
trojan.vundo and hijack.shell keeps coming back



I've run Malwarebytes over and over and these files keep coming back, which I think is the source of my problems. Here's my log from the scan. I'm not sure what to do, since I've deleted the files over and over and I still have the same problem of getting redirected from hotlinks.

Malwarebytes' Anti-Malware 1.44
Database version: 3817
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/3/2010 7:11:06 PM
mbam-log-2010-03-03 (19-11-06).txt

Scan type: Full Scan (C:\|)
Objects scanned: 194680
Time elapsed: 1 hour(s), 14 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xxyyvwsys (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\khecdasys (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\khecdasys (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Hi addicted2karma,

Welcome to the forum.

My nickname is deltalima and I will be helping you with your computer problems.

The logs can take some time to research, so please be patient with me.

Please note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.

  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.

Please download GMER Rootkit Scanner from here.

  • Double click the .exe file. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE

Important! Please do not select the "Show all" checkbox during the scan.

Please post the GMER log along with OTL.txt and Extras.txt from the OTL scan into your next reply.


Thanks a lot deltalima. Sorry, I would've posted last night, but GMER froze my computer when I tried to save the log, and for some reason when I tried to post, Firefox kept giving me a connection error page, so I had to use another computer to post.

Here is the OTL.txt:

OTL logfile created on: 3/4/2010 9:46:49 PM - Run 1

OTL by OldTimer - Version 3.1.34.0 Folder = C:\Documents and Settings\Mikey Luu\Desktop

Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 66.00% Memory free

5.00 Gb Paging File | 4.00 Gb Available in Paging File | 75.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 111.78 Gb Total Space | 2.13 Gb Free Space | 1.90% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: MIKEY

Current User Name: Mikey Luu

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Mikey Luu\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)

PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)

PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

PRC - C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)

PRC - C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools)

PRC - C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools)

PRC - C:\Program Files\Spyware Doctor\pctsAuxs.exe (PC Tools)

PRC - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe (Threat Expert Ltd.)

PRC - C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)

PRC - C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)

PRC - C:\Program Files\AIM6\aim6.exe (AOL LLC)

PRC - C:\Program Files\Winamp\winamp.exe (Nullsoft)

PRC - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)

PRC - C:\Program Files\AIM6\aolsoftware.exe (AOL LLC)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)

PRC - C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)

PRC - C:\Program Files\TOSHIBA\TOSHIBA Applet\THotkey.exe (TOSHIBA)

PRC - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe (TOSHIBA Corp.)

PRC - C:\Program Files\Synaptics\SynTP\Toshiba.exe (Synaptics, Inc.)

PRC - C:\Program Files\TOSHIBA\Tvs\TvsTray.exe (TOSHIBA Corporation)

PRC - C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)

PRC - C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe (TOSHIBA Corporation)

PRC - C:\WINDOWS\system32\TPSMain.exe (TOSHIBA Corporation)

PRC - C:\WINDOWS\system32\TPSBattM.exe (TOSHIBA Corporation)

PRC - C:\WINDOWS\system32\TDispVol.exe (TOSHIBA Corporation)

PRC - C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe (TOSHIBA)

PRC - C:\WINDOWS\system32\RAMASST.exe (Matsushita Electric Industrial Co., Ltd.)

PRC - C:\WINDOWS\system32\DVDRAMSV.exe (Matsushita Electric Industrial Co., Ltd.)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Mikey Luu\Desktop\OTL.exe (OldTimer Tools)

MOD - C:\Program Files\Spyware Doctor\PCTGMhk.dll (PC Tools)

MOD - C:\Program Files\Spyware Doctor\smum32.dll (PC Tools)

MOD - C:\WINDOWS\system32\TDispVol.dll ()

========== Win32 Services (SafeList) ==========

SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)

SRV - (sdCoreService) -- C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools)

SRV - (sdAuxService) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe (PC Tools)

SRV - (Browser Defender Update Service) -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe (Threat Expert Ltd.)

SRV - (npggsvc) -- C:\WINDOWS\System32\GameMon.des (INCA Internet Co., Ltd.)

SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)

SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)

SRV - (WinDefend) -- C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)

SRV - (TAPPSRV) -- C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe (TOSHIBA Corp.)

SRV - (DVD-RAM_Service) -- C:\WINDOWS\system32\DVDRAMSV.exe (Matsushita Electric Industrial Co., Ltd.)

========== Driver Services (SafeList) ==========

DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)

DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)

DRV - (SASENUM) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS ( SUPERAdBlocker.com and SUPERAntiSpyware.com)

DRV - (Lbd) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)

DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH)

DRV - (PCTCore) -- C:\WINDOWS\system32\drivers\PCTCore.sys (PC Tools)

DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH)

DRV - (NuidFltr) -- C:\WINDOWS\system32\drivers\nuidfltr.sys (Microsoft Corporation)

DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)

DRV - (avgio) -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)

DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)

DRV - (SynTP) -- C:\WINDOWS\system32\drivers\SynTP.sys (Synaptics, Inc.)

DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys (Realtek Semiconductor Corp.)

DRV - (w39n51) Intel® -- C:\WINDOWS\system32\drivers\w39n51.sys (Intel


Here's the OTL log:

All processes killed

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 85468 bytes

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: Guest

->Temp folder emptied: 418999 bytes

->Temporary Internet Files folder emptied: 259348 bytes

->FireFox cache emptied: 16972399 bytes

->Flash cache emptied: 687 bytes

User: LocalService

->Temp folder emptied: 66016 bytes

->Temporary Internet Files folder emptied: 16815714 bytes

->Java cache emptied: 13 bytes

->Flash cache emptied: 5407 bytes

User: Mikey Luu

->Temp folder emptied: 2062080517 bytes

->Temporary Internet Files folder emptied: 4619387 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 268171175 bytes

->Flash cache emptied: 31641 bytes

User: NetworkService

->Temp folder emptied: 290748 bytes

->Temporary Internet Files folder emptied: 10412821 bytes

->Java cache emptied: 20156 bytes

->Flash cache emptied: 25507 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 2402044 bytes

%systemroot%\System32 .tmp files removed: 2577 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 77915930 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes

RecycleBin emptied: 44866082 bytes

Total Files Cleaned = 2,389.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.

HOSTS file reset successfully

OTL by OldTimer - Version 3.1.34.0 log created on 03052010_153515

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

And here's the text from TDSSKiller:

15:42:55:312 3200 TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25

15:42:55:312 3200 ================================================================================

15:42:55:312 3200 SystemInfo:

15:42:55:312 3200 OS Version: 5.1.2600 ServicePack: 3.0

15:42:55:312 3200 Product type: Workstation

15:42:55:312 3200 ComputerName: MIKEY

15:42:55:312 3200 UserName: Mikey Luu

15:42:55:312 3200 Windows directory: C:\WINDOWS

15:42:55:312 3200 Processor architecture: Intel x86

15:42:55:312 3200 Number of processors: 2

15:42:55:312 3200 Page size: 0x1000

15:42:55:312 3200 Boot type: Normal boot

15:42:55:312 3200 ================================================================================

15:42:55:328 3200 UnloadDriverW: NtUnloadDriver error 2

15:42:55:328 3200 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2

15:42:55:343 3200 Initialize success

15:42:55:343 3200

15:42:55:343 3200 Scanning Services ...

15:42:55:343 3200 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system

15:42:55:343 3200 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

15:42:55:343 3200 wfopen_ex: Trying to KLMD file open

15:42:55:343 3200 wfopen_ex: File opened ok (Flags 2)

15:42:55:343 3200 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software

15:42:55:343 3200 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

15:42:55:343 3200 wfopen_ex: Trying to KLMD file open

15:42:55:343 3200 wfopen_ex: File opened ok (Flags 2)

15:42:55:750 3200 GetAdvancedServicesInfo: Raw services enum returned 333 services

15:42:55:765 3200 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system

15:42:55:765 3200 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software

15:42:55:765 3200

15:42:55:765 3200 Scanning Kernel memory ...

15:42:55:765 3200 Devices to scan: 2

15:42:55:765 3200

15:42:55:765 3200 Driver Name: Disk

15:42:55:765 3200 IRP_MJ_CREATE : F765DBB0

15:42:55:765 3200 IRP_MJ_CREATE_NAMED_PIPE : 804F9759

15:42:55:765 3200 IRP_MJ_CLOSE : F765DBB0

15:42:55:765 3200 IRP_MJ_READ : F7657D1F

15:42:55:765 3200 IRP_MJ_WRITE : F7657D1F

15:42:55:765 3200 IRP_MJ_QUERY_INFORMATION : 804F9759

15:42:55:765 3200 IRP_MJ_SET_INFORMATION : 804F9759

15:42:55:765 3200 IRP_MJ_QUERY_EA : 804F9759

15:42:55:765 3200 IRP_MJ_SET_EA : 804F9759

15:42:55:765 3200 IRP_MJ_FLUSH_BUFFERS : F76582E2

15:42:55:765 3200 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759

15:42:55:765 3200 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759

15:42:55:765 3200 IRP_MJ_DIRECTORY_CONTROL : 804F9759

15:42:55:765 3200 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759

15:42:55:765 3200 IRP_MJ_DEVICE_CONTROL : F76583BB

15:42:55:765 3200 IRP_MJ_INTERNAL_DEVICE_CONTROL : F765BF28

15:42:55:765 3200 IRP_MJ_SHUTDOWN : F76582E2

15:42:55:765 3200 IRP_MJ_LOCK_CONTROL : 804F9759

15:42:55:765 3200 IRP_MJ_CLEANUP : 804F9759

15:42:55:765 3200 IRP_MJ_CREATE_MAILSLOT : 804F9759

15:42:55:765 3200 IRP_MJ_QUERY_SECURITY : 804F9759

15:42:55:765 3200 IRP_MJ_SET_SECURITY : 804F9759

15:42:55:765 3200 IRP_MJ_POWER : F7659C82

15:42:55:765 3200 IRP_MJ_SYSTEM_CONTROL : F765E99E

15:42:55:765 3200 IRP_MJ_DEVICE_CHANGE : 804F9759

15:42:55:765 3200 IRP_MJ_QUERY_QUOTA : 804F9759

15:42:55:765 3200 IRP_MJ_SET_QUOTA : 804F9759

15:42:55:765 3200 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code

15:42:55:765 3200 sion

15:42:55:765 3200 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean

15:42:55:765 3200

15:42:55:765 3200 Driver Name: atapi

15:42:55:765 3200 IRP_MJ_CREATE : 8AB7FCA1

15:42:55:765 3200 IRP_MJ_CREATE_NAMED_PIPE : 8AB7FCA1

15:42:55:765 3200 IRP_MJ_CLOSE : 8AB7FCA1

15:42:55:765 3200 IRP_MJ_READ : 8AB7FCA1

15:42:55:765 3200 IRP_MJ_WRITE : 8AB7FCA1

15:42:55:765 3200 IRP_MJ_QUERY_INFORMATION : 8AB7FCA1

15:42:55:765 3200 IRP_MJ_SET_INFORMATION : 8AB7FCA1

15:42:55:765 3200 IRP_MJ_QUERY_EA : 8AB7FCA1

15:42:55:765 3200 IRP_MJ_SET_EA : 8AB7FCA1

15:42:55:765 3200 IRP_MJ_FLUSH_BUFFERS : 8AB7FCA1

15:42:55:765 3200 IRP_MJ_QUERY_VOLUME_INFORMATION : 8AB7FCA1

15:42:55:765 3200 IRP_MJ_SET_VOLUME_INFORMATION : 8AB7FCA1

15:42:55:765 3200 IRP_MJ_DIRECTORY_CONTROL : 8AB7FCA1

15:42:55:765 3200 IRP_MJ_FILE_SYSTEM_CONTROL : 8AB7FCA1

15:42:55:765 3200 IRP_MJ_DEVICE_CONTROL : 8AB7FCA1

15:42:55:765 3200 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8AB7FCA1

15:42:55:765 3200 IRP_MJ_SHUTDOWN : 8AB7FCA1

15:42:55:765 3200 IRP_MJ_LOCK_CONTROL : 8AB7FCA1

15:42:55:765 3200 IRP_MJ_CLEANUP : 8AB7FCA1

15:42:55:765 3200 IRP_MJ_CREATE_MAILSLOT : 8AB7FCA1

15:42:55:765 3200 IRP_MJ_QUERY_SECURITY : 8AB7FCA1

15:42:55:765 3200 IRP_MJ_SET_SECURITY : 8AB7FCA1

15:42:55:765 3200 IRP_MJ_POWER : 8AB7FCA1

15:42:55:765 3200 IRP_MJ_SYSTEM_CONTROL : 8AB7FCA1

15:42:55:765 3200 IRP_MJ_DEVICE_CHANGE : 8AB7FCA1

15:42:55:765 3200 IRP_MJ_QUERY_QUOTA : 8AB7FCA1

15:42:55:765 3200 IRP_MJ_SET_QUOTA : 8AB7FCA1

15:42:55:765 3200 ihd: 0, 0, 0, 480, 3, 462, 1

15:42:55:765 3200 Driver "atapi" Irp handler infected by TDSS rootkit ... 15:42:55:765 3200 TDL3_IrpHookCure: Invalid patch address

15:42:55:765 3200 cure failed

15:42:55:765 3200 Driver "atapi" StartIo handler infected by TDSS rootkit ... 15:42:55:765 3200 cured

15:42:55:765 3200 siohd: 0

15:42:55:765 3200 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean

15:42:55:765 3200

15:42:55:765 3200 Completed

15:42:55:765 3200

15:42:55:765 3200 Results:

15:42:55:765 3200 Memory objects infected / cured / cured on reboot: 2 / 1 / 0

15:42:55:765 3200 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

15:42:55:765 3200 File objects infected / cured / cured on reboot: 0 / 0 / 0

15:42:55:765 3200

15:42:55:781 3200 KLMD(ARK) unloaded successfully
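As an added example (not part of this thread and not TDSSKiller's own code), the script below reads TDSSKiller log lines like the ones above, rebuilds each driver's IRP dispatch table and flags a driver whose every major function points at one address. That is the shape of the atapi table in the log, whereas the Disk driver's table holds several distinct handler addresses. It also pulls the "infected / cured" counts, since "2 / 1" means one hook survived the run. The sample log text is a trimmed, constructed copy of the posted output; the single-address heuristic is this example's assumption, not the check TDSSKiller itself performs.

```python
"""Spot a hijacked IRP dispatch table in TDSSKiller log output.

Added example for this thread; not TDSSKiller code. SAMPLE_LOG is a trimmed,
constructed copy of the dump posted above.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
15:42:55:765 3200 Driver Name: Disk
15:42:55:765 3200 IRP_MJ_CREATE : F765DBB0
15:42:55:765 3200 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
15:42:55:765 3200 IRP_MJ_CLOSE : F765DBB0
15:42:55:765 3200 IRP_MJ_READ : F7657D1F
15:42:55:765 3200 IRP_MJ_WRITE : F7657D1F
15:42:55:765 3200 IRP_MJ_DEVICE_CONTROL : F76583BB
15:42:55:765 3200 IRP_MJ_POWER : F7659C82
15:42:55:765 3200 C:\\WINDOWS\\system32\\DRIVERS\\disk.sys - Verdict: Clean
15:42:55:765 3200 Driver Name: atapi
15:42:55:765 3200 IRP_MJ_CREATE : 8AB7FCA1
15:42:55:765 3200 IRP_MJ_CREATE_NAMED_PIPE : 8AB7FCA1
15:42:55:765 3200 IRP_MJ_CLOSE : 8AB7FCA1
15:42:55:765 3200 IRP_MJ_READ : 8AB7FCA1
15:42:55:765 3200 IRP_MJ_WRITE : 8AB7FCA1
15:42:55:765 3200 IRP_MJ_DEVICE_CONTROL : 8AB7FCA1
15:42:55:765 3200 IRP_MJ_POWER : 8AB7FCA1
15:42:55:765 3200 C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys - Verdict: Clean
15:42:55:765 3200 Memory objects infected / cured / cured on reboot: 2 / 1 / 0
"""

# Every TDSSKiller line starts with a timestamp and a thread id; keep the rest.
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s+(.*)$")
DRIVER_RE = re.compile(r"^Driver Name: (\S+)$")
IRP_RE = re.compile(r"^(IRP_MJ_[A-Z_]+) : ([0-9A-F]{8})$")
RESULT_RE = re.compile(
    r"^Memory objects infected / cured / cured on reboot: (\d+) / (\d+) / (\d+)$")


def parse_dispatch_tables(log_text):
    """Return {driver_name: {IRP_MJ_xxx: handler_address}} from the log."""
    tables = {}
    current = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        body = m.group(1).strip()
        d = DRIVER_RE.match(body)
        if d:
            current = d.group(1)
            tables[current] = {}
            continue
        i = IRP_RE.match(body)
        if i and current is not None:
            tables[current][i.group(1)] = int(i.group(2), 16)
    return tables


def suspicious_drivers(tables, min_entries=4):
    """Flag drivers whose every listed major function resolves to one address.

    A normal driver registers its own routines for the majors it supports and
    leaves the rest on the kernel's shared default handler, so its table holds
    several distinct addresses. A table collapsed to a single address (every
    IRP funneled through one hook) is what the log shows for atapi. Heuristic
    only; an assumption of this example.
    """
    flagged = {}
    for name, handlers in tables.items():
        addrs = Counter(handlers.values())
        if len(handlers) >= min_entries and len(addrs) == 1:
            flagged[name] = next(iter(addrs))
    return flagged


def cure_summary(log_text):
    """Return (infected, cured) memory-object counts, or None if not present.

    infected > cured means at least one hook outlived the run, which is why a
    file-level scanner can keep finding the same loader entries afterwards.
    """
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        r = RESULT_RE.match(m.group(1).strip())
        if r:
            return int(r.group(1)), int(r.group(2))
    return None


if __name__ == "__main__":
    tables = parse_dispatch_tables(SAMPLE_LOG)
    for name, addr in suspicious_drivers(tables).items():
        print(f"{name}: all {len(tables[name])} majors -> {addr:08X}")
    print("memory objects infected/cured:", cure_summary(SAMPLE_LOG))
```

The Disk table keeps the driver's own routines (the F765... addresses) plus one shared address for the majors it does not implement, so it holds several distinct values and is not flagged; atapi's collapses to 8AB7FCA1 and is. Run the file directly to print both results.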


Also, I have a question; I'm not sure if it relates to this problem or not. Whenever I reboot I get two, sometimes three, RunDLL error prompts saying that the specified module cannot be found for:

C:\WINDOWS\efohuhoneniqedu.dll

xxxvur.dll

and nynw.wmo

I've uploaded a portion of a print screen of the two that popped up on the last reboot.


I'm kind of having the same problem. I ran the scan, and this virus called "Trojan.Vundo.H" kept coming up in 4 different files... I clicked "remove all", and it asked me to restart my computer, so I did. But then I ran the scan again right after I restarted my computer and it came up again! I don't know why Malwarebytes is unable to remove this virus... can someone please help me?


Hi addicted2karma,

Run Combofix:

Temporarily disable any antispyware, antivirus and or antimalware real-time protection as they may interfere with running of ComboFix.

Download ComboFix from here to your Desktop.

For more information about Combofix please see here.

Close all programs.

Double click combofix.exe and follow the prompts.

If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it


ComboFix log:

ComboFix 10-03-05.06 - Mikey Luu 03/06/2010 10:03:05.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2561 [GMT -8:00]

Running from: c:\documents and settings\Mikey Luu\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Mikey Luu\Local Settings\Application Data\{600993FA-F11E-479D-8C47-DE0CCDCDD171}

c:\documents and settings\Mikey Luu\Local Settings\Application Data\{600993FA-F11E-479D-8C47-DE0CCDCDD171}\chrome.manifest

c:\documents and settings\Mikey Luu\Local Settings\Application Data\{600993FA-F11E-479D-8C47-DE0CCDCDD171}\chrome\content\_cfg.js

c:\documents and settings\Mikey Luu\Local Settings\Application Data\{600993FA-F11E-479D-8C47-DE0CCDCDD171}\chrome\content\overlay.xul

c:\documents and settings\Mikey Luu\Local Settings\Application Data\{600993FA-F11E-479D-8C47-DE0CCDCDD171}\install.rdf

c:\recycler\S-1-5-21-823518204-1770027372-1417001333-501

c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Police Pro

c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk

c:\windows\system32\images

c:\windows\system32\images\i1.gif

c:\windows\system32\images\i2.gif

c:\windows\system32\images\i3.gif

c:\windows\system32\images\j1.gif

c:\windows\system32\images\j2.gif

c:\windows\system32\images\j3.gif

c:\windows\system32\images\jj1.gif

c:\windows\system32\images\jj2.gif

c:\windows\system32\images\jj3.gif

c:\windows\system32\images\l1.gif

c:\windows\system32\images\l2.gif

c:\windows\system32\images\l3.gif

c:\windows\system32\images\pix.gif

c:\windows\system32\images\t1.gif

c:\windows\system32\images\t2.gif

c:\windows\system32\images\up1.gif

c:\windows\system32\images\up2.gif

c:\windows\system32\images\w1.gif

c:\windows\system32\images\w11.gif

c:\windows\system32\images\w2.gif

c:\windows\system32\images\w3.gif

c:\windows\system32\images\w3.jpg

c:\windows\system32\images\wt1.gif

c:\windows\system32\images\wt2.gif

c:\windows\system32\images\wt3.gif

c:\windows\system32\pst.dat

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected

Restored copy from - Kitty ate it :P

c:\windows\system32\proquota.exe . . . is missing!!

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

((((((((((((((((((((((((( Files Created from 2010-02-06 to 2010-03-06 )))))))))))))))))))))))))))))))

.

2010-03-05 23:35 . 2010-03-05 23:35 -------- d-----w- C:\_OTL

2010-03-05 23:27 . 2010-03-05 23:32 -------- d-----w- c:\windows\SxsCaPendDel

2010-03-05 01:22 . 2010-03-05 17:35 -------- d-----w- c:\program files\Common Files\PC Tools

2010-03-05 01:22 . 2010-03-05 17:34 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-03-03 10:49 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-03 10:48 . 2010-03-03 19:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-03 10:48 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-03 09:34 . 2010-03-03 09:34 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth

2010-03-03 07:42 . 2010-03-03 07:42 -------- d-----w- c:\windows\system32\wbem\Repository

2010-03-03 02:04 . 2010-03-03 02:03 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-03-03 02:00 . 2010-02-24 17:16 181632 ------w- c:\windows\system32\MpSigStub.exe

2010-03-03 01:48 . 2010-03-05 23:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-03-03 01:44 . 2010-03-03 07:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-03-03 01:44 . 2010-03-03 07:41 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-03-03 01:43 . 2010-03-03 10:56 -------- d-----w- c:\program files\Windows Defender

2010-03-03 00:21 . 2010-03-03 00:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-03-01 20:14 . 2010-03-01 20:14 -------- d-----w- c:\documents and settings\Mikey Luu\Local Settings\Application Data\Ahead

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-05 23:30 . 2009-07-11 07:05 -------- d-----w- c:\documents and settings\Mikey Luu\Application Data\SUPERAntiSpyware.com

2010-03-05 23:30 . 2009-07-11 07:05 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-03-05 23:27 . 2009-05-06 11:18 -------- d-----w- c:\documents and settings\Mikey Luu\Application Data\uTorrent

2010-03-03 06:40 . 2010-02-04 08:20 120 ----a-w- c:\windows\Itifoyopogi.dat

2010-03-03 06:40 . 2010-02-04 08:20 0 ----a-w- c:\windows\Erayi.bin

2010-03-03 02:13 . 2009-11-14 05:44 -------- d-----w- c:\program files\Bonjour

2010-03-03 02:03 . 2009-07-11 07:07 -------- d-----w- c:\program files\CCleaner

2010-02-12 06:56 . 2009-09-10 22:38 -------- d-----w- c:\documents and settings\Mikey Luu\Application Data\FrostWire

2010-02-04 08:16 . 2010-02-04 08:16 24 ----a-w- c:\windows\system32\config\systemprofile\Application Data\anvkgp.dat

2010-01-29 20:25 . 2009-05-06 09:50 34384 ----a-w- c:\documents and settings\Mikey Luu\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-01-27 02:29 . 2009-05-06 09:20 -------- d-----w- c:\program files\Common Files\Java

2010-01-27 02:28 . 2010-01-27 02:28 503808 ----a-w- c:\documents and settings\Mikey Luu\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2b14754c-n\msvcp71.dll

2010-01-27 02:28 . 2010-01-27 02:28 499712 ----a-w- c:\documents and settings\Mikey Luu\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2b14754c-n\jmc.dll

2010-01-27 02:28 . 2010-01-27 02:28 348160 ----a-w- c:\documents and settings\Mikey Luu\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2b14754c-n\msvcr71.dll

2010-01-27 02:28 . 2010-01-27 02:28 61440 ----a-w- c:\documents and settings\Mikey Luu\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4ad960d5-n\decora-sse.dll

2010-01-27 02:28 . 2010-01-27 02:28 12800 ----a-w- c:\documents and settings\Mikey Luu\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4ad960d5-n\decora-d3d.dll

2010-01-27 02:28 . 2009-05-06 09:20 -------- d-----w- c:\program files\Java

2010-01-26 00:33 . 2010-01-26 00:33 -------- d-----w- c:\program files\Statgraphics

2010-01-17 17:18 . 2010-01-17 17:18 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ

2010-01-17 17:17 . 2010-01-17 17:17 -------- d--h--w- c:\program files\CanonBJ

2010-01-12 01:51 . 2009-10-30 20:56 -------- d-----w- c:\program files\Steam

2009-12-31 16:50 . 2008-04-14 13:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-21 19:14 . 2008-08-13 23:09 916480 ----a-w- c:\windows\system32\wininet.dll

2009-12-18 01:14 . 2009-06-29 16:59 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-12-16 18:43 . 2009-05-06 08:26 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08 . 2008-04-14 13:00 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-08 19:26 . 2008-04-14 13:00 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43 . 2008-04-14 00:01 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe

2009-12-07 23:44 . 2009-05-06 10:45 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

.

------- Sigcheck -------

[-] 2008-08-13 . 5223357CDF638BFEBF9F3A87C7C562F7 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]

"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-02-11 1937408]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]

"RTHDCPL"="RTHDCPL.EXE" [2005-12-09 15691264]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]

"TPSMain"="TPSMain.exe" [2005-06-01 282624]

"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]

"TFncKy"="TFncKy.exe" [bU]

"TDispVol"="TDispVol.exe" [2005-03-11 73728]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-14 39264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_2"="shell32" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-8-13 113664]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

RAMASST.lnk - c:\windows\system32\RAMASST.exe [2009-5-6 155648]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]

pxcpdt32 REG_SZ c:\windows\system32\autovaws.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Steam\\steamapps\\pyahhhh\\counter-strike\\hl.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"59054:TCP"= 59054:TCP:Pando Media Booster

"59054:UDP"= 59054:UDP:Pando Media Booster

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/6/2009 2:45 AM 108289]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

.

Contents of the 'Scheduled Tasks' folder

2010-03-02 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-03-06 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 03:20]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Mikey Luu\Application Data\Mozilla\Firefox\Profiles\sg4nfd66.default\

.

- - - - ORPHANS REMOVED - - - -

BHO-{b658e9d6-c186-4fff-82be-1a8c8fad6538} - fefiweta.dll

HKCU-Run-Aim6 - (no file)

HKLM-Run-Hpoxugu - c:\windows\efohuhoneniqedu.dll

HKLM-Run-ssqqrpsys - xxxvur.dll

HKU-Default-Run-cbyyyasys - xxxvur.dll

AddRemove-{980A182F-E0A2-4A40-94C1-AE0C1235902E} - c:\program files\Pando Networks\Media Booster\uninst.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-06 10:10

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4088)

c:\windows\system32\WININET.dll

c:\windows\system32\TDispVol.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\wpdshserviceobj.dll

c:\program files\WinSCP\DragExt.dll

c:\windows\system32\portabledevicetypes.dll

c:\windows\system32\portabledeviceapi.dll

c:\windows\system32\TPwrCfg.DLL

c:\windows\system32\TPwrReg.dll

c:\windows\system32\TPSTrace.DLL

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\DVDRAMSV.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\TPSMain.exe

c:\windows\system32\TDispVol.exe

c:\program files\Synaptics\SynTP\Toshiba.exe

c:\windows\system32\TPSBattM.exe

c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

c:\windows\ehome\mcrdsvc.exe

c:\program files\Windows Media Player\WMPNetwk.exe

c:\windows\system32\dllhost.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\eHome\ehmsas.exe

.

**************************************************************************

.

Completion time: 2010-03-06 10:15:03 - machine was rebooted

ComboFix-quarantined-files.txt 2010-03-06 18:15

Pre-Run: 5,119,483,904 bytes free

Post-Run: 5,121,024,000 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 9E9F854585EF1E04E3FF988FB91F47FF


Hi addicted2karma,

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code

    :otl
    O2 - BHO: (no name) - {b658e9d6-c186-4fff-82be-1a8c8fad6538} - File not found
    O30 - LSA: Authentication Packages - (xxxvur.dll) - File not found
    O4 - HKLM..\Run: [Hpoxugu] C:\WINDOWS\efohuhoneniqedu.DLL File not found
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 0

  • Then click the Run Fix button at the top.
  • Click OK.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.

Now please run a scan with Malwarebytes Antimalware and post the log back here along with the OTL log and let me know how the computer is running now.

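As an added example (not part of the thread and not OTL's own output), the PowerShell script below audits the same autostart locations the fix above targets: the Run keys including the .DEFAULT hive, AppCertDlls, the LSA Authentication Packages list, and Browser Helper Objects. It reports entries whose file is missing, which is what OTL's "File not found" lines indicate, or whose file lives outside Windows and Program Files; it assumes an elevated prompt and that msv1_0 is the only legitimate authentication package, as on a stock XP install.

```powershell
# Added example, not from the thread or from OTL: audit the autostart locations this fix
# touched (Run keys, AppCertDlls, LSA Authentication Packages, BHOs) and report entries whose
# target file is missing or sits outside Windows/Program Files. Run elevated; PowerShell 2.0 syntax so it works on XP.
if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$sys32 = Join-Path $env:SystemRoot 'System32'
function Resolve-Target([string]$Data) {
    # Take the first .exe/.dll path from a command line and expand %vars%; a bare file name
    # (the way Vundo registered xxxvur.dll) is assumed to load from System32.
    $d = [Environment]::ExpandEnvironmentVariables($Data.Trim())
    if (-not $d) { return '' }
    if ($d -match '^"([^"]+)"') { $d = $Matches[1] }
    elseif ($d -match '^(.*?\.(exe|dll))') { $d = $Matches[1] }
    if (-not (Split-Path $d -Parent)) { $d = Join-Path $sys32 $d }
    return $d
}
function Test-Entry([string]$Where, [string]$Name, [string]$Data) {
    $target  = Resolve-Target $Data
    $trusted = ($target -like "$env:SystemRoot\*") -or ($target -like "$env:ProgramFiles\*")
    $status  = 'ok'
    if (-not $target -or -not (Test-Path -LiteralPath $target)) { $status = 'FILE NOT FOUND' }
    elseif (-not $trusted) { $status = 'unusual location' }
    New-Object PSObject -Property @{ Location = $Where; Name = $Name; Target = $target; Status = $status }
}
$results = @()
# Run keys for the machine and the .DEFAULT hive (both hit in the log above) plus AppCertDlls
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKU:\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls') {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
            $results += Test-Entry $key $p.Name ([string]$p.Value)
        }
    }
}
# LSA Authentication Packages (REG_MULTI_SZ): msv1_0 is the only entry on a stock XP install
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'Authentication Packages'
foreach ($pkg in $lsa.'Authentication Packages') {
    if ($pkg -ne 'msv1_0') { $results += Test-Entry 'Lsa\Authentication Packages' $pkg "$pkg.dll" }
}
# BHOs: each CLSID under Browser Helper Objects resolves to its DLL through InprocServer32
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
Get-ChildItem $bhoRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $srv = Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$($_.PSChildName)\InprocServer32" -ErrorAction SilentlyContinue
    $results += Test-Entry 'BHO' $_.PSChildName ([string]$srv.'(default)')
}
$results | Where-Object { $_.Status -ne 'ok' } | Format-Table Location, Name, Target, Status -AutoSize
```

An empty table means every autostart entry in these locations points at an existing file under Windows or Program Files; anything flagged is worth checking against the ComboFix and OTL logs before removing it.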

heres the OTL log

========== OTL ==========

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b658e9d6-c186-4fff-82be-1a8c8fad6538}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b658e9d6-c186-4fff-82be-1a8c8fad6538}\ not found.

Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages:xxxvur.dll deleted successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Hpoxugu not found.

========== REGISTRY ==========

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\"FirstRunDisabled" | 0 /E : value set successfully!

OTL by OldTimer - Version 3.1.34.0 log created on 03062010_134840

mbam log

Malwarebytes' Anti-Malware 1.44

Database version: 3817

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

3/6/2010 2:28:46 PM

mbam-log-2010-03-06 (14-28-46).txt

Scan type: Full Scan (C:\|)

Objects scanned: 182909

Time elapsed: 35 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

so far everything seems to be good i no longer get redirected from a few searches i did on google and the error prompts are gone now. thanks a lot deltalima! if anything does reoccur ill be sure to post it back onto this thread.


Hi addicted2karma,

so far everything seems to be good i no longer get redirected

That's good, some final checks to make sure.

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
     • Spyware, Adware, Dialers, and other potentially dangerous programs
     • Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.


--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Monday, March 8, 2010

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Monday, March 08, 2010 18:01:31

Records in database: 3740411

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

Scan statistics:

Objects scanned: 51275

Threats found: 0

Infected objects found: 0

Suspicious objects found: 0

Scan duration: 01:14:09

No threats found. Scanned area is clean.

Selected area has been scanned.


Hi addicted2karma,

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I would like you to download and install the free firewall from

Online-Armor by Tall Emu

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Update Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, & also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 18.

  • Download the latest version of Java Runtime Environment (JRE) 6 Here
  • Scroll down to where it says "JDK 6 Update 18 (JDK or JRE)"
  • Click the orange Download JRE button to the right
  • Select the Windows platform from the dropdown menu
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh
  • Click on the link to download Windows Offline Installation & save the file to your desktop
  • Close any programs you may have running - especially your web browser
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs & remove all older versions of Java
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java 6) in the name
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version
  • Reboot your computer once all Java components are removed
  • Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Please delete the TDSSKiller icon, folder and log file from your desktop.

Remove GMER

Delete the GMER icon from your desktop, it will be named 4k2f5cyt.exe.exe

Uninstall ComboFix

  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK

Clean up with OTL

  • Double-click OTL.exe to start the program. This will remove all the tools we used to clean your pc.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CleanUp! button
  • Say Yes to the prompt and then allow the program to reboot your computer.

Update your AntiVirus Software and keep your other programs up-to-date

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your pc.

Secunia Software Inspector

F-secure Health Check

Security Updates for Windows, Internet Explorer & Microsoft Office

Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean!
