Recurrence of System Tool virus - unsure if system clean

[rickcw]

Hi, a few weeks back I had the Google redirect and System Tool viruses and they were treated and seemed to go away.

Yesterday they reappeared. I'm not sure if it was a new infection or a recurrence of the old one. I ran Malwarebytes and quarantined the files.

After running Malwarebytes, I'm not currently experiencing any problems, but I noticed there are still several suspiciously named hidden files in the SYSTEM32 folder (jokigaju.dll, kawokame.dll, sajifamu.dll, zififine.dll, zomesasu.dll) so I fear I'm still infected. Especially since I thought I was clean before and the problem reappeared.

Below are my Malwarebytes and HijackThis logs. I look forward to any assistance you can offer. Thanks!

Malwarebytes' Anti-Malware 1.41

Database version: 3034

Windows 5.1.2600 Service Pack 3

10/26/2009 2:50:20 AM

mbam-log-2009-10-26 (02-50-19).txt

Scan type: Full Scan (C:\|)

Objects scanned: 260812

Time elapsed: 1 hour(s), 14 minute(s), 39 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 1

Files Infected: 7

Memory Processes Infected:

C:\WINDOWS\system32\iexplore.exe (Backdoor.Bot) -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe logon.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:

C:\Documents and Settings\All Users\Application Data\52324925 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:

C:\Documents and Settings\All Users\Application Data\52324925\52324925.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\gagaviju.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\52324925\52324925.bat (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\scott\Desktop\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.

C:\Documents and Settings\scott\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\iexplore.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\logon.exe (Backdoor.Bot) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:54:49 AM, on 10/26/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=14986&l=dis

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll (file missing)

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.att.net

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O20 - AppInit_DLLs: c:\windows\system32\huzubijo.dll,sajifamu.dll

O21 - SSODL: bukojezuy - {1f820dfb-dc5e-48fc-87fb-1b6f3eb2f0df} - c:\windows\system32\huzubijo.dll (file missing)

O22 - SharedTaskScheduler: kupuhivus - {1f820dfb-dc5e-48fc-87fb-1b6f3eb2f0df} - c:\windows\system32\huzubijo.dll (file missing)

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--

End of file - 5657 bytes

[miekiemoes]

Hi,

I understand that you need help in order to get rid of the malware that is present on your system - But you need to help us first..

I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed!

This is somewhat suicidal in today's digital world.

That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/

This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.

Then reboot.

After reboot, open your Avira and select "reports".

There doubleclick the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThislog.

Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an Antivirusscan is not present which should be able to deal with most and prevent further reinfection.

[rickcw]

Thanks, I installed Avira. I must still be infected with something because I cannot run Windows Update. Automatic Updates keeps setting itself to "Disabled," even if I change it to "Automatic."

Here are my latest Avira & HijackThis logs:

Avira AntiVir Personal

Report file date: Tuesday, October 27, 2009 10:17

Scanning for 1831182 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 3) [5.1.2600]

Boot mode : Normally booted

Username : SYSTEM

Computer name : DIZZYCHICKEN

Version information:

