
I am infected with Tagasaurus and others... [Solved]



#1
Katie_Harlow87

Hi. First of all, I want to thank you guys ahead of time for helping me. I have tried to fix this myself, but I was hesitant to do things that might negatively alter registry files, etc. I successfully removed Vundo, or so it seemed, then Windows Defender found and killed it again, so it seems to be gone for now. I was also infected with TDSS...things, but Avast caught it and quarantined it. For a little while, I couldn't even open many applications...and when I tried to access Notepad files, it wouldn't let me, but now I can. Now...I have Tagasaurus, and potentially other things...and any help that you guys can give to me would be SO greatly appreciated... :] Thank you thank you!

Here is info about my computer:

Windows XP Home Edition Service Pack 2 (build 2600)
3.00 gigahertz Intel Pentium 4
80.02 Gigabytes Usable Hard Drive Capacity
61.60 Gigabytes Hard Drive Free Space
1024 Megabytes Installed Memory

Here is the Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:22:25 AM, on 1/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NetZero\exec.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\FinePixViewerS\QuickDCF2.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.ne...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero\SearchEnh1.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: C:\WINDOWS\system32\rakmdlkd83indfgnbu.dll - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rakmdlkd83indfgnbu.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Exif Launcher S.lnk = C:\Program Files\FinePixViewerS\QuickDCF2.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1166496963562
O17 - HKLM\System\CCS\Services\Tcpip\..\{A16447C3-1E1E-462E-9A78-AE0FFB4A023B}: NameServer = 4.2.2.2,4.2.2.1
O22 - SharedTaskScheduler: erajhsf8743kjrngjnf - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rakmdlkd83indfgnbu.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 8501 bytes


#2
Katie_Harlow87

Hi again,

Here is a bit more information which may prove useful:

Before that hijackthis log was created, I ran Malwarebytes Anti-Malware, as well as Avast. For some reason, AVG won't update, and...that may be related to a virus? I use AVG, Avast, and Windows Defender at the same time. I HAD a go.google redirect problem, but I did manage to get rid of it on my own...after HOURS of struggling with it.

Lastly, thanks to anyone that tries to help me.......... :]

#3
Transience

Hello Katie and welcome to Geeks to Go! I'm Dave and I'll be helping you out with your computer problems. Let's get started:

1. ComboFix

Please download and save ComboFix from one of these locations:

Link 1 | Link 2 | Link 3

* It is very important that ComboFix is saved directly to your desktop.

Notes:
  • Before running ComboFix, you should disable all Antivirus and Antispyware applications so they don't interfere. You can often do this just by right-clicking on the system tray icon and clicking "Disable" or similar. If you need further instructions for how to disable your programs, look here.
  • ComboFix will temporarily disconnect your machine from the internet and change your clock settings, this is normal and both will be restored before the program terminates.
  • Do not attempt to run any programs or click on ComboFix's window while it is running, just allow it to run uninterrupted aside from okaying any prompts. It may appear to be doing nothing at times, this is normal, don't worry.
Next:
  • Double click on ComboFix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a serious problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Recovery Console, and when prompted, agree to the End-User License Agreement to install it.
* Note: If the Recovery Console is already installed on your computer, ComboFix will ignore the installation routines and continue its malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware. The program will scan for malware and then perform various fixes. You may be asked to reboot, okay the prompt and allow your computer to reboot. Log in as normal and allow ComboFix to complete its run without doing anything else.

When it's finished, the program's log will appear in notepad as well as saving itself to C:\ComboFix.txt. Please include the full contents of the log in your next reply.

#4
Katie_Harlow87

Hi, I did what you told me to do, however, when I first ran the fix, Spybot Teatimer may have been running? Upon the subsequent reboot, I did disable it. Also, when it rebooted, it said that Avast was running...but I didn't know how to stop it from running, so I just uninstalled it. (I'll download it again today) So...I hope that the scan went well, in spite of the potential anti-virus things running. Anyway, here is the log, and if I have to rescan, just tell me: (for the sake of clarity, 'Andrew' was the former owner of this computer, and I haven't bothered to change that info after I bought the comp from him)

ComboFix 09-01-08.05 - Andrew 2009-01-09 14:54:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.642 [GMT -8:00]
Running from: c:\documents and settings\Andrew\My Documents\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090109-0] *On-access scanning disabled* (Updated)
AV: AVG 7.5.552 *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\hxgienbk.ini
c:\windows\system32\TDSSitpe.dat
c:\windows\wiaservv.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-12-09 to 2009-01-09 )))))))))))))))))))))))))))))))
.

2009-01-08 17:47 . 2009-01-08 17:47 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-08 17:47 . 2009-01-08 17:47 <DIR> d-------- c:\documents and settings\Andrew\Application Data\Malwarebytes
2009-01-08 17:47 . 2009-01-08 17:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-08 17:47 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-08 17:47 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-08 17:43 . 2009-01-08 17:43 33,832 --a------ c:\windows\system32\soafkvaw.exe
2009-01-08 14:48 . 2009-01-08 14:48 <DIR> d-------- c:\program files\Trend Micro
2009-01-08 09:34 . 2009-01-08 09:34 <DIR> d-------- c:\program files\XoftSpySE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-09 21:30 --------- d-----w c:\documents and settings\Andrew\Application Data\AVG7
2009-01-09 06:02 --------- d-----w c:\documents and settings\Andrew\Application Data\.purple
2008-12-27 16:00 --------- d-----w c:\documents and settings\regular\Application Data\AVG7
2008-12-27 00:07 --------- d-----w c:\documents and settings\Andrew\Application Data\gtk-2.0
2008-12-15 01:43 --------- d-----w c:\program files\Java
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"NetZero_uoltray"="c:\program files\NetZero\exec.exe" [2007-10-15 1636864]
"Aim6"="c:\program files\AIM6\aim6.exe" [2006-11-07 50736]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 4670968]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-04-27 7573504]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-04-27 86016]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-16 590848]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"nwiz"="nwiz.exe" [2006-04-27 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-02-11 219136]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2007-06-23 303104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=

R3 pnicII;Linksys Fast Ethernet PCI Card;c:\windows\system32\drivers\LNE100.SYS [2000-02-10 20573]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
.
Contents of the 'Scheduled Tasks' folder

2009-01-09 c:\windows\Tasks\hezzewxn.job
- c:\windows\system32\rundll32.exe [2004-08-03 23:56]

2009-01-09 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-01-07 07:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
TCP: {A16447C3-1E1E-462E-9A78-AE0FFB4A023B} = 4.2.2.2,4.2.2.1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-09 15:15:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgemc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\devldr32.exe
c:\windows\hh.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-09 15:16:59 - machine was rebooted [Andrew]
ComboFix-quarantined-files.txt 2009-01-09 23:16:56

Pre-Run: 61,875,404,800 bytes free
Post-Run: 62,469,173,248 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

132 --- E O F --- 2009-01-09 02:36:47

#5
Katie_Harlow87

Also, (in case this is of help) the main thing that is BUGGING me is still there. Spybot S&D blocks a bad URL, and that pop-up appears very often, and sometimes, it closes other windows that are active... (SO frustrating)

The URL that comes up is this: http://ad.yielmanage...t?ad_type=ifram and then it cuts off there. It is identified as: 'TagASaurus'.

Thanks a lot for your help so far, I SO look forward to getting rid of this stuff...

Thanks!!!

#6
Transience

Hello Katie -

That looks a bit better, still a couple things to take care of. First off a quick warning:

I see you're using or have in the past used p2p software such as Soulseek. Although p2p programs are not usually malware in their own right, oftentimes malware is installed alongside them. Even if the program is clean, people often upload infected files to be shared using these programs, and it is very easy to end up compromising your PC. It's your decision about whether or not you use p2p programs, you don't have to remove them to be deemed clean and I'll still give you help if you want to keep them. It's just important that you're aware of the risks. If you want to continue using p2p programs that's fine with me, all I ask is that you not download anything from them until you're clean so we aren't taking steps backwards here.

Please go to Add/Remove Programs in your Control Panel (Programs and Features if you are a Vista user). Select and remove the following:

TagASaurus - An annoying adware program that installs without your consent and displays popup ads.
Any p2p programs you wish to remove

Next:

1. Run a ComboFix script
  • Copy the entire contents of the code box below to notepad (Start > Programs > Accessories > Notepad).
  • Click on File > Save and name the file CFScript.txt. This name is important and must not be changed.
  • Change the Save as Type to All Files.
  • Save it directly on your desktop.

File::
c:\windows\Tasks\hezzewxn.job
c:\windows\system32\soafkvaw.exe

SysRst::

Note: If you are not the topic starter, DO NOT download or run this script as it could cause irreversible damage to your computer.

Please note that the same procedure applies to running ComboFix this time as before - disable your protection programs beforehand, close all other programs, don't interrupt it for any reason etc.

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe. This will cause ComboFix to start again. Allow it to complete running, following any prompts. Once the program has completed the log should appear automatically, if it doesn't it can be found at C:\ComboFix.txt. Please post the contents of that log in your next reply.

In your next reply I just need the new CF log :).

Cheers,
Dave

#7
Katie_Harlow87

Tagasaurus isn't in the area you specified, should I just continue to the next step? Also, although slsk is there, I haven't used it for several months, and when I did, I was very careful when getting music from friends or whatever. Is there any other place that Tagasaurus might be hiding?

#8
Transience

If it's not in the uninstall list then it's probably some orphaned loading point leftover that's giving you that bugger of an error message, our final scans should root it out no problem. Go ahead with the ComboFix step.
  • 0
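
Added example, not part of the thread and not code from HijackThis or ComboFix: the "orphaned loading point" mentioned in post #8 corresponds to entries in the HijackThis log from the first post whose target is marked "(file missing)" or "(no file)". This Python code parses such entry lines and groups the orphaned ones by CLSID, showing when one leftover registration appears under several sections; the function names are hypothetical and the sample lines are copied from that log.

```python
import re
from collections import defaultdict

# Entry lines copied from the HijackThis log in the first post of this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: C:\WINDOWS\system32\rakmdlkd83indfgnbu.dll - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rakmdlkd83indfgnbu.dll (file missing)
O2 - BHO: (no name) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O22 - SharedTaskScheduler: erajhsf8743kjrngjnf - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rakmdlkd83indfgnbu.dll (file missing)
"""

# A HijackThis entry starts with a section code (R0, O2, O22, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Suffixes HijackThis appends when the registered file is not on disk.
ORPHAN_MARKERS = ("(file missing)", "(no file)")


def parse_entries(log_text):
    """Return one dict per entry line: section code, body, CLSID, orphan marker."""
    entries = []
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if not match:
            continue  # header lines, process list, blank lines
        body = match.group("body")
        clsid = CLSID_RE.search(body)
        marker = next((m for m in ORPHAN_MARKERS if body.endswith(m)), None)
        entries.append({
            "code": match.group("code"),
            "body": body,
            "clsid": clsid.group(0).upper() if clsid else None,
            "orphan": marker,
        })
    return entries


def orphaned_loading_points(log_text):
    """Map each orphaned CLSID (or raw body if none) to the sections listing it."""
    grouped = defaultdict(list)
    for entry in parse_entries(log_text):
        if entry["orphan"]:
            grouped[entry["clsid"] or entry["body"]].append(entry["code"])
    return dict(grouped)


if __name__ == "__main__":
    for key, sections in orphaned_loading_points(SAMPLE_LOG).items():
        print(f"{key}: registered under {', '.join(sections)} but file is absent")
```
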

#9
Katie_Harlow87

This may be useless info, but as it was preparing the log report, it said: 'FINDSTR: cannot open temp01' I dunno what that means, if anything.

Here is the log:


ComboFix 09-01-08.05 - Andrew 2009-01-09 16:59:45.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.643 [GMT -8:00]
Running from: c:\documents and settings\Andrew\My Documents\ComboFix.exe
Command switches used :: c:\documents and settings\Andrew\Desktop\CFScript.txt
AV: AVG 7.5.552 *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\soafkvaw.exe
c:\windows\Tasks\hezzewxn.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\soafkvaw.exe
c:\windows\Tasks\hezzewxn.job

.
((((((((((((((((((((((((( Files Created from 2008-12-10 to 2009-01-10 )))))))))))))))))))))))))))))))
.

2009-01-08 17:47 . 2009-01-08 17:47 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-08 17:47 . 2009-01-08 17:47 <DIR> d-------- c:\documents and settings\Andrew\Application Data\Malwarebytes
2009-01-08 17:47 . 2009-01-08 17:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-08 17:47 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-08 17:47 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-08 14:48 . 2009-01-08 14:48 <DIR> d-------- c:\program files\Trend Micro
2009-01-08 09:34 . 2009-01-08 09:34 <DIR> d-------- c:\program files\XoftSpySE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-09 21:30 --------- d-----w c:\documents and settings\Andrew\Application Data\AVG7
2009-01-09 06:02 --------- d-----w c:\documents and settings\Andrew\Application Data\.purple
2008-12-27 16:00 --------- d-----w c:\documents and settings\regular\Application Data\AVG7
2008-12-27 00:07 --------- d-----w c:\documents and settings\Andrew\Application Data\gtk-2.0
2008-12-15 01:43 --------- d-----w c:\program files\Java
2008-11-10 13:43 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 22:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 22:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 10:37 659,456 ----a-w c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((((( System Restore )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\avenger\ssqPfcDu.dll
2009-01-08 05:02 297984 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP879\A0133952.dll

c:\avenger\urqQjkjH.dll
2009-01-08 04:56 57856 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP879\A0133954.dll

c:\documents and settings\All Users\Application Data\Grisoft\Avg7Data\avg7upd\backup\avgabout.dll
2008-10-16 10:44 17723904 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP838\A0118149.dll

c:\documents and settings\All Users\Application Data\Grisoft\Avg7Data\avg7upd\install.1\avgabout.dll
2008-11-29 09:53 17754112 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP837\A0118121.dll

c:\documents and settings\All Users\Application Data\Grisoft\Avg7Data\avg7upd\install.1\avgchk75.exe
2008-11-29 09:53 120064 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP837\A0118122.exe

c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{037D73CE-3DEE-49F9-B06E-17C65612C8CF}\mpengine.dll
2008-09-23 16:33 3834960 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP813\A0105775.dll

c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{0718E44C-96F2-4A99-8C73-51223648BA3A}\mpengine.dll
2008-11-26 17:47 4141976 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP848\A0124361.dll

c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{1040CF13-3654-4FAA-83AD-8EE674229239}\mpengine.dll
2008-10-31 16:23 3953560 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP836\A0118088.dll

c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{22ED31DA-B01F-4FE7-BF84-18F636A25112}\mpengine.dll
2008-10-31 16:23 3953560 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP818\A0109846.dll

c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{34534A0A-DD93-4238-9536-D5C8389E3712}\mpengine.dll
2008-10-31 16:23 3953560 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP843\A0119287.dll

c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{3476C8A9-72FA-4BC9-978C-FCEAB223A847}\mpengine.dll
2008-09-23 16:33 3834960 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP797\A0103550.dll

c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{3C741C10-2FBE-45E1-90C7-9B5AE89FA53D}\mpengine.dll
2008-11-26 17:47 4141976 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP876\A0132919.dll

c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{4281F9FB-4BB0-4322-B408-1A60F319837F}\mpengine.dll
2008-11-26 17:47 4141976 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP857\A0124704.dll

c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{465D4820-EC41-47E3-9CAB-74FE03D862B5}\mpengine.dll
2008-11-26 17:47 4141976 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP874\A0132876.dll

c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{505977A4-0370-4B25-8A24-A4446B0F916F}\mpengine.dll
2008-11-26 17:47 4141976 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP880\A0133971.dll

c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{649771EB-11C7-4A76-BC60-F16B270D87F6}\mpengine.dll
2008-11-26 17:47 4141976 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP862\A0124796.dll

c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{6552C5EE-CA6C-47BD-A7D1-A856B831DDD5}\mpengine.dll
2008-10-31 16:23 3953560 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP828\A0115963.dll

c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{6C0F5BAA-9A75-4084-AE8A-60611F6F6327}\mpengine.dll
2008-10-31 16:23 3953560 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP840\A0118197.dll

c:\documents and settings\All Users\Application Data\Microsoft\Windows Defe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"NetZero_uoltray"="c:\program files\NetZero\exec.exe" [2007-10-15 1636864]
"Aim6"="c:\program files\AIM6\aim6.exe" [2006-11-07 50736]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 4670968]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-04-27 7573504]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-04-27 86016]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-16 590848]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"nwiz"="nwiz.exe" [2006-04-27 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-02-11 219136]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2007-06-23 303104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=

R3 pnicII;Linksys Fast Ethernet PCI Card;c:\windows\system32\drivers\LNE100.SYS [2000-02-10 20573]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
.
Contents of the 'Scheduled Tasks' folder

2009-01-09 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-01-07 07:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
TCP: {A16447C3-1E1E-462E-9A78-AE0FFB4A023B} = 4.2.2.2,4.2.2.1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-09 17:00:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-09 17:02:10
ComboFix-quarantined-files.txt 2009-01-10 01:02:09
ComboFix2.txt 2009-01-09 23:17:00

Pre-Run: 62,455,083,008 bytes free
Post-Run: 62,449,053,696 bytes free

159 --- E O F --- 2009-01-09 02:36:47

#10
Katie_Harlow87

    Member

  • Topic Starter
  • 25 posts
Ok, the Tagasaurus BAD URL pop-up thing still shows up the same as before: http://ad.yielmanage...t?ad_type=ifram and then it cuts off there. It is identified as: 'TagASaurus'.

Regardless of the fact that it's still there, I REALLY appreciate the help you've given me so far, and once it's gone, I am going to be SO happy! Thank you very much. :]

What should I do next?

Also, should I re-download Avast later on tonight, or now? Or are AVG and Spybot good enough for the time being?

#11
Katie_Harlow87

    Member

  • Topic Starter
  • 25 posts
Also, I get a pop-up that says: 'Internet Explorer has encountered a problem and needs to close. We are sorry for the inconvenience.' blah blah blah... and at the bottom there are 2 buttons to click on, one says 'Send Error Report', and the other says 'Don't Send'. No matter what I do, when I get rid of the pop-up, one of the pages that I have opened disappears...and sometimes many pages disappear. :[

#12
Transience

    Unofficial Music Guru

  • Retired Staff
  • 2,448 posts
Let's run a final check, this should take care of any leftover orphans that are still causing you trouble:

1. ATF Cleaner

Please download ATF Cleaner by Atribune to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • Note: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • Note: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


2. Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from here or here.

Double-click mbam-setup.exe to install the program.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware at the end of setup, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Full Scan, then click Scan.
  • The scan will take a fairly long time to finish (you can leave it to run and go do something else), please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab.
  • Copy & Paste the entire report in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so and allow MBAM to finish.

3. Kaspersky Online Scan

Kaspersky online scanner uses Java technology to perform the scan. Because your Java is out of date, we need to update it first so that the scan will run without issues.

Update Java

Please download JavaRa to your desktop and unzip it to its own folder.
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts. A log will appear (JavaRa.log), DO NOT post this log, I have no need for it.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
Scan
  • Follow this link to the Kaspersky WebScanner
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
So post back with the logs from MBAM and Kaspersky and give me an update on how the PC is running, and we should have you on your way :).

- Dave

#13
Katie_Harlow87

    Member

  • Topic Starter
  • 25 posts
Below is the Malwarebytes log, and in the meantime, I will move on to the next step, which is to update Java. Also, the Tagasaurus thing is still there...but I am very hopeful, and I think I'll win the day with your awesome help. :]

Malwarebytes' Anti-Malware 1.32
Database version: 1636
Windows 5.1.2600 Service Pack 2

1/9/2009 7:04:42 PM
mbam-log-2009-01-09 (19-04-42).txt

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 95920
Time elapsed: 51 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#14
Katie_Harlow87

    Member

  • Topic Starter
  • 25 posts
Also, should I install IE 7 as well? Might that help me? I still have 6 I think. I was wary of Firefox, because I'm not greatly computer savvy.

#15
Transience

    Unofficial Music Guru

  • Retired Staff
  • 2,448 posts
If you're in the middle of the Kaspersky scan right now don't terminate it, let it finish and then update to IE7 as soon as possible afterwards. Browsing with IE6 still is practically suicide because of the security vulnerabilities in it. Update to IE7 after the Kaspersky scan has finished for now, and then we can discuss alternative browsers like Firefox (my personal favorite) after you're clean. I'll await the log from Kaspersky.

Cheers,
Dave