Unable to run Malwarebytes, .exe file disappears

[rougjedi]

I've picked up malware, i believe some type of rogue-anti-virus, that I am unable to get rid of with Malwarebytes. When I attempt to execute Malwarebytes, no screens pop up, and when I go back to check the Malwarebytes folder the application file is gone. I am able to start Windows XP in Safe Mode without any pop-ups or anti-virus notifications, but I am still unable to run Malwarebytes, even after uninstalling and reinstalling. I have included a Trend Micro HijackThis log file below:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:45:34 PM, on 10/6/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Safe mode with network support

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html?p=DS

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [fonavoned] Rundll32.exe "c:\windows\system32\niwogepi.dll",a

O4 - HKLM\..\Run: [55342423] C:\Documents and Settings\All Users\Application Data\55342423\55342423.exe

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [PackersScreenServerSvc] "C:\Program Files\PackersScreenServer\PackersScreenServer.exe" /svc

O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: LUMIX Simple Viewer.lnk = ?

O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: *.doginhispen.com

O15 - Trusted Zone: *.whataboutadog.com

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {276595D9-1388-512A-F24E-B6B3DE32B732} (MNPerformer Class) - http://media.cdigix.com/Performer/download...formerSetup.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinner.com/games/v45/pool/pool.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab

O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxor/sis/mjolauncher.cab

O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab

O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/free-tri...zylomplayer.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{21C903F1-41E3-4F4C-BEB3-5E1309E710B2}: NameServer = 64.186.63.132,64.141.177.150

O17 - HKLM\System\CS1\Services\Tcpip\..\{21C903F1-41E3-4F4C-BEB3-5E1309E710B2}: NameServer = 64.186.63.132,64.141.177.150

O17 - HKLM\System\CS2\Services\Tcpip\..\{21C903F1-41E3-4F4C-BEB3-5E1309E710B2}: NameServer = 64.186.63.132,64.141.177.150

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Filter hijack: text/html - {9157cd03-c369-4924-ae5a-337bc7e0ab3d} - C:\WINDOWS\system32\mst120.dll

O20 - AppInit_DLLs: avgrsstx.dll umenqp.dll ytqlyh.dll c:\windows\system32\niwogepi.dll,vopepimi.dll,jodilose.dll,gehufidu.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O21 - SSODL: keruvowip - {5e9733b6-1f7c-43bd-a751-3db03d7b33d3} - c:\windows\system32\niwogepi.dll

O22 - SharedTaskScheduler: mujuzedij - {5e9733b6-1f7c-43bd-a751-3db03d7b33d3} - c:\windows\system32\niwogepi.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 11002 bytes

[extremeboy]

Hello.

Yes, you indeed have a rouge.

Let's check for any rootkits and get a more detailed look.

Run DDS followed by RootRepeal.

Download and run DDS

We need to see some information about what is happening in your machine. Please perform the following scan:

• Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.scr
    
  • DDS.pif
    

  [*]Double click on the DDS icon, allow it to run.

  [*]A small box will open, with an explanation about the tool. No input is needed, the scan is running.

  [*]Notepad will open with the results soon.

  [*]Follow the instructions that pop up for posting the results and then click Ok.

  [*]The black and message box window shall then disappear.

  [*]Please save both log files on your desktop and post the DDS.txt and zip up and attach Attach.txt as instructed.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Download and run RootRepeal CR

Please download RootRepeal from the following location and save it to your desktop.

• Direct Download (Recommended)
  • Primary Mirror
    
  • Secondary Mirror
    
  • Secondary Mirror
    
  • Secondary Mirror
    

  [*]Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)

  • Primary Mirror
    
  • Secondary Mirror
    
  • Secondary Mirror
    

• Unzip the RootRepeal.zip file it to it's own folder. (If you did not use the "Direct Download" mirror to download RootRepeal).
  
• Close/Disable all other programs especially your security programs (anti-spyware, anti-virus, and firewall) Refer to this page, if you are unsure how.
  
• Physically disconnect your machine from the internet as your system will be unprotected.
  
• Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator...
  
• Click the tab at the bottom.
  
• Now press the button.
  
• A box will pop up, check the boxes beside All Seven options/scan area
  
  
• Now click OK.
  
• Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
  
• The scan will take a little while to run, so let it go unhindered.
  
• Once it is done, click the Save Report button.
  
• Save it as RepealScan and save it to your desktop
  
• Reconnect to the internet.
  
• Post the contents of that log in your reply please.
  

~Extremeboy

[rougjedi]

I ran DDS.exe and also RootRepeal and got the following logs. I've separated the DDS log from the RootRepeal log with a line of #. The Attach file for the DDS.exe run I have zipped and attached.

DDS (Ver_09-09-29.01) - NTFSx86 NETWORK

Run by Adam Scharf at 21:24:01.70 on Tue 10/06/2009

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.193 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\Adam Scharf\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com

uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz

uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html?p=DS

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz

uInternet Settings,ProxyOverride = localhost

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com

uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll

mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll

BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [Aim6]

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [PackersScreenServerSvc] "c:\program files\packersscreenserver\PackersScreenServer.exe" /svc

uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [fonavoned] Rundll32.exe "c:\windows\system32\niwogepi.dll",a

mRun: [55342423] c:\documents and settings\all users\application data\55342423\55342423.exe

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\documents and settings\adam scharf\start menu\programs\startup\PowerReg Scheduler.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lumixs~1.lnk - c:\program files\panasonic\lumixsimpleviewer\PhLeAutoRun.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111t\wlan111t.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe

IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html

IE: &Search

IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000

IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

Trusted Zone: doginhispen.com

Trusted Zone: whataboutadog.com

Trusted Zone: musicmatch.com\online

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {276595D9-1388-512A-F24E-B6B3DE32B732} - hxxp://media.cdigix.com/Performer/downloads/PerformerSetup.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll

DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} - hxxp://www.worldwinner.com/games/v45/pool/pool.cab

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab

DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab

DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab

DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab

DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://www.shockwave.com/content/luxor/sis/mjolauncher.cab

DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-yahtzee/zylomplayer.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

TCP: {21C903F1-41E3-4F4C-BEB3-5E1309E710B2} = 64.186.63.132,64.141.177.150

Filter: text/html - {9157cd03-c369-4924-ae5a-337bc7e0ab3d} -

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll

Notify: avgrsstarter - avgrsstx.dll

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: avgrsstx.dll umenqp.dll ytqlyh.dll c:\windows\system32\niwogepi.dll,vopepimi.dll,jodilose.dll,gehufidu.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SSODL: keruvowip - {5e9733b6-1f7c-43bd-a751-3db03d7b33d3} - c:\windows\system32\niwogepi.dll

STS: mujuzedij: {5e9733b6-1f7c-43bd-a751-3db03d7b33d3} - c:\windows\system32\niwogepi.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

LSA: Authentication Packages = msv1_0 c:\windows\system32\jkkLBtQG

LSA: Notification Packages = scecli gehufidu.dll rafomife.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\adamsc~1\applic~1\mozilla\firefox\profiles\g7w2t0j0.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=

FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true);user_pref(general.useragent.extra.zencast,

============= SERVICES / DRIVERS ===============

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-8-16 108552]

R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-16 335240]

S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-8-16 27784]

S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-8-16 908056]

S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-8-16 297752]