BUILD.DAT : 9.0.0.407 17961 Bytes 7/29/2009 10:34:00

AVSCAN.EXE : 9.0.3.7 466689 Bytes 7/21/2009 19:36:14

AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 16:58:24

LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 17:35:49

LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 16:58:52

ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 18:30:36

ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 15:21:42

ANTIVIR2.VDF : 7.1.6.112 4833792 Bytes 10/15/2009 15:15:49

ANTIVIR3.VDF : 7.1.6.155 434176 Bytes 10/27/2009 15:15:54

Engineversion : 8.2.1.44

AEVDF.DLL : 8.1.1.2 106867 Bytes 10/27/2009 15:16:16

AESCRIPT.DLL : 8.1.2.40 487804 Bytes 10/27/2009 15:16:15

AESCN.DLL : 8.1.2.5 127346 Bytes 10/27/2009 15:16:13

AERDL.DLL : 8.1.3.2 479604 Bytes 10/27/2009 15:16:13

AEPACK.DLL : 8.2.0.2 422263 Bytes 10/27/2009 15:16:10

AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/23/2009 15:59:39

AEHEUR.DLL : 8.1.0.167 2011511 Bytes 10/27/2009 15:16:08

AEHELP.DLL : 8.1.7.0 237940 Bytes 10/27/2009 15:15:59

AEGEN.DLL : 8.1.1.68 364918 Bytes 10/27/2009 15:15:58

AEEMU.DLL : 8.1.1.0 393587 Bytes 10/27/2009 15:15:56

AECORE.DLL : 8.1.8.1 184693 Bytes 10/27/2009 15:15:55

AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 20:32:40

AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 14:47:59

AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 16:32:15

AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 20:34:28

AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 16:32:09

AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 21:05:41

AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 16:37:08

SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 21:03:49

SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 14:21:33

NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 16:32:10

RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 21:39:58

RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 16:19:48

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:,

Process scan........................: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Start of the scan: Tuesday, October 27, 2009 10:17

Starting search for hidden objects.

'124040' objects were checked, '0' hidden objects were found.

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'NicConfigSvc.exe' - '1' Module(s) have been scanned

Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned

Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned

Scan process 'AOLacsd.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'BCMWLTRY.EXE' - '1' Module(s) have been scanned

Scan process 'WLTRYSVC.EXE' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

27 processes with 27 modules were scanned

Starting master boot sector scan:

Master boot sector HD0

[iNFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[iNFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '56' files ).

Starting the file scan:

Begin scan in 'C:\'

C:\pagefile.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\Program Files\Common Files\AOL\1136778107\ee\services\imApp\ver1_3_30\uninst.exe

[DETECTION] Contains recognition pattern of the ADSPY/AdSpy.Gen adware or spyware

Beginning disinfection:

C:\Program Files\Common Files\AOL\1136778107\ee\services\imApp\ver1_3_30\uninst.exe

[DETECTION] Contains recognition pattern of the ADSPY/AdSpy.Gen adware or spyware

[NOTE] The file was moved to '4b502960.qua'!

End of the scan: Tuesday, October 27, 2009 12:08

Used time: 1:50:13 Hour(s)

The scan has been done completely.

10453 Scanned directories

308675 Files were scanned

1 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

1 Files were moved to quarantine

0 Files were renamed

1 Files cannot be scanned

308673 Files not concerned

3509 Archives were scanned

1 Warnings

2 Notes

124040 Objects were scanned with rootkit scan

0 Hidden objects were found

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:02:54 PM, on 10/27/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=14986&l=dis

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common

Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} -

C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: (no name) - {6b707b53-5f78-4714-a9c3-b005dcd83d6c} - yudukoke.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program

Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program

Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program

Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll

(file missing)

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} -

c:\progra~1\mcafee.com\vso\mcvsshl.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google

Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes'

Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [bedazepufo] Rundll32.exe "dunulaju.dll",s

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} -

C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.att.net

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) -

http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) -

http://www.crucial.com/controls/cpcScanner.cab

O20 - AppInit_DLLs: c:\windows\system32\huzubijo.dll

O21 - SSODL: bukojezuy - {1f820dfb-dc5e-48fc-87fb-1b6f3eb2f0df} - c:\windows\system32\huzubijo.dll

(file missing)

O22 - SharedTaskScheduler: kupuhivus - {1f820dfb-dc5e-48fc-87fb-1b6f3eb2f0df} -

c:\windows\system32\huzubijo.dll (file missing)

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program

Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir

Desktop\avguard.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. -

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device

Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google

Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program

Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner -

C:\WINDOWS\System32\wltrysvc.exe

--

End of file - 6340 bytes

[miekiemoes]

Hi,

The current formatting of your log makes it difficult to read, so in notepad:

On top, click Format >uncheck Word Wrap

Then, please update MalwareBytes, because the databaseversion is outdated.

• Start MalwareBytes and click the Update tab. There click "Check for updates"
  
• Once the updates are downloaded, perform a quick scan again.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy&Paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

[rickcw]

Thanks. Here are the latest MBAM & HijackThis logs.

