My HJT Log- Virtumonde I think? [RESOLVED]



#1 sajman, Member, 13 posts
I run Spybot and it picks up Virtumonde and Virtumonde.dll but does not get rid of it. I also had the win32.netbooster and trojan downloader prompts; I think I got rid of them. I thought that I maybe had a backdoor virus also. I looked through my HJT log and found some bad items but am not sure how to get rid of them. I don't want to mess around too much without advice from the pros; I am new to this and have been working on it for 5 days now GRRRRRRR! Thanks guys!!!!!!


Here is my log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:33:43 PM, on 4/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {081CCD1F-6294-4BD1-9230-902367A406C9} - (no file)
O2 - BHO: (no name) - {3CFBA2B9-445D-32FE-2C02-4EB67C6FA7CE} - (no file)
O2 - BHO: (no name) - {4144C0C4-2175-59DE-0260-2800C9BBDACB} - C:\WINDOWS\system32\megqcb.dll (file missing)
O2 - BHO: (no name) - {4410CD94-2674-058F-0260-2800C9BA809E} - C:\WINDOWS\system32\xdvmf.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {74D16D2B-D495-48D4-9C1E-69895DCB1E67} - C:\WINDOWS\system32\efcASkhG.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {8AFA1B87-FB96-4E08-BD82-40ADB1F843A0} - (no file)
O2 - BHO: (no name) - {9BE7AB2C-429B-6A6A-EC2E-4C766E4900C4} - C:\WINDOWS\system32\mpzseui.dll (file missing)
O2 - BHO: (no name) - {A84D7385-F2E8-40B3-A238-A464B65DEDF0} - C:\WINDOWS\system32\ssqRJdBu.dll (file missing)
O2 - BHO: (no name) - {AFBBB0B3-85A1-43F9-B7FD-040C0C129233} - C:\WINDOWS\system32\fccdbApM.dll (file missing)
O2 - BHO: (no name) - {C47E6704-A9C6-441F-BC50-0F8DF9FC8379} - C:\WINDOWS\system32\yayyYSli.dll (file missing)
O2 - BHO: (no name) - {C6CF5BA3-2D76-40D1-A07F-2A0D18540255} - (no file)
O2 - BHO: (no name) - {EE5A1465-1E73-4784-8F63-45983FDF0DB8} - (no file)
O2 - BHO: (no name) - {EE7C25DE-5476-4473-A4E8-BE54B18C2ED9} - (no file)
O2 - BHO: (no name) - {F9A5830B-CF14-4363-B862-8344240C00F6} - C:\WINDOWS\system32\efcDUmnn.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [Ists] "C:\PROGRA~1\COMMON~1\DOBE~1\chkdsk.exe" -vt ndrv
O4 - HKCU\..\Run: [Vdcxo] C:\WINDOWS\system32\T?sks\m?hta.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [cxzdqggm] C:\WINDOWS\system32\kxuzohkj.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} -
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 6869 bytes

Edited by sajman, 22 April 2008 - 03:08 PM.




#2 BHowett, OT Moderator, 4,642 posts
Hi sajman,

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once you get the all clear.

  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

==================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

==================================================================

Needed in your next reply :

"C:\ComboFix.txt"

new HijackThis log

Also, I didn’t see any anti-virus protection. Do you have any installed on your system?

#3 sajman (Topic Starter), Member, 13 posts
I thought I had an antivirus with AVG but I guess not. What do you suggest?
Here are my log files. I noticed that I do not have the recovery console. I have been having trouble updating SP1 (I think that's what it is); it always says this: "Setup cannot continue because the version of Windows on your computer is newer than the version you are trying to install".
It has been prompting me for a while to update it but it won't work. I think that's how this whole mess started: I was trying to download updates on Microsoft and I also downloaded Download Accelerator (oops).

I very much appreciate your help!!!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:05:27 PM, on 4/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {081CCD1F-6294-4BD1-9230-902367A406C9} - (no file)
O2 - BHO: (no name) - {3CFBA2B9-445D-32FE-2C02-4EB67C6FA7CE} - (no file)
O2 - BHO: (no name) - {4144C0C4-2175-59DE-0260-2800C9BBDACB} - C:\WINDOWS\system32\megqcb.dll (file missing)
O2 - BHO: (no name) - {4410CD94-2674-058F-0260-2800C9BA809E} - C:\WINDOWS\system32\xdvmf.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {74D16D2B-D495-48D4-9C1E-69895DCB1E67} - C:\WINDOWS\system32\efcASkhG.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {8AFA1B87-FB96-4E08-BD82-40ADB1F843A0} - (no file)
O2 - BHO: (no name) - {9BE7AB2C-429B-6A6A-EC2E-4C766E4900C4} - C:\WINDOWS\system32\mpzseui.dll (file missing)
O2 - BHO: (no name) - {A84D7385-F2E8-40B3-A238-A464B65DEDF0} - C:\WINDOWS\system32\ssqRJdBu.dll (file missing)
O2 - BHO: (no name) - {AFBBB0B3-85A1-43F9-B7FD-040C0C129233} - C:\WINDOWS\system32\fccdbApM.dll (file missing)
O2 - BHO: (no name) - {C47E6704-A9C6-441F-BC50-0F8DF9FC8379} - C:\WINDOWS\system32\yayyYSli.dll (file missing)
O2 - BHO: (no name) - {C6CF5BA3-2D76-40D1-A07F-2A0D18540255} - (no file)
O2 - BHO: (no name) - {EE5A1465-1E73-4784-8F63-45983FDF0DB8} - (no file)
O2 - BHO: (no name) - {EE7C25DE-5476-4473-A4E8-BE54B18C2ED9} - (no file)
O2 - BHO: (no name) - {F9A5830B-CF14-4363-B862-8344240C00F6} - C:\WINDOWS\system32\efcDUmnn.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [Ists] "C:\PROGRA~1\COMMON~1\DOBE~1\chkdsk.exe" -vt ndrv
O4 - HKCU\..\Run: [Vdcxo] C:\WINDOWS\system32\T?sks\m?hta.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [cxzdqggm] C:\WINDOWS\system32\kxuzohkj.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} -
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 6903 bytes


I x'd my name out, not sure if that's ok or not.
***Combofix log is:

ComboFix 08-04-22.1 -xxxxx xxxxx 2008-04-22 19:57:44.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.74 [GMT -5:00]
Running from: C:\Documents and Settings\Cxxxx Cxxxx\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))
.

2008-04-22 09:59 . 2008-04-22 09:59 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-21 21:06 . 2008-04-21 21:06 <DIR> d-------- C:\VundoFix Backups
2008-04-21 16:20 . 2008-04-21 16:20 1,540,617 --ahs---- C:\WINDOWS\system32\plasuufm.ini
2008-04-21 16:01 . 2008-04-22 10:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-21 15:33 . 2008-04-21 15:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-21 14:26 . 2008-04-21 14:26 <DIR> d-------- C:\Documents and Settings\Cxxxx Cxxxx\Application Data\Uniblue
2008-04-20 19:14 . 2007-09-29 09:32 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-20 16:17 . 2008-04-21 08:52 294 --ahs---- C:\WINDOWS\system32\etqkmelt.ini
2008-04-20 16:12 . 2008-04-20 16:12 106,496 --a------ C:\WINDOWS\system32\unynsbob.exe
2008-04-19 16:21 . 2008-04-20 16:03 354 --ahs---- C:\WINDOWS\system32\cjtfujko.ini
2008-04-19 16:17 . 2004-08-04 00:08 10,624 --a------ C:\WINDOWS\system32\drivers\gameenum.sys
2008-04-19 16:17 . 2004-08-04 00:08 10,624 --a--c--- C:\WINDOWS\system32\dllcache\gameenum.sys
2008-04-18 22:40 . 2008-04-21 22:23 2,978 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-18 21:23 . 2008-04-18 21:23 444 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-04-18 20:59 . 2008-04-18 20:59 <DIR> d-------- C:\Documents and Settings\Cxxxx Cxxxx\SmitfraudFix
2008-04-18 16:03 . 2008-04-18 16:03 94,208 --a------ C:\WINDOWS\system32\dazajqnq.exe
2008-04-18 13:24 . 2008-04-18 13:24 <DIR> d-------- C:\Documents and Settings\Cxxxx Cxxxx\Application Data\TmpRecentIcons
2008-04-18 10:35 . 2008-04-18 10:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\uvidodez
2008-04-18 10:35 . 2008-04-18 03:18 155,648 --a------ C:\WINDOWS\qtvglped.dll
2008-04-18 10:35 . 2008-04-18 10:35 98,304 --a------ C:\WINDOWS\system32\czyzwfqp.exe
2008-04-18 10:35 . 2008-04-18 03:18 94,208 --a------ C:\WINDOWS\npqtsrak.exe
2008-04-17 14:26 . 2008-04-18 11:07 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-17 12:22 . 2008-04-17 12:22 <DIR> d-------- C:\Program Files\Mailinfo
2008-04-17 12:22 . 2005-02-28 08:32 24,576 --a------ C:\WINDOWS\system32\IdleTrac1.dll
2008-04-17 11:44 . 2008-04-17 11:44 479,298 --a------ C:\WINDOWS\system32\wbocx.ocx
2008-04-17 11:44 . 2008-04-17 11:44 172,032 --a------ C:\WINDOWS\system32\AniGIF.ocx
2008-04-17 11:44 . 2008-04-17 11:44 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll
2008-04-02 12:56 . 2008-04-02 12:56 <DIR> d-------- C:\Program Files\Google
2008-03-25 22:43 . 2008-03-25 22:43 <DIR> d-------- C:\Program Files\Safari
2008-03-23 21:32 . 1999-05-20 15:07 667,136 --a------ C:\WINDOWS\system32\oik32.ocx
2008-03-23 21:32 . 1998-11-16 18:44 284,160 --a------ C:\WINDOWS\system32\HDK3CTNT.DLL
2008-03-23 21:32 . 1998-09-21 11:27 177,152 --a------ C:\WINDOWS\system32\HDK3ANIM.DLL
2008-03-23 21:32 . 2001-03-13 14:49 140,288 --a------ C:\WINDOWS\system32\COMDLG32.OCX
2008-03-23 21:32 . 1999-05-20 15:07 61,952 --a------ C:\WINDOWS\system32\twiz32.ocx
2008-03-23 21:32 . 1998-04-15 16:54 29,696 --a------ C:\WINDOWS\system32\HDK3HTML.DLL
2008-03-23 21:32 . 1999-09-14 18:01 2,156 --a------ C:\WINDOWS\DBCDLFMT.INI
2008-03-23 21:31 . 2008-03-23 21:31 <DIR> d-------- C:\Program Files\DATA BECKER

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-22 19:36 --------- d-----w C:\Program Files\CFWebAdvancedU
2008-04-22 15:42 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-22 14:13 --------- d-----w C:\Program Files\Bonjour
2008-04-21 15:35 --------- d-----w C:\Documents and Settings\Cxxxx Cxxxx\Application Data\Lavasoft
2008-04-17 17:56 --------- d-----w C:\Program Files\Common Files\HP
2008-03-26 03:51 --------- d-----w C:\Documents and Settings\Cxxxx Cxxxx\Application Data\Apple Computer
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-17 19:31 --------- d--h--r C:\Documents and Settings\Cxxxx Cxxxx\Application Data\yahoo!
2008-03-12 15:12 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-12 14:45 --------- d-----w C:\Documents and Settings\CxxxxCxxxx\Application Data\AdobeUM
2008-03-11 14:17 --------- d-----w C:\Program Files\iTunes
2008-03-11 14:17 --------- d-----w C:\Program Files\iPod
2008-03-11 14:13 --------- d-----w C:\Program Files\QuickTime
2008-03-11 13:46 --------- d-----w C:\Program Files\Java
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-22 03:35 92,064 ----a-w C:\Documents and Settings\Cxxxx Cxxxx\mqdmmdm.sys
2008-02-22 03:35 9,232 ----a-w C:\Documents and Settings\CxxxxCxxxx\mqdmmdfl.sys
2008-02-22 03:35 79,328 ----a-w C:\Documents and Settings\Cxxxx Cxxxx\mqdmserd.sys
2008-02-22 03:35 66,656 ----a-w C:\Documents and Settings\Cxxxx Cxxxx\mqdmbus.sys
2008-02-22 03:35 6,208 ----a-w C:\Documents and Settings\CxxxxCxxxx\mqdmcmnt.sys
2008-02-22 03:35 5,936 ----a-w C:\Documents and Settings\Cxxxx Cxxxx\mqdmwhnt.sys
2008-02-22 03:35 4,048 ----a-w C:\Documents and Settings\Cxxxx Cxxxx\mqdmcr.sys
2008-02-22 03:35 25,600 ----a-w C:\Documents and Settings\Cxxxx Cxxxx\usbsermptxp.sys
2008-02-22 03:35 22,768 ----a-w C:\Documents and Settings\Cxxxx Cxxxx\usbsermpt.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-19 21:44 691,545 ----a-w C:\WINDOWS\unins000.exe
.

((((((((((((((((((((((((((((( [email protected]_11.50.07.76 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-22 16:36:31 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-22 20:25:19 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{081CCD1F-6294-4BD1-9230-902367A406C9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CFBA2B9-445D-32FE-2C02-4EB67C6FA7CE}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4144C0C4-2175-59DE-0260-2800C9BBDACB}]
C:\WINDOWS\system32\megqcb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4410CD94-2674-058F-0260-2800C9BA809E}]
C:\WINDOWS\system32\xdvmf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74D16D2B-D495-48D4-9C1E-69895DCB1E67}]
C:\WINDOWS\system32\efcASkhG.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8AFA1B87-FB96-4E08-BD82-40ADB1F843A0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9BE7AB2C-429B-6A6A-EC2E-4C766E4900C4}]
C:\WINDOWS\system32\mpzseui.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A84D7385-F2E8-40B3-A238-A464B65DEDF0}]
C:\WINDOWS\system32\ssqRJdBu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AFBBB0B3-85A1-43F9-B7FD-040C0C129233}]
C:\WINDOWS\system32\fccdbApM.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C47E6704-A9C6-441F-BC50-0F8DF9FC8379}]
C:\WINDOWS\system32\yayyYSli.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C6CF5BA3-2D76-40D1-A07F-2A0D18540255}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE7C25DE-5476-4473-A4E8-BE54B18C2ED9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9A5830B-CF14-4363-B862-8344240C00F6}]
C:\WINDOWS\system32\efcDUmnn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ists"="C:\PROGRA~1\COMMON~1\DOBE~1\chkdsk.exe" [ ]
"Vdcxo"="C:\WINDOWS\system32\T?sks\m?hta.exe" [ ]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59 224248]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-12-17 18:13 3810544]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"cxzdqggm"="C:\WINDOWS\system32\kxuzohkj.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59 224248]
"PicasaNet"="C:\Program Files\Hello\Hello.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11 49152]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 20:28:24 258048]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 20:50:52 53248]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-14 23:11:40 180224]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08 16423]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.MSNAUDIO"= msnaudio.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

S2 IPIZWOCL;IPIZWOCL;C:\WINDOWS\System32\ipizwocl.xbg []

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-21 21:42:15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-22 20:00:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\IPIZWOCL]
"ImagePath"="\??\C:\WINDOWS\System32\ipizwocl.xbg"
.
Completion time: 2008-04-22 20:02:01
ComboFix-quarantined-files.txt 2008-04-23 01:01:56
ComboFix2.txt 2008-04-22 16:50:57

Pre-Run: 100,376,080,384 bytes free
Post-Run: 100,364,816,384 bytes free

167 --- E O F --- 2008-04-22 13:39:37

Edited by sajman, 22 April 2008 - 07:38 PM.

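The O2 and O4 lines in the logs above are what a log helper reads first. As an added example (not code from this thread, from HijackThis or from ComboFix), this Python script applies the same checks by hand-rule to those lines: a BHO whose DLL is "(no file)" or "(file missing)", a Run entry whose path contains characters HijackThis cannot display (the T?sks\m?hta.exe entry), a Windows tool name such as chkdsk.exe running from outside system32, and a Run value name that looks auto-generated; the sample log lines are constructed from the entries quoted in the thread.

```python
"""Triage helper for HijackThis v2.0.2 log lines (added example; not code from
the thread, from HijackThis or from ComboFix).  It applies the checks a log
helper makes by hand to O2 (Browser Helper Object) and O4 (Run key) lines and
returns the ones to review first.  SAMPLE_LOG is constructed from this thread."""
import re
from dataclasses import dataclass, field

# "O2 - BHO: <name> - {CLSID} - <dll path | (no file)>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")
# "O4 - HKLM\..\Run: [<value name>] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
# Windows tool names; one running from outside \WINDOWS\system32 (the
# thread's DOBE~1\chkdsk.exe) is a common masquerade.
SYSTEM_TOOL_NAMES = {"chkdsk", "svchost", "lsass", "csrss", "winlogon",
                     "rundll32", "mshta", "explorer", "smss", "services"}


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def exe_path(cmd: str) -> str:
    """Program path from a Run command line: strips quotes and arguments and
    keeps an unquoted path that contains spaces up to its .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def _trigrams(s: str) -> set:
    s = s.lower()
    return {s[i:i + 3] for i in range(len(s) - 2)}


def looks_generated(value: str, stem: str) -> bool:
    """Coarse heuristic (manual review still needed): the Run value name is one
    bare word (letters only, at most an initial capital) sharing no 3-letter
    substring with the executable's name.  Vendors name Run values after the
    product (YSearchProtection / SearchProtection.exe); the generated names in
    this thread (Ists, Vdcxo, cxzdqggm) do not."""
    bare = re.fullmatch(r"[A-Za-z][a-z]{3,}", value) is not None
    return bare and not (_trigrams(value) & _trigrams(stem))


def triage_line(line: str):
    """Return a Finding for a suspicious O2/O4 line, else None."""
    line = line.rstrip()
    m = O2_RE.match(line)
    if m:
        target = m.group("target")
        if target == "(no file)" or target.endswith("(file missing)"):
            return Finding(line, ["BHO CLSID is registered but its DLL is not on disk"])
        return None
    m = O4_RE.match(line)
    if not m:
        return None
    path = exe_path(m.group("cmd"))
    stem = re.sub(r"\.[^.\\]*$", "", path.rsplit("\\", 1)[-1])
    reasons = []
    if "?" in path:
        # HijackThis prints '?' for characters it cannot display; a path like
        # system32\T?sks\m?hta.exe imitates the Tasks folder and mshta.exe.
        reasons.append("path has undisplayable characters imitating a system path")
    if stem.lower() in SYSTEM_TOOL_NAMES and "\\system32\\" not in path.lower():
        reasons.append(f"{stem}.exe is a Windows tool name running outside system32")
    if looks_generated(m.group("value"), stem):
        reasons.append("auto-generated value name unrelated to the executable")
    return Finding(line, reasons) if reasons else None


def triage(log_text: str) -> list:
    """All suspicious O2/O4 lines of a HijackThis log, in log order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


# Constructed sample: lines taken from the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {081CCD1F-6294-4BD1-9230-902367A406C9} - (no file)
O2 - BHO: (no name) - {4144C0C4-2175-59DE-0260-2800C9BBDACB} - C:\WINDOWS\system32\megqcb.dll (file missing)
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [Ists] "C:\PROGRA~1\COMMON~1\DOBE~1\chkdsk.exe" -vt ndrv
O4 - HKCU\..\Run: [Vdcxo] C:\WINDOWS\system32\T?sks\m?hta.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cxzdqggm] C:\WINDOWS\system32\kxuzohkj.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line, "\n   ", "; ".join(f.reasons))
```

Run against the sample it reports the two dangling BHOs and the Ists, Vdcxo and cxzdqggm Run entries, and leaves the Yahoo, Picasa, HP and ctfmon entries alone.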

#4 BHowett, OT Moderator, 4,642 posts
Hi sajman,


I have been having trouble updating SP1 (I think that's what it is); it always says this: "Setup cannot continue because the version of Windows on your computer is newer than the version you are trying to install".


You already have SP2 installed so you don’t need SP1.

Ok, let's see what we can clean up here... :)


Disable Teatimer

Please disable Teatimer as it may interfere with the fix.

First:
*Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
*Choose Exit Spybot S&D Resident

Second:
*Open Spybot S&D
*Click Mode, check Advanced Mode
*Go To Left Panel, Click Tools, then also in left panel, click Resident
*If your firewall raises a question, say OK
*Uncheck the box labeled Resident Tea-Timer and OK any prompts.
*Use File, Exit to terminate Spybot
*Reboot your machine for the changes to take effect.

Once your log is clean you can re-enable those settings.


===============================================



Fix with HijackThis

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.


O2 - BHO: (no name) - {081CCD1F-6294-4BD1-9230-902367A406C9} - (no file)
O2 - BHO: (no name) - {3CFBA2B9-445D-32FE-2C02-4EB67C6FA7CE} - (no file)
O2 - BHO: (no name) - {4144C0C4-2175-59DE-0260-2800C9BBDACB} - C:\WINDOWS\system32\megqcb.dll (file missing)
O2 - BHO: (no name) - {4410CD94-2674-058F-0260-2800C9BA809E} - C:\WINDOWS\system32\xdvmf.dll (file missing)
O2 - BHO: (no name) - {74D16D2B-D495-48D4-9C1E-69895DCB1E67} - C:\WINDOWS\system32\efcASkhG.dll (file missing)
O2 - BHO: (no name) - {8AFA1B87-FB96-4E08-BD82-40ADB1F843A0} - (no file)
O2 - BHO: (no name) - {9BE7AB2C-429B-6A6A-EC2E-4C766E4900C4} - C:\WINDOWS\system32\mpzseui.dll (file missing)
O2 - BHO: (no name) - {A84D7385-F2E8-40B3-A238-A464B65DEDF0} - C:\WINDOWS\system32\ssqRJdBu.dll (file missing)
O2 - BHO: (no name) - {AFBBB0B3-85A1-43F9-B7FD-040C0C129233} - C:\WINDOWS\system32\fccdbApM.dll (file missing)
O2 - BHO: (no name) - {C47E6704-A9C6-441F-BC50-0F8DF9FC8379} - C:\WINDOWS\system32\yayyYSli.dll (file missing)
O2 - BHO: (no name) - {C6CF5BA3-2D76-40D1-A07F-2A0D18540255} - (no file)
O2 - BHO: (no name) - {EE5A1465-1E73-4784-8F63-45983FDF0DB8} - (no file)
O2 - BHO: (no name) - {EE7C25DE-5476-4473-A4E8-BE54B18C2ED9} - (no file)
O2 - BHO: (no name) - {F9A5830B-CF14-4363-B862-8344240C00F6} - C:\WINDOWS\system32\efcDUmnn.dll (file missing)
O4 - HKCU\..\Run: [Ists] "C:\PROGRA~1\COMMON~1\DOBE~1\chkdsk.exe" -vt ndrv
O4 - HKCU\..\Run: [Vdcxo] C:\WINDOWS\system32\T?sks\m?hta.exe
O4 - HKCU\..\Run: [cxzdqggm] C:\WINDOWS\system32\kxuzohkj.exe


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.


===============================================


Combofix Script.txt

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\plasuufm.ini
C:\WINDOWS\system32\etqkmelt.ini
C:\WINDOWS\system32\unynsbob.exe
C:\WINDOWS\system32\cjtfujko.ini
C:\WINDOWS\system32\d3d8caps.dat
C:\WINDOWS\system32\dazajqnq.exe
C:\Documents and Settings\All Users\Application Data\uvidodez
C:\WINDOWS\qtvglped.dll
C:\WINDOWS\system32\czyzwfqp.exe
C:\WINDOWS\npqtsrak.exe
C:\WINDOWS\system32\kxuzohkj.exe


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

===============================================


Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
===============================================


Anti-Virus software

Looking over your log, it seems there is no evidence of any Anti-Virus software. Anti-virus software is a program that detects, cleanses, and erases harmful virus files on a computer. An Anti-Virus product is a necessity. There are many excellent programs that you can purchase. However, we choose to advocate the use of free programs whenever possible. Some very good and easy-to-use free A/V programs are:
It's a good idea to set these to receive automatic updates so you are always as fully protected as possible from the newest virus threats.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

===============================================

Needed in your next reply:

Combofix.txt
Malwarebytes results
A new HijackThis log
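As an added example (not code from the original post, from HijackThis, or from Geeks to Go), the following Python script applies the reasoning behind the "Fix with HijackThis" list above to a constructed sample of those log lines: it flags O2 BHOs whose DLL is absent, and O4 Run entries whose program path contains undisplayable characters, runs a Windows tool name from outside the Windows directory, or carries a random-looking eight-letter name. The Windows tool-name list and the eight-letter heuristic are assumptions made for this example.

```python
"""Triage a HijackThis log for the entry types the helper flagged above.

Constructed example, not code from the original post or from HijackThis
itself. The rules mirror the reasoning behind the "Fix with HijackThis" list:
O2 BHO entries whose DLL is absent, and O4 Run entries whose target looks
wrong. The tool-name list and the 8-letter heuristic are assumptions for this
example, not HijackThis or Geeks to Go conventions.
"""
import re
from typing import List, NamedTuple

# Constructed sample: entries copied from the posts above, plus two benign
# entries (the Adobe BHO and ctfmon.exe) that must NOT be flagged.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {081CCD1F-6294-4BD1-9230-902367A406C9} - (no file)
O2 - BHO: (no name) - {4144C0C4-2175-59DE-0260-2800C9BBDACB} - C:\WINDOWS\system32\megqcb.dll (file missing)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ists] "C:\PROGRA~1\COMMON~1\DOBE~1\chkdsk.exe" -vt ndrv
O4 - HKCU\..\Run: [Vdcxo] C:\WINDOWS\system32\T?sks\m?hta.exe
O4 - HKCU\..\Run: [cxzdqggm] C:\WINDOWS\system32\kxuzohkj.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>[A-Z]+)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")

# Assumed list: Windows tools that belong under the Windows directory; a copy
# elsewhere (the chkdsk.exe under ...\DOBE~1 above) is a masquerade.
WINDOWS_TOOL_NAMES = {"chkdsk.exe", "svchost.exe", "lsass.exe", "services.exe", "winlogon.exe"}
WINDOWS_DIR = "c:\\windows\\"


class Finding(NamedTuple):
    kind: str    # "O2" or "O4"
    line: str    # the log line to tick in HijackThis
    reason: str


def executable_of(cmd: str) -> str:
    """Return the program path from an O4 command line (quoted or bare)."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def check_o2(line: str) -> List[Finding]:
    """An O2 BHO whose DLL is gone is an orphaned load point: nothing to keep."""
    m = O2_RE.match(line)
    if not m:
        return []
    target = m.group("target")
    if target == "(no file)" or target.endswith("(file missing)"):
        return [Finding("O2", line, "BHO registered but its DLL is absent (orphaned entry)")]
    return []


def check_o4(line: str) -> List[Finding]:
    """Apply the three O4 rules; one line can trigger more than one."""
    m = O4_RE.match(line)
    if not m:
        return []
    exe = executable_of(m.group("cmd"))
    basename = exe.rsplit("\\", 1)[-1].lower()
    stem = basename[:-4] if basename.endswith(".exe") else basename
    out: List[Finding] = []
    if "?" in exe:
        # HijackThis prints '?' for characters it cannot display: a path such
        # as T?sks\m?hta.exe carries non-ASCII characters that make it resemble
        # a legitimate Tasks\mshta.exe at a glance.
        out.append(Finding("O4", line, "non-displayable characters in the program path"))
    if basename in WINDOWS_TOOL_NAMES and not exe.lower().startswith(WINDOWS_DIR):
        out.append(Finding("O4", line, f"{basename} running from outside the Windows directory"))
    # Heuristic (assumption): an 8-letter lowercase value name paired with an
    # 8-letter lowercase file name, as with [cxzdqggm] kxuzohkj.exe, is typical
    # of generated dropper names rather than of any product's installer.
    if re.fullmatch(r"[a-z]{8}", stem) and re.fullmatch(r"[a-z]{8}", m.group("key")):
        out.append(Finding("O4", line, "random-looking 8-letter value and file name"))
    return out


def triage(log_text: str) -> List[Finding]:
    """Run every rule over every line and return the entries worth fixing."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        findings.extend(check_o2(line))
        findings.extend(check_o4(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.reason}\n    {f.line}")
```

On the constructed sample this reports the five entries the helper listed and leaves the Adobe BHO and ctfmon.exe alone.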

#5
sajman (Member, Topic Starter, 13 posts)
I had AVG for an A/V program but I did not buy it because it said it just had added features; that's why I was under the assumption I had an A/V. Which freeware is best?
Here are my logs....again THANK YOU!!!!

ComboFix 08-04-22.1 - Cheri Cross 2008-04-23 8:39:25.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.72 [GMT -5:00]
Running from: C:\Documents and Settings\Cheri Cross\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Cheri Cross\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))
.

2008-04-22 09:59 . 2008-04-22 09:59 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-21 21:06 . 2008-04-21 21:06 <DIR> d-------- C:\VundoFix Backups
2008-04-21 16:20 . 2008-04-21 16:20 1,540,617 --ahs---- C:\WINDOWS\system32\plasuufm.ini
2008-04-21 16:01 . 2008-04-22 10:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-21 15:33 . 2008-04-21 15:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-21 14:26 . 2008-04-21 14:26 <DIR> d-------- C:\Documents and Settings\Cheri Cross\Application Data\Uniblue
2008-04-20 19:14 . 2007-09-29 09:32 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-20 16:17 . 2008-04-21 08:52 294 --ahs---- C:\WINDOWS\system32\etqkmelt.ini
2008-04-20 16:12 . 2008-04-20 16:12 106,496 --a------ C:\WINDOWS\system32\unynsbob.exe
2008-04-19 16:21 . 2008-04-20 16:03 354 --ahs---- C:\WINDOWS\system32\cjtfujko.ini
2008-04-19 16:17 . 2004-08-04 00:08 10,624 --a------ C:\WINDOWS\system32\drivers\gameenum.sys
2008-04-19 16:17 . 2004-08-04 00:08 10,624 --a--c--- C:\WINDOWS\system32\dllcache\gameenum.sys
2008-04-18 22:40 . 2008-04-21 22:23 2,978 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-18 21:23 . 2008-04-18 21:23 444 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-04-18 20:59 . 2008-04-18 20:59 <DIR> d-------- C:\Documents and Settings\Cheri Cross\SmitfraudFix
2008-04-18 16:03 . 2008-04-18 16:03 94,208 --a------ C:\WINDOWS\system32\dazajqnq.exe
2008-04-18 13:24 . 2008-04-18 13:24 <DIR> d-------- C:\Documents and Settings\Cheri Cross\Application Data\TmpRecentIcons
2008-04-18 10:35 . 2008-04-18 10:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\uvidodez
2008-04-18 10:35 . 2008-04-18 03:18 155,648 --a------ C:\WINDOWS\qtvglped.dll
2008-04-18 10:35 . 2008-04-18 10:35 98,304 --a------ C:\WINDOWS\system32\czyzwfqp.exe
2008-04-18 10:35 . 2008-04-18 03:18 94,208 --a------ C:\WINDOWS\npqtsrak.exe
2008-04-17 14:26 . 2008-04-18 11:07 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-17 12:22 . 2008-04-17 12:22 <DIR> d-------- C:\Program Files\Mailinfo
2008-04-17 12:22 . 2005-02-28 08:32 24,576 --a------ C:\WINDOWS\system32\IdleTrac1.dll
2008-04-17 11:44 . 2008-04-17 11:44 479,298 --a------ C:\WINDOWS\system32\wbocx.ocx
2008-04-17 11:44 . 2008-04-17 11:44 172,032 --a------ C:\WINDOWS\system32\AniGIF.ocx
2008-04-17 11:44 . 2008-04-17 11:44 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll
2008-04-02 12:56 . 2008-04-02 12:56 <DIR> d-------- C:\Program Files\Google
2008-03-25 22:43 . 2008-03-25 22:43 <DIR> d-------- C:\Program Files\Safari
2008-03-23 21:32 . 1999-05-20 15:07 667,136 --a------ C:\WINDOWS\system32\oik32.ocx
2008-03-23 21:32 . 1998-11-16 18:44 284,160 --a------ C:\WINDOWS\system32\HDK3CTNT.DLL
2008-03-23 21:32 . 1998-09-21 11:27 177,152 --a------ C:\WINDOWS\system32\HDK3ANIM.DLL
2008-03-23 21:32 . 2001-03-13 14:49 140,288 --a------ C:\WINDOWS\system32\COMDLG32.OCX
2008-03-23 21:32 . 1999-05-20 15:07 61,952 --a------ C:\WINDOWS\system32\twiz32.ocx
2008-03-23 21:32 . 1998-04-15 16:54 29,696 --a------ C:\WINDOWS\system32\HDK3HTML.DLL
2008-03-23 21:32 . 1999-09-14 18:01 2,156 --a------ C:\WINDOWS\DBCDLFMT.INI
2008-03-23 21:31 . 2008-03-23 21:31 <DIR> d-------- C:\Program Files\DATA BECKER

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-22 19:36 --------- d-----w C:\Program Files\CFWebAdvancedU
2008-04-22 15:42 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-22 14:13 --------- d-----w C:\Program Files\Bonjour
2008-04-21 15:35 --------- d-----w C:\Documents and Settings\Cheri Cross\Application Data\Lavasoft
2008-04-17 17:56 --------- d-----w C:\Program Files\Common Files\HP
2008-03-26 03:51 --------- d-----w C:\Documents and Settings\Cheri Cross\Application Data\Apple Computer
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-17 19:31 --------- d--h--r C:\Documents and Settings\Cheri Cross\Application Data\yahoo!
2008-03-12 15:12 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-12 14:45 --------- d-----w C:\Documents and Settings\Cheri Cross\Application Data\AdobeUM
2008-03-11 14:17 --------- d-----w C:\Program Files\iTunes
2008-03-11 14:17 --------- d-----w C:\Program Files\iPod
2008-03-11 14:13 --------- d-----w C:\Program Files\QuickTime
2008-03-11 13:46 --------- d-----w C:\Program Files\Java
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-22 03:35 92,064 ----a-w C:\Documents and Settings\Cheri Cross\mqdmmdm.sys
2008-02-22 03:35 9,232 ----a-w C:\Documents and Settings\Cheri Cross\mqdmmdfl.sys
2008-02-22 03:35 79,328 ----a-w C:\Documents and Settings\Cheri Cross\mqdmserd.sys
2008-02-22 03:35 66,656 ----a-w C:\Documents and Settings\Cheri Cross\mqdmbus.sys
2008-02-22 03:35 6,208 ----a-w C:\Documents and Settings\Cheri Cross\mqdmcmnt.sys
2008-02-22 03:35 5,936 ----a-w C:\Documents and Settings\Cheri Cross\mqdmwhnt.sys
2008-02-22 03:35 4,048 ----a-w C:\Documents and Settings\Cheri Cross\mqdmcr.sys
2008-02-22 03:35 25,600 ----a-w C:\Documents and Settings\Cheri Cross\usbsermptxp.sys
2008-02-22 03:35 22,768 ----a-w C:\Documents and Settings\Cheri Cross\usbsermpt.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-19 21:44 691,545 ----a-w C:\WINDOWS\unins000.exe
.

((((((((((((((((((((((((((((( [email protected]_11.50.07.76 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-22 16:36:31 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-23 12:57:53 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59 224248]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-12-17 18:13 3810544]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59 224248]
"PicasaNet"="C:\Program Files\Hello\Hello.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11 49152]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 20:28:24 258048]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 20:50:52 53248]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-14 23:11:40 180224]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08 16423]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.MSNAUDIO"= msnaudio.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

S2 IPIZWOCL;IPIZWOCL;C:\WINDOWS\System32\ipizwocl.xbg []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-21 21:42:15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 08:42:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\IPIZWOCL]
"ImagePath"="\??\C:\WINDOWS\System32\ipizwocl.xbg"
.
Completion time: 2008-04-23 8:44:09
ComboFix-quarantined-files.txt 2008-04-23 13:44:03
ComboFix2.txt 2008-04-23 01:02:06
ComboFix3.txt 2008-04-22 16:50:57

Pre-Run: 100,364,652,544 bytes free
Post-Run: 100,353,286,144 bytes free

141 --- E O F --- 2008-04-22 13:39:37

*****************************************


Malwarebytes' Anti-Malware 1.11
Database version: 673

Scan type: Quick Scan
Objects scanned: 32128
Time elapsed: 11 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ee5a1465-1e73-4784-8f63-45983fdf0db8} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8a6be39f-b3ac-4f1f-b837-7cfa378788ff} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{cfd245bd-52ae-4af0-b891-812470b45f78} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{65c76a0a-b5a4-4170-8f62-947a0145677c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\qtvglped.bbnf (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\qtvglped.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\czyzwfqp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dazajqnq.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\unynsbob.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\npqtsrak.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\qtvglped.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.


***************************************************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:25:19 AM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} -
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 5214 bytes

#6
BHowett (OT Moderator, 4,642 posts)
Hi sajman,

Logs are looking pretty good, but I still don't see any anti-virus running in your HijackThis log. Please make sure you install one right away!! Having an Anti-Virus product is a necessity, not an option. So before moving to the next step, select an anti-virus from my last post and install it on your system.



Let's take a look at one more thing...


ATF Cleaner


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

===============================================

Kaspersky WebScanner
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
===============================================


Needed in your next reply:

Kaspersky WebScanner results

New HijackThis log

And let me know how everything is running now :)

#7
sajman (Member, Topic Starter, 13 posts)
I downloaded AVAST for an A/V. I ran the ATF cleaner and it worked, but I cannot get Kaspersky to work right; it would only work with Internet Explorer. It scans but will not let me save as text (no option); it says "error on page line: 323 char: 2 error: object doesn't support this property or method"... but it finishes the scan and says there are 24 objects found. It also asks me to download GUI? I will keep trying, I'm not sure what to do.... Thank you for your patience.

Edited by sajman, 24 April 2008 - 12:02 PM.


#8
BHowett (OT Moderator, 4,642 posts)
Hello again,

That's OK, we can try another online scan....

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open... click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


#9
sajman (Member, Topic Starter, 13 posts)
Hello again, here are my new logs. Just an FYI (if you don't already know): at first when I tried to scan on Panda I kept getting a virus alert from AVAST; it would say that I loaded worm win32.ctx. I did some checking around and it is not a worm; AVAST picks it up because Panda's website is not encrypted, sound right??? Also I think that when I did the SmitfraudFix and VirtumundoBeGone I picked up some junk (according to the log). Just thought I'd point that out in case anyone reads this; please correct me if I'm wrong. You are a great teacher, this must take a lot of patience, it's great to have your help... Thanks again BHowett!!!!!




;****************************************************************************************************
ANALYSIS: 2008-04-25 00:07:56
PROTECTIONS: 1
MALWARE: 22
SUSPECTS: 0
;****************************************************************************************************
PROTECTIONS
Description Version Active Updated
;====================================================================================================
avast! antivirus 4.8.1169 [VPS 080424-0] 4.8.1169 No Yes
;====================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;====================================================================================================
00001888 adware/dyfuca Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\internet optimizer
00045952 spyware/media-motor Spyware No 1 Yes No hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\media-motor
00045952 spyware/media-motor Spyware No 1 Yes No c:\windows\ubber60.ini
00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{2D826147-E0F7-4413-854E-7B5F48BCB38F}\RP872\A0073482.exe
00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{2D826147-E0F7-4413-854E-7B5F48BCB38F}\RP868\A0072251.exe
00139535 Application/Processor HackTools No 0 No No C:\Documents and Settings\Cheri Cross\Desktop\VirtumundoBeGone.exe[²ƒÇ]
00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{2D826147-E0F7-4413-854E-7B5F48BCB38F}\RP863\A0071095.exe
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Cheri Cross\SmitfraudFix\Process.exe
00517584 Application/SuperFast HackTools No 0 Yes No C:\System Volume Information\_restore{2D826147-E0F7-4413-854E-7B5F48BCB38F}\RP863\A0071097.exe
00517584 Application/SuperFast HackTools No 0 Yes No C:\System Volume Information\_restore{2D826147-E0F7-4413-854E-7B5F48BCB38F}\RP872\A0073484.exe
00517584 Application/SuperFast HackTools No 0 Yes No C:\Documents and Settings\Cheri Cross\SmitfraudFix\restart.exe
00519333 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Cheri Cross\Desktop\VirtumundoBeGone.exe
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\System Volume Information\_restore{2D826147-E0F7-4413-854E-7B5F48BCB38F}\RP872\A0073475.exe[327882R2FWJFW\NirCmdC.cfexe]
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\Documents and Settings\Cheri Cross\Desktop\ComboFix.exe[327882R2FWJFW\NirCmdC.cfexe]
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{2D826147-E0F7-4413-854E-7B5F48BCB38F}\RP872\A0072534.EXE
01240491 Adware/PurityScan Adware No 0 Yes No C:\System Volume Information\_restore{2D826147-E0F7-4413-854E-7B5F48BCB38F}\RP748\A0064385.exe
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{2D826147-E0F7-4413-854E-7B5F48BCB38F}\RP863\A0071096.exe
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{2D826147-E0F7-4413-854E-7B5F48BCB38F}\RP872\A0073483.exe
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\Documents and Settings\Cheri Cross\SmitfraudFix\Reboot.exe
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{2D826147-E0F7-4413-854E-7B5F48BCB38F}\RP872\A0072517.sys
02910094 Adware/VapSup Adware No 0 Yes No C:\System Volume Information\_restore{2D826147-E0F7-4413-854E-7B5F48BCB38F}\RP866\A0071122.exe
02923747 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{2D826147-E0F7-4413-854E-7B5F48BCB38F}\RP872\A0072501.dll
02923747 Generic Malware Virus/Trojan No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\nnnkIaAQ.dll.vir
02927717 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\All Users\Application Data\uvidodez\yhsrijid.exe
02929267 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{2D826147-E0F7-4413-854E-7B5F48BCB38F}\RP868\A0072271.dll
02929271 Adware/VapSup Adware No 0 Yes No C:\System Volume Information\_restore{2D826147-E0F7-4413-854E-7B5F48BCB38F}\RP858\A0070917.dll
02929274 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{2D826147-E0F7-4413-854E-7B5F48BCB38F}\RP858\A0070941.dll
02929274 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{2D826147-E0F7-4413-854E-7B5F48BCB38F}\RP856\A0069725.dll
02929274 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{2D826147-E0F7-4413-854E-7B5F48BCB38F}\RP857\A0070869.dll
02929298 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{2D826147-E0F7-4413-854E-7B5F48BCB38F}\RP862\A0071028.dll
02929604 Adware/VapSup Adware No 0 Yes No C:\System Volume Information\_restore{2D826147-E0F7-4413-854E-7B5F48BCB38F}\RP858\A0070919.dll
02930349 Adware/VapSup Adware No 0 Yes No C:\System Volume Information\_restore{2D826147-E0F7-4413-854E-7B5F48BCB38F}\RP858\A0070918.dll
02932471 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\fyufxmda.dll.vir
02932471 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{2D826147-E0F7-4413-854E-7B5F48BCB38F}\RP872\A0072500.dll
02932515 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\Documents and Settings\Cheri Cross\Desktop\SmitfraudFix.exe
02932564 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{2D826147-E0F7-4413-854E-7B5F48BCB38F}\RP868\A0072269.dll
;====================================================================================================
SUSPECTS
Sent Location

;====================================================================================================
;====================================================================================================
VULNERABILITIES
Id Severity Description

;===============================================================================
================================================================================
=
===================
;===============================================================================
================================================================================
=
===================





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:15:12 AM, on 4/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {081CCD1F-6294-4BD1-9230-902367A406C9} - (no file)
O2 - BHO: (no name) - {3CFBA2B9-445D-32FE-2C02-4EB67C6FA7CE} - (no file)
O2 - BHO: (no name) - {4144C0C4-2175-59DE-0260-2800C9BBDACB} - (no file)
O2 - BHO: (no name) - {4410CD94-2674-058F-0260-2800C9BA809E} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {74D16D2B-D495-48D4-9C1E-69895DCB1E67} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {8AFA1B87-FB96-4E08-BD82-40ADB1F843A0} - (no file)
O2 - BHO: (no name) - {9BE7AB2C-429B-6A6A-EC2E-4C766E4900C4} - (no file)
O2 - BHO: (no name) - {A84D7385-F2E8-40B3-A238-A464B65DEDF0} - (no file)
O2 - BHO: (no name) - {AFBBB0B3-85A1-43F9-B7FD-040C0C129233} - (no file)
O2 - BHO: (no name) - {C47E6704-A9C6-441F-BC50-0F8DF9FC8379} - (no file)
O2 - BHO: (no name) - {C6CF5BA3-2D76-40D1-A07F-2A0D18540255} - (no file)
O2 - BHO: (no name) - {EE7C25DE-5476-4473-A4E8-BE54B18C2ED9} - (no file)
O2 - BHO: (no name) - {F9A5830B-CF14-4363-B862-8344240C00F6} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Ists] "C:\PROGRA~1\COMMON~1\DOBE~1\chkdsk.exe" -vt ndrv
O4 - HKCU\..\Run: [Vdcxo] C:\WINDOWS\system32\T?sks\m?hta.exe
O4 - HKCU\..\Run: [cxzdqggm] C:\WINDOWS\system32\kxuzohkj.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} -
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 7406 bytes

Edited by sajman, 24 April 2008 - 11:34 PM.

  • 0

#10
BHowett

    OT Moderator

  • Moderator
  • 4,642 posts
Hi sajman,

Yes, it's common for Panda to be picked up by antivirus, and most of the stuff found was in quarantine from the tools you used and your system restore points, but don't worry, we will clean them out at the end.

We still have a few more things in your logs to deal with, so please follow the below instructions….


Disable Teatimer

Please disable Teatimer as it may interfere with the fix.

First:
*Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
*Choose Exit Spybot S&D Resident

Second:
*Open Spybot S&D
*Click Mode, check Advanced Mode
*Go To Left Panel, Click Tools, then also in left panel, click Resident
*If your firewall raises a question, say OK
*Uncheck the box labeled Resident Tea-Timer and OK any prompts.
*Use File, Exit to terminate Spybot
*Reboot your machine for the changes to take effect.

Once your log is clean you can re-enable those settings.

===============================================

Combofix Script.txt
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\ubber60.ini
C:\WINDOWS\system32\plasuufm.ini
C:\WINDOWS\system32\etqkmelt.ini
C:\WINDOWS\system32\unynsbob.exe
C:\WINDOWS\system32\cjtfujko.ini
C:\WINDOWS\system32\d3d8caps.dat
C:\WINDOWS\system32\dazajqnq.exe
C:\WINDOWS\qtvglped.dll
C:\WINDOWS\system32\czyzwfqp.exe
C:\WINDOWS\npqtsrak.exe
C:\WINDOWS\system32\kxuzohkj.exe
C:\PROGRA~1\COMMON~1\DOBE~1\chkdsk.exe
Folder::
C:\Documents and Settings\All Users\Application Data\uvidodez
Driver::

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ists"=-
"Vdcxo"=-
"cxzdqggm"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

===============================================


Fix with HijackThis

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {081CCD1F-6294-4BD1-9230-902367A406C9} - (no file)
O2 - BHO: (no name) - {3CFBA2B9-445D-32FE-2C02-4EB67C6FA7CE} - (no file)
O2 - BHO: (no name) - {4144C0C4-2175-59DE-0260-2800C9BBDACB} - (no file)
O2 - BHO: (no name) - {4410CD94-2674-058F-0260-2800C9BA809E} - (no file)
O2 - BHO: (no name) - {74D16D2B-D495-48D4-9C1E-69895DCB1E67} - (no file)
O2 - BHO: (no name) - {8AFA1B87-FB96-4E08-BD82-40ADB1F843A0} - (no file)
O2 - BHO: (no name) - {9BE7AB2C-429B-6A6A-EC2E-4C766E4900C4} - (no file)
O2 - BHO: (no name) - {A84D7385-F2E8-40B3-A238-A464B65DEDF0} - (no file)
O2 - BHO: (no name) - {AFBBB0B3-85A1-43F9-B7FD-040C0C129233} - (no file)
O2 - BHO: (no name) - {C47E6704-A9C6-441F-BC50-0F8DF9FC8379} - (no file)
O2 - BHO: (no name) - {C6CF5BA3-2D76-40D1-A07F-2A0D18540255} - (no file)
O2 - BHO: (no name) - {EE7C25DE-5476-4473-A4E8-BE54B18C2ED9} - (no file)
O2 - BHO: (no name) - {F9A5830B-CF14-4363-B862-8344240C00F6} - (no file)
O4 - HKCU\..\Run: [Ists] "C:\PROGRA~1\COMMON~1\DOBE~1\chkdsk.exe" -vt ndrv
O4 - HKCU\..\Run: [cxzdqggm] C:\WINDOWS\system32\kxuzohkj.exe
O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} -


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.


===============================================

findfile.bat

Copy everything inside the quote box below (starting with dir) and paste it into notepad. Go up to "File > Save As" and click the drop-down box to change the "Save As Type" to "All Files". Save it as findfile.bat on your Desktop.

dir C:\WINDOWS\system32\T?sks\m?hta.exe /ah > files.txt
notepad files.txt


Locate findfile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the contents of that Notepad here along with a new HiJackThis log.

===============================================

Needed in your next reply:


ComboFix log

contents of findfile.bat

Fresh hijackThis log
  • 0
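The HijackThis fix above is a hand-picked list, but the entry classes it targets can be checked mechanically: O2 BHOs whose DLL is gone, O4 Run entries that launch an eight-letter gibberish executable from the Windows directory or a well-known system binary name from somewhere other than system32, a path HijackThis rendered with "?", and O16 DPF entries with no source URL. The following is an added example (not HijackThis, ComboFix or Geeks to Go code) that scores log lines with those rules and drafts the File:: and Registry:: stanzas in the CFScript format shown in the post. The random-name heuristic and the SYSTEM_NAMES set are assumptions of this example, SAMPLE_LOG is constructed to mirror the log posted above, and the download URL in it is a placeholder.

```python
"""Triage of HijackThis-style log lines (added example, not HijackThis code).

Flags orphaned O2 BHOs, suspicious O4 Run entries and URL-less O16 DPF
entries, then drafts ComboFix CFScript stanzas for the O4 hits."""
import re

O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$')
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$')
O16_RE = re.compile(r'^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>[^)]*)\))? -\s*(?P<url>.*)$')
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)"?', re.IGNORECASE)

SYSTEM_DIR = r'c:\windows\system32'
# Assumption: Windows binary names malware likes to borrow; a copy outside system32 is suspect.
SYSTEM_NAMES = {'chkdsk', 'mshta', 'svchost', 'lsass', 'csrss', 'winlogon', 'rundll32'}

# Constructed sample modelled on the thread's log; the URL is a placeholder.
SAMPLE_LOG = r"""O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {081CCD1F-6294-4BD1-9230-902367A406C9} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [cxzdqggm] C:\WINDOWS\system32\kxuzohkj.exe
O4 - HKCU\..\Run: [Ists] "C:\PROGRA~1\COMMON~1\DOBE~1\chkdsk.exe" -vt ndrv
O4 - HKCU\..\Run: [Vdcxo] C:\WINDOWS\system32\T?sks\m?hta.exe
O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} -
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://example.invalid/as2stubie.cab
"""


def _parent(path):
    return path.rsplit('\\', 1)[0].lower()


def _stem(path):
    return path.rsplit('\\', 1)[-1].rsplit('.', 1)[0].lower()


def looks_generated(stem):
    """Heuristic (assumption): eight lowercase letters with at most two vowels,
    the shape of the dropped files in this thread (kxuzohkj, czyzwfqp, ...)."""
    if not re.fullmatch(r'[a-z]{8}', stem):
        return False
    return sum(stem.count(v) for v in 'aeiou') <= 2


def triage(log_text):
    """Return (line, reason) pairs for entries that warrant a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        m = O2_RE.match(line)
        if m:
            if m['path'] == '(no file)':
                findings.append((line, 'orphaned BHO: CLSID registered but DLL missing'))
            continue
        m = O4_RE.match(line)
        if m:
            exe = EXE_RE.match(m['cmd'])
            if not exe:
                continue
            path = exe['exe']
            stem, parent = _stem(path), _parent(path)
            if '?' in path:  # HijackThis prints characters outside the code page as ?
                findings.append((line, 'non-ASCII character in path (rendered as ?)'))
            elif stem in SYSTEM_NAMES and not parent.startswith(SYSTEM_DIR):
                findings.append((line, f'system binary name {stem}.exe outside system32'))
            elif looks_generated(stem) and parent in (r'c:\windows', SYSTEM_DIR):
                findings.append((line, 'randomly named executable in Windows directory'))
            continue
        m = O16_RE.match(line)
        if m and not m['url']:
            findings.append((line, 'ActiveX download entry with no source URL'))
    return findings


def draft_cfscript(findings):
    """Draft File:: and Registry:: stanzas (CFScript format used in the post)
    for the flagged O4 entries. Paths containing ? are not real paths, so
    only the Run value is listed for them. Review the draft before use."""
    files, values = [], []
    for line, _reason in findings:
        m = O4_RE.match(line)
        if not m:
            continue
        exe = EXE_RE.match(m['cmd'])
        if exe and '?' not in exe['exe']:
            files.append(exe['exe'])
        values.append((m['hive'], m['label']))
    out = ['File::', *files, 'Registry::']
    for hive in sorted({h for h, _ in values}):
        key = 'HKEY_CURRENT_USER' if hive == 'HKCU' else 'HKEY_LOCAL_MACHINE'
        out.append(f'[{key}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]')
        out.extend(f'"{label}"=-' for h, label in values if h == hive)
    return '\n'.join(out)


if __name__ == '__main__':
    hits = triage(SAMPLE_LOG)
    for entry, why in hits:
        print(f'{why}\n    {entry}')
    print(draft_cfscript(hits))
```

Run against the sample it flags five entries and leaves the Adobe BHO, iTunesHelper and the Panda ActiveX entry alone; the drafted script lists the two real files and the three HKCU Run values, which matches the shape of the CFScript in the post. The name heuristic is deliberately narrow so that vendor executables with odd but longer or digit-bearing names (hpqtra08, for instance) do not trip it.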

#11
sajman

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Hi BHowett, here is the HJT log and CFL log. I cannot get that find file to work; it says that the filename, directory name, or volume label syntax is incorrect.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:12 AM, on 4/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 6429 bytes






ComboFix 08-04-22.1 - Cheri Cross 2008-04-25 8:44:28.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.60 [GMT -5:00]
Running from: C:\Documents and Settings\Cheri Cross\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Cheri Cross\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\PROGRA~1\COMMON~1\DOBE~1\chkdsk.exe
C:\WINDOWS\npqtsrak.exe
C:\WINDOWS\qtvglped.dll
C:\WINDOWS\system32\cjtfujko.ini
C:\WINDOWS\system32\czyzwfqp.exe
C:\WINDOWS\system32\d3d8caps.dat
C:\WINDOWS\system32\dazajqnq.exe
C:\WINDOWS\system32\etqkmelt.ini
C:\WINDOWS\system32\kxuzohkj.exe
C:\WINDOWS\system32\plasuufm.ini
C:\WINDOWS\system32\unynsbob.exe
c:\windows\ubber60.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\uvidodez
C:\Documents and Settings\All Users\Application Data\uvidodez\yhsrijid.exe
C:\WINDOWS\system32\cjtfujko.ini
C:\WINDOWS\system32\d3d8caps.dat
C:\WINDOWS\system32\etqkmelt.ini
C:\WINDOWS\system32\plasuufm.ini
c:\windows\ubber60.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-25 to 2008-04-25 )))))))))))))))))))))))))))))))
.

2008-04-24 18:02 . 2008-04-24 18:12 <DIR> d-------- C:\Program Files\Panda Security
2008-04-24 13:23 . 2008-04-24 13:23 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-24 13:23 . 2008-04-24 13:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-23 21:32 . 2008-04-23 21:32 <DIR> d-------- C:\Program Files\Alwil Software
2008-04-23 08:56 . 2008-04-23 08:56 <DIR> d-------- C:\Documents and Settings\Cheri Cross\Application Data\Malwarebytes
2008-04-23 08:56 . 2008-04-23 08:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-22 09:59 . 2008-04-22 09:59 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-21 21:06 . 2008-04-21 21:06 <DIR> d-------- C:\VundoFix Backups
2008-04-21 16:01 . 2008-04-22 10:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-21 15:33 . 2008-04-21 15:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-21 14:26 . 2008-04-21 14:26 <DIR> d-------- C:\Documents and Settings\Cheri Cross\Application Data\Uniblue
2008-04-20 19:14 . 2007-09-29 09:32 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-19 16:17 . 2004-08-04 00:08 10,624 --a------ C:\WINDOWS\system32\drivers\gameenum.sys
2008-04-19 16:17 . 2004-08-04 00:08 10,624 --a--c--- C:\WINDOWS\system32\dllcache\gameenum.sys
2008-04-18 22:40 . 2008-04-21 22:23 2,978 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-18 20:59 . 2008-04-18 20:59 <DIR> d-------- C:\Documents and Settings\Cheri Cross\SmitfraudFix
2008-04-18 13:24 . 2008-04-18 13:24 <DIR> d-------- C:\Documents and Settings\Cheri Cross\Application Data\TmpRecentIcons
2008-04-17 14:26 . 2008-04-18 11:07 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-17 12:22 . 2008-04-17 12:22 <DIR> d-------- C:\Program Files\Mailinfo
2008-04-17 12:22 . 2005-02-28 08:32 24,576 --a------ C:\WINDOWS\system32\IdleTrac1.dll
2008-04-17 11:44 . 2008-04-17 11:44 479,298 --a------ C:\WINDOWS\system32\wbocx.ocx
2008-04-17 11:44 . 2008-04-17 11:44 172,032 --a------ C:\WINDOWS\system32\AniGIF.ocx
2008-04-17 11:44 . 2008-04-17 11:44 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll
2008-04-02 12:56 . 2008-04-02 12:56 <DIR> d-------- C:\Program Files\Google
2008-03-25 22:43 . 2008-03-25 22:43 <DIR> d-------- C:\Program Files\Safari

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-22 19:36 --------- d-----w C:\Program Files\CFWebAdvancedU
2008-04-22 15:42 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-22 14:13 --------- d-----w C:\Program Files\Bonjour
2008-04-21 15:35 --------- d-----w C:\Documents and Settings\Cheri Cross\Application Data\Lavasoft
2008-04-17 17:56 --------- d-----w C:\Program Files\Common Files\HP
2008-03-26 03:51 --------- d-----w C:\Documents and Settings\Cheri Cross\Application Data\Apple Computer
2008-03-24 02:31 --------- d-----w C:\Program Files\DATA BECKER
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-17 19:31 --------- d--h--r C:\Documents and Settings\Cheri Cross\Application Data\yahoo!
2008-03-12 15:12 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-12 14:45 --------- d-----w C:\Documents and Settings\Cheri Cross\Application Data\AdobeUM
2008-03-11 14:17 --------- d-----w C:\Program Files\iTunes
2008-03-11 14:17 --------- d-----w C:\Program Files\iPod
2008-03-11 14:13 --------- d-----w C:\Program Files\QuickTime
2008-03-11 13:46 --------- d-----w C:\Program Files\Java
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-22 03:35 92,064 ----a-w C:\Documents and Settings\Cheri Cross\mqdmmdm.sys
2008-02-22 03:35 9,232 ----a-w C:\Documents and Settings\Cheri Cross\mqdmmdfl.sys
2008-02-22 03:35 79,328 ----a-w C:\Documents and Settings\Cheri Cross\mqdmserd.sys
2008-02-22 03:35 66,656 ----a-w C:\Documents and Settings\Cheri Cross\mqdmbus.sys
2008-02-22 03:35 6,208 ----a-w C:\Documents and Settings\Cheri Cross\mqdmcmnt.sys
2008-02-22 03:35 5,936 ----a-w C:\Documents and Settings\Cheri Cross\mqdmwhnt.sys
2008-02-22 03:35 4,048 ----a-w C:\Documents and Settings\Cheri Cross\mqdmcr.sys
2008-02-22 03:35 25,600 ----a-w C:\Documents and Settings\Cheri Cross\usbsermptxp.sys
2008-02-22 03:35 22,768 ----a-w C:\Documents and Settings\Cheri Cross\usbsermpt.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-19 21:44 691,545 ----a-w C:\WINDOWS\unins000.exe
.

((((((((((((((((((((((((((((( [email protected]_11.50.07.76 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-22 16:36:31 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-25 13:36:17 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-03-25 23:13:04 124,208 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll
+ 2007-07-18 18:49:56 12,592 ----a-w C:\WINDOWS\Downloaded Program Files\libcomm.dll
+ 2008-03-29 18:45:49 1,146,232 ----a-w C:\WINDOWS\system32\aswBoot.exe
+ 2008-03-29 18:23:22 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
+ 2008-03-29 18:26:52 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
+ 2008-03-29 18:35:49 20,560 ----a-w C:\WINDOWS\system32\drivers\aswFsBlk.sys
+ 2008-01-17 15:34:01 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
+ 2008-03-29 18:35:21 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
+ 2008-03-29 18:29:08 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
+ 2008-03-29 18:31:34 75,856 ----a-w C:\WINDOWS\system32\drivers\aswSP.sys
+ 2008-03-29 18:27:33 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2008-04-25 13:36:37 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_484.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{081CCD1F-6294-4BD1-9230-902367A406C9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CFBA2B9-445D-32FE-2C02-4EB67C6FA7CE}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4144C0C4-2175-59DE-0260-2800C9BBDACB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4410CD94-2674-058F-0260-2800C9BA809E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74D16D2B-D495-48D4-9C1E-69895DCB1E67}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8AFA1B87-FB96-4E08-BD82-40ADB1F843A0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9BE7AB2C-429B-6A6A-EC2E-4C766E4900C4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A84D7385-F2E8-40B3-A238-A464B65DEDF0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AFBBB0B3-85A1-43F9-B7FD-040C0C129233}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C47E6704-A9C6-441F-BC50-0F8DF9FC8379}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C6CF5BA3-2D76-40D1-A07F-2A0D18540255}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE7C25DE-5476-4473-A4E8-BE54B18C2ED9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9A5830B-CF14-4363-B862-8344240C00F6}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59 224248]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-12-17 18:13 3810544]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59 224248]
"PicasaNet"="C:\Program Files\Hello\Hello.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11 49152]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 13:37 79224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 20:28:24 258048]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 20:50:52 53248]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-14 23:11:40 180224]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08 16423]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.MSNAUDIO"= msnaudio.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 13:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 13:35]
S2 IPIZWOCL;IPIZWOCL;C:\WINDOWS\System32\ipizwocl.xbg []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-21 21:42:15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-25 08:47:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\IPIZWOCL]
"ImagePath"="\??\C:\WINDOWS\System32\ipizwocl.xbg"
.
Completion time: 2008-04-25 8:49:44
ComboFix-quarantined-files.txt 2008-04-25 13:49:38
ComboFix2.txt 2008-04-23 13:44:12
ComboFix3.txt 2008-04-23 01:02:06
ComboFix4.txt 2008-04-22 16:50:57

Pre-Run: 100,010,926,080 bytes free
Post-Run: 99,998,441,472 bytes free

185 --- E O F --- 2008-04-25 05:37:46
  • 0

#12
BHowett

    OT Moderator

  • Moderator
  • 4,642 posts
Hi sajman,


I cannot get that find file to work; it says that the filename, directory name, or volume label syntax is incorrect.


That's OK, we got it with ComboFix; I just wanted to do the findfile.bat in case we didn't get it on the first try….

Your logs are looking good, how are things running, are you having any problems?

Now for a little clean up…..

ComboFix Removal
  • Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Posted Image

===============================================

Reset your restore points

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

===============================================

Needed in your next reply:

Just let me know how things are running, and if you have any problems or questions :) .
  • 0

#13
sajman
    Member
  • Topic Starter
  • Member
  • 13 posts
I have just a few questions:
Should I run the ATF Cleaner on occasion?

Is it OK to have Spybot and AVAST on the same PC? I often get confused with Spybot, not sure what changes to allow; I'm thinking that if there are changes coming here and there, not to allow them unless I make the change myself.

What scanner should I use, and how often?

My PC keeps telling me that updates are ready and it's Microsoft .NET Framework 1.1 Service Pack; how do I stop this?

I didn't mess around too much, but I think everything is GREAT!!!! I can let you know more as I work.

I cannot thank you enough, I greatly respect your knowledge and prompt attention, it takes a lot to do what you do and it's AWESOME to know that there are good people as yourself helping to fight the jackasxxx in the world creating this garbage, it's not like life isn't busy enough and then to have to deal with this.
Without your help I would have been screwed. If I ever have problems again I will be sure to look you up if that's ok. THANK YOU AGAIN!!!!!!!!!

Edited by sajman, 25 April 2008 - 09:42 AM.

  • 0

#14
BHowett
    OT Moderator
  • Moderator
  • 4,642 posts

I have just a few questions:

Should I run the ATF Cleaner on occasion?

I run ATF Cleaner about every two to three days; it's a great tool for cleaning out the temps, cookies, and other stuff you don't really need.

Is it OK to have Spybot and AVAST on the same PC? I often get confused with Spybot, not sure what changes to allow; I'm thinking that if there are changes coming here and there, not to allow them unless I make the change myself.

Spybot and Avast are fine running together. In my post below I am going to give you some tips and tricks to help keep you clean, and that will explain the things that can run together, kind of like layers to protect you. The only thing you can't run together is more than one anti-virus or firewall.

What scanner should I use, and how often?

Again, in my post below I am going to give you some tips and tricks to help keep you clean.


I cannot thank you enough, I greatly respect your knowledge and prompt attention, it takes a lot to do what you do and it's AWESOME to know that there are good people as yourself helping to fight the [bleep]es in the world creating this garbage, it's not like life isn't busy enough and then to have to deal with this.
Without your help I would have been screwed. If I ever have problems again I will be sure to look you up if that's ok. THANK YOU AGAIN!!!!!!!!!

You're welcome, glad I could help, and you can look me up any time you need help.
Have a look around the site, and check out all the other forums. There are lots of good people, and information here.


See you around, and safe surfing :)

This is my standard post for when you are clear - which you now are - or seem to be. Please advise me of any problems you still have.

Please disregard any items below that you already have, like antivirus or Spybot etc.


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

1.) Watch what you download!
Many freeware programs, and P2P programs like Grokster, iMesh, Kazaa and others (which are amongst the most notorious), come with an enormous amount of bundled spyware that will eat system resources, slow down your system, clash with other installed software, or just plain crash your browser or even Windows itself. If you insist on using a P2P program, please read This Article written by Mike Healan of Spywareinfo.com fame. It is an updated and comprehensive article that gives in-depth detail about which P2P programs are "safe" to use.

2.) Go to Internet Explorer > Tools > Windows Update > Product Updates, and install ALL High-Priority Security Updates listed. If you're running Windows XP, that of course includes Service Pack 2! If you suspect your computer is infected with malware of any type, we advise you to not install SP2 if you don't already have it. You can post a HijackThis log on our Forums to get free expert help cleaning your machine. Once you are sure you have a clean system, it is highly recommended to install SP2 to help prevent against future infections.

It's important to always keep current with the latest security fixes from Microsoft.
Install those patches for Internet Explorer, and make sure your installation of Java VM is up-to-date. There are some well known security bugs with Microsoft Java VM which are exploited regularly by browser hijackers.

3.) Open Internet Explorer and go to Internet Options > Security > Internet, then press "Default Level", then OK. Now press "Custom Level." In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".

Now you will be asked whether you want ActiveX objects to be executed and whether you want software to be installed.
Sites that you know for sure are above suspicion can be moved to the Trusted Zone in Internet Option > Security.

So why is ActiveX so dangerous that you have to increase the security for it?
When your browser runs an ActiveX control, it is running an executable program. It's no different from double-clicking an .exe file on your hard drive.
Would you run just any random file downloaded off a web site without knowing what it is and what it does?

4.) Install Javacool's SpywareBlaster

It will protect you from most spy/foistware in its database by blocking installation of their ActiveX objects.

Download and install, download the latest updates, and you'll see a list of all spyware programs covered by the program (NOTE: this is NOT spyware found on your computer). Press "Enable All Protection", and you're done.
The spyware that you told SpywareBlaster to set the "kill bit" for won't be a hazard to you any longer. Although it won't protect you from every form of spyware known to man, it is a very potent extra layer of protection.
Don't forget to check for updates every week or so.

5.) Let's also not forget that Spybot Search & Destroy has the Immunize feature which works roughly the same way. Another feature within Spybot is the TeaTimer option. This option immediately detects known malicious processes wanting to start and terminates them. TeaTimer also detects when something wants to change some critical registry keys and gives you an option to allow them or not.

6.) Microsoft now offers their own free malicious software blocking tool. Windows Defender improves Internet browsing safety by guarding over fifty (50) ways spyware can enter your PC.

7.) Another excellent program by Javacool we recommend is SpywareGuard.
It provides a degree of real-time protection against spyware that is a great addition to SpywareBlaster's protection method.

8.) IE-SPYAD puts over 5000 sites in your Restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. Another good hosts program is MVPS HOSTS. This little program packs a powerful punch as it blocks ads, banners, 3rd party cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial.

*It is important to note that all of the above programs/files can be run simultaneously on your system. They will work together in layers, so to speak, to help protect your computer. However, the following suggestions are designed to only run one of each. It is not a good idea to run more than one firewall, and one anti-virus program. Running more than one of these at a time can cause system crashes, high system usage and/or conflicts with each other.*

9.) It is critical that you use a firewall to protect your computer from hackers. We don't recommend the firewall that comes built in to Windows. It doesn't block everything that may try to get in, and the entire firewall is written to the registry. As various kinds of malware hack the registry in order to disable the Windows firewall, it's far preferable to install one of the excellent third party solutions. Three good ones that are freeware to boot are ZoneAlarm, Kerio and Sygate.

10.) An Anti-Virus product is a necessity. There are many excellent programs that you can purchase. However, we choose to advocate the use of free programs whenever possible. Some very good and easy-to-use free A/V programs are AVG, Avast, and AntiVir. It's a good idea to set these to receive automatic updates so you are always as fully protected as possible from the newest virus threats.
NOTE: DO NOT install more than one anti-virus program. They will conflict, and provide less protection, not more.


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.


Follow this list and your potential for being infected again will reduce dramatically.

Thanks for letting us help you!
  • 0
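As an added example, not from this thread or from any of the tools it names: a read-only PowerShell audit that checks the three Internet-zone ActiveX settings from step 3 against the values the post recommends, and counts the ActiveX "kill bits" that a tool like SpywareBlaster sets (step 4). It assumes Windows PowerShell with the registry provider; the zone value IDs 1001/1004/1201 and the 0x400 kill-bit flag are the standard Internet Explorer registry locations, which the post itself does not mention.

```powershell
# Added audit example (not from the thread). Read-only: it changes nothing.
# Zone 3 = Internet zone; per-zone policy values are DWORDs where 0 = Enable, 1 = Prompt, 3 = Disable.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$killKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

# Recommended values from step 3: signed/unsigned download -> Prompt (1),
# initialize and script controls not marked as safe -> Disable (3).
$wanted = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                 Value = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';               Value = 1 }
    '1201' = @{ Name = 'Initialize and script ActiveX not marked as safe'; Value = 3 }
}
$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneSetting($key, $id) {
    # Returns the DWORD for a zone policy ID, or $null when IE is using its built-in default.
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties[$id]) { return [int]$props.$id }
    return $null
}

'--- Internet zone ActiveX settings (step 3) ---'
foreach ($id in ($wanted.Keys | Sort-Object)) {
    $actual = Get-ZoneSetting $zoneKey $id
    if ($actual -eq $null)                 { $state = 'not set (default)' }
    elseif ($labels.ContainsKey($actual))  { $state = $labels[$actual] }
    else                                   { $state = "unknown ($actual)" }
    $action = if ($actual -eq $wanted[$id].Value) { 'OK' } else { 'CHANGE to ' + $labels[$wanted[$id].Value] }
    '{0,-5} {1,-48} {2,-18} {3}' -f $id, $wanted[$id].Name, $state, $action
}

'--- ActiveX kill bits (step 4) ---'
# A CLSID subkey whose "Compatibility Flags" has bit 0x400 set is blocked from loading in IE.
$killed = Get-ChildItem -Path $killKey -ErrorAction SilentlyContinue | Where-Object {
    $flags = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'Compatibility Flags'
    ($flags -ne $null) -and (($flags -band 0x400) -ne 0)
}
"Kill-bitted CLSIDs: $(@($killed).Count)"
$killed | Select-Object -First 5 | ForEach-Object { '  ' + $_.PSChildName }
```

A zone value that reports "not set (default)" means Internet Explorer is using the built-in level for that zone, so the "Custom Level" change from step 3 has not been applied yet.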

#15
BHowett
    OT Moderator
  • Moderator
  • 4,642 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0