S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-4-6 24652]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2006-8-26 17149]

S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [2007-2-2 50048]

=============== Created Last 30 ================

2009-10-06 19:45 <DIR> --d----- c:\program files\Trend Micro

2009-10-06 19:25 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-06 19:24 19,160 a------- c:\windows\system32\drivers\mbam.sys

2009-10-06 19:24 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-10-06 18:47 <DIR> --d----- C:\ARK

2009-10-06 14:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\55342423

2009-10-05 16:12 <DIR> --d----- c:\docume~1\adamsc~1\applic~1\BitZipper

2009-10-05 16:12 <DIR> --d----- c:\program files\BitZipper

==================== Find3M ====================

2009-08-28 12:42 335,240 a------- c:\windows\system32\drivers\avgldx86.sys

2009-08-28 12:42 11,952 a------- c:\windows\system32\avgrsstx.dll

2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll

2005-07-28 13:51 2,944,958 -------- c:\program files\Skittles_Hunt_For_Grievous.EXE

2005-07-20 20:29 6,250,584 a------- c:\program files\Install_AIM.exe

2005-07-19 11:00 2,077,424 a------- c:\program files\WindowsXP-KB894391-x86-ENU.exe

2009-07-06 13:59 26,624 a--sh--- c:\windows\system32\bufezika.dll

2009-07-06 14:00 51,712 a--sh--- c:\windows\system32\gehufidu.dll

2009-07-06 14:00 51,712 a--sh--- c:\windows\system32\guhiziho.dll

2009-07-06 14:00 37,888 a--sh--- c:\windows\system32\jafasatu.dll

2009-07-06 14:00 50,176 a--sh--- c:\windows\system32\jodilose.dll

2009-07-06 13:59 1,050,147 a--sh--- c:\windows\system32\mawaboga.exe

2009-07-06 14:00 88,576 a--sh--- c:\windows\system32\niwogepi.dll

2009-07-06 14:00 51,712 a--sh--- c:\windows\system32\patafudi.dll

2009-07-06 14:00 50,176 a--sh--- c:\windows\system32\rafomife.dll

2009-07-06 14:00 50,176 a--sh--- c:\windows\system32\sagujele.dll

2009-07-06 14:00 51,712 a--sh--- c:\windows\system32\vopepimi.dll

2008-03-15 14:00 237,595 a--sh--- c:\windows\system32\ybeeg.ini2

2008-08-18 19:01 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081820080819\index.dat

============= FINISH: 21:24:57.54 ===============

#############################################################

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/10/06 21:31

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xF7FC3000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF8ADE000 Size: 8192 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xF753B000 Size: 49152 File Visible: No Signed: -

Status: -

Hidden/Locked Files

-------------------

Path: c:\windows\ntbtlog.txt

Status: Size mismatch (API: 337046, Raw: 336922)

==EOF==

Attach.zip

[extremeboy]

Hello.

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page on instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.

If Combofix does not run. Try re-naming it to something else BEFORE saving it on your desktop. If that doesn't work either, let me know and we'll try something else to resolve that.

With Regards,

Extremeboy

[rougjedi]

I was able to run ComboFix without having to rename it. After running ComboFix I was able to successfully install, update, and scan using Malwarebytes. I have included the log files from both of these scans below. I also removed all of the malware that Malwarebytes found on the scan, I just did that after saving the logfile so it says that no action was taken.

ComboFix 09-10-06.04 - Adam Scharf 10/07/2009 18:41.1.2 - NTFSx86 NETWORK

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.351 [GMT -5:00]

Running from: c:\documents and settings\Adam Scharf\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\desktop.ini

c:\documents and settings\Adam Scharf\Local Settings\Temporary Internet Files\fbk.sts

c:\program files\Common

c:\windows\Downloaded Program Files\popcaploader.inf

c:\windows\run.log

c:\windows\system32\bszip.dll

c:\windows\system32\bufezika.dll

c:\windows\system32\gehufidu.dll

c:\windows\system32\gudosaho.dll

c:\windows\system32\jafasatu.dll

c:\windows\system32\niwogepi.dll

c:\windows\system32\vopepimi.dll

c:\windows\system32\waduzaga.dll

c:\windows\system32\wutizipi.dll

c:\windows\system32\ybeeg.ini

c:\windows\system32\ybeeg.ini2

c:\windows\Tasks\htpxamoq.job

.

((((((((((((((((((((((((( Files Created from 2009-09-07 to 2009-10-07 )))))))))))))))))))))))))))))))

.

No new files created in this timespan

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\system32\mswsock.dll ... is infected !!

c:\windows\system32\drivers\tcpip.sys ... is infected !!

------- Sigcheck -------

Cryptography Services Error !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PackersScreenServerSvc"="c:\program files\PackersScreenServer\PackersScreenServer.exe" [2008-09-25 6003511]

"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-09-29 700416]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-28 17:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32"=

"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Dtella@Purdue\\dtella.exe"=

"c:\\Program Files\\ApexDC++\\ApexDC.exe"=

"c:\\Program Files\\DC++\\DCPlusPlus.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"60000:TCP"= 60000:TCP:DC Gate TCP Port

"60000:UDP"= 60000:UDP:DC Gate UDP Port

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/16/2008 8:59 PM 108552]

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/16/2008 8:58 PM 335240]

S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [8/16/2008 8:58 PM 908056]

S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/16/2008 8:58 PM 297752]

S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/6/2007 10:04 PM 24652]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [8/26/2006 5:09 PM 17149]

S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [2/2/2007 8:56 PM 50048]

.

Contents of the 'Scheduled Tasks' folder

2009-10-02 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]

2005-07-15 c:\windows\Tasks\ISP signup reminder 1.job

- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz

uInternet Settings,ProxyOverride = localhost

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com

IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html

IE: &Search

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

Trusted Zone: doginhispen.com

Trusted Zone: whataboutadog.com

Trusted Zone: musicmatch.com\online

TCP: {21C903F1-41E3-4F4C-BEB3-5E1309E710B2} = 64.186.63.132,64.141.177.150

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

FF - ProfilePath -

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)

AddRemove-Age of Empires - e:\program files\Microsoft Games\Age of Empires\Uninstal.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-07 18:48

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.EXE'(660)

c:\progra~1\WINDOW~2\wmpband.dll

c:\docume~1\ADAMSC~1\LOCALS~1\Temp\catchme.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: ~,10time:~,-3machine was rebootedCombobatch-by

ComboFix-quarantined-files.txt 2009-10-07 23:51

Pre-Run: 10,125,328,384 bytes free

Post-Run: 9,852,858,368 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

147 --- E O F --- 2009-03-23 03:43

###########################################################

Malwarebytes' Anti-Malware 1.41

Database version: 2922

Windows 5.1.2600 Service Pack 3 (Safe Mode)

10/7/2009 7:41:55 PM

mbam-log-2009-10-07 (19-41-48).txt

Scan type: Full Scan (C:\|D:\|E:\|)

Objects scanned: 194008

Time elapsed: 43 minute(s), 13 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 4

Registry Data Items Infected: 1

Folders Infected: 2

Files Infected: 10

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fonavoned (Trojan.Vundo.H) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\55342423 (Rogue.Multiple.H) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\83495534 (Rogue.Multiple.H) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rasefosiwo (Trojan.Agent) -> No action taken.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:

C:\Documents and Settings\All Users\Application Data\55342423 (Rogue.Multiple.H) -> No action taken.

