOD know and delete that post or move it away.

@stuck in california

Give me a few minutes or so to look over the logs please. Instructions are coming soon.

With regards,

Extremeboy

[extremeboy]

Hello

Sounds everything is better now. Glad I could help but we are not quite done yet.

3. system restore...I have not tested system restore because I do not want to cause irreversible damage.

Good.

A few programs you need to be warned about.

View Point Programs Warning

Viewpoint Manager and Viewpoint Media Player is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This changed from what we know in 2006 read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Additional instructions on removing program can be found here.

Peer-to-Peer Programs Warning

Your log shows that you are using so called peer-to-peer or file-sharing programs (in your case Vuze). These programs allow to share files between users as the name(s) suggest. In today's world cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s) but I suggest you remove it via add/remove. However, please refrain from using them until your computer has been declared clean.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.

• Close any open browsers.
  
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  
• Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:

  Registry::[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]"DisableMonitoring"=dword:00000000[-HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys]

  Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  
  Refering to the picture above, drag CFScript into ComboFix.exe.
  

When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall

Download and Run FlashDisinfector

• Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  
• Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  
• The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  
• Wait until it has finished scanning and then exit the program.
  
• Reboot your computer when done.
  

Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link 1

alternate download link 2

• Make sure you are connected to the Internet.
  
• Double-click on Download_mbam-setup.exe to install the application.
  
• When the installation begins, follow the prompts and do not make any changes to default settings.
  
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
    

  [*]Then click Finish.

  [*]MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

  [*]On the Scanner tab:

  • Make sure the "Perform Quick Scan" option is selected.
    
  • Then click on the Scan button.
    

  [*]If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.

  [*]The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.

  [*]When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".

  [*]Click OK to close the message box and continue with the removal process.

  [*]Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.

  [*]Make sure that everything is checked, and click Remove Selected.

  [*]When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)

  [*]The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.

  [*]Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Post back with:

-Combofix log

-MBAM log

With Regards,

Extremeboy

[stuck in california]

Dear Extremeboy:

I take your words regarding Vuze seriously. Thank you. I deleted Viewpoint as instructed. I will await further word. Thanks again!!!

Here are the additional logs you requested:

ComboFix 09-03-22.01 - Jeff Desktop 2009-03-22 23:49:51.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2246 [GMT -7:00]

Running from: c:\documents and settings\Jeff Desktop\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Jeff Desktop\Desktop\CFScript.txt

AV: Norton 360 Premier Edition *On-access scanning disabled* (Updated)

FW: Norton 360 Premier Edition *disabled*

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2009-02-23 to 2009-03-23 )))))))))))))))))))))))))))))))

.

2009-03-21 23:45 . 2009-03-21 23:45 <DIR> d-------- c:\program files\Windows Sidebar

2009-03-21 23:45 . 2009-03-22 00:58 <DIR> d-------- c:\program files\Norton 360 Premier Edition

2009-03-21 23:44 . 2009-03-21 23:46 <DIR> d-------- c:\program files\Symantec

2009-03-21 23:44 . 2009-03-21 23:46 123,952 --a------ c:\windows\system32\drivers\SYMEVENT.SYS

2009-03-21 23:44 . 2009-03-21 23:46 60,800 --a------ c:\windows\system32\S32EVNT1.DLL

2009-03-21 23:44 . 2009-03-21 23:46 10,563 --a------ c:\windows\system32\drivers\SYMEVENT.CAT

2009-03-21 23:44 . 2009-03-21 23:46 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF

2009-03-21 03:46 . 2009-03-21 03:50 <DIR> d--h----- C:\$AVG8.VAULT$

2009-03-21 03:35 . 2009-03-21 03:35 <DIR> d-------- c:\program files\AVG

2009-03-21 03:35 . 2009-03-21 17:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8

2009-03-20 23:36 . 2009-03-20 23:37 <DIR> d-------- c:\program files\nothing

2009-03-20 21:31 . 2009-03-20 21:31 <DIR> d-------- c:\documents and settings\Jeff Desktop\Application Data\Malwarebytes

2009-03-20 21:30 . 2009-03-20 23:35 <DIR> d-------- c:\program files\malwarebytes

2009-03-20 21:30 . 2009-03-20 21:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-03-20 21:30 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-20 21:30 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-03-20 19:05 . 2009-03-09 12:06 15,688 --a------ c:\windows\system32\lsdelete.exe