Malwarebytes' Anti-Malware 1.41

Database version: 3043

Windows 5.1.2600 Service Pack 3

10/27/2009 2:25:26 PM

mbam-log-2009-10-27 (14-25-26).txt

Scan type: Quick Scan

Objects scanned: 117567

Time elapsed: 7 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 2

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 6

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\yudukoke.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\dunulaju.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bedazepufo (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\yudukoke.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\dunulaju.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\janapeko.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\jokigaju.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\yidopamo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\yofiyuya.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:27:50 PM, on 10/27/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=14986&l=dis

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: (no name) - {6b707b53-5f78-4714-a9c3-b005dcd83d6c} - yudukoke.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll (file missing)

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [bedazepufo] Rundll32.exe "dunulaju.dll",s

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.att.net

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O20 - AppInit_DLLs: c:\windows\system32\huzubijo.dll

O21 - SSODL: bukojezuy - {1f820dfb-dc5e-48fc-87fb-1b6f3eb2f0df} - c:\windows\system32\huzubijo.dll (file missing)

O22 - SharedTaskScheduler: kupuhivus - {1f820dfb-dc5e-48fc-87fb-1b6f3eb2f0df} - c:\windows\system32\huzubijo.dll (file missing)

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--

End of file - 6561 bytes

[miekiemoes]

Hi,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - {6b707b53-5f78-4714-a9c3-b005dcd83d6c} - yudukoke.dll (file missing)

O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll (file missing)

O4 - HKLM\..\Run: [bedazepufo] Rundll32.exe "dunulaju.dll",s

O20 - AppInit_DLLs: c:\windows\system32\huzubijo.dll

O21 - SSODL: bukojezuy - {1f820dfb-dc5e-48fc-87fb-1b6f3eb2f0df} - c:\windows\system32\huzubijo.dll (file missing)

O22 - SharedTaskScheduler: kupuhivus - {1f820dfb-dc5e-48fc-87fb-1b6f3eb2f0df} - c:\windows\system32\huzubijo.dll (file missing)

* Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer is closed when you click Fix Checked!

Rescan with HijackThis and post the new log in your next reply.

[rickcw]

Thanks, here's the latest log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:23:28 PM, on 10/27/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=14986&l=dis

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: (no name) - {6b707b53-5f78-4714-a9c3-b005dcd83d6c} - yudukoke.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [bedazepufo] Rundll32.exe "dunulaju.dll",s

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.att.net

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--

End of file - 6069 bytes

[miekiemoes]

Hi,

Please check and fix the following entries in HijackThis again:

O2 - BHO: (no name) - {6b707b53-5f78-4714-a9c3-b005dcd83d6c} - yudukoke.dll (file missing)

O4 - HKLM\..\Run: [bedazepufo] Rundll32.exe "dunulaju.dll",s

Then rescan with HijackThis and let me know if those entries are still present there.

[rickcw]

Yes, they are still present even after a couple of attempts to fix them.

[miekiemoes]

Ok,

Something must still be lurking here..

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix..This because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and blocks the tool, or even deletes it. Please visit HERE if you don't know how.

[rickcw]

Here's the combofix log:

ComboFix 09-10-26.06 - scott 10/27/2009 17:02.4.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.698 [GMT -5:00]

Running from: c:\documents and settings\scott\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\windows\system32\dunulaju.dll

c:\windows\system32\kawokame.dll

----- BITS: Possible infected sites -----

hxxp://j+|Cv+@J:NGD_DQ{zGD_DQ{zGD_DQ{zGD_DQ{z+@J:Nj+|Cv033-7B44-A92000000001}

.

((((((((((((((((((((((((( Files Created from 2009-09-27 to 2009-10-27 )))))))))))))))))))))))))))))))

.