C:\Documents and Settings\All Users\Application Data\83495534 (Rogue.Multiple.H) -> No action taken.

Files Infected:

C:\Documents and Settings\All Users\Application Data\55342423\55342423.bat (Rogue.Multiple.H) -> No action taken.

C:\Documents and Settings\All Users\Application Data\55342423\55342423.exe (Rogue.Multiple.H) -> No action taken.

C:\Documents and Settings\All Users\Application Data\83495534\83495534.bat (Rogue.Multiple.H) -> No action taken.

C:\Documents and Settings\All Users\Application Data\83495534\83495534.exe (Rogue.Multiple.H) -> No action taken.

C:\i386\GTDownDE_87.ocx (Adware.Gdown) -> No action taken.

C:\WINDOWS\system32\badusuke.exe (Rogue.SecurityTool) -> No action taken.

C:\WINDOWS\system32\mawaboga.exe (Rogue.SecurityTool) -> No action taken.

C:\Documents and Settings\Adam Scharf\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> No action taken.

C:\WINDOWS\system32\beludafa.dll (Trojan.Vundo) -> No action taken.

C:\WINDOWS\system32\guhiziho.dll (Trojan.Vundo) -> No action taken.

[rougjedi]

I updated Malwarebytes again today and performed another full system scan and had the following logfile (again I saved the logfile before removing the infected files):

Malwarebytes' Anti-Malware 1.41

Database version: 2926

Windows 5.1.2600 Service Pack 3 (Safe Mode)

10/8/2009 5:55:48 PM

mbam-log-2009-10-08 (17-55-45).txt

Scan type: Full Scan (C:\|D:\|E:\|)

Objects scanned: 194432

Time elapsed: 42 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0103955.exe (Rogue.SecurityTool) -> No action taken.

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0103957.exe (Rogue.SecurityTool) -> No action taken.

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0103958.ocx (Adware.Gdown) -> No action taken.

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0103959.exe (Rogue.SecurityTool) -> No action taken.

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0103960.exe (Rogue.SecurityTool) -> No action taken.

[extremeboy]

Hello.

Please re-run Combofix. Post the new log once done.

Thanks.

~Extremeboy

[rougjedi]

I re-ran ComboFix and Malwarebytes again, and the logs are below (Malwarebytes items were removed):

ComboFix 09-10-06.04 - Adam Scharf 10/08/2009 18:21.2.2 - NTFSx86 NETWORK

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.326 [GMT -5:00]

Running from: c:\documents and settings\Adam Scharf\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\famizula.dll

c:\windows\system32\hejitavo.dll

c:\windows\system32\mukewaha.dll

.

((((((((((((((((((((((((( Files Created from 2009-09-08 to 2009-10-08 )))))))))))))))))))))))))))))))

.

2009-10-08 23:09 . 2009-10-08 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\08418425

2009-10-07 00:45 . 2009-10-07 00:45 -------- d-----w- c:\program files\Trend Micro

2009-10-06 23:47 . 2009-10-06 23:47 -------- d-----w- C:\ARK

2009-10-05 21:12 . 2009-10-05 21:12 -------- d-----w- c:\documents and settings\Adam Scharf\Application Data\BitZipper

2009-10-05 21:12 . 2009-10-05 21:12 -------- d-----w- c:\program files\BitZipper

2009-09-11 02:00 . 2009-09-11 02:00 -------- d-----w- c:\program files\Microsoft Silverlight

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-07 23:49 . 2006-01-20 20:07 -------- d-----w- c:\documents and settings\Adam Scharf\Application Data\PackersScreenServer

2009-08-28 17:42 . 2008-08-17 01:59 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-28 17:42 . 2008-08-17 01:58 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-28 17:42 . 2008-08-17 01:58 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-23 18:09 . 2008-08-21 21:52 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-07-25 10:23 . 2009-01-12 19:06 411368 ----a-w- c:\windows\system32\deploytk.dll

2005-07-28 18:51 . 2005-07-28 18:51 2944958 ------w- c:\program files\Skittles_Hunt_For_Grievous.EXE

2005-07-21 01:29 . 2005-07-21 01:29 6250584 ----a-w- c:\program files\Install_AIM.exe

2005-07-19 16:00 . 2005-07-19 15:58 2077424 ----a-w- c:\program files\WindowsXP-KB894391-x86-ENU.exe

2008-08-16 21:42 . 2008-08-16 21:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll

2008-08-16 21:42 . 2008-08-16 21:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll

2008-08-16 21:42 . 2008-08-16 21:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll

2008-08-16 21:42 . 2008-08-16 21:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll

2008-08-16 21:43 . 2008-08-16 21:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll

2008-08-16 21:42 . 2008-08-16 21:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll

2008-08-16 21:42 . 2008-08-16 21:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll

2008-05-21 12:41 . 2008-05-21 12:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll

2008-05-21 12:41 . 2008-05-21 12:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll

2008-05-21 12:41 . 2008-05-21 12:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll

2008-06-05 17:58 . 2008-06-05 17:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll

2008-08-16 21:42 . 2008-08-16 21:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll

2009-07-07 14:51 . 2009-07-07 14:51 88576 --sha-w- c:\windows\system32\bilayuje.dll

2009-07-06 18:59 . 2009-07-06 18:59 50176 --sha-w- c:\windows\system32\dimoburi.dll.tmp

2009-07-06 18:59 . 2009-07-06 18:59 50176 --sha-w- c:\windows\system32\dowuvedo.dll.tmp

2009-07-08 23:09 . 2009-07-08 23:09 51712 --sha-w- c:\windows\system32\fakuriyo.dll

2009-07-08 23:09 . 2009-07-08 23:09 83968 --sha-w- c:\windows\system32\juguteto.dll

2009-07-08 23:09 . 2009-07-08 23:09 61440 --sha-w- c:\windows\system32\kowajovu.dll

2009-07-06 18:59 . 2009-07-06 18:59 50176 --sha-w- c:\windows\system32\lipulone.dll.tmp

2009-07-08 23:10 . 2009-07-08 23:10 51712 --sha-w- c:\windows\system32\numosiko.dll

2009-07-06 19:00 . 2009-07-06 19:00 51712 --sha-w- c:\windows\system32\patafudi.dll

2009-07-07 14:51 . 2009-07-07 14:51 51712 --sha-w- c:\windows\system32\piseraho.dll

2009-07-08 23:09 . 2009-07-08 23:09 1050147 --sha-w- c:\windows\system32\yivilaje.exe

.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2005-07-09 00:10 . 2004-10-15 00:42 1404928 c:\program files\Analog Devices\Core\bak\smax4pnp.exe

2004-07-27 21:50 . 2004-07-27 21:50 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe

2004-07-27 21:50 . 2004-07-27 21:50 221184 c:\program files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe

2006-04-03 19:28 . 2006-04-03 19:28 180269 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

2006-05-09 05:10 . 2004-12-02 22:23 102400 c:\program files\Creative\MediaSource\Detector\bak\CTDetect.exe

2005-07-09 00:28 . 2005-02-23 21:19 53248 c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe

2007-03-15 15:09 . 2007-03-15 15:09 460784 c:\program files\DellSupport\bak\DSAgnt.exe

