Vimax ads have taken over! [Closed], All browsers
ArunOnline
post Dec 22 2008, 05:57 PM
Post #1


New Member
Posts: 6
OS: Windows Vista Ultimate SP1



As many seem to have reported at Geeks to Go, my PC seems to be infected with the Vimax ads malware. I am seeing Vimax ads on websites which have doubleclick.net ads, as they are replaced, and I occasionally see popup ads as well. This is a very new Windows Vista Ultimate SP1 installation. Please find my HijackThis log below:

------------------------------

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:09:05, on 23-12-2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\inteldh\common\SWUpdateClient.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Vtune\TBPANEL.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WI1F86~1\MESSEN~1\msnmsgr.exe
C:\Windows\WindowsMobile\WmdSync.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelSWUpdateClient] C:\Program Files\Intel\inteldh\common\SWUpdateClient.exe
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [TBPanel] C:\Program Files\Vtune\TBPanel.exe /A
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\WI1F86~1\MESSEN~1\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Intel® Con. Management Engine Local Manageability Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: ME Services Manager - Intel® Corporation - C:\Program Files\Intel\inteldh\msm\MSM.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Software Services Manager - Intel® Corporation - C:\Program Files\Intel\inteldh\common\IntelDHSvcMgr.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_a6dd3134\STacSV.exe

--
End of file - 5198 bytes

--------------------------------------------------------------------

I then ran Malwarebytes quick scan and it found infected objects and removed them:

-------------------------------

Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.

--------------------------------


Can anyone guide me on what I should do next to completely remove this nasty malware?

ArunOnline
post Dec 22 2008, 06:34 PM
Post #2


New Member
Posts: 6
OS: Windows Vista Ultimate SP1



Please find full scanlog:

Malwarebytes' Anti-Malware 1.31
Database version: 1533
Windows 6.0.6001 Service Pack 1

23-12-2008 06:03:23
mbam-log-2008-12-23 (06-03-23).txt

Scan type: Full Scan (C:\|)
Objects scanned: 117791
Time elapsed: 35 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\extravideo (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\59617.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\79406.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\85317.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Arun\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AEIGH933\KuLightCadecPock3439[1].exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Windows\System32\msqpdxkyruwurn.dll (Trojan.Agent) -> Delete on reboot.
C:\Windows\System32\drivers\msqpdxnxesspxv.sys (Trojan.Agent) -> Quarantined and deleted successfully.
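The two logs above already name the detections, but anyone reading many such logs wants the suspicious lines pulled out mechanically rather than by eye. The following Python is an added example written for this page, not code from Geeks to Go, Trend Micro (HijackThis) or Malwarebytes. It parses both log formats from sample lines taken from the posts above (plus one constructed O4 line, marked in the code, so the drive-root rule has something to hit) and applies the editor's own heuristics: a hosts override that is not loopback, a BHO whose file is gone, an autostart or detected file sitting at the drive root, in a Temp folder or in the IE cache, and a Malwarebytes item still pending "Delete on reboot". Those rules are assumptions about where legitimate software lives, not rules from either tool.

```python
"""Triage of HijackThis and Malwarebytes (MBAM) log lines.

Added example for this thread, not code from Geeks to Go, Trend Micro or
Malwarebytes. The sample lines are copied from the two logs above, plus one
constructed HijackThis line (marked) so the root-dropper rule has a hit.
The heuristics (SUSPECT_DIRS, DIGIT_NAME) are the editor's assumptions.
"""
import re
from dataclasses import dataclass

HJT_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# Greedy path so a ' (' inside the path (e.g. 'Program Files (x86)') is not
# mistaken for the detection family, which is always the last '(...)' group.
MBAM_LINE = re.compile(r"^(?P<path>.+) \((?P<family>[^()]+)\) -> (?P<action>.+)$")

# Assumption: legitimate software does not install executables at the bare
# drive root, in a Temp folder, or in the IE cache; the DNSChanger droppers
# in this thread live in exactly those places.
SUSPECT_DIRS = re.compile(
    r"^[A-Za-z]:\\[^\\]+\.(exe|dll|sys|com)$|\\Temp\\|\\Temporary Internet Files\\", re.I)
DIGIT_NAME = re.compile(r"\\\d+\.(exe|com)$", re.I)  # e.g. C:\59617.exe
LOOPBACK_HOSTS = {"127.0.0.1 localhost", "::1 localhost"}


@dataclass
class Finding:
    source: str   # "hjt" or "mbam"
    line: str
    reason: str


def extract_path(body):
    """Pull the executable path out of an O4 (Run key) or O23 (service) body."""
    if body.startswith("Service:"):
        return body.rsplit(" - ", 1)[-1].strip()        # last ' - ' field is the path
    m = re.search(r"\] (.*)$", body)                     # text after '[Name] '
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]                 # quoted path
    return rest.split(" ")[0]                            # unquoted: first token


def triage_hjt(lines):
    """Flag HijackThis lines that deserve a second look."""
    findings = []
    for line in lines:
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "O1":
            host = body.split(":", 1)[1].strip()
            if host not in LOOPBACK_HOSTS:
                findings.append(Finding("hjt", line, "hosts override that is not loopback"))
        elif kind == "O2" and body.endswith("(no file)"):
            findings.append(Finding("hjt", line, "BHO registered but file missing"))
        elif kind in ("O4", "O23"):
            path = extract_path(body)
            if path and (SUSPECT_DIRS.search(path) or DIGIT_NAME.search(path)):
                findings.append(Finding("hjt", line, "autostart from unusual location"))
    return findings


def triage_mbam(lines):
    """Classify every Malwarebytes detection line; 'Delete on reboot' needs follow-up."""
    findings = []
    for line in lines:
        m = MBAM_LINE.match(line.strip())
        if not m:
            continue
        path, family, action = m.group("path", "family", "action")
        if "Delete on reboot" in action:
            reason = f"{family}: pending until reboot, rescan afterwards"
        elif SUSPECT_DIRS.search(path) or DIGIT_NAME.search(path):
            reason = f"{family}: dropper in unusual location"
        else:
            reason = f"{family}: removed"
        findings.append(Finding("mbam", line, reason))
    return findings


# Sample input: lines from the posted logs; the last HJT line is constructed.
SAMPLE_HJT = [
    r"O1 - Hosts: ::1 localhost",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r'O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"',
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup",
    r"O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe",
    r"O4 - HKLM\..\Run: [59617] C:\59617.exe",  # constructed, not in the posted log
]
SAMPLE_MBAM = [
    r"HKEY_CLASSES_ROOT\extravideo (Trojan.DNSChanger) -> Quarantined and deleted successfully.",
    r"C:\59617.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.",
    r"C:\Users\Arun\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AEIGH933\KuLightCadecPock3439[1].exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.",
    r"C:\Windows\System32\msqpdxkyruwurn.dll (Trojan.Agent) -> Delete on reboot.",
]

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT) + triage_mbam(SAMPLE_MBAM):
        print(f"[{f.source}] {f.reason}\n    {f.line}")
```

On the posted logs this flags only the orphaned BHO in the HijackThis output (a leftover registration, not by itself evidence of infection), while the Malwarebytes log carries the real signal: three droppers at the root of C:, one in the IE cache, and a System32 DLL that could not be removed until reboot. A clean-looking HijackThis log therefore does not settle the question; the reboot-pending item in particular is the reason to restart and rescan before calling the machine clean.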
Rorschach112
post Dec 23 2008, 04:20 PM
Post #3


GeekU Teacher
Posts: 29,660
From: Dublin
OS: XP



hello

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

ArunOnline
post Dec 25 2008, 07:44 AM
Post #4


New Member
Posts: 6
OS: Windows Vista Ultimate SP1



Attached. Thank you.
Attached file: ComboFix.txt (19.92K)
Rorschach112
post Dec 25 2008, 01:41 PM
Post #5


GeekU Teacher
Posts: 29,660
From: Dublin
OS: XP



Can you post it instead of attaching?
ArunOnline
post Dec 25 2008, 02:03 PM
Post #6


New Member
Posts: 6
OS: Windows Vista Ultimate SP1



ComboFix 08-12-24.01 - Arun 2008-12-25 19:02:18.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.3067.2049 [GMT 5.5:30]
Running from: c:\users\Arun\Downloads\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\windows\system32\hpowiax7.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-25 to 2008-12-25 )))))))))))))))))))))))))))))))
.

2008-12-25 18:56 . 2008-12-25 18:55 410,984 --a------ c:\windows\System32\deploytk.dll
2008-12-25 18:55 . 2008-12-25 18:55 <DIR> d-------- c:\program files\Java
2008-12-25 16:52 . 2008-12-25 16:52 <DIR> d-------- c:\users\Arun\AppData\Roaming\FlashGet
2008-12-25 16:44 . 2008-12-25 16:52 <DIR> d-------- c:\program files\FlashGet
2008-12-25 16:21 . 2008-12-25 16:21 0 --ah----- c:\windows\System32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2008-12-25 04:32 . 2008-12-25 04:32 <DIR> d-------- c:\users\All Users\WEBREG
2008-12-25 04:32 . 2008-12-25 04:32 <DIR> d-------- c:\programdata\WEBREG
2008-12-25 03:00 . 2008-12-25 04:38 <DIR> d-------- c:\users\Arun\AppData\Roaming\HP
2008-12-25 02:57 . 2008-12-25 02:57 <DIR> d-------- c:\users\All Users\HP Product Assistant
2008-12-25 02:57 . 2008-12-25 02:57 <DIR> d-------- c:\programdata\HP Product Assistant
2008-12-25 02:57 . 2008-12-25 02:57 <DIR> d-------- c:\program files\Hewlett-Packard
2008-12-25 02:56 . 2008-12-25 02:56 <DIR> d-------- c:\program files\Common Files\HP
2008-12-25 02:56 . 2008-12-25 02:56 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
2008-12-25 02:55 . 2008-12-25 02:57 <DIR> d-------- c:\program files\HP
2008-12-25 02:52 . 2008-12-25 04:33 157,556 --a------ c:\windows\hpoins28.dat
2008-12-25 02:51 . 2008-12-25 02:57 <DIR> d-------- c:\users\All Users\HP
2008-12-25 02:51 . 2008-12-25 02:51 <DIR> d-------- c:\users\All Users\Hewlett-Packard
2008-12-25 02:51 . 2008-12-25 02:57 <DIR> d-------- c:\programdata\HP
2008-12-25 02:51 . 2008-12-25 02:51 <DIR> d-------- c:\programdata\Hewlett-Packard
2008-12-25 02:51 . 2007-11-08 20:26 271,704 --a------ c:\windows\System32\hpzids01.dll
2008-12-25 02:51 . 2007-10-20 18:25 118,272 --a------ c:\windows\System32\hpz3l5mu.dll
2008-12-25 02:49 . 2007-10-21 22:15 581,632 --a------ c:\windows\System32\hpotscl6.dll
2008-12-25 02:49 . 2007-10-30 14:55 372,736 --a------ c:\windows\System32\hppldcoi.dll
2008-12-25 02:49 . 2007-10-21 22:15 303,104 --a------ c:\windows\System32\hpovst15.dll
2008-12-24 20:35 . 2008-12-24 20:36 <DIR> d-------- c:\program files\Microsoft IntelliPoint
2008-12-24 20:34 . 2008-12-24 20:35 <DIR> d-------- c:\program files\Microsoft IntelliType Pro
2008-12-23 05:20 . 2008-12-23 05:20 <DIR> d-------- c:\users\Arun\AppData\Roaming\Malwarebytes
2008-12-23 05:20 . 2008-12-23 05:20 <DIR> d-------- c:\users\All Users\Malwarebytes
2008-12-23 05:20 . 2008-12-23 05:20 <DIR> d-------- c:\programdata\Malwarebytes
2008-12-23 05:20 . 2008-12-23 05:20 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-23 05:20 . 2008-12-03 19:52 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-12-23 05:20 . 2008-12-03 19:52 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-12-23 05:08 . 2008-12-23 05:08 <DIR> d-------- c:\program files\Trend Micro
2008-12-23 04:48 . 2008-12-23 04:48 0 --ah----- c:\windows\System32\drivers\Msft_User_WpdRapi_01_00_00.Wdf
2008-12-23 03:09 . 2008-12-23 03:09 <DIR> d-------- c:\users\All Users\Messenger Plus!
2008-12-23 03:09 . 2008-12-23 03:09 <DIR> d-------- c:\programdata\Messenger Plus!
2008-12-22 14:21 . 2008-12-22 14:21 <DIR> d-------- c:\program files\Messenger Plus! Live
2008-12-22 12:01 . 2008-12-22 13:31 <DIR> d-------- c:\users\All Users\WLInstaller
2008-12-22 12:01 . 2008-12-22 13:31 <DIR> d-------- c:\programdata\WLInstaller
2008-12-22 12:01 . 2008-12-22 14:17 <DIR> d-------- c:\program files\Windows Live
2008-12-22 12:01 . 2008-12-22 12:02 <DIR> d--hsc--- c:\program files\Common Files\WindowsLiveInstaller
2008-12-22 11:54 . 2008-12-23 06:18 <DIR> d-------- c:\users\All Users\Yahoo!
2008-12-22 11:54 . 2008-12-23 06:18 <DIR> d-------- c:\programdata\Yahoo!
2008-12-22 11:54 . 2008-12-22 11:54 <DIR> d-------- c:\program files\Yahoo!
2008-12-22 09:54 . 2008-12-22 09:54 40 --ah----- c:\windows\System32\ivireg.ivr
2008-12-22 09:22 . 2008-12-22 09:26 <DIR> d-------- c:\users\Arun\AppData\Roaming\Corel
2008-12-22 09:22 . 2008-12-25 01:33 3,350 --ahs---- c:\users\All Users\KGyGaAvL.sys
2008-12-22 09:22 . 2008-12-25 01:33 3,350 --ahs---- c:\programdata\KGyGaAvL.sys
2008-12-22 09:22 . 2008-12-22 09:26 88 -r-hs---- c:\users\All Users\9244613EB1.sys
2008-12-22 09:22 . 2008-12-22 09:26 88 -r-hs---- c:\programdata\9244613EB1.sys
2008-12-22 09:20 . 2008-12-22 09:20 <DIR> d-------- c:\users\All Users\Corel
2008-12-22 09:20 . 2008-12-22 09:20 <DIR> d-------- c:\programdata\Corel
2008-12-22 09:20 . 2008-12-22 09:20 <DIR> d-------- c:\program files\InterVideo
2008-12-22 09:20 . 2008-12-22 09:20 <DIR> d-------- c:\program files\Corel
2008-12-22 09:20 . 2008-12-22 09:20 <DIR> d-------- c:\program files\Common Files\Protexis
2008-12-22 09:20 . 2008-12-22 09:20 <DIR> d-------- c:\program files\Common Files\InterVideo
2008-12-22 08:04 . 2008-12-22 08:06 <DIR> d-------- c:\users\All Users\Apple Computer
2008-12-22 08:04 . 2008-12-22 08:06 <DIR> d-------- c:\programdata\Apple Computer
2008-12-22 08:04 . 2008-12-22 08:04 <DIR> d-------- c:\program files\QuickTime
2008-12-22 08:04 . 2008-12-22 08:04 <DIR> d-------- c:\program files\Common Files\Apple
2008-12-22 08:03 . 2008-12-22 08:03 <DIR> d-------- c:\users\All Users\Apple
2008-12-22 08:03 . 2008-12-22 08:03 <DIR> d-------- c:\programdata\Apple
2008-12-22 08:03 . 2008-12-22 08:03 <DIR> d-------- c:\program files\Apple Software Update
2008-12-22 07:49 . 2008-12-22 07:49 <DIR> d-------- c:\users\Arun\AppData\Roaming\DivX
2008-12-22 07:48 . 2008-12-22 07:48 <DIR> d-------- c:\program files\DivX
2008-12-22 07:48 . 2008-12-22 07:48 <DIR> d-------- c:\program files\Common Files\PX Storage Engine
2008-12-22 07:32 . 2008-12-22 07:33 <DIR> d-------- c:\users\All Users\WinZip
2008-12-22 07:32 . 2008-12-22 07:33 <DIR> d-------- c:\programdata\WinZip
2008-12-22 07:22 . 2008-12-22 07:22 <DIR> d-------- c:\windows\SQL9_KB954606_ENU
2008-12-22 06:51 . 2008-12-22 06:51 <DIR> d-------- c:\program files\Zone Labs
2008-12-22 06:47 . 2008-12-22 06:51 <DIR> d-------- c:\windows\Internet Logs
2008-12-22 06:47 . 2008-12-22 06:47 <DIR> d-------- c:\users\All Users\CheckPoint
2008-12-22 06:47 . 2008-12-22 06:47 <DIR> d-------- c:\programdata\CheckPoint
2008-12-21 21:03 . 2008-08-17 16:03 678,408 --a------ c:\windows\System32\gpprefcl.dll
2008-12-21 20:51 . 2008-12-21 07:45 <DIR> d-------- c:\windows\Panther
2008-12-21 20:44 . 2008-12-21 20:44 <DIR> d--h----- C:\$WINDOWS.~Q
2008-12-21 20:44 . 2008-12-21 20:44 <DIR> d--h----- C:\$INPLACE.~TR
2008-12-21 19:59 . 2008-12-21 20:51 <DIR> d--hs---- C:\Boot
2008-12-21 19:59 . 2008-01-21 07:52 333,203 -rahs---- C:\bootmgr
2008-12-21 19:59 . 2008-12-21 20:51 8,192 -ra-s---- C:\BOOTSECT.BAK
2008-12-21 16:52 . 2008-12-21 16:52 <DIR> d-------- C:\Temp
2008-12-21 16:01 . 2007-07-20 05:25 233,888 --a------ c:\windows\System32\DreamScene.dll
2008-12-21 11:32 . 2008-12-21 11:32 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-12-21 11:08 . 2008-08-05 15:19 428,544 --a------ c:\windows\System32\EncDec.dll
2008-12-21 11:08 . 2008-08-05 15:19 293,376 --a------ c:\windows\System32\psisdecd.dll
2008-12-21 11:08 . 2008-08-05 15:18 217,088 --a------ c:\windows\System32\psisrndr.ax
2008-12-21 11:08 . 2008-08-05 15:18 177,664 --a------ c:\windows\System32\mpg2splt.ax
2008-12-21 11:08 . 2008-08-05 15:18 80,896 --a------ c:\windows\System32\MSNP.ax
2008-12-21 11:08 . 2008-04-23 10:11 57,856 --a------ c:\windows\System32\MSDvbNP.ax
2008-12-21 11:04 . 2008-06-26 07:15 12,240,896 --a------ c:\windows\System32\NlsLexicons0007.dll
2008-12-21 11:04 . 2008-06-26 07:15 2,644,480 --a------ c:\windows\System32\NlsLexicons0009.dll
2008-12-21 11:04 . 2008-06-26 08:59 801,280 --a------ c:\windows\System32\NaturalLanguage6.dll
2008-12-21 10:47 . 2008-12-21 10:47 <DIR> d-------- c:\program files\BitLocker
2008-12-21 10:45 . 2008-10-02 07:02 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2008-12-21 10:42 . 2008-10-22 06:52 2,048 --a------ c:\windows\System32\tzres.dll
2008-12-21 10:41 . 2007-02-22 07:56 1,171,848 --a------ c:\windows\System32\SecureKeyBackupCPL.dll
2008-12-21 10:41 . 2006-12-21 06:28 711 --a------ c:\windows\System32\CPSOKBTasks.xml
2008-12-21 10:33 . 2008-10-16 10:17 827,392 --a------ c:\windows\System32\wininet.dll
2008-12-21 10:32 . 2008-11-01 06:51 4,240,384 --a------ c:\windows\System32\GameUXLegacyGDFs.dll
2008-12-21 10:32 . 2008-03-08 09:51 1,695,744 --a------ c:\windows\System32\gameux.dll
2008-12-21 10:32 . 2008-11-01 09:14 28,672 --a------ c:\windows\System32\Apphlpdm.dll
2008-12-21 10:28 . 2008-09-18 10:39 3,601,464 --a------ c:\windows\System32\ntkrnlpa.exe
2008-12-21 10:28 . 2008-09-18 10:39 3,549,240 --a------ c:\windows\System32\ntoskrnl.exe
2008-12-21 10:27 . 2008-02-29 12:41 988,216 --a------ c:\windows\System32\winload.exe
2008-12-21 10:27 . 2008-02-29 12:41 927,288 --a------ c:\windows\System32\winresume.exe
2008-12-21 10:27 . 2008-02-22 10:35 615,992 --a------ c:\windows\System32\ci.dll
2008-12-21 10:27 . 2008-02-29 12:23 378,368 --a------ c:\windows\System32\srcore.dll
2008-12-21 10:27 . 2008-02-29 09:42 318,464 --a------ c:\windows\System32\rstrui.exe
2008-12-21 10:27 . 2008-02-29 12:23 46,592 --a------ c:\windows\System32\setbcdlocale.dll
2008-12-21 10:27 . 2008-02-29 12:23 40,960 --a------ c:\windows\System32\srclient.dll
2008-12-21 10:27 . 2008-02-29 12:44 19,000 --a------ c:\windows\System32\kd1394.dll
2008-12-21 10:27 . 2008-02-29 09:42 14,848 --a------ c:\windows\System32\srdelayed.exe
2008-12-21 10:27 . 2008-02-29 12:05 6,656 --a------ c:\windows\System32\kbd106n.dll
2008-12-21 10:25 . 2008-06-23 07:29 2,868,736 --a------ c:\windows\System32\mf.dll
2008-12-21 10:25 . 2008-06-23 07:29 996,352 --a------ c:\windows\System32\WMNetMgr.dll
2008-12-21 10:25 . 2008-06-23 07:28 94,720 --a------ c:\windows\System32\logagent.exe
2008-12-21 10:23 . 2008-04-26 13:38 1,314,816 --a------ c:\windows\System32\quartz.dll
2008-12-21 10:22 . 2008-10-29 11:59 2,927,104 --a------ c:\windows\explorer.exe
2008-12-21 10:22 . 2008-09-18 07:46 2,032,640 --a------ c:\windows\System32\win32k.sys
2008-12-21 10:22 . 2008-09-05 10:44 1,191,936 --a------ c:\windows\System32\msxml3.dll
2008-12-21 10:22 . 2008-04-26 13:56 891,448 --a------ c:\windows\System32\drivers\tcpip.sys
2008-12-21 10:22 . 2008-04-12 09:02 784,896 --a------ c:\windows\System32\rpcrt4.dll
2008-12-21 10:22 . 2008-08-12 09:09 443,392 --a------ c:\windows\System32\win32spl.dll
2008-12-21 10:22 . 2008-08-27 06:35 212,480 --a------ c:\windows\System32\drivers\mrxsmb10.sys
2008-12-21 10:22 . 2008-04-05 06:51 72,192 --a------ c:\windows\System32\drivers\pacer.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 15:20 --------- d-----w c:\program files\Windows Mail
2008-12-21 10:29 --------- d-----w c:\program files\Microsoft Games
2008-12-21 04:25 --------- d-----w c:\program files\MSBuild
2008-11-01 03:44 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-10-27 21:44 3,596,288 ----a-w c:\windows\System32\qt-dx331.dll
2008-10-27 21:42 200,704 ----a-w c:\windows\System32\ssldivx.dll
2008-10-27 21:42 1,044,480 ----a-w c:\windows\System32\libdivx.dll
2008-10-27 21:41 86,016 ----a-w c:\windows\System32\dpl100.dll
2008-10-27 21:41 593,920 ----a-w c:\windows\System32\dpuGUI11.dll
2008-10-27 21:41 57,344 ----a-w c:\windows\System32\dpv11.dll
2008-10-27 21:41 344,064 ----a-w c:\windows\System32\dpus11.dll
2008-10-27 21:41 294,912 ----a-w c:\windows\System32\dpu11.dll
2008-10-27 21:41 200,704 ----a-w c:\windows\System32\dtu100.dll
2008-10-22 03:57 241,152 ----a-w c:\windows\System32\PortableDeviceApi.dll
2008-10-21 05:25 296,960 ----a-w c:\windows\System32\gdi32.dll
2008-10-21 05:25 1,645,568 ----a-w c:\windows\System32\connect.dll
2008-09-30 11:13 1,286,152 ----a-w c:\windows\System32\msxml4.dll
2008-01-21 02:41 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-27 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-27 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-27 145944]
"IntelSWUpdateClient"="c:\program files\Intel\inteldh\common\SWUpdateClient.exe" [2008-06-23 129424]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-05-22 442467]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13580832]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 92704]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-06 849280]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-25 136600]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{FE0B8DF1-D2D5-4307-9082-9A1E709FBCCE}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{DF2B210D-C061-49A1-A7D1-371391BD22FE}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{03E67F56-679D-41E1-8BB7-1F23484FC9B7}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{A6BEF93C-67C8-4EDE-993F-5E81088C0555}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{BDF30C24-3288-4238-B5C0-60464FC9ABD1}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{68E9B924-1BD7-46E2-91B8-621C27739376}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{86D8315C-8A25-439C-830D-340B3F9AFE54}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{054460FC-F91F-453E-9836-A81B1B63FDB5}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{5264C046-1494-4BB2-A7A8-020FF1252A51}"= UDP:990:LocalSubnet:LocalSubnet|IF={BC68FAAD-6B5C-48F1-919D-01CA6F02EF9F}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
"{540CC31B-92AD-46DC-B38E-EA37C4D63252}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{F269B38E-D946-4D45-B2B4-6B4040B6B69B}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{A845CA84-E13D-457D-B566-17243A3390BF}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{6267ED68-1DD5-438C-990C-A0C3CEE62E50}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{80B86243-1FF5-4501-95B0-9060E2152E95}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{D6C92274-0CB9-4A1D-94F0-28B17FF1B2A7}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{3AAAFEF6-6173-4165-B394-9EA8D4085574}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{2BE66A00-7AFF-4A91-8C7F-95DF5CCF717D}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{BC8B7073-6855-447D-B727-D4316A993B97}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{3AE88023-B73D-4FB0-A4B3-278850A1841E}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"TCP Query User{19666ED0-A5B6-4A48-B4B6-48049AA159EC}c:\\program files\\flashget\\flashget.exe"= UDP:c:\program files\flashget\flashget.exe:FlashGet
"UDP Query User{8D33A457-6129-40F6-8D6C-E33EBED4FA1F}c:\\program files\\flashget\\flashget.exe"= TCP:c:\program files\flashget\flashget.exe:FlashGet

R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;"c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe" [2008-01-11 30312]
R2 ME Services Manager;ME Services Manager;"c:\program files\Intel\inteldh\msm\MSM.exe" [2008-06-23 1628560]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-17 11032]
R2 Software Services Manager;Software Services Manager;"c:\program files\Intel\inteldh\common\IntelDHSvcMgr.exe" [2008-06-23 51088]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6032.sys [2008-12-21 224384]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-12-21 113664]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [2008-08-05 29184016]
S3 wbondir;Winbond CIR Transceiver;c:\windows\system32\DRIVERS\wbondir.sys [2007-03-20 49664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eb273165-cf0f-11dd-8dbc-001cc07d43bc}]
\shell\AutoRun\command - e:\autorun\AutoStart.exe
\shell\Explore\Command - e:\autorun\AutoStart.exe
\shell\Open\Command - e:\autorun\AutoStart.exe

*Newly Created Service* - PROCEXP90

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
%SystemRoot%\system32\soundschemes2.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder

2008-12-25 c:\windows\Tasks\User_Feed_Synchronization-{CE022EF8-DFF3-4AAD-9D73-6A24A44127AA}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 07:53]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-25 19:03:43
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\Arun\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-12-25 19:08:10
ComboFix-quarantined-files.txt 2008-12-25 13:38:08

Pre-Run: 155,641,249,792 bytes free
Post-Run: 158,929,973,248 bytes free

255 --- E O F --- 2008-12-25 10:51:26
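The MountPoints2 key near the end of the log above (under Reg Loading Points) is the removable-drive autorun hook: it tells Explorer to run e:\autorun\AutoStart.exe whenever drive E: is opened, explored or auto-run, which is the same mechanism the C:\Autorun.inf that ComboFix deleted relies on. The following Python is an added example, not ComboFix or OTMoveIt code: it parses that block out of ComboFix log text and emits the `[-key]` deletion line in the form OTMoveIt accepts in its :Reg section (the form the helper's script later in this thread uses). The sample text is the block from the log above; treating c: as the system drive in hijacked_keys is the editor's assumption.

```python
"""Turn the MountPoints2 block of a ComboFix log into OTMoveIt ':Reg' lines.

Added example for this thread; it is not ComboFix or OTMoveIt code. SAMPLE
is the MountPoints2 block from the log above. The '[-key]' output form is
the one OTMoveIt accepts in its :Reg section (as used later in the thread).
"""
import re

# A MountPoints2 subkey is named after the volume GUID of a drive that was
# plugged in; its shell\<verb>\command values are what Explorer runs on
# double-click (Open), right-click Explore, and AutoRun for that drive.
KEY_HEADER = re.compile(
    r"^\[(?P<key>HKEY_[A-Z_]+\\.*\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.I)
COMMAND = re.compile(r"^\\shell\\(?P<verb>[^\\]+)\\command - (?P<target>.+)$", re.I)

# Sample input: the MountPoints2 block copied from the ComboFix log above.
SAMPLE = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eb273165-cf0f-11dd-8dbc-001cc07d43bc}]
\shell\AutoRun\command - e:\autorun\AutoStart.exe
\shell\Explore\Command - e:\autorun\AutoStart.exe
\shell\Open\Command - e:\autorun\AutoStart.exe
"""


def parse_mountpoints(text):
    """Return {registry_key: {verb: target}} for each MountPoints2 key in the block."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_HEADER.match(line)
        if m:
            current = m.group("key")
            entries[current] = {}
            continue
        m = COMMAND.match(line)
        if m and current is not None:
            entries[current][m.group("verb").lower()] = m.group("target")
    return entries


def hijacked_keys(entries, system_drive="c:"):
    """Keys whose verbs launch something from a non-system drive.

    Assumption (editor's): the system drive never needs a MountPoints2
    command, so any command pointing at another drive is autorun residue.
    """
    return [key for key, verbs in entries.items()
            if any(not t.lower().startswith(system_drive) for t in verbs.values())]


def otmoveit_script(entries):
    """OTMoveIt ':Reg' section deleting every hijacked MountPoints2 key."""
    return "\n".join([":Reg"] + [f"[-{key}]" for key in hijacked_keys(entries)])


if __name__ == "__main__":
    print(otmoveit_script(parse_mountpoints(SAMPLE)))
```

Deleting the key only removes Explorer's memory of what to run for that volume; the AutoStart.exe on the removable drive itself is untouched, so the drive should be scanned (or its autorun folder removed) before it is plugged into a clean machine again.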
ArunOnline
post Dec 25 2008, 02:05 PM
Post #7


New Member
Posts: 6
OS: Windows Vista Ultimate SP1



I'm not sure why it deleted "hpowiax7.dll", which I think is related to the HP Deskjet All-in-One. Also, isn't Autorun.inf required for Windows? Were those files quarantined somewhere, and is there a folder to check them?
Rorschach112
post Dec 26 2008, 07:31 AM
Post #8


GeekU Teacher
Posts: 29,660
From: Dublin
OS: XP



hello

Please go to UploadMalware to upload a suspicious file for analysis.
  • Enter your username from this forum in the Comments Or Further Info: box
  • Copy and paste the link to this thread in the Topic Where File Was Requested: box
  • Browse for this filename: C:\Qoobox\Quarantine\c\windows\system32\hpowiax7.dll
  • In the comments, please mention that I asked you to upload this file
  • Click on Send File
ArunOnline
post Dec 26 2008, 06:01 PM
Post #9


New Member
Posts: 6
OS: Windows Vista Ultimate SP1



I have submitted both files now and awaiting result. Meanwhile what do you think of my ComboFix log?
Rorschach112
post Dec 27 2008, 07:27 AM
Post #10


GeekU Teacher
Posts: 29,660
From: Dublin
OS: XP



hello

Please download the OTMoveIt3 by OldTimer or from here.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    CODE
    :Processes
    explorer.exe

    :Services

    :Reg
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eb273165-cf0f-11dd-8dbc-001cc07d43bc}]

    :Files



    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]

  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.




Please download ATF Cleaner by Atribune.
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.




Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.






Go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
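The :Reg line in the OTMoveIt3 script above deletes one volume entry from MountPoints2, the key where Explorer caches per-volume autorun data (which is what an autorun.inf on a removable drive feeds into). Before removing such entries it helps to see what is actually stored there. The following is an added, read-only audit script written for this thread; it is not part of OTMoveIt3, ComboFix or any other tool mentioned here, and it assumes Windows PowerShell is installed on the machine (Vista did not ship it by default). The function name Get-MountPoints2Audit is made up for the example.

```powershell
# Added example, not from the thread: list every volume entry Explorer has cached
# under MountPoints2 and flag those that carry a Shell\AutoRun\command subkey.
# That subkey holds the command line Explorer would run on a double-click of the
# drive, so it is the part worth reviewing before an entry is deleted.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

function Get-MountPoints2Audit {
    # Nothing to report if the key does not exist on this profile
    if (-not (Test-Path $base)) { return @() }

    Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
        $volume = $_.PSChildName            # a {GUID}, "#C#", or "##server#share"
        $cmdKey = Join-Path $_.PSPath 'Shell\AutoRun\command'
        $command = $null
        if (Test-Path $cmdKey) {
            # The unnamed "(default)" value is the stored command line
            $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
        }
        [pscustomobject]@{
            Volume     = $volume
            HasAutoRun = [bool]$command
            Command    = $command
        }
    }
}

# Entries with a stored command sort to the top; the script changes nothing.
Get-MountPoints2Audit | Sort-Object HasAutoRun -Descending | Format-Table -AutoSize
```

Run it from a normal (non-elevated) prompt, since MountPoints2 lives under HKCU and reflects the logged-in user's profile. An entry whose Command column points at an executable on a removable drive is the kind of thing a helper would ask to have removed; entries with no command are just Explorer's memory of drives it has seen and are harmless on their own.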
Rorschach112
post Dec 30 2008, 02:18 PM
Post #11


GeekU Teacher
Posts: 29,660
From: Dublin
OS: XP



Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.