2009-10-27 15:12 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-10-27 15:12 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-10-27 15:12 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-10-27 15:12 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-10-27 15:12 . 2009-10-27 15:12 -------- d-----w- c:\program files\Avira

2009-10-27 15:12 . 2009-10-27 15:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-10-27 15:09 . 2009-10-27 15:09 33961728 ----a-w- c:\program files\avira_antivir_personal_en.exe

2009-10-26 19:55 . 2009-10-26 19:56 27386280 ----a-w- c:\program files\AdbeRdr920_en_US.exe

2009-10-17 00:04 . 2009-10-17 00:04 -------- d-sh--w- c:\documents and settings\others\PrivacIE

2009-10-17 00:03 . 2009-10-17 00:03 -------- d-----w- c:\documents and settings\others\Application Data\Malwarebytes

2009-10-14 15:18 . 2009-10-14 18:59 -------- d-----w- C:\548bb66f753ea159e3c5b3c736

2009-10-14 00:26 . 2009-10-14 00:26 3004344 ----a-w- c:\program files\BitTorrent-6.2.exe

2009-10-09 20:49 . 2009-10-09 20:49 -------- d-----w- c:\program files\Trend Micro

2009-10-09 20:30 . 2009-10-09 20:30 -------- d-----w- c:\program files\NEE

2009-10-09 20:26 . 2009-10-09 20:26 -------- d-----w- c:\program files\NEWRANDOM

2009-10-09 19:59 . 2009-10-09 19:59 -------- d-sh--w- c:\documents and settings\others\IETldCache

2009-10-09 06:01 . 2009-10-09 06:01 -------- d-sh--w- c:\documents and settings\scott\PrivacIE

2009-10-06 19:45 . 2009-10-06 19:45 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-10-06 19:41 . 2009-10-06 19:41 -------- d-sh--w- c:\documents and settings\scott\IETldCache

2009-10-06 19:37 . 2009-08-07 08:48 100352 ------w- c:\windows\system32\dllcache\iecompat.dll

2009-10-06 19:36 . 2009-10-06 19:36 -------- d-----w- c:\windows\ie8updates

2009-10-06 19:35 . 2009-08-29 08:08 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2009-10-06 19:35 . 2009-08-29 08:08 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll

2009-10-06 19:35 . 2009-08-29 08:08 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll

2009-10-06 19:35 . 2009-08-29 08:08 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll

2009-10-06 19:35 . 2009-08-29 08:08 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

2009-10-06 19:35 . 2009-08-29 08:08 11069440 ------w- c:\windows\system32\dllcache\ieframe.dll

2009-10-06 19:33 . 2009-10-06 19:35 -------- dc-h--w- c:\windows\ie8

2009-10-06 05:53 . 2009-10-07 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-10-06 05:36 . 2009-10-06 05:36 16409960 ----a-w- c:\program files\spybotsd162.exe

2009-10-01 03:27 . 2009-10-01 03:27 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-10-01 03:27 . 2009-10-01 03:27 343040 ----a-w- c:\windows\system32\dllcache\mspaint.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-26 06:34 . 2009-03-29 15:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-16 23:16 . 2006-01-29 05:44 -------- d-----w- c:\documents and settings\scott\Application Data\AdobeUM

2009-10-14 20:24 . 2007-11-04 01:56 -------- d-----w- c:\program files\Trillian

2009-10-14 00:27 . 2008-03-01 01:47 -------- d-----w- c:\documents and settings\scott\Application Data\BitZipper

2009-10-07 16:23 . 2006-01-14 14:52 -------- d-----w- c:\program files\Lavasoft

2009-10-07 16:20 . 2006-01-14 15:08 -------- d-----w- c:\documents and settings\scott\Application Data\Lavasoft

2009-10-06 19:26 . 2005-12-23 14:47 -------- d-----w- c:\program files\GoogleAFE

2009-10-01 14:56 . 2006-07-12 01:36 -------- d-----w- c:\program files\NINTENDO

2009-09-29 13:49 . 2003-03-31 12:00 138752 ----a-w- c:\windows\system32\sndvol32.exe

2009-09-25 14:02 . 2008-04-14 04:32 -------- d-----w- c:\program files\Common Files\DVDVideoSoft

2009-09-25 14:01 . 2008-04-14 04:31 -------- d-----w- c:\program files\DVDVideoSoft

2009-09-25 14:00 . 2009-09-25 13:56 29271931 ----a-w- c:\program files\FreeStudio.exe