2009-03-20 18:49 . 2009-03-20 18:49 <DIR> d-------- c:\program files\Lavasoft

2009-03-20 18:49 . 2009-03-20 18:49 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}

2009-03-20 18:49 . 2009-03-09 12:06 64,160 --a------ c:\windows\system32\drivers\Lbd.sys

2009-03-16 21:49 . 2009-03-16 21:50 <DIR> d-------- c:\documents and settings\Jeff Desktop\Application Data\Marine Aquarium 3

2009-03-16 21:49 . 2009-03-03 15:14 6,545,408 --a------ c:\windows\system32\MarineAquarium3.scr

2009-03-15 15:19 . 2009-03-16 21:49 <DIR> d-------- c:\program files\SereneScreen

2009-03-15 15:19 . 2006-02-28 08:53 2,936,832 --a------ c:\windows\system32\MA2_6.scr

2009-03-05 23:49 . 2009-03-05 23:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}

2009-03-05 23:35 . 2009-03-05 23:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\PCSettings

2009-03-05 23:34 . 2009-03-05 23:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller

2009-03-05 23:34 . 2009-03-20 20:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton

2009-03-05 23:29 . 2009-03-05 23:29 <DIR> d-------- c:\documents and settings\All Users\Symantec Temporary Files

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-23 06:48 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-03-23 06:36 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint

2009-03-23 06:32 --------- d-----w c:\documents and settings\Jeff Desktop\Application Data\Azureus

2009-03-22 13:00 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-03-22 09:35 --------- d-----w c:\documents and settings\Jeff Desktop\Application Data\Symantec

2009-03-22 08:02 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec

2009-03-22 06:59 --------- d-----w c:\program files\Spybot - Search & Destroy

2009-03-21 04:29 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet

2009-03-21 01:49 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-03-19 13:08 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink

2009-03-14 01:16 --------- d-----w c:\program files\SmartRipper 2.41

2009-03-13 03:36 410,984 ----a-w c:\windows\system32\deploytk.dll

2009-03-13 03:36 --------- d-----w c:\program files\Java

2009-03-12 02:15 --------- d-----w c:\documents and settings\Jeff Desktop\Application Data\Audacity

2009-02-27 03:03 --------- d-----w c:\program files\Vuze

2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys

2008-06-30 20:44 324,976 ----a-w c:\program files\mozilla firefox\components\coFFPlgn.dll

2008-10-29 08:08 12,884 --sha-w c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((( SnapShot@2009-03-21_18.31.32.01 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-03-22 06:44:55 7,406 ----a-r c:\windows\Installer\{E80F62FF-5D3C-4A19-8409-9721F2928206}\IconE80F62FF.exe

- 2009-03-21 06:02:51 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-03-22 07:44:58 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2009-03-21 06:02:51 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-03-22 07:44:58 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-03-21 06:02:51 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-03-22 07:44:58 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2007-08-09 00:39:56 36,056 ----a-w c:\windows\system32\drivers\CO_Mon.sys

+ 2008-07-31 00:42:12 23,888 ----a-w c:\windows\system32\drivers\COH_Mon.sys

+ 2008-02-01 01:51:16 279,088 ----a-w c:\windows\system32\drivers\srtsp.sys

+ 2008-02-01 01:51:16 317,616 ----a-w c:\windows\system32\drivers\srtspl.sys

+ 2008-02-01 01:51:16 43,696 ----a-w c:\windows\system32\drivers\srtspx.sys

+ 2008-02-05 19:34:43 13,616 ----a-w c:\windows\system32\drivers\symdns.sys

+ 2008-02-05 19:34:43 96,432 ----a-w c:\windows\system32\drivers\symfw.sys

+ 2008-02-05 19:34:43 38,576 ----a-w c:\windows\system32\drivers\symids.sys

+ 2008-02-06 21:43:53 31,408 ----a-w c:\windows\system32\drivers\SymIM.sys

+ 2008-02-05 19:34:43 37,424 ----a-w c:\windows\system32\drivers\symndis.sys

+ 2008-02-05 19:34:43 41,008 ----a-w c:\windows\system32\drivers\symndisv.sys

+ 2008-02-05 19:34:43 22,320 ----a-w c:\windows\system32\drivers\symredrv.sys

+ 2008-02-05 19:34:43 188,464 ----a-w c:\windows\system32\drivers\symtdi.sys

- 2009-02-03 23:21:12 21,244,864 ----a-w c:\windows\system32\MRT.exe

+ 2009-02-25 19:55:00 24,768,960 ----a-w c:\windows\system32\MRT.exe

+ 2008-02-20 01:06:11 579,464 ----a-w c:\windows\system32\SymNeti.dll

+ 2008-02-20 01:06:11 207,240 ----a-w c:\windows\system32\SymRedir.dll

+ 2009-03-22 07:42:42 16,384 ----atw c:\windows\temp\Perflib_Perfdata_6bc.dat

+ 2009-03-22 07:42:23 16,384 ----atw c:\windows\temp\Perflib_Perfdata_794.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]