2006-10-07 12:20 . 2006-10-07 12:20 6266880 c:\program files\Grisoft\AVG Anti-Spyware 7.5\bak\avgas.exe

2006-03-19 21:44 . 2007-09-14 15:48 421888 c:\program files\Grisoft\AVG Free\bak\avgcc.exe

2007-03-14 23:05 . 2007-03-14 23:05 257088 c:\program files\iTunes\bak\iTunesHelper.exe

2008-03-30 14:36 . 2008-03-30 14:36 267048 c:\program files\iTunes\iTunesHelper.exe

2003-11-19 22:48 . 2003-11-19 22:48 32881 c:\program files\Java\j2re1.4.2_03\bin\bak\jusched.exe

2007-02-19 20:46 . 2007-02-19 20:46 67128 c:\program files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe

2003-07-01 01:56 . 2003-07-01 01:56 188416 c:\program files\Logitech\Video\bak\ISStart.exe

2003-07-01 02:00 . 2003-07-01 02:00 65536 c:\program files\Logitech\Video\bak\LogiTray.exe

2007-02-12 21:21 . 2007-02-12 21:21 734624 c:\program files\Microsoft Xbox 360 Accessories\bak\XboxStat.exe

2005-08-04 17:33 . 2006-01-19 15:06 11776 c:\program files\MUSICMATCH\Musicmatch Jukebox\bak\mimboot.exe

2007-07-29 18:12 . 2006-11-16 16:42 183367 c:\program files\Plaxo\2.12.1.1\bak\PlaxoHelper.exe

2007-01-20 07:09 . 2007-01-20 07:09 200704 c:\program files\PowerISO\bak\PWRISOVM.EXE

2007-02-16 14:54 . 2007-02-16 14:54 282624 c:\program files\QuickTime\bak\qttask.exe

2008-05-27 14:50 . 2008-05-27 14:50 413696 c:\program files\QuickTime\QTTask.exe

2005-07-09 00:10 . 2005-09-20 14:32 77824 c:\windows\system32\bak\hkcmd.exe

2005-09-20 14:36 . 2005-09-20 14:36 114688 c:\windows\system32\bak\igfxpers.exe

2005-07-09 00:10 . 2005-09-20 14:35 94208 c:\windows\system32\bak\igfxtray.exe

2005-07-09 00:36 . 2005-05-31 09:33 122941 c:\windows\system32\dla\bak\tfswctrl.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{632b28d4-765e-4296-81b3-07759d9d5d7c}]

2009-07-08 23:10 51712 --sha-w- c:\windows\system32\numosiko.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PackersScreenServerSvc"="c:\program files\PackersScreenServer\PackersScreenServer.exe" [2008-09-25 6003511]

"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-09-29 700416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-05 2023704]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [N/A]

"08418425"="c:\documents and settings\All Users\Application Data\08418425\08418425.exe" [2009-10-08 1050147]

"fonavoned"="c:\windows\system32\mukewaha.dll" [N/A]

"rasefosiwo"="hejitavo.dll" [N/A]

c:\documents and settings\Adam Scharf\Start Menu\Programs\Startup\

PowerReg Scheduler.exe [2008-2-16 256000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2007-1-7 57344]

NETGEAR WG111T Smart Wizard.lnk - c:\program files\NETGEAR\WG111T\wlan111t.exe [2008-12-4 884840]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-28 17:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Dtella@Purdue\\dtella.exe"=

"c:\\Program Files\\ApexDC++\\ApexDC.exe"=

"c:\\Program Files\\DC++\\DCPlusPlus.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AcroRd32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"60000:TCP"= 60000:TCP:DC Gate TCP Port

"60000:UDP"= 60000:UDP:DC Gate UDP Port

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/16/2008 8:59 PM 108552]

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/16/2008 8:58 PM 335240]

S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [8/16/2008 8:58 PM 908056]

S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/16/2008 8:58 PM 297752]

S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/6/2007 10:04 PM 24652]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [8/26/2006 5:09 PM 17149]

S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]

S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [2/2/2007 8:56 PM 50048]

.

Contents of the 'Scheduled Tasks' folder

2009-10-02 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]

2005-07-15 c:\windows\Tasks\ISP signup reminder 1.job

- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz

uInternet Settings,ProxyOverride = localhost

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com

IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html

IE: &Search

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

Trusted Zone: doginhispen.com

Trusted Zone: whataboutadog.com

Trusted Zone: musicmatch.com\online

TCP: {21C903F1-41E3-4F4C-BEB3-5E1309E710B2} = 64.186.63.132,64.141.177.150

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

DPF: {276595D9-1388-512A-F24E-B6B3DE32B732} - hxxp://media.cdigix.com/Performer/downloads/PerformerSetup.cab

DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-yahtzee/zylomplayer.cab

FF - ProfilePath - c:\documents and settings\Adam Scharf\Application Data\Mozilla\Firefox\Profiles\g7w2t0j0.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=

FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true);user_pref(general.useragent.extra.zencast, .

- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{8727dde2-e11e-490b-b9b1-96fecbe0b79d} - c:\windows\system32\niwogepi.dll

SharedTaskScheduler-{5fb28d8a-ac65-4799-8a48-bfcee652c72f} - c:\windows\system32\mukewaha.dll

SSODL-bogejadik-{8727dde2-e11e-490b-b9b1-96fecbe0b79d} - c:\windows\system32\niwogepi.dll

SSODL-yomigusad-{5fb28d8a-ac65-4799-8a48-bfcee652c72f} - c:\windows\system32\mukewaha.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-08 18:30

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Lavasoft\Ad-Aware\aawservice.exe

.

**************************************************************************

.

Completion time: 2009-10-08 18:39 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-08 23:39

ComboFix2.txt 2009-10-07 23:51

Pre-Run: 10,317,164,544 bytes free

Post-Run: 10,294,538,240 bytes free

217 --- E O F --- 2009-03-23 03:43

###########################################################

Malwarebytes' Anti-Malware 1.41

Database version: 2927

Windows 5.1.2600 Service Pack 3 (Safe Mode)

10/8/2009 7:34:26 PM

mbam-log-2009-10-08 (19-34-21).txt

Scan type: Full Scan (C:\|D:\|E:\|)

Objects scanned: 194235

Time elapsed: 43 minute(s), 14 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 3

Registry Data Items Infected: 1

Folders Infected: 1

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fonavoned (Trojan.Vundo.H) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\08418425 (Rogue.Multiple.H) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rasefosiwo (Trojan.Agent) -> No action taken.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:

C:\Documents and Settings\All Users\Application Data\08418425 (Rogue.Multiple.H) -> No action taken.

Files Infected:

C:\Documents and Settings\All Users\Application Data\08418425\08418425.bat (Rogue.Multiple.H) -> No action taken.

C:\Documents and Settings\All Users\Application Data\08418425\08418425.exe (Rogue.Multiple.H) -> No action taken.

C:\WINDOWS\system32\yivilaje.exe (Rogue.SecurityTool) -> No action taken.

C:\WINDOWS\system32\fakuriyo.dll (Trojan.Vundo) -> No action taken.

C:\WINDOWS\system32\kowajovu.dll (Trojan.Vundo) -> No action taken.

[extremeboy]

Hello.

Some of the information CF reports seem to be removed by MBAM but to make sure, please take a new DDS run and post the results and we'll fix anything afterwards.