2009-09-11 14:18 . 2004-08-10 18:51 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-10 19:54 . 2009-03-29 15:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 19:53 . 2009-03-29 15:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-04 21:03 . 2004-08-10 18:51 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-08-29 08:08 . 2004-08-10 18:51 916480 ------w- c:\windows\system32\wininet.dll

2009-08-28 03:30 . 2006-01-15 17:26 17144 -c--a-w- c:\documents and settings\scott\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-26 08:00 . 2004-08-10 18:51 247326 ----a-w- c:\windows\system32\strmdll.dll

2009-08-05 09:01 . 2004-08-10 18:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-05 01:44 . 2004-08-10 18:51 2189184 ------w- c:\windows\system32\ntoskrnl.exe

2009-08-04 14:20 . 2004-08-04 04:59 2066048 ------w- c:\windows\system32\ntkrnlpa.exe

2009-06-20 18:11 . 2009-06-20 18:10 1878888 -c--a-w- c:\program files\install_flash_player.exe

2009-04-06 19:55 . 2009-04-06 19:52 118392240 -c--a-w- c:\program files\vegaspro80c-trial_enu.exe

2009-03-17 03:51 . 2009-03-17 03:51 4042648 -c--a-w- c:\program files\DivXCodec.exe

2009-03-17 02:49 . 2009-03-17 02:47 37452296 -c--a-w- c:\program files\Ad-AwareAE2009.exe

2008-11-08 19:16 . 2008-11-08 19:13 67167528 -c--a-w- c:\program files\iTunes801Setup.exe

2008-07-15 00:58 . 2008-07-15 00:58 5406994 -c--a-w- c:\program files\Last.fm-1.5.1.30182.exe

2008-04-14 04:17 . 2008-04-14 04:15 7252235 -c--a-w- c:\program files\FreeVideoToMp3Converter.exe

2008-03-28 21:43 . 2008-03-28 21:43 874448 -c--a-w- c:\program files\BitTorrent-6.0.3.exe

2008-03-01 01:51 . 2008-03-01 01:50 1206366 -c--a-w- c:\program files\winrar371.exe

2008-03-01 01:46 . 2008-03-01 01:46 4986104 -c--a-w- c:\program files\BitZipper503TrialSetup-en-pl-techpro.exe

2008-02-14 03:14 . 2008-02-14 03:12 9733451 -c--a-w- c:\program files\vlc-0.8.6d-win32.exe

2008-01-10 04:57 . 2008-01-10 04:57 4186768 -c--a-w- c:\program files\aim553599.exe

2007-12-31 18:50 . 2007-12-31 18:50 8759168 -c--a-w- c:\program files\winamp551_full_emusic-7plus_en-us.exe

2007-09-04 01:15 . 2007-05-28 23:41 3378248 -c--a-w- c:\program files\LimeWireWin.exe

2007-07-16 11:49 . 2007-07-16 11:48 9679815 -c--a-w- c:\program files\vlc-0.8.6c-win32.exe

2007-05-13 23:23 . 2007-05-13 23:23 3096576 -c--a-w- c:\program files\launchpadremoval.exe

2006-12-06 01:35 . 2006-12-06 01:33 9918872 -c--a-w- c:\program files\WMEncoder.exe

2006-12-06 01:32 . 2006-12-06 01:32 1475376 -c--a-w- c:\program files\GenuineCheck.exe

2006-12-06 01:32 . 2006-12-06 01:32 878384 -c--a-w- c:\program files\WGAPluginInstall.exe

2006-12-06 00:47 . 2006-12-06 00:47 4479257 -c--a-w- c:\program files\allok_movconverter.exe

2006-12-06 00:29 . 2006-12-06 00:28 9429960 -c--a-w- c:\program files\mediaconverter.exe

2006-05-13 16:22 . 2006-05-13 16:22 35640 -c--a-w- c:\program files\VirusScan.zip

2006-05-13 16:14 . 2006-05-13 16:13 22647 -c--a-w- c:\program files\mccleanup.log

2006-05-13 16:13 . 2006-05-13 16:12 295520 -c--a-w- c:\program files\MSKCleanupTool.exe