"TivoTransfer"="c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [2007-05-02 1193472]

"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2007-05-02 1463296]

"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2007-05-02 373760]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-27 68856]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 202024]

"ATnotes.exe"="c:\program files\ATnotes\ATnotes.exe" [2005-01-05 1015808]

"Aim6"="c:\program files\AIM6\aim6.exe" [2008-06-19 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Say the Time"="c:\program files\Say the Time\SayTime.exe" [2004-04-28 1015808]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 344064]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-12 148888]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]

"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 1828136]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]

"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]

"Adobe_ID0EYTHM"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 1884160]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 624248]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 51048]

"osCheck"="c:\program files\Norton 360 Premier Edition\osCheck.exe" [2008-02-26 988512]

"CTxfiHlp"="CTXFIHLP.EXE" [2007-04-09 c:\windows\system32\Ctxfihlp.exe]

"CTHelper"="CTHELPER.EXE" [2007-04-09 c:\windows\system32\CtHelper.exe]

c:\documents and settings\Jeff Desktop\Start Menu\Programs\Startup\

MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2008-06-25 547840]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2008-06-24 209016]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 53248]

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server

"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server

"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server

"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-20 64160]

R0 stcvsm;stcvsm;c:\windows\system32\drivers\stcvsm.sys [2008-06-24 127520]

R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [2008-06-28 244736]

R1 sbmount;StorageCraft Image Mount Driver;c:\windows\system32\drivers\sbmount.sys [2008-06-24 86560]

R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-11 124832]

R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-18 149352]

R2 ShadowProtectSvc;ShadowProtect Service;c:\program files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe [2008-06-24 1239584]

R2 SiI 4726 Manager;SiI 4726 Manager;c:\program files\SiI4726\SiI 4726 Manager\SiI4726.exe [2008-06-24 998400]

R2 TivoBeacon2;TiVo Beacon;c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [2007-05-02 865280]

R2 VSNAPVSS;StorageCraft Shadow Copy Provider;c:\windows\system32\vsnapvss.exe [2008-06-24 69664]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-21 101936]

S0 Si3132r5;SiI-3132 SoftRaid 5 Controller;c:\windows\system32\drivers\Si3132r5.sys [2008-06-24 215856]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-12 23888]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

*NewlyCreated* - LIVEUPDATE

.

Contents of the 'Scheduled Tasks' folder

2009-03-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 12:06]

2009-03-15 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uInternet Settings,ProxyOverride = *.local

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Jeff Desktop\Application Data\Mozilla\Firefox\Profiles\2vk16ren.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-22 23:52:26

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2009-03-22 23:54:24

ComboFix-quarantined-files.txt 2009-03-23 06:54:20

ComboFix2.txt 2009-03-22 02:02:28

ComboFix3.txt 2009-03-22 01:32:41

Pre-Run: 15,678,029,824 bytes free

Post-Run: 15,677,972,480 bytes free

227 --- E O F --- 2009-03-22 10:02:54

Malwarebytes' Anti-Malware 1.34

Database version: 1887

Windows 5.1.2600 Service Pack 3

3/23/2009 12:06:04 AM

mbam-log-2009-03-23 (00-06-04).txt

Scan type: Quick Scan

Objects scanned: 77932

Time elapsed: 4 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

[extremeboy]

Hello again.

I take your words regarding Vuze seriously. Thank you. I deleted Viewpoint as instructed. I will await further word. Thanks again!!!

B)

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

• Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  
• Open the Kaspersky WebScanner
  page.
  
• Click on the button on the main page.
  
• The program will launch and fill in the Information section on the left.
  
• Read the "Requirements and Limitations" then press the button.
  