Getting late here so I need to leave now. We'll check the logs tomorrow.

~EB

[rougjedi]

I've run DDS again, and I have the log results below, as well as the attached file:

DDS (Ver_09-09-29.01) - NTFSx86 NETWORK

Run by Adam Scharf at 22:27:34.84 on Thu 10/08/2009

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.222 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Adam Scharf\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz

uInternet Settings,ProxyOverride = localhost

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com

uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll

mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll

BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: {632b28d4-765e-4296-81b3-07759d9d5d7c} - numosiko.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll

uRun: [PackersScreenServerSvc] "c:\program files\packersscreenserver\PackersScreenServer.exe" /svc

uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\documents and settings\adam scharf\start menu\programs\startup\PowerReg Scheduler.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lumixs~1.lnk - c:\program files\panasonic\lumixsimpleviewer\PhLeAutoRun.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111t\wlan111t.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe

IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html

IE: &Search

IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000

IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

Trusted Zone: doginhispen.com

Trusted Zone: whataboutadog.com

Trusted Zone: musicmatch.com\online

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {276595D9-1388-512A-F24E-B6B3DE32B732} - hxxp://media.cdigix.com/Performer/downloads/PerformerSetup.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll

DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} - hxxp://www.worldwinner.com/games/v45/pool/pool.cab

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab

DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab

DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab

DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab

DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://www.shockwave.com/content/luxor/sis/mjolauncher.cab

DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-yahtzee/zylomplayer.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

TCP: {21C903F1-41E3-4F4C-BEB3-5E1309E710B2} = 64.186.63.132,64.141.177.150

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll

Notify: avgrsstarter - avgrsstx.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\adamsc~1\applic~1\mozilla\firefox\profiles\g7w2t0j0.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=

FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true);user_pref(general.useragent.extra.zencast,

============= SERVICES / DRIVERS ===============

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-8-16 108552]

R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-16 335240]

S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-8-16 27784]

S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-8-16 908056]

S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-8-16 297752]

S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-4-6 24652]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2006-8-26 17149]

S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [2007-2-2 50048]

=============== Created Last 30 ================

2009-10-08 18:42 19,160 a------- c:\windows\system32\drivers\mbam.sys

2009-10-08 18:42 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-08 18:42 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-10-07 18:38 <DIR> a-dshr-- C:\cmdcons

2009-10-07 18:37 229,888 a------- c:\windows\PEV.exe

2009-10-07 18:37 161,792 a------- c:\windows\SWREG.exe

2009-10-07 18:37 98,816 a------- c:\windows\sed.exe

2009-10-06 19:45 <DIR> --d----- c:\program files\Trend Micro

2009-10-06 18:47 <DIR> --d----- C:\ARK

2009-10-05 16:12 <DIR> --d----- c:\docume~1\adamsc~1\applic~1\BitZipper

2009-10-05 16:12 <DIR> --d----- c:\program files\BitZipper

==================== Find3M ====================

2009-08-28 12:42 335,240 a------- c:\windows\system32\drivers\avgldx86.sys

2009-08-28 12:42 11,952 a------- c:\windows\system32\avgrsstx.dll

2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll

2005-07-28 13:51 2,944,958 -------- c:\program files\Skittles_Hunt_For_Grievous.EXE

2005-07-20 20:29 6,250,584 a------- c:\program files\Install_AIM.exe

2005-07-19 11:00 2,077,424 a------- c:\program files\WindowsXP-KB894391-x86-ENU.exe

2009-07-07 09:51 88,576 a--sh--- c:\windows\system32\bilayuje.dll

2009-07-08 18:09 83,968 a--sh--- c:\windows\system32\juguteto.dll

2009-07-08 18:10 51,712 a--sh--- c:\windows\system32\numosiko.dll

2009-07-06 14:00 51,712 a--sh--- c:\windows\system32\patafudi.dll

2009-07-07 09:51 51,712 a--sh--- c:\windows\system32\piseraho.dll

2008-08-18 19:01 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081820080819\index.dat

============= FINISH: 22:28:12.37 ===============

Attach2.zip

[extremeboy]

Run ComboFix with CFScript

We will run ComboFix again. This time it will be slightly different from the initial run.

• Close any open browsers.
  
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  
• Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:

  http://www.malwarebytes.org/forums/index.php?showtopic=26961
  Collect::[68]
  c:\windows\system32\bilayuje.dll
  c:\windows\system32\dimoburi.dll.tmp
  c:\windows\system32\dowuvedo.dll.tmp
  c:\windows\system32\fakuriyo.dll
  c:\windows\system32\juguteto.dll
  c:\windows\system32\kowajovu.dll
  c:\windows\system32\lipulone.dll.tmp
  c:\windows\system32\numosiko.dll
  c:\windows\system32\patafudi.dll
  c:\windows\system32\piseraho.dll
  c:\windows\system32\yivilaje.exe
  c:\windows\system32\bilayuje.dll
  c:\windows\system32\juguteto.dll
  c:\windows\system32\numosiko.dll
  c:\windows\system32\patafudi.dll
  c:\windows\system32\piseraho.dll
  DDS::
  TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} -
  TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
  TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} -
  TB: {A057A204-BACC-4D26-9990-79A187E2698E} -
  Registry::
  [HKEY_LOCAL_MACHINE\software\microsoft\security center]
  "UpdatesDisableNotify"=-
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "fonavoned"=-
  "rasefosiwo"=-
  "08418425"=-
  [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{632b28d4-765e-4296-81b3-07759d9d5d7c}]
  Folder::
  c:\documents and settings\All Users\Application Data\08418425
  C:\program files\Grisoft\AVG Anti-Spyware 7.5
  c:\program files\QuickTime\bak

  Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  
  

• Refering to the picture above, drag CFScript into ComboFix.exe.
  
• When finished, it shall produce a log for you at "C:\ComboFix.txt"
  
• Please post the contents of the Combofix log in your next reply.
  

Upload Samples by ComboFix

When Combofix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.

• Important: Ensure you are connected to the internet before clicking OK on the message box.
  
• A blue-screen would appear auto-uploading the zipped file I requested.
  
• After the uploading is done you should see a message near the bottom saying "Upload was Succesfull".
  

**NOTE**

=================

• IF for some reason Combofix fails to upload anything please do the following:
  
• Go to Start >> My Computer > C:\
  
• Then Navigate to the C:\Qoobox\Quarantine folder.
  
• Find the archive zip file called "[68]-Submit_Date_Time.zip"
  
• Simply go to This Channel and upload the submit.zip archive file to me.
  
• Follow the instructions on that page to copy/paste/send the requested file.
  

Let me know how it goes and if the upload went successfully or not in your next reply.

[extremeboy]

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 from the last day I replied initially, the topic will need to be closed.

Thanks for understanding.

With Regards,

Extremeboy

[rougjedi]

Sorry, I was out of town for a couple of days and was unable to follow your instructions. I've run the CF Script that you gave me and it looked like it was successful in sending the results to the server. I've included the log file below, not sure if you need it or not.