2006-04-06 23:37 . 2006-04-06 23:36 855893 -c--a-w- c:\program files\FLVplayer_v0.0.4.exe

2006-04-06 23:30 . 2006-04-06 23:27 2871488 -c--a-w- c:\program files\Shockwave_Installer_Slim.exe

2006-04-06 23:19 . 2006-04-06 23:23 1418940 -c--a-w- c:\program files\2004_dynamic_flv_player_v2.3.zip

2006-01-14 14:49 . 2006-01-14 14:48 2855080 -c--a-w- c:\program files\aawsepersonal.exe

2006-01-14 13:26 . 2006-01-14 13:25 5225384 -c--a-w- c:\program files\Firefox Setup 1.5.exe

2003-04-22 14:46 . 2003-04-22 14:46 2719744 -c----w- c:\program files\aiodrv.msi

2003-04-22 14:42 . 2003-04-22 14:42 2588672 -c----w- c:\program files\aiosw.msi

2003-04-22 14:24 . 2003-04-22 14:24 16606 -c--a-w- c:\program files\hpomdl01.dat

2003-04-22 14:23 . 2003-04-22 14:23 267 -c--a-w- c:\program files\readme.html

2003-04-09 22:19 . 2003-04-09 22:19 2848 -c--a-w- c:\program files\hpound08.inf

2003-04-09 22:19 . 2003-04-09 22:19 14157 -c--a-w- c:\program files\hpousc08.inf

2003-04-09 22:00 . 2003-04-09 22:00 2889 -c--a-w- c:\program files\hpousb08.inf

2003-04-09 22:00 . 2003-04-09 22:00 4715 -c--a-w- c:\program files\hpoglu08.inf

2003-03-20 20:20 . 2003-03-20 20:20 22523 -c--a-w- c:\program files\HPZius12.cat

2003-03-20 20:20 . 2003-03-20 20:20 22082 -c--a-w- c:\program files\hpzist12.cat

2003-03-20 20:20 . 2003-03-20 20:20 24728 -c--a-w- c:\program files\HPZipr12.cat

2003-03-20 20:20 . 2003-03-20 20:20 22082 -c--a-w- c:\program files\HPZid412.cat

2003-03-20 20:20 . 2003-03-20 20:20 21641 -c--a-w- c:\program files\HPOunp08.cat

2003-03-20 20:20 . 2003-03-20 20:20 24285 -c--a-w- c:\program files\hposcu08.cat

2003-03-20 20:20 . 2003-03-20 20:20 205503 -c--a-w- c:\program files\hpoprn08.cat

2003-03-10 01:30 . 2003-03-10 01:30 3667 -c--a-w- c:\program files\hpzist12.inf

2003-03-10 01:30 . 2003-03-10 01:30 184320 -c--a-w- c:\program files\hpzscr07.dll

2003-03-10 01:30 . 2003-03-10 01:30 14285 -c--a-w- c:\program files\hpzius12.inf

2003-03-10 01:30 . 2003-03-10 01:30 10325 -c--a-w- c:\program files\hpzipr12.inf

2003-03-10 01:30 . 2003-03-10 01:30 63562 -c--a-w- c:\program files\hposcu08.inf

2003-03-10 01:30 . 2003-03-10 01:30 51266 -c--a-w- c:\program files\hpoprn08.inf

2003-03-10 01:30 . 2003-03-10 01:30 3898 -c--a-w- c:\program files\hpounp08.inf

2003-03-10 01:30 . 2003-03-10 01:30 33952 -c--a-w- c:\program files\hpzid412.inf

2003-03-10 01:30 . 2003-03-10 01:30 274432 -c--a-w- c:\program files\hpzglu07.exe

2003-03-10 01:30 . 2003-03-10 01:30 237568 -c--a-w- c:\program files\hpzc3212.dll