• The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  
• Once the files have been downloaded, click on the ...button.
  In the scan settings make sure the following are selected:
  • Detect malicious programs of the following categories:
    Viruses, Worms, Trojan Horses, Rootkits
    Spyware, Adware, Dialers and other potentially dangerous programs
    
  • Scan compound files (doesn't apply to the File scan area):
    Archives
    Mail databases
    By default the above items should already be checked.
    
  • Click the button, if you made any changes.
    

  [*]Now under the Scan section on the left:

  Select My Computer

  [*]The program will now start and scan your system. This will run for a while, be patient and let it finish.

  [*]Once the scan is complete, click on View scan report

  [*]Now, click on the Save Report as button.

  [*]Save the file to your desktop.

  [*]Copy and paste that information in your next post.

You can refer to this animation by sundavis.

Download and Run DDS

We need to see some information about what is happening in your machine. Please perform the following scan:

• Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.com
  • DDS.scr
    
  • DDS.pif
    

  [*]Double click on the DDS icon, allow it to run.

  [*]A small box will open, with an explanation about the tool. No input is needed, the scan is running.

  [*]Notepad will open with the results, click no to the Optional_Scan

  [*]Follow the instructions that pop up for posting the results.

  [*]Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

-- Note: The screen instructions indicate the attach.txt must be zipped before attaching (not posted) to your forum post. Instead, we want you to include attach.txt as an attachment to upload using the "Browse" button in the text editor when making your reply.

Post back with:

-Kaspersky scan log

-DDS log

-Attach log

With Regards,

Extremeboy

[stuck in california]

Hello, Extremeboy:

I wanted to give you a quick "heads up" to let you know that Kapersky is scanning, but it is a very slow process. It has been running for about 40 minutes and says 1% complete. So, it might take a while, naturally, for me to respond with the logs.

Thanks again!!!

Jeff

[stuck in california]

Hi Extremeboy:

I ran DDS and Kapersky. The requested logs are attached. If you would like me to re-send with the contents of the logs included in my actualy post, please let me know.

Thank you very much for everything,

Jeff

Attach.txt

DDS.txt

Kapersky.txt

Attach.txt

DDS.txt

Kapersky.txt

[extremeboy]

Hello.

Don't worry. Kaspersky does indeed take a while to complete. I can see the logs perfectly fine

Let's remove the following things please.

Uninstall the older versions of Java on your system:

J2SE Runtime Environment 5.0 Update 5

Java 6 Update 5

Java 6 Update 7

Delete the following infected music file:

D:\My Documents\My Music\iTunes\iTunes Music\Keith Urban\Greatest Hits\03-keith_urban-i_told_you_so.mp3 <- This file

After that everything looks good

Uninstall ComboFix

Remove Combofix now that we're done with it.

• Click on your Start Menu, then Run....
  
• Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
  
  
• When shown the disclaimer, Select "2"
  

This will remove files/folders assoicated with combofix and uninstall it.

Download and Run OTCleanIt

We will now remove the tools we used during this fix.

• Download OTCleanIt by OldTimer to your desktop.
  
• Double click OTCleanIt.exe to start the program.
  
• Click the big CleanUp! button.
  
• When asked if you want to proceed witht the cleanup process, click Yes. Restart your computer when prompted.
  

Congratulations! You now appear clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:

• So How did I get infected?
• Miekies' prevention suggestions
  
• Hardening Windows Security - Part 1 & Part 2.
  

[*]Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a sm

[stuck in california]

Dear Extremeboy:

Wow. Thank you so much for all of your hard work and input. I really appreciate it!!!! Do you have a favorite charity? I would love to "give back" by making a donation to a cause that you support.

Thank you.

Thank you.

Thank you.

Jeff

[extremeboy]

Hello.

That's very kind of you.

I have talked to one of the members in this forum regarding donations.

Currently, neither I nor Malwarebytes accept donations. However, one way to show your appreciation is to buy the Malwarebytes Anti-Malware product if you like it and if it has helped you. Billy O'Neal one of our HJT Teams at BleepingComputer accepts donations and the money you donate goes towards a license of Camtasia Studio, which he will write video tutorials for BleepingComputer.

I appreciate your kind offering!

With Regards,

Extremeboy

[stuck in california]

Okay, great. Will do.

Thanks again!!!!

[extremeboy]

You're welcome.

Happy surfing and good luck in the future!

With Regards,

Extremeboy

[extremeboy]

Hello.

Since the problem appears to be resolved, this topic wil be Closed by a Moderator. Glad we could help

This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal Forum.

With Regards,

Extremeboy