ComboFix 09-10-12.03 - Adam Scharf 10/12/2009 23:04.3.2 - NTFSx86 NETWORK

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.340 [GMT -5:00]

Running from: c:\documents and settings\Adam Scharf\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Adam Scharf\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: c:\windows\system32\bilayuje.dll

file zipped: c:\windows\system32\dimoburi.dll.tmp

file zipped: c:\windows\system32\dowuvedo.dll.tmp

file zipped: c:\windows\system32\juguteto.dll

file zipped: c:\windows\system32\lipulone.dll.tmp

file zipped: c:\windows\system32\numosiko.dll

file zipped: c:\windows\system32\patafudi.dll

file zipped: c:\windows\system32\piseraho.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\Grisoft\AVG Anti-Spyware 7.5

c:\program files\Grisoft\AVG Anti-Spyware 7.5\bak\avgas.exe

c:\program files\QuickTime\bak

c:\program files\QuickTime\bak\qttask.exe

c:\windows\system32\bilayuje.dll

c:\windows\system32\dimoburi.dll.tmp

c:\windows\system32\dowuvedo.dll.tmp

c:\windows\system32\juguteto.dll

c:\windows\system32\lipulone.dll.tmp

c:\windows\system32\numosiko.dll

c:\windows\system32\patafudi.dll

c:\windows\system32\piseraho.dll

.

((((((((((((((((((((((((( Files Created from 2009-09-13 to 2009-10-13 )))))))))))))))))))))))))))))))

.

2009-10-13 03:52 . 2008-04-13 19:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2009-10-08 23:42 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-10-08 23:42 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-08 23:42 . 2009-10-08 23:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-07 00:45 . 2009-10-07 00:45 -------- d-----w- c:\program files\Trend Micro

2009-10-06 23:47 . 2009-10-06 23:47 -------- d-----w- C:\ARK

2009-10-05 21:12 . 2009-10-05 21:12 -------- d-----w- c:\documents and settings\Adam Scharf\Application Data\BitZipper

2009-10-05 21:12 . 2009-10-05 21:12 -------- d-----w- c:\program files\BitZipper

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-07 23:49 . 2006-01-20 20:07 -------- d-----w- c:\documents and settings\Adam Scharf\Application Data\PackersScreenServer

2009-09-11 02:00 . 2009-09-11 02:00 -------- d-----w- c:\program files\Microsoft Silverlight

2009-08-28 17:42 . 2008-08-17 01:59 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-28 17:42 . 2008-08-17 01:58 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-28 17:42 . 2008-08-17 01:58 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-23 18:09 . 2008-08-21 21:52 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-07-25 10:23 . 2009-01-12 19:06 411368 ----a-w- c:\windows\system32\deploytk.dll

2005-07-28 18:51 . 2005-07-28 18:51 2944958 ------w- c:\program files\Skittles_Hunt_For_Grievous.EXE

2005-07-21 01:29 . 2005-07-21 01:29 6250584 ----a-w- c:\program files\Install_AIM.exe

2005-07-19 16:00 . 2005-07-19 15:58 2077424 ----a-w- c:\program files\WindowsXP-KB894391-x86-ENU.exe

2008-08-16 21:42 . 2008-08-16 21:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll

2008-08-16 21:42 . 2008-08-16 21:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll

2008-08-16 21:42 . 2008-08-16 21:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll

2008-08-16 21:42 . 2008-08-16 21:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll

2008-08-16 21:43 . 2008-08-16 21:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll

2008-08-16 21:42 . 2008-08-16 21:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll

2008-08-16 21:42 . 2008-08-16 21:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll

2008-05-21 12:41 . 2008-05-21 12:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll

2008-05-21 12:41 . 2008-05-21 12:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll

2008-05-21 12:41 . 2008-05-21 12:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll

2008-06-05 17:58 . 2008-06-05 17:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll

2008-08-16 21:42 . 2008-08-16 21:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll

.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2005-07-09 00:10 . 2004-10-15 00:42 1404928 c:\program files\Analog Devices\Core\bak\smax4pnp.exe

2004-07-27 21:50 . 2004-07-27 21:50 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe

2004-07-27 21:50 . 2004-07-27 21:50 221184 c:\program files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe

2006-04-03 19:28 . 2006-04-03 19:28 180269 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

2006-05-09 05:10 . 2004-12-02 22:23 102400 c:\program files\Creative\MediaSource\Detector\bak\CTDetect.exe

2005-07-09 00:28 . 2005-02-23 21:19 53248 c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe

2007-03-15 15:09 . 2007-03-15 15:09 460784 c:\program files\DellSupport\bak\DSAgnt.exe

2006-03-19 21:44 . 2007-09-14 15:48 421888 c:\program files\Grisoft\AVG Free\bak\avgcc.exe

2007-03-14 23:05 . 2007-03-14 23:05 257088 c:\program files\iTunes\bak\iTunesHelper.exe

2008-03-30 14:36 . 2008-03-30 14:36 267048 c:\program files\iTunes\iTunesHelper.exe

2003-11-19 22:48 . 2003-11-19 22:48 32881 c:\program files\Java\j2re1.4.2_03\bin\bak\jusched.exe

2007-02-19 20:46 . 2007-02-19 20:46 67128 c:\program files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe

2003-07-01 01:56 . 2003-07-01 01:56 188416 c:\program files\Logitech\Video\bak\ISStart.exe

2003-07-01 02:00 . 2003-07-01 02:00 65536 c:\program files\Logitech\Video\bak\LogiTray.exe

2007-02-12 21:21 . 2007-02-12 21:21 734624 c:\program files\Microsoft Xbox 360 Accessories\bak\XboxStat.exe

2005-08-04 17:33 . 2006-01-19 15:06 11776 c:\program files\MUSICMATCH\Musicmatch Jukebox\bak\mimboot.exe

2007-07-29 18:12 . 2006-11-16 16:42 183367 c:\program files\Plaxo\2.12.1.1\bak\PlaxoHelper.exe

2007-01-20 07:09 . 2007-01-20 07:09 200704 c:\program files\PowerISO\bak\PWRISOVM.EXE

2006-10-07 12:20 . 2006-10-07 12:20 6266880 c:\qoobox\Quarantine\C\Program Files\Grisoft\AVG Anti-Spyware 7.5\bak\avgas.exe.vir

2007-02-16 14:54 . 2007-02-16 14:54 282624 c:\qoobox\Quarantine\C\Program Files\QuickTime\bak\qttask.exe.vir

2005-07-09 00:10 . 2005-09-20 14:32 77824 c:\windows\system32\bak\hkcmd.exe

2005-09-20 14:36 . 2005-09-20 14:36 114688 c:\windows\system32\bak\igfxpers.exe

2005-07-09 00:10 . 2005-09-20 14:35 94208 c:\windows\system32\bak\igfxtray.exe

2005-07-09 00:36 . 2005-05-31 09:33 122941 c:\windows\system32\dla\bak\tfswctrl.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PackersScreenServerSvc"="c:\program files\PackersScreenServer\PackersScreenServer.exe" [2008-09-25 6003511]

"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-09-29 700416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-05 2023704]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\documents and settings\Adam Scharf\Start Menu\Programs\Startup\

PowerReg Scheduler.exe [2008-2-16 256000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2007-1-7 57344]

NETGEAR WG111T Smart Wizard.lnk - c:\program files\NETGEAR\WG111T\wlan111t.exe [2008-12-4 884840]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-28 17:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]

@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Dtella@Purdue\\dtella.exe"=

"c:\\Program Files\\ApexDC++\\ApexDC.exe"=

"c:\\Program Files\\DC++\\DCPlusPlus.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AcroRd32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"60000:TCP"= 60000:TCP:DC Gate TCP Port

"60000:UDP"= 60000:UDP:DC Gate UDP Port

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/16/2008 8:59 PM 108552]

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/16/2008 8:58 PM 335240]

S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [8/16/2008 8:58 PM 908056]

S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/16/2008 8:58 PM 297752]

S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/6/2007 10:04 PM 24652]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [8/26/2006 5:09 PM 17149]

S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [2/2/2007 8:56 PM 50048]

.