2003-03-10 01:30 . 2003-03-10 01:30 23186 -c--a-w- c:\program files\hpzcin06.ex_

2002-09-09 22:48 . 2002-09-09 22:48 22608 -c--a-w- c:\program files\usbprint.sys

2002-09-09 22:48 . 2002-09-09 22:48 12288 -c--a-w- c:\program files\usbmon.dll

2002-09-09 22:47 . 2002-09-09 22:47 254005 -c--a-w- c:\program files\msvcrt.dll

2002-09-09 22:47 . 2002-09-09 22:47 70656 -c--a-w- c:\program files\msvcirt.dll

2002-09-09 22:47 . 2002-09-09 22:47 55155 -c--a-w- c:\program files\hpzusb00.sy_

2002-09-09 22:47 . 2002-09-09 22:47 5705 -c--a-w- c:\program files\hpzuci02.dl_

2002-09-09 22:47 . 2002-09-09 22:47 25639 -c--a-w- c:\program files\hpzpom04.dl_

2002-09-09 22:47 . 2002-09-09 22:47 212992 -c--a-w- c:\program files\hpzpnp07.dll

2002-09-09 22:46 . 2002-09-09 22:46 49212 -c--a-w- c:\program files\hpzjvp01.dll

2002-09-09 22:46 . 2002-09-09 22:46 249913 -c--a-w- c:\program files\hpzjut01.dll

2002-09-09 22:46 . 2002-09-09 22:46 417849 -c--a-w- c:\program files\hpzjpp01.dll

2002-09-09 22:46 . 2002-09-09 22:46 28722 -c--a-w- c:\program files\hpzjlog.dll

2002-09-09 22:46 . 2002-09-09 22:46 52552 -c--a-w- c:\program files\hpziou01.dl_

2002-09-09 22:46 . 2002-09-09 22:46 46017 -c--a-w- c:\program files\hpzion00.sy_

2002-09-06 14:54 . 2002-09-06 14:54 995383 -c--a-w- c:\program files\MFC42.DLL

2006-01-16 22:30 . 2006-01-15 17:25 56 --sh--r- c:\windows\system32\6DD3891BC4.sys

2006-01-16 22:30 . 2006-01-15 17:25 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk

backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk

backup=c:\windows\pss\NkvMon.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\1136778107\\ee\\aolsoftware.exe"=

"c:\\Program Files\\Common Files\\AOL\\1136778107\\ee\\aim6.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\Trillian\\trillian.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Documents and Settings\\scott\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=

"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=

"c:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/27/2009 10:12 AM 108289]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

.

Contents of the 'Scheduled Tasks' folder

2007-07-12 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 2100 series272A572217594EBCF1CEE215E352B92AD073FDE4175832606.job

- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 21:56]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.ask.com?o=14986&l=dis

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\scott\Application Data\Mozilla\Firefox\Profiles\oiyyc4by.default\

FF - prefs.js: browser.startup.homepage - www.yahoo.com

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

BHO-{6b707b53-5f78-4714-a9c3-b005dcd83d6c} - yudukoke.dll

HKLM-Run-bedazepufo - dunulaju.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-27 17:14

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3880)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\bcmwltry.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

c:\windows\system32\wscntfy.exe

c:\combofix\CF8717.exe

c:\combofix\PEV.cfxxe

.

**************************************************************************

.

Completion time: 2009-10-27 17:27 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-27 22:26

ComboFix2.txt 2009-10-15 03:56

Pre-Run: 433,414,144 bytes free

Post-Run: 561,065,984 bytes free

- - End Of File - - 0FEA6B684509B0E1C2BD2F5FB4A95D9D

[miekiemoes]

Hi,

This looks OK again.

Can you do me a favor please?

Go to this page.

Enter the url of this thread in the first field.

Where it says, browse to the file that you want to submit, click the browse button next to it and browse to next file:

C:\Qoobox\quarantine\c\windows\system32\dunulaju.dll.vir

Select it and click ok:

Then click the Send File button below.

Do the same for the following file:

C:\Qoobox\quarantine\c\windows\system32\kawokame.dll.vir

Let me know once you uploaded them.

[rickcw]

Done, thanks!

[miekiemoes]

Thanks for the files

* Go to start > run and copy and paste next command in the field:

ComboFix /Uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.

[rickcw]

Things seem fine at the moment, thanks.

[miekiemoes]

Glad I could help.

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

[miekiemoes]

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.