
Fake Security Program, Internet Browser Redirecting and Crashing, and Cannot Run Mbam


scarr


Hi,

I've been having malware problems for about two weeks now, and that was when Malwarebytes began to not open, so I would just use Spybot and Avira. Avira never found anything and Spybot did find things (I'll post the log), but I don't think it helped.

Here's what's been going on.

I use Google Chrome, and lately it's been redirecting me to random ad sites when I go on Google and search something. Then, at one point it just began to crash the browser whenever I clicked them! It basically crashes the browser when I try to go on YouTube and watch a video, or when I press the sign-in button to go into my e-mail and things like that. Then the other day, explorer.exe stopped working! My usual wallpaper was on the screen, but no icons, bar, nothing, and so I had to run everything off of Task Manager. But explorer.exe wouldn't run at all. Then today it just randomly began to work again? And all of a sudden this fake antivirus program thing popped up on my screen, and changed my wallpaper into something bright green that says "YOU'RE SYSTEM IS INFECTED!" Whenever I try to open Google Chrome now it gives me a warning message that I cannot, so I'm using Mozilla Firefox, which seems to be working instead.

I would post an MBAM log if I could actually run the program; I've already tried renaming it and everything.

I'll post my Avira log as soon as it's done scanning (it's still going), and I'll post my last Spybot log.

By the way, at the moment, I cannot use task manager.

Thank you!

Avira log:

Avira AntiVir Personal

Report file date: Wednesday, January 13, 2010 19:32

Scanning for 1528331 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 2) [5.1.2600]

Boot mode : Normally booted

Username : SYSTEM

Computer name : ANABEL

Version information:

BUILD.DAT : 9.0.0.418 21723 Bytes 12/2/2009 16:28:00

AVSCAN.EXE : 9.0.3.10 466689 Bytes 12/9/2009 03:21:01

AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 18:58:24

LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 19:35:49

LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 18:58:52

VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 03:21:00

VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 03:21:15

VBASE002.VDF : 7.10.1.1 2048 Bytes 11/19/2009 03:21:15

VBASE003.VDF : 7.10.1.2 2048 Bytes 11/19/2009 03:21:15

VBASE004.VDF : 7.10.1.3 2048 Bytes 11/19/2009 03:21:16

VBASE005.VDF : 7.10.1.4 2048 Bytes 11/19/2009 03:21:16

VBASE006.VDF : 7.10.1.5 2048 Bytes 11/19/2009 03:21:16

VBASE007.VDF : 7.10.1.6 2048 Bytes 11/19/2009 03:21:16

VBASE008.VDF : 7.10.1.7 2048 Bytes 11/19/2009 03:21:16

VBASE009.VDF : 7.10.1.8 2048 Bytes 11/19/2009 03:21:16

VBASE010.VDF : 7.10.1.9 2048 Bytes 11/19/2009 03:21:17

VBASE011.VDF : 7.10.1.10 2048 Bytes 11/19/2009 03:21:17

VBASE012.VDF : 7.10.1.11 2048 Bytes 11/19/2009 03:21:17

VBASE013.VDF : 7.10.1.79 209920 Bytes 11/25/2009 03:19:12

VBASE014.VDF : 7.10.1.128 197632 Bytes 11/30/2009 03:20:04

VBASE015.VDF : 7.10.1.178 195584 Bytes 12/7/2009 03:20:46

VBASE016.VDF : 7.10.1.224 183296 Bytes 12/14/2009 03:21:32

VBASE017.VDF : 7.10.1.247 182272 Bytes 12/15/2009 03:21:41

VBASE018.VDF : 7.10.2.30 198144 Bytes 12/21/2009 03:24:44

VBASE019.VDF : 7.10.2.63 187392 Bytes 12/24/2009 03:24:56

VBASE020.VDF : 7.10.2.93 195072 Bytes 12/29/2009 03:25:07

VBASE021.VDF : 7.10.2.131 201216 Bytes 1/7/2010 03:25:54

VBASE022.VDF : 7.10.2.158 192000 Bytes 1/11/2010 03:25:13

VBASE023.VDF : 7.10.2.159 2048 Bytes 1/11/2010 03:25:13

VBASE024.VDF : 7.10.2.160 2048 Bytes 1/11/2010 03:25:14

VBASE025.VDF : 7.10.2.161 2048 Bytes 1/11/2010 03:25:14

VBASE026.VDF : 7.10.2.162 2048 Bytes 1/11/2010 03:25:14

VBASE027.VDF : 7.10.2.163 2048 Bytes 1/11/2010 03:25:14

VBASE028.VDF : 7.10.2.164 2048 Bytes 1/11/2010 03:25:15

VBASE029.VDF : 7.10.2.165 2048 Bytes 1/11/2010 03:25:15

VBASE030.VDF : 7.10.2.166 2048 Bytes 1/11/2010 03:25:15

VBASE031.VDF : 7.10.2.180 184320 Bytes 1/13/2010 03:25:18

Engineversion : 8.2.1.134

AEVDF.DLL : 8.1.1.2 106867 Bytes 9/16/2009 00:57:12

AESCRIPT.DLL : 8.1.3.7 594296 Bytes 1/5/2010 03:25:52

AESCN.DLL : 8.1.3.0 127348 Bytes 12/11/2009 03:21:15

AESBX.DLL : 8.1.1.1 246132 Bytes 11/20/2009 03:21:28

AERDL.DLL : 8.1.3.4 479605 Bytes 12/1/2009 03:20:06

AEPACK.DLL : 8.2.0.4 422263 Bytes 1/5/2010 03:25:50

AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/23/2009 17:59:39

AEHEUR.DLL : 8.1.0.194 2228599 Bytes 1/9/2010 03:26:16

AEHELP.DLL : 8.1.9.0 237943 Bytes 12/17/2009 03:21:49

AEGEN.DLL : 8.1.1.83 369014 Bytes 1/5/2010 03:25:35

AEEMU.DLL : 8.1.1.0 393587 Bytes 10/3/2009 02:15:57

AECORE.DLL : 8.1.9.1 180598 Bytes 12/11/2009 03:21:14

AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 22:32:40

AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 16:47:59

AVPREF.DLL : 9.0.3.0 44289 Bytes 12/9/2009 03:21:01

AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 22:34:28

AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 18:32:09

AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 23:05:41

AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 18:37:08

SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 23:03:49

SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 16:21:33

NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 18:32:10

RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 23:39:58

RCTEXT.DLL : 9.0.73.0 86785 Bytes 12/9/2009 03:21:01

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:, D:,

Process scan........................: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Start of the scan: Wednesday, January 13, 2010 19:32

Starting search for hidden objects.

'45460' objects were checked, '0' hidden objects were found.

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'rdlD3.tmp.exe' - '1' Module(s) have been scanned

Module is OK -> 'C:\WINDOWS\TEMP\rdlD3.tmp.exe'

[WARNING] The file could not be opened!

Scan process 'smss32.exe' - '1' Module(s) have been scanned

Scan process 'wisptis.exe' - '1' Module(s) have been scanned

Scan process 'AcroRd32.exe' - '1' Module(s) have been scanned

Scan process 'wlcomm.exe' - '1' Module(s) have been scanned

Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned

Scan process 'iTunes.exe' - '1' Module(s) have been scanned

Scan process 'jucheck.exe' - '1' Module(s) have been scanned

Scan process 'iPodService.exe' - '1' Module(s) have been scanned

Scan process 'COCIManager.exe' - '1' Module(s) have been scanned

Scan process 'mcmnhdlr.exe' - '1' Module(s) have been scanned

Scan process 'mcvsftsn.exe' - '1' Module(s) have been scanned

Scan process 'DLG.exe' - '1' Module(s) have been scanned

Scan process 'TeaTimer.exe' - '1' Module(s) have been scanned

Scan process 'MpfAgent.exe' - '1' Module(s) have been scanned

Scan process 'MpfTray.exe' - '1' Module(s) have been scanned

Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned

Scan process 'GoogleDesktopIndex.exe' - '1' Module(s) have been scanned

Scan process 'jusched.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'Quickcam.exe' - '1' Module(s) have been scanned

Scan process 'Communications_Helper.exe' - '1' Module(s) have been scanned

Scan process 'MSKAgent.exe' - '1' Module(s) have been scanned

Scan process 'GoogleDesktop.exe' - '1' Module(s) have been scanned

Scan process 'DLACTRLW.EXE' - '1' Module(s) have been scanned

Scan process 'mcagent.exe' - '1' Module(s) have been scanned

Scan process 'issch.exe' - '1' Module(s) have been scanned

Scan process 'ccApp.exe' - '1' Module(s) have been scanned

Scan process 'DMXLauncher.exe' - '1' Module(s) have been scanned

Scan process 'igfxpers.exe' - '1' Module(s) have been scanned

Scan process 'hkcmd.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'LVComSer.exe' - '1' Module(s) have been scanned

Scan process 'Wacom_Tablet.exe' - '1' Module(s) have been scanned

Scan process 'Wacom_TabletUser.exe' - '1' Module(s) have been scanned

Scan process 'ccEvtMgr.exe' - '1' Module(s) have been scanned

Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned

Scan process 'Wacom_Tablet.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'SeaPort.exe' - '1' Module(s) have been scanned

Scan process 'McVSEscn.exe' - '1' Module(s) have been scanned

Scan process 'mcvsshld.exe' - '1' Module(s) have been scanned

Scan process 'MSKSrvr.exe' - '1' Module(s) have been scanned

Scan process 'MpfService.exe' - '1' Module(s) have been scanned

Scan process 'McTskshd.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'Mcdetect.exe' - '1' Module(s) have been scanned

Scan process 'LVPrcSrv.exe' - '1' Module(s) have been scanned

Scan process 'LVComSer.exe' - '1' Module(s) have been scanned

Scan process 'jqs.exe' - '1' Module(s) have been scanned

Scan process 'gearsec.exe' - '1' Module(s) have been scanned

Scan process 'ccSetMgr.exe' - '1' Module(s) have been scanned

Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned

Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

70 processes with 70 modules were scanned

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Boot sector 'D:\'

[INFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '69' files ).

Starting the file scan:

Begin scan in 'C:\'

C:\hiberfil.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\pagefile.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\Documents and Settings\Anibanani\Local Settings\Temporary Internet Files\Content.IE5\CDWT2VK5\load[1].php

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP152\A0018810.dll

[DETECTION] Is the TR/PCK.Tdss.AA.3466 Trojan

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP154\A0019280.dll

[DETECTION] Is the TR/Fakealert.4577 Trojan

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP155\A0020336.dll

[DETECTION] Is the TR/PCK.Tdss.AA.3415 Trojan

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP155\A0020337.dll

[DETECTION] Is the TR/PCK.Tdss.AA.3467 Trojan

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP155\A0020338.dll

[DETECTION] Is the TR/PCK.Tdss.AA.3338 Trojan

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP155\A0020339.dll

[DETECTION] Is the TR/PCK.Tdss.AA.3448 Trojan

C:\WINDOWS\system32\logon.exe

[WARNING] The file could not be opened!

Begin scan in 'D:\' <Backup>

Beginning disinfection:

C:\Documents and Settings\Anibanani\Local Settings\Temporary Internet Files\Content.IE5\CDWT2VK5\load[1].php

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[NOTE] The file was moved to '4bafa4b8.qua'!

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP152\A0018810.dll

[DETECTION] Is the TR/PCK.Tdss.AA.3466 Trojan

[NOTE] The file was moved to '4b7ea47a.qua'!

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP154\A0019280.dll

[DETECTION] Is the TR/Fakealert.4577 Trojan

[NOTE] The file was moved to '4e974753.qua'!

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP155\A0020336.dll

[DETECTION] Is the TR/PCK.Tdss.AA.3415 Trojan

[NOTE] The file was moved to '4e8ef753.qua'!

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP155\A0020337.dll

[DETECTION] Is the TR/PCK.Tdss.AA.3467 Trojan

[NOTE] The file was moved to '4e8825a3.qua'!

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP155\A0020338.dll

[DETECTION] Is the TR/PCK.Tdss.AA.3338 Trojan

[NOTE] The file was moved to '4e84bd3b.qua'!

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP155\A0020339.dll

[DETECTION] Is the TR/PCK.Tdss.AA.3448 Trojan

[NOTE] The file was moved to '4e8bde6b.qua'!

End of the scan: Wednesday, January 13, 2010 20:57

Used time: 1:22:50 Hour(s)

The scan has been done completely.

10681 Scanned directories

327817 Files were scanned

7 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

7 Files were moved to quarantine

0 Files were renamed

4 Files cannot be scanned

327806 Files not concerned

3753 Archives were scanned

4 Warnings

9 Notes

45460 Objects were scanned with rootkit scan

0 Hidden objects were found

And it seems that Spybot has just crashed, so... I'll have to try again and post that log if you'd like.


Hi scarr, welcome to Malwarebytes :)

Sorry for the delay, we have been very busy.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".

  2. During the download, rename Combofix to Combo-Fix as follows:

(screenshot: CF_download_FF.gif)

(screenshot: CF_download_rename.gif)

  3. It is important that you rename Combofix during the download, but not after.

  4. Please do not rename Combofix to other names, but only to the one indicated.

  5. Close any open browsers.

  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double-click on Combo-Fix.exe & follow the prompts.

  8. When finished, it will produce a report for you.

  9. Please post the "C:\Combo-Fix.txt" for further review.

**Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall**


First I tried to download from the first link to ComboFix. I renamed the file and saved it to my desktop, but when I double-clicked it and pressed Run, it gave me this error: "Some installation files are corrupt. Please download a fresh copy and retry the installation."

So I tried the next link and the same exact thing happened. Afterwards the loading bar for ComboFix doesn't disappear off my screen, but sits there frozen at what looks like 100% loaded.

One thing I noticed, and I don't know if this is the problem or not, but when I save it to my desktop, it is saved as a "binary file", not an "application" like the screenshots show, and there is no option to save it as an application.


I tried it again and this time it worked!

Here is the Combo-Fix log:

ComboFix 10-01-21.01 - Anibanani 01/21/2010 17:30:34.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.637 [GMT -8:00]

Running from: c:\documents and settings\Anibanani\Desktop\Combo-Fix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: McAfee VirusScan *On-access scanning enabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate

c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate\Flags.dtd

c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate\Local.dtd

c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate\swupdate.dll

c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate\UA.dtd

c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate\UAcpt.dtd

c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate\Ui.dtd

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\Anibanani\Application Data\SystemProc

c:\documents and settings\Anibanani\Application Data\SystemProc\lsass.exe

c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}

c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest

c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul

c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf

c:\windows\system32\11478.exe

c:\windows\system32\11942.exe

c:\windows\system32\15724.exe

c:\windows\system32\16827.exe

c:\windows\system32\18467.exe

c:\windows\system32\19169.exe

c:\windows\system32\23281.exe

c:\windows\system32\24464.exe

c:\windows\system32\26500.exe

c:\windows\system32\26962.exe

c:\windows\system32\28145.exe

c:\windows\system32\29358.exe

c:\windows\system32\2995.exe

c:\windows\system32\32391.exe

c:\windows\system32\41.exe

c:\windows\system32\4827.exe

c:\windows\system32\491.exe

c:\windows\system32\5436.exe

c:\windows\system32\5705.exe

c:\windows\system32\6334.exe

c:\windows\system32\9961.exe

c:\windows\system32\bihasivo.dll

c:\windows\system32\dimuzupe.dll

c:\windows\system32\duluguru.dll

c:\windows\system32\helper32.dll

c:\windows\system32\IS15.exe

c:\windows\system32\pedanawe.dll

c:\windows\system32\pufarake.dll

c:\windows\system32\rotiyifa.dll

c:\windows\system32\rumenite.dll

c:\windows\system32\sadogapi.dll

c:\windows\system32\yajosofo.dll

c:\windows\TEMP\logishrd\LVPrcInj03.dll

D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://82.98.235.34

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected

Restored copy from - Kitty ate it :)

.

((((((((((((((((((((((((( Files Created from 2009-12-22 to 2010-01-22 )))))))))))))))))))))))))))))))

.

2010-01-14 03:52 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-14 03:52 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-14 03:52 . 2010-01-14 04:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malwareeeee

2010-01-06 04:37 . 2010-01-06 04:37 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe

2009-12-29 22:19 . 2009-12-29 22:19 1794456 ----a-w- c:\documents and settings\Anibanani\Application Data\Move Networks\MoveMediaPlayerWin_071701000002.exe

2009-12-26 20:07 . 2009-12-26 20:07 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData

2009-12-23 06:03 . 2009-12-23 06:03 -------- d-----w- c:\documents and settings\Anibanani\Application Data\AnvSoft

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-22 01:38 . 2009-08-11 20:49 -------- d-----w- c:\documents and settings\Anibanani\Application Data\WTablet

2010-01-22 01:38 . 2009-08-12 15:51 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet

2010-01-21 23:47 . 2004-08-04 03:59 95360 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-01-21 06:17 . 2009-08-26 05:30 56 --sh--r- c:\windows\system32\A9225F249E.sys

2010-01-21 06:17 . 2009-08-14 03:44 4704 --sha-w- c:\windows\system32\KGyGaAvL.sys

2010-01-20 07:04 . 2009-08-12 04:33 -------- d-----w- c:\program files\PaintToolSAI

2010-01-10 02:35 . 2009-11-27 03:30 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-01-08 06:09 . 2009-10-26 00:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 1

2009-12-30 00:32 . 2009-11-11 02:41 -------- d-----w- c:\documents and settings\Anibanani\Application Data\Move Networks

2009-12-29 22:19 . 2009-11-11 02:41 143976 ----a-w- c:\documents and settings\Anibanani\Application Data\Move Networks\uninstall.exe

2009-12-29 22:19 . 2009-10-15 00:50 5642688 ----a-w- c:\documents and settings\Anibanani\Application Data\Move Networks\plugins\npqmp071701000002.dll

2009-12-25 07:06 . 2009-08-14 03:44 88 --sh--r- c:\windows\system32\9E245F22A9.sys

2009-12-24 18:34 . 2009-10-18 03:25 -------- d-----w- c:\documents and settings\Anibanani\Application Data\vlc

2009-12-22 20:43 . 2009-08-11 05:20 76024 ----a-w- c:\documents and settings\Anibanani\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-12-22 20:36 . 2009-08-12 04:40 -------- d-----w- c:\program files\Common Files\Adobe

2009-12-22 20:34 . 2009-12-22 20:34 -------- d-----w- c:\program files\Adobe Media Player

2009-12-22 20:31 . 2009-12-22 20:31 -------- d-----w- c:\program files\Common Files\Adobe AIR

2009-12-22 20:24 . 2009-12-22 20:24 -------- d-----w- c:\program files\Common Files\Macrovision Shared

2009-12-09 03:21 . 2009-08-11 06:04 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-12-01 00:12 . 2009-12-01 00:12 -------- d-----w- c:\documents and settings\Anibanani\Application Data\dvdcss

2009-11-29 06:31 . 2009-11-29 06:31 62720 ---ha-w- c:\windows\system32\mlfcache.dat

2009-11-11 02:41 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\Anibanani\Application Data\Move Networks\plugins\npqmp071505000011.dll

1601-01-01 00:03 . 1601-01-01 00:03 93184 --sha-w- c:\windows\system32\davuhano.dll

1601-01-01 00:03 . 1601-01-01 00:03 94208 --sha-w- c:\windows\system32\devoresi.dll

1601-01-01 00:03 . 1601-01-01 00:03 39424 --sha-w- c:\windows\system32\gavuzeyi.dll

1601-01-01 00:03 . 1601-01-01 00:03 93696 --sha-w- c:\windows\system32\gazufema.dll

1601-01-01 00:03 . 1601-01-01 00:03 39424 --sha-w- c:\windows\system32\jidiyivi.dll

1601-01-01 00:03 . 1601-01-01 00:03 93696 --sha-w- c:\windows\system32\lebevati.dll

1601-01-01 00:03 . 1601-01-01 00:03 39424 --sha-w- c:\windows\system32\lumeyifi.dll

1601-01-01 00:03 . 1601-01-01 00:03 39424 --sha-w- c:\windows\system32\nepihaka.dll

1601-01-01 00:03 . 1601-01-01 00:03 39424 --sha-w- c:\windows\system32\pevesuze.dll

1601-01-01 00:03 . 1601-01-01 00:03 39424 --sha-w- c:\windows\system32\pinedebe.dll

1601-01-01 00:03 . 1601-01-01 00:03 39424 --sha-w- c:\windows\system32\puzenaze.dll

1601-01-01 00:03 . 1601-01-01 00:03 39424 --sha-w- c:\windows\system32\yazarepi.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\Anibanani\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-08-11 133104]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 94208]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 58992]

"Norton Ghost 10.0"="c:\program files\Norton Ghost\Agent\GhostTray.exe" [2005-12-07 1537696]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 151552]

"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248]

"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-07-02 303104]

"MCUpdateExe"="c:\progra~1\McAfee.com\Agent\McUpdate.exe" [2005-08-26 212992]

"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-07-13 1117184]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-08-17 169984]

"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MSKAgent.exe" [2005-07-12 110592]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-14 149280]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2005-08-10 163840]

"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-08-18 999424]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-16 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Avira\\AntiVir Desktop\\avscan.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:Adobe CSI CS4

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/10/2009 10:04 PM 108289]

R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [8/11/2009 12:49 PM 2789672]

R3 rtl8180;IEEE 802.11b Wireless Cardbus/PCI Adapter;c:\windows\system32\drivers\rtl8180.sys [6/16/2003 10:18 AM 158848]

R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [8/10/2009 9:16 PM 15656]

S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [10/2/2002 7:57 AM 13532]

.

Contents of the 'Scheduled Tasks' folder

2009-12-24 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-01-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4246716827-4108051984-306324000-1006Core.job

- c:\documents and settings\Anibanani\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-11 05:02]

2010-01-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4246716827-4108051984-306324000-1006UA.job

- c:\documents and settings\Anibanani\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-11 05:02]

2010-01-22 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (ANABEL-Anibanani).job

- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2006-08-17 23:18]

.

.

------- Supplementary Scan -------

.

uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mStart Page = hxxp://www.dell.com

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

Trusted Zone: musicmatch.com\online

FF - ProfilePath - c:\documents and settings\Anibanani\Application Data\Mozilla\Firefox\Profiles\ibp2ej2g.default\

FF - plugin: c:\documents and settings\Anibanani\Application Data\Move Networks\plugins\npqmp071505000011.dll

FF - plugin: c:\documents and settings\Anibanani\Application Data\Move Networks\plugins\npqmp071701000002.dll

FF - plugin: c:\documents and settings\Anibanani\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\documents and settings\Anibanani\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

.

- - - - ORPHANS REMOVED - - - -

BHO-{ddcad3c2-4fd1-48df-812e-3b864d5abb19} - sadogapi.dll

HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware 1\mbam.exe

HKLM-Run-vodugopal - c:\windows\system32\rumenite.dll

HKLM-Run-yebafoyivi - dimuzupe.dll

SharedTaskScheduler-{756c631f-6a1d-4189-9e48-3da376b86f9e} - c:\windows\system32\gesanesi.dll

SharedTaskScheduler-{9ddb6613-6181-4376-aa6a-7286a21bfe9b} - c:\windows\system32\ketovige.dll

SharedTaskScheduler-{21532ad7-8a0c-45a0-af93-5547898ce206} - c:\windows\system32\rumenite.dll

SharedTaskScheduler-{7537d627-7cc3-43a8-be9c-efcb2894bd85} - c:\windows\system32\rumenite.dll

SharedTaskScheduler-{4143be51-a8d2-461a-948f-f403c65cf965} - c:\windows\system32\rumenite.dll

SharedTaskScheduler-{a62ee253-d214-4c48-a084-d1327329440d} - c:\windows\system32\rumenite.dll

SharedTaskScheduler-{2bce5713-ae5d-40b3-a007-41f4ad026fa8} - c:\windows\system32\yajosofo.dll

SSODL-mowuhomoz-{a62ee253-d214-4c48-a084-d1327329440d} - c:\windows\system32\rumenite.dll

SSODL-sovegomef-{2bce5713-ae5d-40b3-a007-41f4ad026fa8} - c:\windows\system32\yajosofo.dll

AddRemove-Any Video Converter_is1 - f:\anabelllllllllllllll\Any Video Converter\unins000.exe

AddRemove-PaintToolSAI - c:\documents and settings\Anibanani\My Documents\Downloads\PaintToolSAI\uninst.exe

AddRemove-Springboard_is1 - f:\anabelllllllllllllll\springboard\Springboard\unins000.exe

AddRemove-Wacom Tablet Driver - c:\program files\Tablet\Wacom\Remove.exe

AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-21 17:39

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(10764)

c:\windows\TEMP\logishrd\LVPrcInj01.dll

c:\progra~1\McAfee\SPAMKI~1\mskoeplg.dll

c:\progra~1\mcafee.com\vso\McVSSkt.dll

c:\windows\system32\shdoclc.dll

c:\windows\system32\msi.dll

c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\windows\System32\GEARSec.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

c:\program files\mcafee.com\agent\mcdetect.exe

c:\progra~1\mcafee.com\vso\mcshield.exe

c:\progra~1\mcafee.com\agent\mctskshd.exe

c:\progra~1\McAfee.com\PERSON~1\MpfService.exe

c:\progra~1\McAfee\SPAMKI~1\MSKSrvr.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\windows\system32\wdfmgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\windows\system32\WTablet\Wacom_TabletUser.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\program files\mcafee.com\vso\mcvsshld.exe

c:\program files\Norton Ghost\CfgWiz.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe

c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe

c:\progra~1\mcafee.com\vso\mcvsftsn.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Java\jre6\bin\jucheck.exe

.

**************************************************************************

.

Completion time: 2010-01-21 17:49:58 - machine was rebooted

ComboFix-quarantined-files.txt 2010-01-22 01:49

Pre-Run: 25,641,123,840 bytes free

Post-Run: 25,515,180,032 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 54C2ABBAA5C24DB614CDA5580D054EEE


1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

Rootkit::

c:\windows\system32\A9225F249E.sys

c:\windows\system32\9E245F22A9.sys

c:\windows\system32\davuhano.dll

c:\windows\system32\devoresi.dll

c:\windows\system32\gavuzeyi.dll

c:\windows\system32\gazufema.dll

c:\windows\system32\jidiyivi.dll

c:\windows\system32\lebevati.dll

c:\windows\system32\lumeyifi.dll

c:\windows\system32\nepihaka.dll

c:\windows\system32\pevesuze.dll

c:\windows\system32\pinedebe.dll

c:\windows\system32\puzenaze.dll

c:\windows\system32\yazarepi.dll

Save this as CFScript.txt, in the same location as ComboFix.exe

[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Sorry for taking so long, school left me little time to do anything else but study this week. Thanks for being patient with me!

Here's that log:

ComboFix 10-01-31.01 - Anibanani 01/31/2010 12:09:01.2.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.618 [GMT -8:00]

Running from: c:\documents and settings\Anibanani\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Anibanani\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall Plus *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Fonts\MyriadPro-Regular.otf

c:\windows\TEMP\logishrd\LVPrcInj01.dll

.

((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-31 )))))))))))))))))))))))))))))))

.

2010-01-14 03:52 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-14 03:52 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-14 03:52 . 2010-01-14 04:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malwareeeee

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-31 20:15 . 2009-08-11 20:49 -------- d-----w- c:\documents and settings\Anibanani\Application Data\WTablet

2010-01-31 20:15 . 2009-08-12 15:51 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet

2010-01-31 20:00 . 2009-08-12 04:33 -------- d-----w- c:\program files\PaintToolSAI

2010-01-31 03:44 . 2009-11-27 03:30 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-01-21 23:47 . 2004-08-04 03:59 95360 ------w- c:\windows\system32\drivers\atapi.sys

2010-01-21 06:17 . 2009-08-14 03:44 4704 --sha-w- c:\windows\system32\KGyGaAvL.sys

2010-01-08 06:09 . 2009-10-26 00:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 1

2009-12-30 00:32 . 2009-11-11 02:41 -------- d-----w- c:\documents and settings\Anibanani\Application Data\Move Networks

2009-12-29 22:19 . 2009-11-11 02:41 143976 ----a-w- c:\documents and settings\Anibanani\Application Data\Move Networks\uninstall.exe

2009-12-29 22:19 . 2009-10-15 00:50 5642688 ----a-w- c:\documents and settings\Anibanani\Application Data\Move Networks\plugins\npqmp071701000002.dll

2009-12-29 22:19 . 2009-12-29 22:19 1794456 ----a-w- c:\documents and settings\Anibanani\Application Data\Move Networks\MoveMediaPlayerWin_071701000002.exe

2009-12-24 18:34 . 2009-10-18 03:25 -------- d-----w- c:\documents and settings\Anibanani\Application Data\vlc

2009-12-23 06:03 . 2009-12-23 06:03 -------- d-----w- c:\documents and settings\Anibanani\Application Data\AnvSoft

2009-12-22 20:43 . 2009-08-11 05:20 76024 ----a-w- c:\documents and settings\Anibanani\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-12-22 20:36 . 2009-08-12 04:40 -------- d-----w- c:\program files\Common Files\Adobe

2009-12-22 20:34 . 2009-12-22 20:34 -------- d-----w- c:\program files\Adobe Media Player

2009-12-22 20:31 . 2009-12-22 20:31 -------- d-----w- c:\program files\Common Files\Adobe AIR

2009-12-22 20:24 . 2009-12-22 20:24 -------- d-----w- c:\program files\Common Files\Macrovision Shared

2009-12-09 03:21 . 2009-08-11 06:04 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-11-29 06:31 . 2009-11-29 06:31 62720 ---ha-w- c:\windows\system32\mlfcache.dat

2009-11-11 02:41 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\Anibanani\Application Data\Move Networks\plugins\npqmp071505000011.dll

.

((((((((((((((((((((((((((((( SnapShot@2010-01-22_01.39.21 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-01-31 20:15 . 2010-01-31 20:15 16384 c:\windows\temp\Perflib_Perfdata_21c.dat

+ 2008-10-16 21:09 . 2009-08-07 03:24 44768 c:\windows\system32\wups2.dll

+ 2004-08-10 18:02 . 2009-08-07 03:24 35552 c:\windows\system32\wups.dll

+ 2004-08-10 18:02 . 2009-08-07 03:24 53472 c:\windows\system32\wuauclt.exe

+ 2010-01-22 01:42 . 2009-08-07 03:24 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll

+ 2010-01-22 01:42 . 2009-08-07 03:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll

+ 2004-08-10 18:02 . 2009-08-07 03:24 35552 c:\windows\system32\dllcache\wups.dll

+ 2004-08-10 18:02 . 2009-08-07 03:24 53472 c:\windows\system32\dllcache\wuauclt.exe

+ 2004-08-10 17:50 . 2009-08-07 03:24 96480 c:\windows\system32\dllcache\cdm.dll

+ 2004-08-10 17:50 . 2009-08-07 03:24 96480 c:\windows\system32\cdm.dll

+ 2004-08-10 18:02 . 2009-08-07 03:24 209632 c:\windows\system32\wuweb.dll

+ 2004-08-10 18:02 . 2009-08-07 03:24 327896 c:\windows\system32\wucltui.dll

+ 2004-08-10 18:02 . 2009-08-07 03:23 575704 c:\windows\system32\wuapi.dll

+ 2004-08-10 18:02 . 2009-08-07 03:24 209632 c:\windows\system32\dllcache\wuweb.dll

+ 2004-08-10 18:02 . 2009-08-07 03:24 327896 c:\windows\system32\dllcache\wucltui.dll

+ 2004-08-10 18:02 . 2009-08-07 03:23 575704 c:\windows\system32\dllcache\wuapi.dll

+ 2004-08-10 18:02 . 2009-08-07 03:23 1929952 c:\windows\system32\wuaueng.dll

+ 2004-08-10 18:02 . 2009-08-07 03:23 1929952 c:\windows\system32\dllcache\wuaueng.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\Anibanani\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-08-11 133104]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 94208]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 58992]

"Norton Ghost 10.0"="c:\program files\Norton Ghost\Agent\GhostTray.exe" [2005-12-07 1537696]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 151552]

"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248]

"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-07-02 303104]

"MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2005-08-26 212992]

"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-07-13 1117184]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-08-17 169984]

"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-07-12 110592]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-14 149280]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2005-08-10 163840]

"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-08-18 999424]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware 1\mbam.exe" [bU]

"vodugopal"="c:\windows\system32\yajosofo.dll" [bU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-16 24576]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Avira\\AntiVir Desktop\\avscan.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:Adobe CSI CS4

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/10/2009 10:04 PM 108289]

R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [8/11/2009 12:49 PM 2789672]

R3 rtl8180;IEEE 802.11b Wireless Cardbus/PCI Adapter;c:\windows\system32\drivers\rtl8180.sys [6/16/2003 10:18 AM 158848]

R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [8/10/2009 9:16 PM 15656]

S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [10/2/2002 7:57 AM 13532]

.

Contents of the 'Scheduled Tasks' folder

2009-12-24 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-01-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4246716827-4108051984-306324000-1006Core.job

- c:\documents and settings\Anibanani\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-11 05:02]

2010-01-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4246716827-4108051984-306324000-1006UA.job

- c:\documents and settings\Anibanani\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-11 05:02]

2010-01-31 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (ANABEL-Anibanani).job

- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2006-08-17 23:18]

.

.

------- Supplementary Scan -------

.

uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mDefault_Search_URL = hxxp://www.google.com/ie

mStart Page = hxxp://www.dell.com

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

Trusted Zone: musicmatch.com\online

FF - ProfilePath - c:\documents and settings\Anibanani\Application Data\Mozilla\Firefox\Profiles\ibp2ej2g.default\

FF - plugin: c:\documents and settings\Anibanani\Application Data\Move Networks\plugins\npqmp071505000011.dll

FF - plugin: c:\documents and settings\Anibanani\Application Data\Move Networks\plugins\npqmp071701000002.dll

FF - plugin: c:\documents and settings\Anibanani\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\documents and settings\Anibanani\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-31 12:16

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4584)

c:\windows\TEMP\logishrd\LVPrcInj01.dll

c:\progra~1\McAfee\SPAMKI~1\mskoeplg.dll

c:\progra~1\mcafee.com\vso\McVSSkt.dll

c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\windows\System32\GEARSec.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

c:\program files\mcafee.com\agent\mcdetect.exe

c:\progra~1\mcafee.com\vso\mcshield.exe

c:\progra~1\mcafee.com\agent\mctskshd.exe

c:\progra~1\McAfee.com\PERSON~1\MpfService.exe

c:\progra~1\McAfee\SPAMKI~1\MSKSrvr.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\windows\system32\wdfmgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\windows\system32\WTablet\Wacom_TabletUser.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\program files\mcafee.com\vso\mcvsshld.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe

c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe

c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

c:\program files\mcafee.com\agent\mcagent.exe

c:\progra~1\mcafee.com\vso\mcvsftsn.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Java\jre6\bin\jucheck.exe

.

**************************************************************************

.

Completion time: 2010-01-31 12:21:29 - machine was rebooted

ComboFix-quarantined-files.txt 2010-01-31 20:21

ComboFix2.txt 2010-01-22 01:49

Pre-Run: 25,137,016,832 bytes free

Post-Run: 25,112,100,864 bytes free

- - End Of File - - 1EDD1993090DA29A65F813DA2D3FD373

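As an added illustration (not part of the thread, and not ComboFix's own code), a small Python check that reads a ComboFix "Reg Loading Points" block and scores Run entries the way a helper reads them by eye: a Run value that launches a bare .dll in system32 with a random-looking name and no [date size] stamp, as with "vodugopal"="c:\windows\system32\yajosofo.dll" [bU] in the log above. The weights, the 8-10 lowercase-letter heuristic and the sample lines are constructed for this example.

```python
import ntpath
import re
from typing import Dict, List, Optional

# Constructed sample in the ComboFix "Reg Loading Points" format. The last two
# Run entries copy the shape of the lines in the log above; the others are
# ordinary autostart entries used to show what is *not* flagged.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-08-11 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware 1\mbam.exe" [bU]
"vodugopal"="c:\windows\system32\yajosofo.dll" [bU]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*(?:\[(?P<stamp>[^\]]*)\])?\s*$')
STAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d+$")   # "[date size]" as ComboFix prints it
RANDOM_NAME_RE = re.compile(r"^[a-z]{8,10}$")      # constructed heuristic: vodugopal, yajosofo
SYSTEM32 = r"c:\windows\system32"

# Constructed weights: a Run value that launches a bare .dll is the strongest
# single signal; the others (a legit 8-letter name like igfxtray, or a missing
# stamp on a renamed mbam.exe) only count when they add up.
WEIGHTS = {
    "target is a .dll, not an executable": 2,
    "no [date size] stamp": 1,
    "random-looking value name": 1,
    "random-looking file name in system32": 1,
}
THRESHOLD = 3


def parse_entries(log: str) -> List[Dict[str, Optional[str]]]:
    """Return {key, name, path, stamp} for every "name"="path" line under a registry key."""
    entries, key = [], None
    for line in log.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = ENTRY_RE.match(line)
        if m and key:  # lines such as "EnableFirewall"= 0 (0x0) do not match and are skipped
            entries.append({"key": key, "name": m.group("name"),
                            "path": m.group("path"), "stamp": m.group("stamp")})
    return entries


def score_entry(entry: Dict[str, Optional[str]]) -> Dict[str, object]:
    """Attach the matching reasons, a total score and a flagged verdict to one entry."""
    path = entry["path"].lower()
    stem, ext = ntpath.splitext(ntpath.basename(path))
    reasons = []
    if ext == ".dll":
        reasons.append("target is a .dll, not an executable")
    if not STAMP_RE.match(entry["stamp"] or ""):
        reasons.append("no [date size] stamp")
    if RANDOM_NAME_RE.match(entry["name"]):
        reasons.append("random-looking value name")
    if ntpath.dirname(path) == SYSTEM32 and RANDOM_NAME_RE.match(stem):
        reasons.append("random-looking file name in system32")
    score = sum(WEIGHTS[r] for r in reasons)
    return {**entry, "reasons": reasons, "score": score, "flagged": score >= THRESHOLD}


def flag_autostarts(log: str) -> List[Dict[str, object]]:
    """Score every Run entry in a ComboFix 'Reg Loading Points' block, highest score first."""
    scored = [score_entry(e) for e in parse_entries(log)]
    return sorted(scored, key=lambda e: e["score"], reverse=True)


if __name__ == "__main__":
    for e in flag_autostarts(SAMPLE_LOG):
        mark = "FLAG" if e["flagged"] else "    "
        print(f'{mark} {e["score"]} {e["name"]!r} -> {e["path"]}  {"; ".join(e["reasons"])}')
```

Run against the sample, only the vodugopal/yajosofo.dll entry crosses the threshold; the renamed mbam.exe with its [bU] marker and the legitimately 8-letter igfxtray.exe do not.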

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Rootkit::

c:\windows\system32\drivers\SjyPkt.sys

Driver::

SjyPkt

Save this as CFScript.txt, in the same location as ComboFix.exe

[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Please download Malwarebytes' Anti-Malware

Double-click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Go to the Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.


Here is the ComboFix log:

ComboFix 10-02-07.06 - Anibanani 02/07/2010 15:56:23.3.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.636 [GMT -8:00]

Running from: c:\documents and settings\Anibanani\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Anibanani\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall Plus *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_SJYPKT

-------\Service_SjyPkt

((((((((((((((((((((((((( Files Created from 2010-01-08 to 2010-02-08 )))))))))))))))))))))))))))))))

.

2010-01-14 03:52 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-14 03:52 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-14 03:52 . 2010-01-14 04:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malwareeeee

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-08 02:31 . 2009-08-11 20:49 -------- d-----w- c:\documents and settings\Anibanani\Application Data\WTablet

2010-02-08 02:30 . 2009-08-12 15:51 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet

2010-02-04 02:21 . 2009-08-12 04:33 -------- d-----w- c:\program files\PaintToolSAI

2010-01-31 03:44 . 2009-11-27 03:30 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-01-21 23:47 . 2004-08-04 03:59 95360 ------w- c:\windows\system32\drivers\atapi.sys

2010-01-21 06:17 . 2009-08-14 03:44 4704 --sha-w- c:\windows\system32\KGyGaAvL.sys

2010-01-08 06:09 . 2009-10-26 00:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 1

2009-12-30 00:32 . 2009-11-11 02:41 -------- d-----w- c:\documents and settings\Anibanani\Application Data\Move Networks

2009-12-29 22:19 . 2009-11-11 02:41 143976 ----a-w- c:\documents and settings\Anibanani\Application Data\Move Networks\uninstall.exe

2009-12-29 22:19 . 2009-10-15 00:50 5642688 ----a-w- c:\documents and settings\Anibanani\Application Data\Move Networks\plugins\npqmp071701000002.dll

2009-12-29 22:19 . 2009-12-29 22:19 1794456 ----a-w- c:\documents and settings\Anibanani\Application Data\Move Networks\MoveMediaPlayerWin_071701000002.exe

2009-12-24 18:34 . 2009-10-18 03:25 -------- d-----w- c:\documents and settings\Anibanani\Application Data\vlc

2009-12-23 06:03 . 2009-12-23 06:03 -------- d-----w- c:\documents and settings\Anibanani\Application Data\AnvSoft

2009-12-22 20:43 . 2009-08-11 05:20 76024 ----a-w- c:\documents and settings\Anibanani\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-12-22 20:36 . 2009-08-12 04:40 -------- d-----w- c:\program files\Common Files\Adobe

2009-12-22 20:34 . 2009-12-22 20:34 -------- d-----w- c:\program files\Adobe Media Player

2009-12-22 20:31 . 2009-12-22 20:31 -------- d-----w- c:\program files\Common Files\Adobe AIR

2009-12-22 20:24 . 2009-12-22 20:24 -------- d-----w- c:\program files\Common Files\Macrovision Shared

2009-12-09 03:21 . 2009-08-11 06:04 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-11-29 06:31 . 2009-11-29 06:31 62720 ---ha-w- c:\windows\system32\mlfcache.dat

2009-11-11 02:41 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\Anibanani\Application Data\Move Networks\plugins\npqmp071505000011.dll

.

((((((((((((((((((((((((((((( SnapShot@2010-01-22_01.39.21 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-02-08 02:26 . 2010-02-08 02:26 32768 c:\windows\temp\Temporary Internet Files\Content.IE5\index.dat

+ 2010-02-08 02:30 . 2010-02-08 02:30 16384 c:\windows\temp\Perflib_Perfdata_21c.dat

+ 2010-02-08 02:26 . 2010-02-08 02:26 16384 c:\windows\temp\History\History.IE5\index.dat

+ 2010-02-08 02:26 . 2010-02-08 02:26 16384 c:\windows\temp\Cookies\index.dat

+ 2008-10-16 21:09 . 2009-08-07 03:24 44768 c:\windows\system32\wups2.dll

+ 2004-08-10 18:02 . 2009-08-07 03:24 35552 c:\windows\system32\wups.dll

+ 2004-08-10 18:02 . 2009-08-07 03:24 53472 c:\windows\system32\wuauclt.exe

+ 2010-01-22 01:42 . 2009-08-07 03:24 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll

+ 2010-01-22 01:42 . 2009-08-07 03:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll

+ 2004-08-10 18:02 . 2009-08-07 03:24 35552 c:\windows\system32\dllcache\wups.dll

+ 2004-08-10 18:02 . 2009-08-07 03:24 53472 c:\windows\system32\dllcache\wuauclt.exe

+ 2004-08-10 17:50 . 2009-08-07 03:24 96480 c:\windows\system32\dllcache\cdm.dll

+ 2004-08-10 17:50 . 2009-08-07 03:24 96480 c:\windows\system32\cdm.dll

- 2010-01-22 01:38 . 2008-02-06 01:20 109080 c:\windows\Temp\logishrd\LVPrcInj01.dll

+ 2010-02-08 02:30 . 2008-02-06 01:20 109080 c:\windows\temp\logishrd\LVPrcInj01.dll

+ 2004-08-10 18:02 . 2009-08-07 03:24 209632 c:\windows\system32\wuweb.dll

+ 2004-08-10 18:02 . 2009-08-07 03:24 327896 c:\windows\system32\wucltui.dll

+ 2004-08-10 18:02 . 2009-08-07 03:23 575704 c:\windows\system32\wuapi.dll

+ 2004-08-10 18:02 . 2009-08-07 03:24 209632 c:\windows\system32\dllcache\wuweb.dll

+ 2004-08-10 18:02 . 2009-08-07 03:24 327896 c:\windows\system32\dllcache\wucltui.dll

+ 2004-08-10 18:02 . 2009-08-07 03:23 575704 c:\windows\system32\dllcache\wuapi.dll

+ 2004-08-10 17:51 . 2004-08-04 10:00 502272 c:\windows\system32\dllcache\winlogon.exe

+ 2004-08-10 18:02 . 2009-08-07 03:23 1929952 c:\windows\system32\wuaueng.dll

+ 2004-08-10 18:02 . 2009-08-07 03:23 1929952 c:\windows\system32\dllcache\wuaueng.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\Anibanani\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-08-11 133104]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 94208]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 58992]

"Norton Ghost 10.0"="c:\program files\Norton Ghost\Agent\GhostTray.exe" [2005-12-07 1537696]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 151552]

"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248]

"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-07-02 303104]

"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2005-08-26 212992]

"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-07-13 1117184]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-08-17 169984]

"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-07-12 110592]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-14 149280]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2005-08-10 163840]

"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-08-18 999424]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware 1\mbam.exe" [bU]

"vodugopal"="c:\windows\system32\yajosofo.dll" [bU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-16 24576]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Avira\\AntiVir Desktop\\avscan.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:Adobe CSI CS4

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/10/2009 10:04 PM 108289]

R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [8/11/2009 12:49 PM 2789672]

R3 rtl8180;IEEE 802.11b Wireless Cardbus/PCI Adapter;c:\windows\system32\drivers\rtl8180.sys [6/16/2003 10:18 AM 158848]

R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [8/10/2009 9:16 PM 15656]

.

Contents of the 'Scheduled Tasks' folder

2009-12-24 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-02-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4246716827-4108051984-306324000-1006Core.job

- c:\documents and settings\Anibanani\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-11 05:02]

2010-02-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4246716827-4108051984-306324000-1006UA.job

- c:\documents and settings\Anibanani\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-11 05:02]

2010-02-08 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (ANABEL-Anibanani).job

- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2006-08-17 23:18]

.

.

------- Supplementary Scan -------

.

uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mDefault_Search_URL = hxxp://www.google.com/ie

mStart Page = hxxp://www.dell.com

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

Trusted Zone: musicmatch.com\online

FF - ProfilePath - c:\documents and settings\Anibanani\Application Data\Mozilla\Firefox\Profiles\ibp2ej2g.default\

FF - plugin: c:\documents and settings\Anibanani\Application Data\Move Networks\plugins\npqmp071505000011.dll

FF - plugin: c:\documents and settings\Anibanani\Application Data\Move Networks\plugins\npqmp071701000002.dll

FF - plugin: c:\documents and settings\Anibanani\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\documents and settings\Anibanani\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-02-07 18:31

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(884)

c:\windows\system32\sirenacm.dll

- - - - - - - > 'explorer.exe'(6148)

c:\windows\TEMP\logishrd\LVPrcInj01.dll

c:\progra~1\McAfee\SPAMKI~1\mskoeplg.dll

c:\progra~1\mcafee.com\vso\McVSSkt.dll

c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\windows\System32\GEARSec.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

c:\program files\mcafee.com\agent\mcdetect.exe

c:\progra~1\mcafee.com\vso\mcshield.exe

c:\progra~1\mcafee.com\agent\mctskshd.exe

c:\progra~1\McAfee.com\PERSON~1\MpfService.exe

c:\progra~1\McAfee\SPAMKI~1\MSKSrvr.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\windows\system32\wdfmgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\windows\system32\WTablet\Wacom_TabletUser.exe

c:\program files\mcafee.com\vso\mcvsshld.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe

c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe

c:\progra~1\mcafee.com\vso\mcvsftsn.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Common Files\InstallShield\UpdateService\agent.exe

c:\program files\mcafee.com\agent\mcupdate.exe

.

**************************************************************************

.

Completion time: 2010-02-07 18:36:33 - machine was rebooted

ComboFix-quarantined-files.txt 2010-02-08 02:36

ComboFix2.txt 2010-01-31 20:21

ComboFix3.txt 2010-01-22 01:49

Pre-Run: 25,114,431,488 bytes free

Post-Run: 25,086,189,568 bytes free

- - End Of File - - 6B6E6C1072B71EE185F05980A28398CC

And now the Mbam log:

Malwarebytes' Anti-Malware 1.44

Database version: 3704

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

2/7/2010 6:52:13 PM

mbam-log-2010-02-07 (18-52-13).txt

Scan type: Quick Scan

Objects scanned: 115656

Time elapsed: 7 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vodugopal (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

And now the Kaspersky Report:



Oh sorry about that, faulty copy pasting on my part, oooops.

Here is the Kaspersky Scan:

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Sunday, February 7, 2010

Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Monday, February 08, 2010 02:58:09

Records in database: 3448507

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

E:\

Scan statistics:

Objects scanned: 82712

Threats found: 1

Infected objects found: 21

Suspicious objects found: 0

Scan duration: 02:53:29

File name / Threat / Threats count

C:\Qoobox\Quarantine\C\WINDOWS\system32\davuhano.dll.vir Infected: Packed.Win32.TDSS.aa 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\devoresi.dll.vir Infected: Packed.Win32.TDSS.aa 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\gavuzeyi.dll.vir Infected: Packed.Win32.TDSS.aa 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\gazufema.dll.vir Infected: Packed.Win32.TDSS.aa 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\jidiyivi.dll.vir Infected: Packed.Win32.TDSS.aa 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\lebevati.dll.vir Infected: Packed.Win32.TDSS.aa 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\pedanawe.dll.vir Infected: Packed.Win32.TDSS.aa 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\puzenaze.dll.vir Infected: Packed.Win32.TDSS.aa 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\yajosofo.dll.vir Infected: Packed.Win32.TDSS.aa 1

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP153\A0019207.dll Infected: Packed.Win32.TDSS.aa 1

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP153\A0019208.dll Infected: Packed.Win32.TDSS.aa 1

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP153\A0019209.dll Infected: Packed.Win32.TDSS.aa 1

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP161\A0024183.dll Infected: Packed.Win32.TDSS.aa 1

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP161\A0024188.dll Infected: Packed.Win32.TDSS.aa 1

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0024822.dll Infected: Packed.Win32.TDSS.aa 1

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0024823.dll Infected: Packed.Win32.TDSS.aa 1

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0024824.dll Infected: Packed.Win32.TDSS.aa 1

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0024825.dll Infected: Packed.Win32.TDSS.aa 1

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0024826.dll Infected: Packed.Win32.TDSS.aa 1

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0024827.dll Infected: Packed.Win32.TDSS.aa 1

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP170\A0024832.dll Infected: Packed.Win32.TDSS.aa 1

Selected area has been scanned.


  • 3 weeks later...

Sorry, not sure how I missed this:

Download TFC by OldTimer to your desktop

  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