Contents of the 'Scheduled Tasks' folder

2009-10-02 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]

2005-07-15 c:\windows\Tasks\ISP signup reminder 1.job

- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz

uInternet Settings,ProxyOverride = localhost

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com

IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html

IE: &Search

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

Trusted Zone: doginhispen.com

Trusted Zone: whataboutadog.com

Trusted Zone: musicmatch.com\online

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

DPF: {276595D9-1388-512A-F24E-B6B3DE32B732} - hxxp://media.cdigix.com/Performer/downloads/PerformerSetup.cab

DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-yahtzee/zylomplayer.cab

FF - ProfilePath - c:\documents and settings\Adam Scharf\Application Data\Mozilla\Firefox\Profiles\g7w2t0j0.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=

FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true);user_pref(general.useragent.extra.zencast, .

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-12 23:11

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2009-10-13 23:16

ComboFix-quarantined-files.txt 2009-10-13 04:16

ComboFix2.txt 2009-10-08 23:39

ComboFix3.txt 2009-10-07 23:51

Pre-Run: 10,273,095,680 bytes free

Post-Run: 10,239,488,000 bytes free

207 --- E O F --- 2009-03-23 03:43

Upload was successful

[extremeboy]

Update and Scan with MalwareBytes Anti-Malware

• Launch Malwarebytes' Anti-Malware
  
• Go to the Update tab
  
• Select Check for Update and let MBAM download and install any available updates.
  
• After the update is complete go to the Scanner tab.
  
• Make sure the "Perform Quick Scan" option is selected.
  
• Then click on the Scan button.
  
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  
• Click OK to close the message box and continue with the removal process.
  
• Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the contents of that report in your next reply and exit MBAM.
  

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Run ESET Online Scan

1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
   ESET OnlineScan
   
2. Click the button.
   
3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
   1. 
      
   2. Click on to download the ESET Smart Installer. Save it to your desktop.
      
   3. Double click on the icon on your desktop.
      
      
   4. Check
      
   5. Click the button.
      
   6. Accept any security warnings from your browser.
      
   7. Check
      
   8. Push the Start button.
      
   9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
      
   10. When the scan completes, push
       
   11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
       
   12. Push the button.
       
   13. Push
       
       You can refer to this animation by neomage if needed.
       Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.
       Thanks.
       With Regards,
       Extremeboy

[rougjedi]

I updated and ran Malwarebytes, which found no infections. I then ran ESET, which found 32 files and removed them. Unfortunately I missed a step and don't have the logfile. I then booted normally (not in safe mode) and ran both scans again, each returning zero infected files. I didn't have any security warnings or pop-ups (so far), and my computer seems to be running ok, possibly a little slowly but that could be my imagination. I've included a DDS log file below, and have attached the attach file.

DDS (Ver_09-09-29.01) - NTFSx86

Run by Adam Scharf at 17:59:09.98 on Wed 10/14/2009

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.163 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\PackersScreenServer\PackersScreenServer.exe

C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe

C:\Program Files\NETGEAR\WG111T\wlan111t.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Documents and Settings\Adam Scharf\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz

uInternet Settings,ProxyOverride = localhost

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com

uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll

mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll

BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll

EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll

uRun: [PackersScreenServerSvc] "c:\program files\packersscreenserver\PackersScreenServer.exe" /svc

uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

StartupFolder: c:\documents and settings\adam scharf\start menu\programs\startup\PowerReg Scheduler.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lumixs~1.lnk - c:\program files\panasonic\lumixsimpleviewer\PhLeAutoRun.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111t\wlan111t.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe

IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html

IE: &Search

IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000

IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

Trusted Zone: doginhispen.com

Trusted Zone: whataboutadog.com

Trusted Zone: musicmatch.com\online

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {276595D9-1388-512A-F24E-B6B3DE32B732} - hxxp://media.cdigix.com/Performer/downloads/PerformerSetup.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll

DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} - hxxp://www.worldwinner.com/games/v45/pool/pool.cab

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab

DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab

DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab

DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab

DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://www.shockwave.com/content/luxor/sis/mjolauncher.cab

DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-yahtzee/zylomplayer.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

TCP: {21C903F1-41E3-4F4C-BEB3-5E1309E710B2} = 64.186.63.132,64.141.177.150

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll

Notify: avgrsstarter - avgrsstx.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\adamsc~1\applic~1\mozilla\firefox\profiles\g7w2t0j0.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=

FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true);user_pref(general.useragent.extra.zencast,

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-16 335240]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-8-16 27784]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-8-16 108552]

R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]

R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-8-16 908056]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-8-16 297752]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-4-6 24652]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2006-8-26 17149]

S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [2007-2-2 50048]

=============== Created Last 30 ================

2009-10-13 23:03 <DIR> --d----- c:\program files\ESET

2009-10-12 22:52 14,592 a------- c:\windows\system32\drivers\kbdhid.sys

2009-10-08 18:42 19,160 a------- c:\windows\system32\drivers\mbam.sys

2009-10-08 18:42 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-08 18:42 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-10-07 18:38 <DIR> a-dshr-- C:\cmdcons

2009-10-07 18:37 236,544 a------- c:\windows\PEV.exe

2009-10-07 18:37 161,792 a------- c:\windows\SWREG.exe

2009-10-07 18:37 98,816 a------- c:\windows\sed.exe

2009-10-06 19:45 <DIR> --d----- c:\program files\Trend Micro

2009-10-06 18:47 <DIR> --d----- C:\ARK

2009-10-05 16:12 <DIR> --d----- c:\docume~1\adamsc~1\applic~1\BitZipper

2009-10-05 16:12 <DIR> --d----- c:\program files\BitZipper

==================== Find3M ====================

2009-08-28 12:42 335,240 a------- c:\windows\system32\drivers\avgldx86.sys

2009-08-28 12:42 11,952 a------- c:\windows\system32\avgrsstx.dll

2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll

2005-07-28 13:51 2,944,958 -------- c:\program files\Skittles_Hunt_For_Grievous.EXE

2005-07-20 20:29 6,250,584 a------- c:\program files\Install_AIM.exe

2005-07-19 11:00 2,077,424 a------- c:\program files\WindowsXP-KB894391-x86-ENU.exe

2008-08-18 19:01 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081820080819\index.dat

============= FINISH: 18:00:07.50 ===============

Attach3.zip

[extremeboy]

Hello.

That looks a lot better.

The eset log file may be found in the c:\program files\ESET folder.

If not do a search for ESET.txt or ESET.log and see if it comes up with any results if not then let me know.

Post the log if it's there.

Take another DDS run for me and post the log file in your next reply please.

With Regards,

Extremeboy

[rougjedi]

I found the ESET log in the folder you mentioned, and I've posted it below, along with another DDS log and attachment.

