
Unable to run or reinstall Malware & random pop-ups



It began with random pop-ups on the computer. I went to run Malwarebytes to clean it out and was told it could not find the executable. I tried running an uninstall and reinstall. Upon reinstall, I get the following message:

"Unable to execute file mbam.exe

CreateProcess failed; code 2

The system cannot find the file specified."

Then I tried to run one of the randomly named executables and got this error:

"Error code: 730 (0,0)"

I ran some different scanners based on some recommendations in the forums. I have attached those logs.

Any help you can offer would be greatly appreciated!

Thanks!

Steve

OTL.txt

OTL logfile created on: 2/27/2010 3:12:18 PM - Run 1

OTL by OldTimer - Version 3.1.30.3 Folder = C:\Documents and Settings\HP_Administrator\Desktop

Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 72.00% Memory free

4.00 Gb Paging File | 3.00 Gb Available in Paging File | 88.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 270.61 Gb Total Space | 245.49 Gb Free Space | 90.72% Space Free | Partition Type: NTFS

Drive D: | 8.83 Gb Total Space | 0.55 Gb Free Space | 6.19% Space Free | Partition Type: FAT32

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Drive J: | 7.52 Gb Total Space | 6.37 Gb Free Space | 84.72% Space Free | Partition Type: FAT32

Computer Name: YOUR-4DACD0EA75

Current User Name: HP_Administrator

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\HP_Administrator\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

PRC - C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe (Intuit Inc.)

PRC - C:\Program Files\LogMeIn\x86\ramaint.exe (LogMeIn, Inc.)

PRC - C:\Program Files\LogMeIn\x86\LMIGuardian.exe (LogMeIn, Inc.)

PRC - C:\Program Files\AVG\AVG8\avgrsx.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Program Files\AVG\AVG8\avgnsx.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)

PRC - C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)

PRC - C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc.)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe (Yahoo! Inc.)

PRC - C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)

PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)

PRC - C:\Program Files\Common Files\LightScribe\LSSrvc.exe (Hewlett-Packard Company)

PRC - C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)

PRC - C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe (Sonic Solutions)

PRC - C:\WINDOWS\arservice.exe (Microsoft)

PRC - C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd.exe (Hewlett-Packard)

========== Modules (SafeList) ==========

MOD - C:\WINDOWS\system32\pabuzili.dll ()

MOD - C:\WINDOWS\system32\vihokaso.dll ()

MOD - C:\Documents and Settings\HP_Administrator\Desktop\OTL.exe (OldTimer Tools)

MOD - C:\WINDOWS\AppPatch\aclayers.dll (Microsoft Corporation)

MOD - C:\WINDOWS\system32\shimeng.dll (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (IntuitUpdateService) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe (Intuit Inc.)

SRV - (LMIMaint) -- C:\Program Files\LogMeIn\x86\RaMaint.exe (LogMeIn, Inc.)

SRV - (getPlusHelper) getPlus

Edited by Maurice Naggar
Placing log reports In-Line

Hello Thundergod76,

Did you get guided expert help in running Combofix? If yes, where then?

IF you are self-medicating, please STOP running any tools on your own.

Combofix is not meant to be run without trained expert help. Please advise me if you are getting help elsewhere.

This is your EXTRAS.txt log

OTL Extras logfile created on: 2/27/2010 3:12:18 PM - Run 1

OTL by OldTimer - Version 3.1.30.3 Folder = C:\Documents and Settings\HP_Administrator\Desktop

Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 72.00% Memory free

4.00 Gb Paging File | 3.00 Gb Available in Paging File | 88.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 270.61 Gb Total Space | 245.49 Gb Free Space | 90.72% Space Free | Partition Type: NTFS

Drive D: | 8.83 Gb Total Space | 0.55 Gb Free Space | 6.19% Space Free | Partition Type: FAT32

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Drive J: | 7.52 Gb Total Space | 6.37 Gb Free Space | 84.72% Space Free | Partition Type: FAT32

Computer Name: YOUR-4DACD0EA75

Current User Name: HP_Administrator

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)

htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)

http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)

https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)

CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"UpdatesDisableNotify" = 1

"AntiVirusOverride" = 0

"FirewallOverride" = 0

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

"C:\Program Files\DISC\DISCover.exe" = C:\Program Files\DISC\DISCover.exe:*:Enabled:DISCover Drop & Play System -- (Digital Interactive Systems Corporation)

"C:\Program Files\DISC\DiscStreamHub.exe" = C:\Program Files\DISC\DiscStreamHub.exe:*:Enabled:DISCover Stream Hub -- (Digital Interactive Systems Corporation, Inc.)

"C:\Program Files\DISC\myFTP.exe" = C:\Program Files\DISC\myFTP.exe:*:Enabled:DISCover FTP -- (Digital Interactive Systems Corporation, Inc.)

"C:\Program Files\Laplink\PCmover\PCmover.exe" = C:\Program Files\Laplink\PCmover\PCmover.exe:*:Disabled:PCmover -- (Laplink Software Inc.)

"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)

"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server -- (Yahoo! Inc.)

"C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe" = C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- (Intuit, Inc.)

"C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- (Intuit, Inc.)

"C:\Program Files\Messenger\msmsgs.exe" = C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger -- (Microsoft Corporation)

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

"C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- (Intuit, Inc.)

"C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- (Intuit, Inc.)

"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)

"C:\Program Files\AVG\AVG8\avgnsx.exe" = C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)

"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)

"C:\WINDOWS\ehome\ehtray.exe" = C:\WINDOWS\ehome\ehtray.exe:*:Enabled:ehtray -- (Microsoft Corporation)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic RecordNow Data

"{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}" = Symantec KB-DocID:2003093015493306

"{0A65A3BD-54B5-4d0d-B084-7688507813F5}" = SlideShow

"{1341D838-719C-4A05-B50F-49420CA1B4BB}" = HP Boot Optimizer

"{15C0AF59-4877-49B6-B8C6-A61CE54515F5}" = cp_OnlineProjectsConfig

"{15EE79F4-4ED1-4267-9B0F-351009325D7D}" = HP Software Update

"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate

"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Sonic MyDVD Plus

"{23012310-3E05-46A5-88A9-C6CBCABCAC79}" = Customer Experience Enhancement

"{2376813B-2E5A-4641-B7B3-A0D5ADB55229}" = HPPhotoSmartExpress

"{2818095F-FB6C-42C8-827E-0A406CC9AFF5}" = Quicken 2006

"{2AEABBDC-89E6-4AE2-BF99-DA6D188D6F7C}" = LightScribe 1.4.113.1

"{2E7595EC-4FB1-4E29-93D4-9083C8A9B107}" = TurboTax ItsDeductible 2005

"{2F58D60D-2BFD-4467-9B4D-64E7355C329D}" = Sonic_PrimoSDK

"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager

"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6

"{33BF0960-DBA3-4187-B6CC-C969FCFA2D25}" = SkinsHP1

"{34F93E31-E1A0-421C-8E86-BCF7C4193A91}" = LogMeIn

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{36495C59-089C-49D1-BD15-9E5BD86DC9A1}" = ItsDeductible Express

"{36D620AD-EEBA-4973-BA86-0C9AE6396620}" = OptionalContentQFolder

"{3881DB80-EAA2-012B-ADAE-000000000000}" = TurboTax 2009 WinPerFedFormset

"{38975F50-EAA2-012B-ADB4-000000000000}" = TurboTax 2009 WinPerReleaseEngine

"{38A34630-EAA2-012B-ADB6-000000000000}" = TurboTax 2009 WinPerTaxSupport

"{38D097C0-EAA2-012B-ADC2-000000000000}" = TurboTax 2009 wksiper

"{3C5A81D0-EAA2-012B-AE9F-000000000000}" = TurboTax 2009 wrapper

"{3E908702-AF35-4611-9518-955DA24B7E07}" = Microsoft XML Parser and SDK

"{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}" = Microsoft Works

"{41E776A5-9B12-416D-9A12-B4F7B044EBED}" = CP_Package_Basic1

"{45B8A76B-57EC-4242-B019-066400CD8428}" = BufferChm

"{45D707E9-F3C4-11D9-A373-0050BAE317E1}" = HP DVD Play 2.1

"{492E1D84-D7BF-4FA2-A26A-30AFC89EF547}" = Tiger Woods PGA TOUR 2003

"{53EE9E42-CECB-4C92-BF76-9CA65DAF8F1C}" = FullDPAppQFolder

"{5FDD0538-C67A-4F67-B3F8-09D1AAF04D99}" = muvee autoProducer unPlugged 2.0

"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Sonic Express Labeler

"{6696D9A4-28A8-4F5A-8E9A-2E8974C8C39C}" = RandMap

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{766273C1-A39B-47EB-ACE8-DEBDD8094BCC}" = overland

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX

"{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}" = AnswerWorks 4.0 Runtime - English

"{8105684D-8CA6-440D-8F58-7E5FD67A499D}" = Easy Internet Sign-up

"{82081779-4175-4666-A457-AB711CD37EF0}" = cp_LightScribeConfig

"{829DAAD6-BB11-4BB7-921B-07FFB703F944}" = CP_Package_Variety3

"{82E55892-6FFD-403F-AA97-D726846768AA}" = CP_AtenaShokunin1Config

"{866A0078-DEA7-4348-9C9A-999AF2991EAA}" = SlideShowMusic

"{8A534F71-3202-4464-A422-B767295E67B9}" = CP_Package_Variety2

"{8CDC6712-AF80-459E-911F-F1E156CB0AB0}" = hp deskjet 5600

"{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}" = Unload

"{90200409-6000-11D3-8CFE-0050048383C9}" = System Files Update

"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage

"{93E5A317-24EC-4744-812C-16FECFE86E6A}" = CP_Package_Variety1

"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting

"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = iSEEK AnswerWorks English Runtime

"{A29800BA-0BF1-4E63-9F31-DF05A87F4104}" = InstantShareDevices

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder

"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic RecordNow Audio

"{ABEB838C-A1A7-4C5D-B7E1-8B4314600816}" = MSN Messenger 7.0

"{AC76BA86-7AD7-1033-7B44-A00000000001}" = Adobe Reader 6.0.1

"{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0

"{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}" = TurboTax ItsDeductible 2006

"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic RecordNow Copy

"{B2157760-AA3C-4E2E-BFE6-D20BC52495D9}" = cp_PosterPrintConfig

"{B376402D-58EA-45EA-BD50-DD924EB67A70}" = HP Memories Disc

"{B6286A44-7505-471A-A72B-04EC2DB2F442}" = CueTour

"{B69CFE29-FD03-4E0A-87A7-6ED97F98E5B3}" = CP_Panorama1Config

"{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}" = HP Software Update

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{C1C6767D-B395-43CB-BF99-051B58B86DA6}" = PhotoGallery

"{C3FAA091-B278-44A7-BF48-190811C5F9F7}" = cp_UpdateProjectsConfig

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CBF3C503-946E-45EA-B347-EACC41781989}" = W Photo Studio

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{DAAD5187-62C5-4AD6-A526-803C18C4944D}" = HP Web Helper

"{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp

"{E0828692-FD9D-459F-9312-C645C3CA6650}" = HP Photo and Imaging 2.0 - Deskjet Series

"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager

"{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}" = WexTech AnswerWorks

"{ED2C557E-9C18-41FF-B58E-A05EEF0B3B5F}" = CP_CalendarTemplates1

"{EF1989B2-F482-49D3-BB19-7C81E3EAAB39}" = PCmover

"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver

"{F80239D8-7811-4D5E-B033-0D0BBFE32920}" = HP DigitalMedia Archive

"{FB15E224-67C3-491F-9F5C-F257BC418412}" = Destinations

"{FB4740B3-2530-452D-A825-F7AB246CA7DF}" = muvee autoProducer 5.0

"12133444-BF36-4d4e-B7FB-A3424C645DE4" = GemMaster Mystic

"840315" = Windows 98 Q840315 Update

"888113" = Windows 98 Q888113 Update

"890175" = Windows 98 Q890175 Update

"891711" = Windows 98 KB891711 Update

"896358" = Windows 98 KB896358 Update

"908519" = Windows 98 KB908519 Update

"918547" = Windows 98 KB918547 Update

"Ace Utilities_is1" = Ace Utilities

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"Adobe Shockwave Player" = Adobe Shockwave Player 11.5

"American Conquest - Divided Nation" = American Conquest - Divided Nation

"AVG8Uninstall" = AVG Free 8.5

"AwayMode160" = Microsoft Away Mode

"B3EE3001-DC24-4cd1-8743-5692C716659F" = Otto

"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1" = Data Fax SoftModem with SmartCP

"DISCover" = DISCover

"EESInst 99" = Encarta Encyclopedia 99

"hp deskjet 5600 series_Driver" = hp deskjet 5600 series

"HP Imaging Device Functions" = HP Imaging Device Functions 7.0

"HP Photo & Imaging" = HP Photosmart Premier Software 6.5

"HP Photosmart for Media Center PC" = HP Photosmart for Media Center PC

"hp print screen utility" = hp print screen utility

"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs

"ie7" = Windows Internet Explorer 7

"Install WeatherBug" = Remove WeatherBug Installer

"InstallShield_{23012310-3E05-46A5-88A9-C6CBCABCAC79}" = Customer Experience Enhancement

"InstallShield_{8105684D-8CA6-440D-8F58-7E5FD67A499D}" = Easy Internet Sign-up

"InstallShield_{EF1989B2-F482-49D3-BB19-7C81E3EAAB39}" = PCmover

"Macromedia Shockwave Player" = Macromedia Shockwave Player

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Microsoft Windows Critical Update Notification" = Microsoft Windows Critical Update Notification

"Money2006b" = Microsoft Money 2006

"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP

"MSNINST" = MSN

"Netscape Browser" = Netscape Browser (remove only)

"Netscape Navigator (9.0.0.5)" = Netscape Navigator (9.0.0.5)

"Network Play System (Patching)" = Network Play System (Patching)

"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs

"NV4Tweak" = NVIDIA Display Properties Extension

"NVIDIA Drivers" = NVIDIA Drivers

"OLYMPUS CAMEDIA Master 1.2" = OLYMPUS CAMEDIA Master 1.2

"PC-Doctor 5 for Windows" = PC-Doctor 5 for Windows

"PokerStars.net" = PokerStars.net

"QuickTime" = QuickTime

"QuickTime32" = QuickTime for Windows (32-bit)

"RealPlayer 6.0" = RealPlayer

"Rhapsody" = Rhapsody

"Rockwell HCF 56K Modem" = Rockwell HCF 56K Modem

"Rockwell PCI Audio" = Riptide PCI Audio

"TurboTax 2009" = TurboTax 2009

"TurboTax Deluxe 2004" = TurboTax Deluxe 2004

"TurboTax Deluxe 2005" = TurboTax Deluxe 2005

"TurboTax Deluxe 2007" = TurboTax Deluxe 2007

"TurboTax Deluxe Deduction Maximizer 2006" = TurboTax Deluxe Deduction Maximizer 2006

"ViewpointMediaPlayer" = Viewpoint Media Player

"WildTangent CDA" = WildTangent Web Driver

"WildTangent hpmedia Master Uninstall" = My HP Games

"Windows Media Format Runtime" = Windows Media Format 11 runtime

"Windows Media Player" = Windows Media Player 11

"Windows XP Service Pack" = Windows XP Service Pack 3

"WinRAR archiver" = WinRAR archiver

"WinZip" = WinZip

"WMFDist11" = Windows Media Format 11 runtime

"wmp11" = Windows Media Player 11

"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

"Yahoo! Companion" = Yahoo! Toolbar

"Yahoo! Customizations" = Yahoo! Browser Services

"Yahoo! Internet Mail" = Yahoo! Internet Mail

"Yahoo! Messenger" = Yahoo! Messenger

"Yahoo! Toolbar" = Yahoo! Toolbar

"YInstHelper" = Yahoo! Install Manager

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"ESPN Java Check" = ESPN Java Check

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 2/27/2010 4:13:32 PM | Computer Name = YOUR-4DACD0EA75 | Source = Userenv | ID = 1041

Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE} and it will not be loaded. This is most likely caused by a faulty registration.

Error - 2/27/2010 4:13:32 PM | Computer Name = YOUR-4DACD0EA75 | Source = Userenv | ID = 1041

Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} and it will not be loaded. This is most likely caused by a faulty registration.

Error - 2/27/2010 4:13:32 PM | Computer Name = YOUR-4DACD0EA75 | Source = Userenv | ID = 1041

Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE} and it will not be loaded. This is most likely caused by a faulty registration.

Error - 2/27/2010 4:13:32 PM | Computer Name = YOUR-4DACD0EA75 | Source = Userenv | ID = 1041

Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} and it will not be loaded. This is most likely caused by a faulty registration.

Error - 2/27/2010 4:25:34 PM | Computer Name = YOUR-4DACD0EA75 | Source = crypt32 | ID = 131083

Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: An internal certificate chaining error has occurred.

Error - 2/27/2010 4:25:34 PM | Computer Name = YOUR-4DACD0EA75 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The server name or address could not be resolved

Error - 2/27/2010 4:29:38 PM | Computer Name = YOUR-4DACD0EA75 | Source = Userenv | ID = 1041

Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE} and it will not be loaded. This is most likely caused by a faulty registration.

Error - 2/27/2010 4:29:38 PM | Computer Name = YOUR-4DACD0EA75 | Source = Userenv | ID = 1041

Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} and it will not be loaded. This is most likely caused by a faulty registration.

Error - 2/27/2010 4:29:38 PM | Computer Name = YOUR-4DACD0EA75 | Source = Userenv | ID = 1041

Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE} and it will not be loaded. This is most likely caused by a faulty registration.

Error - 2/27/2010 4:29:38 PM | Computer Name = YOUR-4DACD0EA75 | Source = Userenv | ID = 1041

Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} and it will not be loaded. This is most likely caused by a faulty registration.

[ System Events ]

Error - 2/27/2010 4:33:51 PM | Computer Name = YOUR-4DACD0EA75 | Source = DCOM | ID = 10000

Description = Unable to start a DCOM Server: {9FC8AD10-2E1B-45BE-B57A-478803561E1F}. The error: "%2" Happened while starting this command: C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE -Embedding

Error - 2/27/2010 4:41:33 PM | Computer Name = YOUR-4DACD0EA75 | Source = DCOM | ID = 10000

Description = Unable to start a DCOM Server: {9FC8AD10-2E1B-45BE-B57A-478803561E1F}. The error: "%2" Happened while starting this command: C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE -Embedding

Error - 2/27/2010 4:44:45 PM | Computer Name = YOUR-4DACD0EA75 | Source = DCOM | ID = 10000

Description = Unable to start a DCOM Server: {9FC8AD10-2E1B-45BE-B57A-478803561E1F}. The error: "%2" Happened while starting this command: C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE -Embedding

Error - 2/27/2010 4:57:22 PM | Computer Name = YOUR-4DACD0EA75 | Source = DCOM | ID = 10000

Description = Unable to start a DCOM Server: {9FC8AD10-2E1B-45BE-B57A-478803561E1F}. The error: "%2" Happened while starting this command: C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE -Embedding

Error - 2/27/2010 4:57:32 PM | Computer Name = YOUR-4DACD0EA75 | Source = DCOM | ID = 10000

Description = Unable to start a DCOM Server: {9FC8AD10-2E1B-45BE-B57A-478803561E1F}. The error: "%2" Happened while starting this command: C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE -Embedding

Error - 2/27/2010 5:07:15 PM | Computer Name = YOUR-4DACD0EA75 | Source = DCOM | ID = 10000

Description = Unable to start a DCOM Server: {9FC8AD10-2E1B-45BE-B57A-478803561E1F}. The error: "%2" Happened while starting this command: C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE -Embedding

Error - 2/27/2010 5:08:52 PM | Computer Name = YOUR-4DACD0EA75 | Source = DCOM | ID = 10000

Description = Unable to start a DCOM Server: {9FC8AD10-2E1B-45BE-B57A-478803561E1F}. The error: "%2" Happened while starting this command: C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE -Embedding

Error - 2/27/2010 5:13:25 PM | Computer Name = YOUR-4DACD0EA75 | Source = DCOM | ID = 10000

Description = Unable to start a DCOM Server: {9FC8AD10-2E1B-45BE-B57A-478803561E1F}. The error: "%2" Happened while starting this command: C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE -Embedding

Error - 2/27/2010 5:13:39 PM | Computer Name = YOUR-4DACD0EA75 | Source = DCOM | ID = 10000

Description = Unable to start a DCOM Server: {9FC8AD10-2E1B-45BE-B57A-478803561E1F}. The error: "%2" Happened while starting this command: C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE -Embedding

Error - 2/27/2010 5:16:20 PM | Computer Name = YOUR-4DACD0EA75 | Source = DCOM | ID = 10000

Description = Unable to start a DCOM Server: {9FC8AD10-2E1B-45BE-B57A-478803561E1F}. The error: "%2" Happened while starting this command: C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE -Embedding

< End of report >


No. The help I had was from a Malwarebytes forum post with the same problem that was incurred on this machine. After reading the response from a Malware person, I followed the instructions there only to the point of getting the initial log. Then I sent the log here, along with the others, as it had been done there. I stopped at that point, because from there it was said that the fix is individual for each situation.

I apologize if I have stepped on toes by going this far. However, my understanding was that it was just running the program to generate the initial log. I appreciate any help that you can offer.


Hello Thundergod76.

You will want to print out or copy these instructions to Notepad for offline reference!


If you are a casual viewer, do NOT try this on your system!

If you are not Thundergod76 and have a similar problem, do NOT post here; start your own topic.

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.


Close any of your open programs while you run these tools.

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

Set Windows to show all files and all folders.

On your Desktop, double click My Computer. From the menu options, select Tools, then Folder Options, then select the VIEW tab and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under Hidden files and folders, choose (select) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Step 3

  • Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in between the **** stars lines **** below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    *****************************************************************
    :OTL
    O2 - BHO: (no name) - {11923b8c-4a08-4c8c-85d8-8346c26613b9} - C:\WINDOWS\System32\vihokaso.dll ()
    O4 - HKLM..\Run: [yobilalir] C:\WINDOWS\System32\pabuzili.DLL ()
    O20 - AppInit_DLLs: (royotago.dll)
    O20 - AppInit_DLLs: (c:\windows\system32\pabuzili.dll) - C:\WINDOWS\system32\pabuzili.dll ()
    O21 - SSODL: hiwubeseh - {906653c4-4756-40ba-857b-acf67cafb257} - C:\WINDOWS\system32\pabuzili.dll ()
    O22 - SharedTaskScheduler: {906653c4-4756-40ba-857b-acf67cafb257} - gahurihor - C:\WINDOWS\system32\pabuzili.dll ()
    :files
    C:\WINDOWS\System32\pabuzili.dll
    C:\WINDOWS\System32\susalade.dll
    C:\WINDOWS\System32\vihokaso.dll
    C:\WINDOWS\System32\pamepusu.dll
    C:\WINDOWS\System32\kulepive.dll
    C:\WINDOWS\System32\royotago.dll
    C:\WINDOWS\System32\levuhopu
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler
    :Commands
    [purity]
    [emptytemp]
    [CREATERESTOREPOINT]
    *****************************************************************
  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.

If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Reply with copy of OTL MovedFiles log

There will be much more to do later.


Maurice,

During the OTL Scan/Fix, I was presented with 3 processing errors. Each had Cancel, Try Again or Continue for the options. I selected Continue as the option for each. After the run, it requested a reboot, which I did. The resulting .log file is as follows:

All processes killed

========== OTL ==========

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11923b8c-4a08-4c8c-85d8-8346c26613b9}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11923b8c-4a08-4c8c-85d8-8346c26613b9}\ deleted successfully.

C:\WINDOWS\system32\vihokaso.dll moved successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\yobilalir not found.

File C:\WINDOWS\System32\pabuzili.DLL not found.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:royotago.dll deleted successfully.

File pInit_DLLs: not found.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\windows\system32\pabuzili.dll deleted successfully.

File C:\WINDOWS\system32\pabuzili.dll not found.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\hiwubeseh deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{906653c4-4756-40ba-857b-acf67cafb257}\ deleted successfully.

File C:\WINDOWS\system32\pabuzili.dll not found.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{906653c4-4756-40ba-857b-acf67cafb257} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{906653c4-4756-40ba-857b-acf67cafb257}\ not found.

File C:\WINDOWS\system32\pabuzili.dll not found.

========== FILES ==========

File\Folder C:\WINDOWS\System32\pabuzili.dll not found.

File\Folder C:\WINDOWS\System32\susalade.dll not found.

File\Folder C:\WINDOWS\System32\vihokaso.dll not found.

C:\WINDOWS\System32\pamepusu.dll moved successfully.

C:\WINDOWS\System32\kulepive.dll moved successfully.

File\Folder C:\WINDOWS\System32\royotago.dll not found.

C:\WINDOWS\System32\levuhopu moved successfully.

C:\RECYCLER\S-1-5-21-661306667-4231697391-4088364140-1007 folder moved successfully.

C:\RECYCLER folder moved successfully.

File\Folder D:\recycler not found.

File\Folder e:\recycler not found.

File\Folder f:\recycler not found.

File\Folder g:\recycler not found.

File\Folder h:\recycler not found.

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32902 bytes

User: HP_Administrator

->Temp folder emptied: 6541864 bytes

->Temporary Internet Files folder emptied: 12274134 bytes

->Java cache emptied: 10886082 bytes

User: LocalService

->Temp folder emptied: 65748 bytes

->Temporary Internet Files folder emptied: 245894 bytes

User: LogMeInRemoteUser

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 664 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 29.00 mb

Restore point Set: OTL Restore Point (64424509440)

OTL by OldTimer - Version 3.1.30.3 log created on 02272010_185052

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

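The OTL fix log posted above has a regular one-outcome-per-line format: registry keys and values are reported "deleted successfully" or "not found", files and folders "moved successfully" or "not found", and the [emptytemp] command reports bytes per folder. As an added example (not OTL's code and not from anyone in this thread), the Python below parses a log in that format and summarises what was removed, what OTL could not find (the entries worth re-checking with the full scan that follows), and how much the temp cleanup reclaimed. SAMPLE_LOG is a constructed, shortened log in the same format; the regexes and function names are my own.

```python
"""Summarise an OTL 'Run Fix' log (added example; not OTL's own code).

Log format, as posted in the thread, one outcome per line:
  "Registry key <key> deleted successfully."          (========== OTL ==========)
  "<path> moved successfully." / "File\\Folder <path> not found."   (FILES)
  "->Temp folder emptied: <n> bytes"                  (COMMANDS, [emptytemp])
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^=+\s*(\w+)\s*=+$")
# Registry keys/values and files/folders that OTL reports as handled or missing.
OUTCOME_RE = re.compile(
    r"^(?:(?:Registry (?:key|value)|File\\Folder|File)\s+)?(?P<target>.+?)"
    r"(?:\s+folder)?\s+(?P<outcome>deleted successfully|moved successfully|not found)\.$"
)
# Byte counts reported by the [emptytemp] command.
BYTES_RE = re.compile(r"(?:emptied|removed):\s+(\d+) bytes$")


def parse_otl_fix_log(text):
    """Return {'results': {section: [(target, outcome), ...]}, 'bytes_cleaned': n}."""
    section = "HEADER"
    results = defaultdict(list)
    bytes_cleaned = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).upper()
            continue
        m = OUTCOME_RE.match(line)
        if m:
            results[section].append((m.group("target"), m.group("outcome")))
            continue
        m = BYTES_RE.search(line)
        if m:
            bytes_cleaned += int(m.group(1))
    return {"results": dict(results), "bytes_cleaned": bytes_cleaned}


def summarize(parsed):
    """Count outcomes across all sections, e.g. {'moved successfully': 3, ...}."""
    counts = defaultdict(int)
    for entries in parsed["results"].values():
        for _target, outcome in entries:
            counts[outcome] += 1
    return dict(counts)


def not_found(parsed):
    """Targets OTL could not find: already gone, or only visible to a deeper scan."""
    return [t for entries in parsed["results"].values()
            for t, outcome in entries if outcome == "not found"]


# Constructed sample in the format of the fix log posted in the thread.
SAMPLE_LOG = r"""All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11923b8c-4a08-4c8c-85d8-8346c26613b9}\ deleted successfully.
C:\WINDOWS\system32\vihokaso.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\yobilalir not found.
File C:\WINDOWS\System32\pabuzili.DLL not found.
========== FILES ==========
File\Folder C:\WINDOWS\System32\pabuzili.dll not found.
C:\WINDOWS\System32\pamepusu.dll moved successfully.
C:\RECYCLER folder moved successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: HP_Administrator
->Temp folder emptied: 6541864 bytes
->Temporary Internet Files folder emptied: 12274134 bytes
%systemroot% .tmp files removed: 0 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 18.00 mb
Restore point Set: OTL Restore Point (64424509440)
"""

if __name__ == "__main__":
    parsed = parse_otl_fix_log(SAMPLE_LOG)
    print(summarize(parsed))
    print("not found:", not_found(parsed))
    print("bytes cleaned:", parsed["bytes_cleaned"])
```

Running it on a real fix log (read the file and pass its contents to parse_otl_fix_log) gives a quick view of whether the fix actually touched anything: a log where every target is "not found" means either the earlier scan's entries were already gone or they are hidden from OTL, which is why a follow-up scan with a different engine is the next step.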

You've done well with the OTL run. That removed some remainders of Vundo infection; those that were visible from prior logs. I'd like for you to do a FULL scan with MBAM, which would be a good investment even if it takes a good bit of runtime. First, make sure you close/exit any user apps you may have started. Let these tools run un-interrupted.

Step 1

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

At -this time- of posting, the current definitions are # 3805 and the latest program version is 1.44

When done, click the Scanner tab.

Do a FULL Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Step 2

Please download and run the Trend Micro Sysclean Package on your computer.

NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.

  • Trend Micro Damage Cleanup Engine
  • Make sure you read this document to understand how to use the program: Trend Micro Sysclean Package README 1st
  • Basically there are 3 parts that need to be downloaded and SAVED from these links:
  • Download Sysclean Package
  • Download Virus Pattern Files that will be a LPTxxx.ZIP file
  • Download Spyware Pattern Files; this is a SSAPIPTNxxx.ZIP. It is the 4th listed file, under the title "Detection and Cleanup (Trend Micro Anti-Spyware)".


Anything in system restore points is NOT active. So no need to be concerned about them.

Later we will flush old restore points.

Let the current scans run & finish and do not use the system to start other tasks.

I should have told you to disable AVG resident shield while running other scans.

Let the other jobs finish and then post the reports.


OK! Both have completed. The following are the resulting logs:

Malwarebytes' Anti-Malware 1.44

Database version: 3806

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

2/28/2010 11:18:30 AM

mbam-log-2010-02-28 (11-18-30).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 284827

Time elapsed: 1 hour(s), 7 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

******************************************

/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2009-2010, Trend Micro, Inc. |

| http://www.trendmicro.com |

\--------------------------------------------------------------/

2010-02-28, 11:16:23, Auto-clean mode specified.

2010-02-28, 11:16:23, Initialized Rootkit Driver version 2.2.0.1004.

2010-02-28, 11:16:23, Running scanner "C:\DCE\TSC.BIN"...

2010-02-28, 11:16:49, Scanner "C:\DCE\TSC.BIN" has finished running.

2010-02-28, 11:16:49, TSC Log:

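The MBAM log above has two parts that should agree: a summary block ("<category> Infected: <n>") and a detail block that repeats each category header and lists every detection as "<item> (<detection name>) -> <action>". As an added example (not Malwarebytes' code and not from anyone in this thread), the Python below parses a log in that format and performs the two checks a helper does by eye: that the summary counts match the detections actually listed (a mismatch usually means a truncated or hand-edited paste), and that every detection ends in "Quarantined and deleted successfully." rather than a pending action. SAMPLE_LOG is constructed in the format of the posted log; the two file detections in it are invented to exercise the pending check, and the function names are my own.

```python
"""Reconcile a Malwarebytes' Anti-Malware 1.x scan log (added example;
not MBAM's own code). The summary block lists "<category> Infected: <n>";
the detail block repeats each category as "<category> Infected:" followed
by either "(No malicious items detected)" or one detection per line:
  "<item> (<detection name>) -> <action>"
"""
import re

SUMMARY_RE = re.compile(r"^(?P<cat>.+ Infected): (?P<n>\d+)$")
HEADER_RE = re.compile(r"^(?P<cat>.+ Infected):$")
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<rest>.+)$")
CLEAN_ACTION = "Quarantined and deleted successfully."


def parse_mbam_log(text):
    """Return (counts, details): summary counts per category, and per
    category a list of (item, detection_name, final_action)."""
    counts, details = {}, {}
    category = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m and category is None:       # summary block precedes the detail block
            counts[m.group("cat")] = int(m.group("n"))
            continue
        m = HEADER_RE.match(line)
        if m:
            category = m.group("cat")
            details.setdefault(category, [])
            continue
        if category is None or line.startswith("(No malicious items"):
            continue
        m = DETECTION_RE.match(line)
        if m:
            # Registry data items carry "Bad: (..) Good: (..) -> <action>";
            # the final "->" segment is always the action taken.
            action = m.group("rest").split(" -> ")[-1]
            details[category].append((m.group("item"), m.group("name"), action))
    return counts, details


def reconcile(counts, details):
    """Return (mismatches, pending).
    mismatches: {category: (summary_count, listed_count)} where they differ;
    pending:    [(category, item, action)] for detections not cleanly removed,
                i.e. anything still needing a re-run or a reboot."""
    mismatches = {}
    for cat, n in counts.items():
        listed = len(details.get(cat, []))
        if n != listed:
            mismatches[cat] = (n, listed)
    pending = [(cat, item, action)
               for cat, entries in details.items()
               for item, _name, action in entries
               if action != CLEAN_ACTION]
    return mismatches, pending


# Constructed sample in the format of the MBAM log posted in the thread;
# the two file detections are invented to exercise the pending check.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.44
Database version: 3806
Windows 5.1.2600 Service Pack 3
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 284827
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\User\Local Settings\Temp\sample1.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\sample2.dll (Trojan.Vundo) -> No action taken.
"""

if __name__ == "__main__":
    counts, details = parse_mbam_log(SAMPLE_LOG)
    mismatches, pending = reconcile(counts, details)
    print("mismatches:", mismatches)
    print("pending:", pending)
```

In the constructed sample the summary claims one infected registry key but none is listed, and one file detection was left with "No action taken.", so reconcile() reports both; on the log actually posted above, both lists come back empty.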

You will want to print out or copy these instructions to Notepad for offline reference!


If you are a casual viewer, do NOT try this on your system!

If you are not Thudergod76 and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.


Close any of your open programs while you run these tools.

TrendMicro identifies Spyspotter as a trojan. This 2nd step below will remove it. And I'd like for you to get & run a new Combofix.

Step 1

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from

>>> here <<<

  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

Step 2

  • Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in between the **** stars lines **** below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    *****************************************************************
    :files
    C:\Program Files\SpySpotter\SpySpotterInstall.exe
    C:\Program Files\SpySpotter
    :Commands
    [purity]
    [emptytemp]
    [CREATERESTOREPOINT]
    *****************************************************************
  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.

If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Step 3

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: whatnext.png]

Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copy of the OTL MovedFiles log and

C:\Combofix.txt


Maurice,

The logs produced are as follows:

OTL Log:

All processes killed

========== FILES ==========

File\Folder C:\Program Files\SpySpotter\SpySpotterInstall.exe not found.

C:\Program Files\SpySpotter folder moved successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: HP_Administrator

->Temp folder emptied: 3106697 bytes

->Temporary Internet Files folder emptied: 39406694 bytes

->Java cache emptied: 0 bytes

User: LocalService

->Temp folder emptied: 66016 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: LogMeInRemoteUser

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 664 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes

RecycleBin emptied: 2248931327 bytes

Total Files Cleaned = 2,185.00 mb

Restore point Set: OTL Restore Point (64424509440)

OTL by OldTimer - Version 3.1.30.3 log created on 02282010_151845

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

*****************************************************

ComboFix 10-02-27.04 - HP_Administrator 02/28/2010 15:33:53.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1492 [GMT -6:00]

Running from: c:\documents and settings\HP_Administrator\Desktop\Combo-Fix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

.

((((((((((((((((((((((((( Files Created from 2010-01-28 to 2010-02-28 )))))))))))))))))))))))))))))))

.

2010-02-28 17:14 . 2010-02-28 20:33 -------- d-----w- C:\DCE

2010-02-28 16:01 . 2010-02-28 16:01 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-02-28 00:50 . 2010-02-28 00:50 -------- d-----w- C:\_OTL

2010-02-28 00:44 . 2010-02-28 00:44 -------- d-----w- c:\program files\ERUNT

2010-02-27 20:09 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-27 20:09 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-25 05:00 . 2010-02-27 20:06 0 ----a-w- c:\windows\Dvomericoxe.bin

2010-02-25 05:00 . 2010-02-26 15:48 120 ----a-w- c:\windows\Dcinucipisozo.dat

2010-02-25 04:53 . 2010-02-28 16:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-28 21:00 . 2006-11-12 04:10 -------- d-----w- c:\program files\Quicken

2010-02-28 14:51 . 2009-12-18 22:52 -------- d-----w- c:\program files\LogMeIn

2010-02-27 20:14 . 2009-06-20 15:18 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2010-02-25 04:07 . 2007-03-31 19:29 -------- d-----w- c:\program files\Lavasoft

2010-02-25 04:07 . 2007-03-31 20:57 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Lavasoft

2010-02-21 21:38 . 2007-03-31 19:32 -------- d-----w- c:\program files\PokerStars.NET

2010-02-12 03:48 . 2010-01-11 03:38 1105536 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-01-10 20:17 . 2006-11-12 04:03 59736 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-01-10 20:17 . 2010-01-10 20:17 -------- d-----w- c:\program files\Common Files\AnswerWorks 5.0

2010-01-10 20:14 . 2006-11-12 04:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit

2010-01-10 20:12 . 2006-11-12 04:10 -------- d-----w- c:\program files\Common Files\Intuit

2010-01-10 20:12 . 2007-01-07 21:07 -------- d-----w- c:\program files\TurboTax

2010-01-05 10:00 . 2004-08-10 04:00 832512 ------w- c:\windows\system32\wininet.dll

2010-01-05 10:00 . 2009-05-18 14:40 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-01-05 10:00 . 2004-08-10 04:00 17408 ----a-w- c:\windows\system32\corpol.dll

2009-12-31 16:50 . 2004-08-10 04:00 353792 ------w- c:\windows\system32\drivers\srv.sys

2009-12-16 18:43 . 2004-08-10 04:00 343040 ------w- c:\windows\system32\mspaint.exe

2009-12-14 07:08 . 2004-08-10 04:00 33280 ------w- c:\windows\system32\csrsrv.dll

2009-12-08 19:26 . 2004-08-10 11:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43 . 2004-08-10 11:00 2023936 ------w- c:\windows\system32\ntkrnlpa.exe

2009-12-04 18:22 . 2004-08-10 04:00 455424 ------w- c:\windows\system32\drivers\mrxsmb.sys

2004-05-24 05:08 . 2004-05-24 05:08 11079 ---ha-w- c:\program files\folder.htt

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]

@="{7D688A77-C613-11D0-999B-00C04FD655E1}"

[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]

2008-06-17 19:02 8461312 ----a-w- c:\windows\system32\shell32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-01-19 4670968]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-31 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]

"ftutil2"="ftutil2.dll" [2004-06-07 106496]

"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]

"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-01-14 282624]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]

"nwiz"="nwiz.exe" [2006-05-09 1519616]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-11-12 180269]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-12 2043160]

"RTHDCPL"="RTHDCPL.EXE" [2009-02-03 18085888]

"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]

c:\documents and settings\Default User\Start Menu\Programs\Startup\

Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-11-11 27136]

PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-11-11 27136]

c:\documents and settings\LogMeInRemoteUser\Start Menu\Programs\Startup\

Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-11-11 27136]

PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-11-11 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"EditLevel"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-28 13:21 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2009-09-29 01:34 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"PCDrProfiler"=

"DeviceDiscovery"=c:\program files\HP\Digital Imaging\bin\hpotdd01.exe

"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\DISC\\DISCover.exe"=

"c:\\Program Files\\DISC\\DiscStreamHub.exe"=

"c:\\Program Files\\DISC\\myFTP.exe"=

"c:\\Program Files\\Laplink\\PCmover\\PCmover.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

"c:\\WINDOWS\\ehome\\ehtray.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/20/2009 9:19 AM 335240]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/20/2009 9:18 AM 108552]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/20/2009 9:18 AM 297752]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [12/18/2009 4:52 PM 47640]

S2 hpdj5600;hpdj5600;c:\docume~1\HP_ADM~1\LOCALS~1\Temp\hpdj5600.exe -servicerunning=true -uninstall=hp deskjet 5600 series -product=5600 --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\hpdj5600.exe -servicerunning=true -uninstall=hp deskjet 5600 series -product=5600 [?]

S3 LLUSBFLT;LLUSBFLT;c:\windows\system32\drivers\llusbflt.sys [5/3/2006 9:19 AM 4736]

S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [5/3/2006 9:19 AM 8960]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\PerUser_LinkBar_URLs]

1999-04-24 04:22 45056 ----a-w- c:\windows\COMMAND\SULFNBK.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]

2008-04-14 00:12 73216 ------w- c:\progra~1\OUTLOO~1\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]

2008-04-14 00:12 73216 ------w- c:\progra~1\OUTLOO~1\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA851-CC51-11CF-AAFA-00AA00B6015C}]

2010-01-05 10:00 124928 ----a-w- c:\windows\system32\advpack.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5A8D6EE0-3E18-11D0-821E-444553540000}]

2010-01-05 10:00 124928 ----a-w- c:\windows\system32\advpack.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]

2008-04-14 00:12 73216 ------w- c:\progra~1\OUTLOO~1\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]

2008-04-14 00:12 73216 ------w- c:\progra~1\OUTLOO~1\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{89820200-ECBD-11cf-8B85-00AA005B4395}]

2010-01-05 10:00 124928 ----a-w- c:\windows\system32\advpack.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]

2004-05-24 06:28 7168 ----a-w- c:\windows\system32\updcrl.exe

.

.

------- Supplementary Scan -------

.

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop

mStart Page = about:blank

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

Trusted Zone: intuit.com\ttlc

Trusted Zone: turbotax.com

Trusted Zone: trymedia.com

DPF: DirectAnimation Java Classes

DPF: Internet Explorer Classes for Java - file://c:\windows\system32\iejava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: Yahoo! Chat - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab

DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} - hxxp://206.222.17.187/images/PopupSh.ocx

DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/iwincarambadeluxe/zylomgamesplayer.cab

DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/games/popcaploader_v6.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-02-28 15:40

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)

c:\windows\system32\LMIinit.dll

c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(3248)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\arservice.exe

c:\windows\RTHDCPL.EXE

c:\program files\LogMeIn\x86\LMIGuardian.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\program files\Yahoo!\Messenger\ymsgr_tray.exe

c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\LogMeIn\x86\RaMaint.exe

c:\progra~1\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\program files\LogMeIn\x86\LogMeIn.exe

c:\program files\LogMeIn\x86\LMIGuardian.exe

c:\windows\system32\nvsvc32.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\wscntfy.exe

c:\windows\eHome\ehmsas.exe

.

**************************************************************************

.

Completion time: 2010-02-28 15:44:08 - machine was rebooted

ComboFix-quarantined-files.txt 2010-02-28 21:44

ComboFix2.txt 2010-02-27 20:35

Pre-Run: 267,492,540,416 bytes free

Post-Run: 267,458,465,792 bytes free

- - End Of File - - 2896AA99F86518053C9188B777299B81


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

Scan the system with the Kaspersky Online Scanner

http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html

Attention: Kaspersky Online Scanner 7.0 may not run successfully while another antivirus program is running. If you have Anti-Virus software installed, please temporarily disable your AV protection before running the Kaspersky Online Scanner. Re-enable it after the scan is finished.

During this run, make sure your browser does not block popup windows. Have patience while some screens populate.

Read the Information block presented on the screen, and then press the Accept button.

1) Accept the agreement

2) The necessary files will be downloaded and installed. Please have plenty of patience.

3) After Kaspersky AntiVirus Database is updated, look at the Scan box.

4) Click the My Computer line

5) Be infinitely patient; the scan is comprehensive and, unlike other online antivirus scanners, will detect all malware.

6) When the scan is completed there will be an option to Save report as a .txt file. Click that button. Copy and paste the report into your reply.

( To see an animated tutorial-how-to on the scan, see >>this link<<)

Re-enable your antivirus program after Kaspersky has finished.

Kaspersky Online Scanner can be uninstalled later on from Add or Remove Programs in the Control Panel, if desired.

Do not be alarmed if Kaspersky tags items that are already in quarantine by MBAM, or ComboFix's Qoobox & quarantine.

Kaspersky is report-only and does not remove files.

Post back with copies of the Kaspersky.txt report.

How is your system now?


Maurice,

Here is the Kaspersky report:

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Sunday, February 28, 2010

Infected: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Sunday, February 28, 2010 17:54:24

Records in database: 3671757

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Infected: : yes

Scan area - My Computer:

C:\

D:\

E:\

F:\

G:\

H:\

I:\

Scan statistics:

Objects scanned: 121154

Threats found: 2

Infected objects found: 3

Suspicious objects found: 0

Scan duration: 02:10:52

File name / Threat / Threats count

C:\WINDOWS\system32\Popular Screensavers.scr Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1

D:\I386\APPS\APP03995\src\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1

D:\I386\APPS\APP03995\src\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1

Selected area has been scanned.

Thanks,

Steve

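A Kaspersky report like the one above is short enough to read by hand, but the same format comes back from every scan, and the two facts a helper checks are whether any verdict lacks the "not-a-virus:" prefix (adware/riskware rather than malware) and whether the report's own counters agree with the detection lines. The following is an added example, not part of the thread and not Kaspersky's code, that parses the report text into records and performs both checks. The sample report is re-typed from the detections shown in the thread; the rule that a detection under C:\WINDOWS or C:\Documents and Settings outranks one inside a vendor recovery image on D:\ is this example's own triage assumption.

```python
"""Parse a Kaspersky Online Scanner 7.0 text report and triage it (added example)."""
import re
from dataclasses import dataclass

# One detection line: "<path> Infected: <threat> <count>". Paths contain spaces,
# so the path group is non-greedy and stops at the verdict keyword.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<verdict>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)
# Counter lines such as "Infected objects found: 3" (value must be a bare integer).
STAT_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s+(?P<value>\d+)\s*$")

# Locations where a detection matters more than in an OEM recovery image (assumption).
SYSTEM_AREAS = ("c:\\windows\\", "c:\\documents and settings\\")

# Sample input re-typed from the report in the thread.
SAMPLE_REPORT = r"""
KASPERSKY ONLINE SCANNER 7.0: scan report
Records in database: 3671757
Scan statistics:
Objects scanned: 121154
Threats found: 2
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 02:10:52
File name / Threat / Threats count
C:\WINDOWS\system32\Popular Screensavers.scr Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
D:\I386\APPS\APP03995\src\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1
D:\I386\APPS\APP03995\src\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1
Selected area has been scanned.
"""


@dataclass
class Detection:
    path: str
    verdict: str
    threat: str
    count: int

    @property
    def is_pua(self) -> bool:
        # Kaspersky prefixes adware/riskware verdicts with "not-a-virus:".
        return self.threat.lower().startswith("not-a-virus:")

    @property
    def in_system_area(self) -> bool:
        return self.path.lower().startswith(SYSTEM_AREAS)


def parse_report(text: str):
    """Return (stats, detections): counters as {key: int}, detections as Detection list."""
    stats, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = DETECTION_RE.match(line)
        if m:
            detections.append(Detection(m["path"], m["verdict"], m["threat"], int(m["count"])))
            continue
        m = STAT_RE.match(line)
        if m:
            stats[m["key"].strip().lower()] = int(m["value"])
    return stats, detections


def triage(text: str) -> dict:
    """Cross-check the report's counters against parsed lines and bucket detections."""
    stats, detections = parse_report(text)
    objects = stats.get("infected objects found")
    threats = stats.get("threats found")
    return {
        "objects_consistent": objects is None or objects == len(detections),
        "threats_consistent": threats is None or threats == len({d.threat for d in detections}),
        "malware": [d.path for d in detections if not d.is_pua],
        "pua_in_system": [d.path for d in detections if d.is_pua and d.in_system_area],
        "pua_elsewhere": [d.path for d in detections if d.is_pua and not d.in_system_area],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

On the sample, `malware` is empty, the screensaver in system32 lands in `pua_in_system`, and the two recovery-image installers land in `pua_elsewhere`, which is the same reading the helper gives in the next post. The two `*_consistent` flags catch a truncated paste: if the counters say three objects but only two detection lines survived the copy, the report should be re-posted rather than acted on.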

I would suggest you delete this screensaver C:\WINDOWS\system32\Popular Screensavers.scr

Other than that, the Kaspersky scan result is very encouraging.

You had managed to run MBAM before this.

Except for final cleanup-of-tools, I think we can likely wrap this up.


Hello Steve,

We're ready to wrap this up.

I see that you are clear of your original issues. You had a Vundo malware infection.

If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders.

The "/uninstall" in the line below is to start Combofix for its cleanup & removal function.

Note the space after exe and before the slash mark.

The utility must be removed to prevent any unintentional or accidental usage, PLUS, to free up much space on your hard disk.

  • Click Start, then click Run. Then type in
    CMD

    and press Enter-key.
    This will open a command-prompt window.
    In the command box that opens, type or copy/paste
    c:\documents and settings\HP_Administrator\Desktop\Combo-Fix.exe /uninstall
    and then click OK.

Close the command window.

Proceed to the next steps, even if the uninstall has a hitch. OTL Cleanup will remove traces of Combofix.

  • Please double-click OTL.exe to run it.
  • Click on the CleanUp! button at the upper right corner. When you do this, a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet, you should allow it to do so. After the list has been downloaded you'll be asked if you want to Begin cleanup process? Select Yes.
  • This step removes the files, folders, and shortcuts created by the tools I had you download and run.

We are finished here. Best regards.


Maurice,

Thanks for all your help and advice. This is actually my father-in-law's computer. I can tell you he is extremely happy to have his computer running as it should. He thanks you as well.

I have preached the importance of not downloading these things in the past to him and my brother-in-law as they both use this PC. I am hoping that this will reinforce that fact to them. I will have them read the articles you have suggested and follow the suggestions you laid forth as well.

Thanks again!

Steve


Steve,

Glad I could help. :D Glad it worked out well. You may want to suggest a purchase of MBAM if this pc doesn't already have it, so that the protection module would help prevent similar infections.

My best to you and your relatives.

This case is resolved and is now closed.

Other members who have similar issues & need assistance please start your own topic in a new thread. Thanks!