ESETSmartInstaller@High as downloader log:

all ok

# version=6

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6050

# api_version=3.0.2

# EOSSerial=e5e1c1d48bfb9b4181554fbf8639780a

# end=stopped

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2009-10-14 04:36:48

# local_time=2009-10-13 11:36:48 (-0600, Central Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1026 21 83 97 7403532500000

# scanned=798

# found=0

# cleaned=0

# scan_time=167

ESETSmartInstaller@High as downloader log:

all ok

esets_scanner_update returned -1 esets_gle=53251

# version=6

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6050

# api_version=3.0.2

# EOSSerial=e5e1c1d48bfb9b4181554fbf8639780a

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2009-10-14 06:09:20

# local_time=2009-10-14 01:09:20 (-0600, Central Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1026 21 83 97 7459050937500

# scanned=92465

# found=32

# cleaned=32

# scan_time=5351

C:\Qoobox\Quarantine\[68]-Submit_2009-10-12_23.04.22.zip multiple threats (deleted - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\bufezika.dll.vir a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\famizula.dll.vir a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\gehufidu.dll.vir a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\gudosaho.dll.vir a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\hejitavo.dll.vir a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\jafasatu.dll.vir a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\niwogepi.dll.vir a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\vopepimi.dll.vir a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\waduzaga.dll.vir a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\wutizipi.dll.vir a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\ybeeg.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\ybeeg.ini2.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0103683.dll a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0103684.dll a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0103685.dll a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0103833.dll a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0103834.dll a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0103835.dll a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0103836.dll a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0103837.dll a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0103838.dll a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0103839.dll a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0103840.dll a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0103841.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0103962.dll a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0103963.dll a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0104084.dll a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0104085.dll a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0104166.exe a variant of Win32/Kryptik.AQV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0104167.exe a variant of Win32/Kryptik.AQV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0104168.dll a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

ESETSmartInstaller@High as downloader log:

all ok

ESETSmartInstaller@High as downloader log:

all ok

# version=6

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6050

# api_version=3.0.2

# EOSSerial=e5e1c1d48bfb9b4181554fbf8639780a

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2009-10-14 09:11:40

# local_time=2009-10-14 04:11:40 (-0600, Central Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1026 21 83 97 78192968750

# scanned=92590

# found=0

# cleaned=0

# scan_time=6593

#######################################################################

DDS (Ver_09-09-29.01) - NTFSx86

Run by Adam Scharf at 19:52:19.03 on Thu 10/15/2009

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.295 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\PackersScreenServer\PackersScreenServer.exe

C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe

C:\Program Files\NETGEAR\WG111T\wlan111t.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Adam Scharf\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz

uInternet Settings,ProxyOverride = localhost

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com

uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll

mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll

BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll

EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll

uRun: [PackersScreenServerSvc] "c:\program files\packersscreenserver\PackersScreenServer.exe" /svc

uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

StartupFolder: c:\documents and settings\adam scharf\start menu\programs\startup\PowerReg Scheduler.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lumixs~1.lnk - c:\program files\panasonic\lumixsimpleviewer\PhLeAutoRun.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111t\wlan111t.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe

IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html

IE: &Search

IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000

IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

Trusted Zone: doginhispen.com

Trusted Zone: whataboutadog.com

Trusted Zone: musicmatch.com\online

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {276595D9-1388-512A-F24E-B6B3DE32B732} - hxxp://media.cdigix.com/Performer/downloads/PerformerSetup.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll

DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} - hxxp://www.worldwinner.com/games/v45/pool/pool.cab

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab

DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab

DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab

DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab

DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://www.shockwave.com/content/luxor/sis/mjolauncher.cab

DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-yahtzee/zylomplayer.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

TCP: {21C903F1-41E3-4F4C-BEB3-5E1309E710B2} = 64.186.63.132,64.141.177.150

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll

Notify: avgrsstarter - avgrsstx.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\adamsc~1\applic~1\mozilla\firefox\profiles\g7w2t0j0.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=

FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true);user_pref(general.useragent.extra.zencast,

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-16 335240]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-8-16 27784]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-8-16 108552]

R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]

R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-8-16 908056]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-8-16 297752]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-4-6 24652]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2006-8-26 17149]

S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [2007-2-2 50048]

=============== Created Last 30 ================

2009-10-13 23:03 <DIR> --d----- c:\program files\ESET

2009-10-12 22:52 14,592 a------- c:\windows\system32\drivers\kbdhid.sys

2009-10-08 18:42 19,160 a------- c:\windows\system32\drivers\mbam.sys

2009-10-08 18:42 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-08 18:42 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-10-07 18:38 <DIR> a-dshr-- C:\cmdcons

2009-10-07 18:37 236,544 a------- c:\windows\PEV.exe

2009-10-07 18:37 161,792 a------- c:\windows\SWREG.exe

2009-10-07 18:37 98,816 a------- c:\windows\sed.exe

2009-10-06 19:45 <DIR> --d----- c:\program files\Trend Micro

2009-10-06 18:47 <DIR> --d----- C:\ARK

2009-10-05 16:12 <DIR> --d----- c:\docume~1\adamsc~1\applic~1\BitZipper

2009-10-05 16:12 <DIR> --d----- c:\program files\BitZipper

==================== Find3M ====================

2009-08-28 12:42 335,240 a------- c:\windows\system32\drivers\avgldx86.sys

2009-08-28 12:42 11,952 a------- c:\windows\system32\avgrsstx.dll

2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll

2005-07-28 13:51 2,944,958 -------- c:\program files\Skittles_Hunt_For_Grievous.EXE

2005-07-20 20:29 6,250,584 a------- c:\program files\Install_AIM.exe

2005-07-19 11:00 2,077,424 a------- c:\program files\WindowsXP-KB894391-x86-ENU.exe

2008-08-18 19:01 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081820080819\index.dat

============= FINISH: 19:53:26.35 ===============

Attach4.zip

[extremeboy]

Hello.

That looks fine. We can wrap up.

Please follow/read the steps below to remove the tools we used and for some more information.

Uninstall ComboFix

Remove Combofix now that we're done with it.

• Click on your Start Menu, then Run....
  
• Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
  
  
• You will then recieve a message letting you know that Combofix was uninstalled Successfully.
  

This will remove files/folders assoicated with combofix and uninstall it.

Download and Run OTC

We will now remove the tools we used during this fix using OTC.

• Download OTC by OldTimer and save it to your desktop.
  
• Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  
• Then Click the big button.
  
• You will get a prompt saying "Being Cleanup Process". Please select Yes.
  
• Restart your computer when prompted.
  

System A bit Slow? Try StartupLight

You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance.

If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

Congratulations! You now appear clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:

• So How did I get infected?
  
• Miekies' prevention suggestions
  
• Hardening Windows Security - Part 1 & Part 2.
  

[*]Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a sm

[rougjedi]

Thank you so much for all your help!! I really appreciate it! I think this is all I needed. Again, thank you so much!

[extremeboy]

You're very welcome.

Good luck in the future and stay clean!

~Extremeboy

[extremeboy]

Hello.

Since the problem appears to be resolved, this topic is now Closed. Glad we could help

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter

Everyone else please start a new topic in the Hijackthis-Malware Removal Forum.

With Regards,

Extremeboy