
Malwarebytes

Something deep inside...


22 replies to this topic

#1
fmajor7th

    New Member

  • Members
  • 10 posts
Hello Malwarebytes,

I've recently discovered your site. It is so encouraging to find a site dedicated to the task of eradicating malware with excellent advice and anti-malware programs.

In response to infection, I recently downloaded and ran some new anti-malware software including SuperAntiSpyware and Comodo Antivirus. SuperAntiSpyware usually finds 100+ items: ~XX.TMP.EXE files (where X represents a hexadecimal integer) located in localsettings\temp, _restore, prefetch and system32 folders; also one file in startup. Then I found your site; I read your 'how did I become infected' entry, and downloaded and ran your Malwarebytes Anti-Malware software. With a full scan, your software reported no issues, so I ran HijackThis: this found 20 or so suspect tmp files as running processes, and two further suspect files which seem to me to be the root or residual parts of the malware (please see logs below).

If this helps, I also ran Ad-aware some months ago: then, the logs recognised/classified the malware files into three main categories: win32.generic worm, win32.trojanproxy.bobax, and win32.trojan.killav. Both Ad-aware and SuperAntiSpyware remove or quarantine nearly all the files that they find, except these root files, which appear to launch the tmp files each startup; these then show up in Task Manager alongside the usual 30-40 normal processes. The 'end process' facility in Task Manager is disabled. I often have to reload my anti-malware programs each time I wish to use them because they are often disabled (by the malware, I assume); occasionally, it does not allow them to be installed at all. I use Opera as my main browser, then Netscape, then on occasion, IE.

I would be interested to hear your comments, especially ones that fully/properly explain what is happening on my machine, and in doing so, offer or lead to potential solutions for locating/eradicating these root files and what I can do to further prevent them infecting my system in the future. Whatever, congratulations on operating a business/website in such a noble and worthwhile cause.

Fmajor7th


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:46:15, on 02/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe
C:\Program Files\QuickTime\qttask.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~66.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~60.tmp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~6C.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~72.tmp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~7A.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~8B.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~7B.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~8F.tmp.exe
C:\Program Files\MSI\Core Center\CoreCenter.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~A1.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~A3.tmp.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~A2.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~A5.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~B0.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~B4.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~B6.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~B8.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~BC.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~BF.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~C0.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~C3.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~C5.tmp.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.demon.net/"); (C:\Documents and Settings\USER ONE\Application Data\Mozilla\Profiles\default\p5xnmo1h.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\USER ONE\Application Data\Mozilla\Profiles\default\p5xnmo1h.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\blueyonder\PCguard\pkR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\blueyonder\PCguard\FBHR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [PCguardadvisor.exe] "C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe"
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\Rps.exe"
O4 - HKLM\..\Run: [KHVUII_akXLNZ_J] C:\WINDOWS\system32\bdfyytlfshlqh.exe
O4 - HKLM\..\Run: [cnfgCav] "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [UeQaYzakOp] C:\WINDOWS\system32\mzyypdobc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exe
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O23 - Service: AntiVir Service (AntiVirService) - Unknown owner - C:\Program Files\AVPersonal\AVGUARD.EXE (file missing)
O23 - Service: AntiVir Update (AVWUpSrv) - Unknown owner - C:\Program Files\AVPersonal\AVWUPSRV.EXE (file missing)
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe

--
End of file - 7524 bytes

mbam-log-2009-02-02 (13-02-08).txt

Scan type: Full Scan (C:\|)
Objects scanned: 143317
Time elapsed: 1 hour(s), 1 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
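The first HijackThis log above shows two patterns worth automating when triaging logs like this one: throw-away `~XX.tmp.exe` processes launched from the user's Temp folder, and `O4` Run entries whose key name or target file name under system32 is a random string. The following Python script is an added example written for this page, not a tool from Malwarebytes or from anyone in the thread. It runs over a constructed excerpt of the log above; the `looks_random` heuristic (vowel-ratio and consonant-run thresholds) is an assumption tuned on the names in this thread, so treat its hits as a prompt to look closer, not a verdict, and expect occasional false positives on terse OEM utility names.

```python
"""Triage a HijackThis log for the two patterns seen in this thread:
~XX.tmp.exe processes running from the user's Temp folder, and O4 Run
entries whose key name or target file name is random gibberish."""
import ntpath
import re

# Constructed sample: a trimmed excerpt of the first HijackThis log above.
SAMPLE_HJT = r"""
Running processes:
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~66.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~A1.tmp.exe
C:\Program Files\QuickTime\qttask.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KHVUII_akXLNZ_J] C:\WINDOWS\system32\bdfyytlfshlqh.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UeQaYzakOp] C:\WINDOWS\system32\mzyypdobc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""

TEMP_DIR_RE = re.compile(r"\\(LOCALS~1|Local Settings)\\Temp\\", re.I)
TMP_EXE_RE = re.compile(r"~[0-9A-F]{1,2}\.tmp\.exe$", re.I)
# O4 line: key name in brackets, then a quoted or unquoted target path.
O4_RE = re.compile(r'^O4 - .+?: \[(?P<key>[^\]]+)\]\s+(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))')


def looks_random(name: str) -> bool:
    """Gibberish heuristic (an assumption tuned on this thread's names):
    fewer than 12% vowels, or a run of five or more consonants."""
    letters = re.sub(r"[^A-Za-z]", "", name).lower()
    if len(letters) < 5:
        return False
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", letters)), default=0)
    return vowel_ratio < 0.12 or longest_run >= 5


def triage(log_text: str) -> dict:
    """Return Temp-folder processes and suspicious O4 autoruns with reasons."""
    findings = {"temp_processes": [], "suspicious_autoruns": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            target = m.group("quoted") or m.group("bare")
            stem = ntpath.splitext(ntpath.basename(target))[0]  # ntpath handles backslashes on any OS
            reasons = []
            if TEMP_DIR_RE.search(target):
                reasons.append("target runs from Temp")
            if looks_random(stem):
                reasons.append("random target file name")
            if looks_random(m.group("key")):
                reasons.append("random Run key name")
            if reasons:
                findings["suspicious_autoruns"].append((m.group("key"), target, reasons))
        elif re.match(r"^[A-Z]:\\", line, re.I) and TEMP_DIR_RE.search(line) and TMP_EXE_RE.search(line):
            findings["temp_processes"].append(line)
    return findings


if __name__ == "__main__":
    result = triage(SAMPLE_HJT)
    for proc in result["temp_processes"]:
        print("Temp process:", proc)
    for key, target, reasons in result["suspicious_autoruns"]:
        print(f"Autorun [{key}] -> {target}: {', '.join(reasons)}")
```

On the sample, the two Temp processes and the two random-named Run entries (`KHVUII_akXLNZ_J` and `UeQaYzakOp`) are reported, while the QuickTime, iTunes and ctfmon entries pass. Note that none of this proves a file is malicious; it only orders the log so the oddities are read first.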

#2
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,575 posts
  • Gender:Male
  • Location:US
Well, that is not the full log for MBAM, so I can't tell the version of the program or definitions.

Please run the following program.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program

Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe


Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
Ron Lewis
Manager, Online Support



If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#3
fmajor7th

    New Member

  • Members
  • 10 posts
Hello Malwarebytes,

Thank you for your prompt reply. Sorry about my hasty/sloppy C&P - failing to scroll up fully and thereby cutting off the top four lines of the mbam log text. Here is missing part:

Malwarebytes' Anti-Malware 1.33
Database version: 1714
Windows 5.1.2600 Service Pack 3

02/02/2009 13:02:08
mbam-log-2009-02-02 (13-02-08).txt

Thanks for your instructions; I'm on the case now and will get back to you shortly.

Fmajor7th

#4
fmajor7th

    New Member

  • Members
  • 10 posts
Hello Again Malwarebytes,

Continuing from last time... I followed your instructions re ComboFix: all very clear and straightforward. XP would not allow me to install the WRConsole manually from my XP CD prior to running ComboFix because of the XP version mismatch: my original XP disc is a four-year-old SP1 and I am running an updated XP SP3. However, I don't think this matters because WRC was installed satisfactorily as part of the ComboFix setup.

I tried to disable all my running antivirus/spyware and firewall s/w prior to running CF. I uninstalled Comodo, and I exited SuperAntiSpyware, but the latter still showed up in the logs; PCguard is my ISP's firewall: on a recent update, it somehow was disabled (by the malware, I assume - I am waiting to install ZA), so I thought this would be OK, but again it showed up in the logs. I notice other old protection s/w also showed up in the logs even though they are (or I thought they were) not running 'on access'. I hope this isn't a problem.

Whatever, ComboFix seemed to run perfectly, executing all the pre-stated stages. I also ran HJT again as per your instructions - please see the logs for both below. I realise I am not out of the woods yet and I don't wish to tempt fate but... things look promising: in my present OS state, all the tmp (malware) processes have gone from Task Manager and the end process facility is re-enabled, and my CPU is running a sweet hum at 0-4% in the background instead of the labouring 30+% and chasing its tail. I await your further comments/instructions with great anticipation. (Apologies, I have to go away for three days now - the machine will not be turned on or used at all during this period - I will be back Sat. 7th.) Thank you once again.

Fmajor7th


ComboFix 09-02-02.04 - User One 2009-02-03 21:58:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.736 [GMT 0:00]
Running from: c:\documents and settings\User One\Desktop\ComboFix.exe
AV: PCguard Anti-Virus *On-access scanning disabled* (Outdated)
FW: PCguard Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\i

.
((((((((((((((((((((((((( Files Created from 2009-01-03 to 2009-02-03 )))))))))))))))))))))))))))))))
.

2009-02-03 21:52 . 2009-02-03 21:52 43,520 --a------ c:\windows\system32\hdhgufd.exe
2009-02-03 17:43 . 2009-02-03 17:43 43,520 --a------ c:\windows\system32\pphednnflwgjxq.exe
2009-02-03 17:29 . 2009-02-03 17:29 43,520 --a------ c:\windows\system32\johjfcpftwddj.exe
2009-02-03 11:35 . 2009-02-03 11:35 43,520 --a------ c:\windows\system32\iiznw.exe
2009-02-02 15:44 . 2009-02-02 15:44 43,520 --a------ c:\windows\system32\upzwec.exe
2009-02-02 15:18 . 2009-02-02 15:18 43,520 --a------ c:\windows\system32\ahxjq.exe
2009-02-02 14:30 . 2009-02-02 14:30 <DIR> d-------- c:\program files\Trend Micro
2009-02-02 14:26 . 2009-02-02 14:26 43,520 --a------ c:\windows\system32\oesrlrow.exe
2009-02-02 11:12 . 2009-02-02 11:12 43,520 --a------ c:\windows\system32\fwwamhi.exe
2009-01-20 23:01 . 2009-01-20 23:01 <DIR> d-------- c:\windows\Sun
2009-01-18 16:16 . 2009-01-18 16:16 <DIR> d-------- c:\documents and settings\User One\Application Data\Malwarebytes
2009-01-18 16:15 . 2009-01-18 16:15 <DIR> d-------- c:\program files\iPod
2009-01-18 16:15 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-18 16:14 . 2009-01-18 16:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-18 16:14 . 2009-01-18 16:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-18 16:14 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-16 13:05 . 2008-11-13 15:18 1,221,008 --a------ c:\windows\system32\zpeng25.dll
2009-01-16 13:05 . 2009-01-16 13:05 348,220 --a------ c:\windows\system32\vsconfig.xml
2009-01-16 13:05 . 2009-01-16 13:05 4,212 --ah----- c:\windows\system32\zllictbl.dat
2009-01-16 11:29 . 2009-01-19 01:35 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-16 11:29 . 2009-01-16 11:29 <DIR> d-------- c:\documents and settings\User One\Application Data\SUPERAntiSpyware.com
2009-01-16 11:29 . 2009-01-16 11:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-15 21:03 . 2009-01-15 21:03 89,088 --a------ c:\windows\system32\ctfmon.exe
2009-01-15 17:21 . 2009-01-15 17:21 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-15 17:16 . 2009-01-15 17:16 <DIR> d-------- c:\windows\system32\scripting
2009-01-15 17:15 . 2008-04-13 22:58 2,940,928 -----c--- c:\windows\system32\dllcache\wmploc.dll
2009-01-15 17:14 . 2008-04-14 05:43 2,109,440 -----c--- c:\windows\system32\dllcache\wmvcore.dll
2009-01-15 17:14 . 2008-04-14 05:42 809,984 -----c--- c:\windows\system32\dllcache\wmvdmod.dll
2009-01-15 17:14 . 2008-04-14 05:42 759,296 -----c--- c:\windows\system32\dllcache\wmsdmod.dll
2009-01-15 17:14 . 2008-04-14 05:42 303,616 -----c--- c:\windows\system32\dllcache\wmstream.dll
2009-01-15 17:14 . 2008-04-14 05:42 278,559 -----c--- c:\windows\system32\dllcache\wmv8ds32.ax
2009-01-15 17:14 . 2008-04-14 05:42 258,048 -----c--- c:\windows\system32\dllcache\wmvds32.ax
2009-01-15 17:14 . 2008-04-13 22:06 144,384 --------- c:\windows\system32\drivers\hdaudbus.sys
2009-01-15 17:14 . 2008-04-14 05:42 115,200 -----c--- c:\windows\system32\dllcache\wmsdmoe.dll
2009-01-15 17:14 . 2008-04-14 05:42 20,480 -----c--- c:\windows\system32\dllcache\wmpui.dll
2009-01-15 17:13 . 2006-12-29 00:31 19,569 --a------ c:\windows\005146_.tmp
2009-01-15 17:13 . 2008-04-14 00:10 10,240 --------- c:\windows\system32\drivers\sffp_mmc.sys
2009-01-14 20:50 . 2009-01-14 20:50 <DIR> d-------- c:\documents and settings\User One\Application Data\OpenOffice.org
2009-01-14 20:48 . 2009-01-14 20:48 <DIR> d-------- c:\program files\OpenOffice.org 3
2009-01-14 20:48 . 2009-01-14 20:48 <DIR> d-------- c:\program files\JRE
2009-01-14 20:48 . 2009-01-14 20:48 <DIR> d-------- c:\program files\Java
2009-01-14 20:48 . 2009-01-14 20:48 <DIR> d-------- c:\program files\Common Files\Java
2009-01-14 20:48 . 2008-06-10 02:32 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-14 20:45 . 2009-01-14 20:46 <DIR> d-------- c:\program files\OpenOfficeorg3
2009-01-14 19:44 . 2009-02-03 21:59 5,109 --a------ c:\windows\system32\drivers\kljgkg.sys
2009-01-13 13:51 . 2008-04-14 05:42 221,184 --a------ c:\windows\system32\wmpns.dll
2009-01-13 13:47 . 2009-01-15 17:17 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-13 13:46 . 2008-04-13 23:09 2,897,920 --------- c:\windows\system32\xpsp2res.dll
2009-01-13 13:45 . 2007-08-10 20:46 26,488 --a------ c:\windows\system32\spupdsvc.exe
2009-01-13 13:45 . 2004-07-17 11:40 19,528 --a------ c:\windows\002160_.tmp
2009-01-13 13:43 . 2009-01-15 17:09 <DIR> d-------- c:\windows\EHome
2009-01-11 18:29 . 2009-01-11 18:29 75,776 --ah----- c:\windows\system32\gbrv.exe
2009-01-11 18:26 . 2009-01-11 18:26 75,776 --ah----- c:\windows\system32\jqwwpb.exe
2009-01-06 01:11 . 2009-01-06 01:11 68,608 --ah----- c:\windows\system32\hjuytd.exe
2009-01-04 23:05 . 2009-01-04 23:05 74,752 --ah----- c:\windows\system32\adgoms.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-03 21:52 39,936 ----a-w c:\windows\system32\wmfptc32.dll
2009-01-19 01:35 --------- d-----w c:\program files\iTunes
2009-01-16 13:08 121,344 ----a-w c:\windows\Internet Logs\xDB24C.tmp
2009-01-14 22:45 --------- d-----w c:\program files\SpywareBlaster
2009-01-14 22:45 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-12 14:49 --------- d-----w c:\program files\Opera
2008-12-30 15:50 73,216 ---ha-w c:\windows\system32\okxfeof.exe
2005-11-28 14:47 21 ----a-w c:\program files\AVPersonalAVWIN.INI
2001-11-23 04:08 712,704 ----a-w c:\windows\inf\OTHER\AUDIO3D.DLL
.

------- Sigcheck -------

2004-08-04 00:56 44032 97e1ef029c968b457abb70e28f27b892 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-14 05:42 44032 1b513a83c7b862daca38de1b731c0040 c:\windows\ServicePackFiles\i386\ctfmon.exe
2009-01-15 21:03 89088 35eb8dce4aab288029eff8bc9e9a6486 c:\windows\system32\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2009-01-15 89088]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-19 1900544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"B'sCLiP"="c:\progra~1\B'SCLI~1\Win2K\BSCLIP.exe" [2007-11-17 1499136]
"WinampAgent"="c:\program files\Winamp\Winampa.exe" [2007-11-17 132608]
"PCguardadvisor.exe"="c:\program files\blueyonder\PCguard advisor\PCguardadvisor.exe" [2007-11-17 2007040]
"PCguard"="c:\program files\blueyonder\PCguard\Rps.exe" [2007-11-17 393216]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-17 274432]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-19 352256]
"UeQaYzakOp"="c:\windows\system32\hdhgufd.exe" [2009-02-03 43520]
"Ptipbmf"="ptipbmf.dll" [2003-06-05 c:\windows\system32\ptipbmf.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2009-01-15 89088]

c:\documents and settings\User One\Start Menu\Programs\Startup\
OpenOffice.org 1.0.1.lnk - c:\program files\OpenOffice.org1.0.1\program\quickstart.exe [10/28/2007 11:08:48 AM 180224]
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [1/15/2009 9:03:33 PM 457728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
CoreCenter.lnk - c:\program files\MSI\Core Center\CoreCenter.exe [12/4/2007 8:59:16 PM 2613248]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [9/28/2007 11:02:55 AM 197656]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2002-03-28 77824]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [3/19/2004 5:47:29 PM 9344]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/22/2008 11:06:00 AM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/22/2008 11:05:58 AM 55024]
R2 BsUDF;B.H.A UDF Filesystem;c:\windows\system32\drivers\BsUDF.sys [3/19/2004 5:47:28 PM 390400]
R3 s3legacy;s3legacy;c:\windows\system32\drivers\s3legacy.sys [3/18/2004 6:06:37 PM 65664]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/22/2008 11:06:02 AM 7408]
R4 NdisFileServices32;NdisFileServices32;c:\windows\system32\drivers\kljgkg.sys [1/14/2009 7:44:07 PM 5109]
S2 AVWUpSrv;AntiVir Update;"c:\program files\AVPersonal\AVWUPSRV.EXE" --> c:\program files\AVPersonal\AVWUPSRV.EXE [?]
S3 avgntdd;avgntdd;c:\program files\AVPersonal\AVGNTDD.SYS [12/10/2004 12:46:36 PM 32560]

--- Other Services/Drivers In Memory ---

*Deregistered* - PCAlertDriver
*Deregistered* - RushTopDevice
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
HKLM-Run-KHVUII_akXLNZ_J - c:\windows\system32\bdfyytlfshlqh.exe
HKLM-Run-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_07\bin\jusched.exe
HKLM-Run-ZoneAlarm Client - c:\program files\Zone Labs\ZoneAlarm\zlclient.exe
HKLM-Run-Cmaudio - cmicnfg.cpl


.
------- Supplementary Scan -------
.
uStart Page = about:blank
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-03 21:59:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1008)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\adsldpc.dll
.
Completion time: 2009-02-03 22:01:51
ComboFix-quarantined-files.txt 2009-02-03 22:01:49

Pre-Run: 79,794,221,056 bytes free
Post-Run: 80,398,155,776 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

180

--------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:12:00, on 03/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.demon.net/"); (C:\Documents and Settings\USER ONE\Application Data\Mozilla\Profiles\default\p5xnmo1h.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\USER ONE\Application Data\Mozilla\Profiles\default\p5xnmo1h.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\blueyonder\PCguard\pkR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\blueyonder\PCguard\FBHR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [PCguardadvisor.exe] "C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe"
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\Rps.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UeQaYzakOp] C:\WINDOWS\system32\hdhgufd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exe
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AntiVir Service (AntiVirService) - Unknown owner - C:\Program Files\AVPersonal\AVGUARD.EXE (file missing)
O23 - Service: AntiVir Update (AVWUpSrv) - Unknown owner - C:\Program Files\AVPersonal\AVWUPSRV.EXE (file missing)
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe

--
End of file - 5763 bytes

#5
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,575 posts
  • Gender:Male
  • Location:US
STEP 1
Please download this tool and run it and then post back the results. reglooks.exe

STEP 2
With all other applications closed (Taskbar empty), open HijackThis again
and run Do a system scan only and place a check mark on the following items.

  • O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
  • O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
  • O4 - HKLM\..\Run: [UeQaYzakOp] C:\WINDOWS\system32\hdhgufd.exe
  • O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
  • O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
  • Then Quit All Browsers including the one you're reading this in now.
  • Then click on Fix checked and then quit HJT

STEP 3
Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA
When we're done you can go back and install the latest version but for now please do not install any.

Then run this tool to help cleanup any left over Java
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please download JavaRa and unzip it to your desktop.
***Please close any instances of Internet Explorer (or other web browser) before continuing!***
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply

Then look for the following Java folders and if found delete them.
C:\Program Files\Java
C:\Program Files\Common Files\Java
C:\Documents and Settings\All Users\Application Data\Java
C:\Documents and Settings\All Users\Application Data\Sun\Java
C:\Documents and Settings\username\Application Data\Java
C:\Documents and Settings\username\Application Data\Sun\Java

STEP 4
    Download and install CCleaner
  • CCleaner
  • Double-click on the downloaded file "ccsetup216.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

STEP 5
Please download Avenger 2.0 from here
Open and copy the program file avenger.exe to your Desktop then double click to start it.

Copy and paste the following text from the code box below into the main window of Avenger.
Drivers to delete:
NdisFileServices32

Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisFileServices32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDISFILESERVICES32


Files to delete:
c:\windows\system32\drivers\kljgkg.sys
c:\windows\system32\hdhgufd.exe
c:\windows\system32\pphednnflwgjxq.exe
c:\windows\system32\johjfcpftwddj.exe
c:\windows\system32\iiznw.exe
c:\windows\system32\upzwec.exe
c:\windows\system32\ahxjq.exe
c:\windows\system32\oesrlrow.exe
c:\windows\system32\fwwamhi.exe
c:\windows\005146_.tmp
c:\windows\system32\javacpl.cpl
c:\windows\002160_.tmp
c:\windows\system32\gbrv.exe
c:\windows\system32\jqwwpb.exe
c:\windows\system32\hjuytd.exe
c:\windows\system32\adgoms.exe
c:\windows\system32\wmfptc32.dll
c:\windows\Internet Logs\xDB24C.tmp
c:\windows\system32\okxfeof.exe
  • Do not check any other boxes, uncheck Scan for Rootkits if it's checked
  • Close all other running applications
  • After pasting the text into the main window, click on Execute

Once Avenger is done run MBAM, go to the UPDATE tab and update the program again and do a Quick Scan.
Fix anything found and reboot the computer. Then run a new HJT log and post back all logs.


STEP 6
Now let's see if you can run MBAM or not.

Update and Scan with Malwarebytes' Anti-Malware
  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Then RESTART the computer

AFTER the reboot run HJT Do a system scan and save a logfile
Then post back NEW MBAM and HJT logs in that order please.
Ron Lewis
Manager, Online Support


If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#6
fmajor7th

    New Member

  • Members
  • 10 posts
Hello malwarebytes,

Thank you again for your full and clear response; I appreciate the considerable time and effort you are dedicating to my case.

Report:

STEP 1: reglooks: d/l OK; on running, the program reported a number of 'could not find' and 'does not exist' warnings on its screen; otherwise, it seemed to run and finish OK. Logs pasted below as requested.
STEP 2: HJT: did a scan and checked the 5 items you specified, as requested (of course, the name of the exe file associated with UeQaYzakOp entry changes on every start up, so the file in the list I checked to be fixed had, of course, a different exe name to the one shown in your statement). Clicked fix; seemed to run OK - these items specified were accurately listed in the backups log on completion (did not delete them). IMPORTANT, PLEASE NOTE: a new entry: O4 - HKLM\..\RunServices: [UeQaYzakOp] C:\WINDOWS\system32\nlqpj.exe was generated by the scan; I did NOT check and fix this – but thinking further about it (as I believe UeQaYzakOp is the/a malware) perhaps I should have done?
STEP 3: Java removal; removed Java and Java 6 update 7 via Windows Add/Remove; d/l and ran JavaRa (logs below) seemed OK; later manually deleted, as requested, lots of small files and then folders in C:\Docsandset\username\appdata\Sun\Java – , plus a .java folder. Seems to have worked – not present in later logs. Can't find/see any further java.
STEP 4: CCleaner. d/l and installed to desktop OK (unchecked boxes to leave 'make desktop icon' only in set up). All OK, however, app. would not run: on d/clicking, program loaded and showed its first page normally but only for c. 3 seconds then disappeared from the screen. So, this program was NOT executed at this time. Your comments would be most welcome here.
STEP 5: Avenger: d/l OK; copied and pasted your code as requested into main page. Unchecked roots option as requested and clicked execute. It reported that it had prepared successfully and was ready to execute on rebooting; then did so. System rebooted normally but no sign of Avenger or any report; I cannot be certain that this application ran OK or what the results were.
STEP 6: MBAM: seemed to run OK logs below as requested; HJT: ran OK log below as requested.

Other notes/noticings: 20 or so tmp files remain in Task Manager processes and end process remains disabled; probably not relevant but something odd was happening with Netscape during above step sequence: the icon was replaced by an IE icon; and it was replaced by IE as my default browser.

Thank you once again for your ongoing efforts; it may be cornered but it looks like our malware is not giving up without a fight! A little knowledge is probably a dangerous thing but I'm thinking, by not checking/fixing that other new UeQaYzakOp runservices entry above in Step 2, I may have allowed the malware to slip through again. Please advise.

Fmajor7th



REGLOOKS logfile

version 0.977
08/02/2009 18:18:49.46
running from: "C:\Documents and Settings\User One\My Documents\My Pictures"

--- SSODL regkeys ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
only standard or legit regkeys found


--- STS regkeys ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
only standard or legit regkeys found


--- USERINIT regkey ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"


--- SHELL regkey ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell"="Explorer.exe"


--- SYSTEM regkey ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"System"=""


--- APPINIT_DLLS regkey ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
"AppInit_DLLs"=""


--- NOTIFY regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
"!SASWinLogon" "DllName"="C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"
"dimsntfy" "DllName"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\


--- BOOTEXECUTE regkey ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
BootExecute= autocheck autochk *\0\0


--- PENDINGFILERENAMEOPERATIONS regkey ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
Pendingfilerenameoperations= \??\C:\Program Files\OpenOffice.org 3\program\quickstart.exe.tmp\0\??\C:\Program Files\OpenOffice.org 3\program\quickstart.exe\0\0


--- SHELLEXECUTEHOOKS regkey ---

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="Eudora's Shell Extension"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""


--- HKLM\Run regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Ptipbmf"="rundll32.exe ptipbmf.dll,SetWriteCacheMode"
"B'sCLiP"="C:\\PROGRA~1\\B'SCLI~1\\Win2K\\BSCLIP.exe"
"WinampAgent"="\"C:\\Program Files\\Winamp\\Winampa.exe\""
"PCguardadvisor.exe"="\"C:\\Program Files\\blueyonder\\PCguard advisor\\PCguardadvisor.exe\""
"PCguard"="\"C:\\Program Files\\blueyonder\\PCguard\\Rps.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"UeQaYzakOp"="C:\\WINDOWS\\system32\\nlqpj.exe"


--- HKLM\RunOnce regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
no HKLM RunOnce keys found


--- HKLM\RunOnceEx regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
no HKLM RunOnceEx keys found


--- HKLM\RunServices regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"UeQaYzakOp"="C:\\WINDOWS\\system32\\nlqpj.exe"


--- HKLM\RunServicesOnce regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
no HKLM RunServicesOnce keys found


--- HKCU\Run regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"


--- HKCU\RunOnce regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
no HKCU RunOnce keys found


--- HKCU\RunOnceEx regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
regkey does not exist


--- HKCU\RunServices regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
no HKCU RunServices keys found


--- HKCU\RunServicesOnce regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
no HKCU RunServicesOnce keys found


--- HKU\.DEFAULT\Run regkeys - Default user ---

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"


--- HKU\S-1-5-18\Run regkeys - user SYSTEM ---

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"


--- HKU\S-1-5-19\Run regkeys - User Lokale service ---

HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
regkey does not exist


--- HKU\S-1-5-20\Run regkeys - User Netwerkservice ---

HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
regkey does not exist


--- HKLM\Explorer\Run regkeys ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
no HKLM Explorer\Run keys found


--- HKCU\Explorer\Run regkeys ---

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
no HKCU Explorer\Run keys found


--- Image File Execution regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
no debuggers found


--- BROWSER HELPER OBJECTS regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}" FILE ="C:\\Program Files\\Adobe\\Acrobat 6.0\\Reader\\ActiveX\\AcroIEHelper.dll"
"{3C060EA2-E6A9-4E49-A530-D4657B8C449A}" FILE ="C:\\Program Files\\blueyonder\\PCguard\\pkR.dll"
"{53707962-6F74-2D53-2644-206D7942484F}" FILE ="C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll"
"{56071E0D-C61B-11D3-B41C-00E02927A304}" FILE ="C:\\Program Files\\blueyonder\\PCguard\\FBHR.dll"
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" FILE ="C:\\Program Files\\Java\\jre1.6.0_07\\bin\\ssv.dll"


--- TOOLBAR regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
no toolbars found


--- URLSEARCHHOOKS regkeys ---

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
only standard regkeys found


--- CONTEXTMENUHANDLERS regkeys ---

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
"Offline Files" CLSID ={750fdf0e-2a26-11d1-a3ea-080036587f03} FILE =%SystemRoot%\System32\cscui.dll
"Open With" CLSID ={09799AFB-AD67-11d1-ABCD-00C04FC30936} FILE =%SystemRoot%\system32\SHELL32.dll
"Open With EncryptionMenu" CLSID ={A470F8CF-A1E8-4f65-8335-227475AA5C46} FILE =%SystemRoot%\system32\SHELL32.dll
"yEnc32" CLSID ={8CDA2F05-B2BA-4AC7-B731-51E9E6B006E1} FILE ="C:\\Program Files\\eSite Media\\yEnc32\\yEnc32Shell.dll"
"{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}" Start Menu Pin FILE =%SystemRoot%\system32\SHELL32.dll
"{CA8ACAFA-5FBB-467B-B348-90DD488DE003}" SUPERAntiSpyware Context Menu FILE ="C:\\Program Files\\SUPERAntiSpyware\\SASCTXMN.DLL"
"{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}" ECHO is off. FILE ="C:\\Program Files\\blueyonder\\PCguard\\AVCntxtR.dll"

HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers
"EncryptionMenu" CLSID ={A470F8CF-A1E8-4f65-8335-227475AA5C46} FILE =%SystemRoot%\system32\SHELL32.dll
"Offline Files" CLSID ={750fdf0e-2a26-11d1-a3ea-080036587f03} FILE =%SystemRoot%\System32\cscui.dll
"Sharing" CLSID ={f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} FILE ="ntshrui.dll"
"{CA8ACAFA-5FBB-467B-B348-90DD488DE003}" SUPERAntiSpyware Context Menu FILE ="C:\\Program Files\\SUPERAntiSpyware\\SASCTXMN.DLL"
"{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}" ECHO is off. FILE ="C:\\Program Files\\blueyonder\\PCguard\\AVCntxtR.dll"

HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers
"MBAMShlExt" CLSID ={57CE581A-0CB6-4266-9CA0-19364C90A0B3} FILE ="C:\\Program Files\\Malwarebytes' Anti-Malware\\mbamext.dll"
"{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}" ECHO is off. FILE ="C:\\Program Files\\blueyonder\\PCguard\\AVCntxtR.dll"


--- SAFEBOOT MINIMAL SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
no unknown services found


--- SAFEBOOT NETWORK SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
no unknown services found


--- SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avgntdd
"DisplayName"="avgntdd"
\??\C:\Program Files\AVPersonal\AVGNTDD.SYS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVWUpSrv
"DisplayName"="AntiVir Update"
"C:\Program Files\AVPersonal\AVWUPSRV.EXE"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BsStor
"DisplayName"="B.H.A Storage Helper Driver"
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BsUDF
"DisplayName"="B.H.A UDF Filesystem"
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CSS DVP
"DisplayName"="CSS DVP"
System32\DRIVERS\css-dvp.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DVD-RAM_Service
"DisplayName"="DVD-RAM_Service"
C:\WINDOWS\System32\DVDRAMSV.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dvpapi
"DisplayName"="DvpApi"
C:\Program Files\Common Files\Command Software\dvpapi.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\E1000
"DisplayName"="Intel® PRO/1000 Adapter Driver"
System32\DRIVERS\e1000325.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fasttx2k
system32\drivers\fasttx2k.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Freedom
"DisplayName"="Freedom Miniport"
System32\DRIVERS\FREEDOM.SYS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FreeTdi
"DisplayName"="Radialpoint Filter"
System32\Drivers\FreeTdi.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GMSIPCI
"DisplayName"="GMSIPCI"
\??\D:\INSTALL\GMSIPCI.SYS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HCF_MSFT
System32\DRIVERS\HCF_MSFT.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InternetClient
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\meiudf
"DisplayName"="meiudf"
System32\Drivers\meiudf.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PCAlertDriver
"DisplayName"="PCAlertDriver"
\??\C:\Program Files\MSI\Core Center\NTGLM7X.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RP_FWS
"DisplayName"="PCguard Firewall"
C:\Program Files\blueyonder\PCguard\fws.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RushTopDevice
"DisplayName"="RushTopDevice"
\??\C:\Program Files\MSI\Core Center\RushTop.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\s3legacy
System32\DRIVERS\s3legacy.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SASDIFSV
"DisplayName"="SASDIFSV"
\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SASENUM
"DisplayName"="SASENUM"
\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SASKUTIL
"DisplayName"="SASKUTIL"
\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swwd
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VXD
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{39993C85-56C8-4EA1-A198-F9864F0EAFCB}
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{5F161803-BD67-4794-A14E-D67C1A3C0252}
no imagepath value found


--- SECURITYPROVIDERS regkey ---

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


--- SVCHOST regkey ---

HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost
LocalService: Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService: DnsCache\0\0
netsvcs: 6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0TermService\0wuauserv\0BITS\0ShellHWDetection\0helpsvc\0xmlprov\0wscsvc\0WmdmPmSN\0napagent\0hkmsvc\0\0
rpcss: RpcSs\0\0
imgsvc: StiSvc\0\0
termsvcs: TermService\0\0
HTTPFilter: HTTPFilter\0\0
DcomLaunch: DcomLaunch\0TermService\0\0
eapsvcs: eaphost\0\0
dot3svc: dot3svc\0\0


--- WOW-CMDLINE regkeys ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW
"cmdline" = %SystemRoot%\system32\ntvdm.exe
"wowcmdline" = %SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386


--- DNS SERVER regkeys ---

no "NameServer" values found


--- STARTUP FOLDERS ---

C:\Documents and Settings\User One\Start Menu\Programs\Startup\desktop.ini
C:\Documents and Settings\User One\Start Menu\Programs\Startup\OpenOffice.org 1.0.1.lnk
C:\Documents and Settings\User One\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CoreCenter.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk


--- TASK SCHEDULER JOBS ---

no .job files found


--- File associations ---

.BAT files: ("%1" %*)
.COM files: ("%1" %*)
.EXE files: ("%1" %*)
.HLP files: (%SystemRoot%\System32\winhlp32.exe %1)
.INF files: (%SystemRoot%\System32\NOTEPAD.EXE %1)
.INI files: (%SystemRoot%\System32\NOTEPAD.EXE %1)
.JS files: (%SystemRoot%\System32\WScript.exe "%1" %*)
.PIF files: ("%1" %*)
.REG files: (regedit.exe "%1")
.SCR files: ("%1" /S)
.TXT files: (%SystemRoot%\system32\NOTEPAD.EXE %1)
.VBS files: (%SystemRoot%\System32\WScript.exe "%1" %*)


FINISHED
-----------------------------------------------------
JavaRa 1.13 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Sun Feb 08 18:45:17 2009

Found and removed: C:\Program Files\JavaSoft

------------------------------------

Finished reporting.
------------------------------------
Malwarebytes' Anti-Malware 1.33
Database version: 1739
Windows 5.1.2600 Service Pack 3

08/02/2009 20:55:50
mbam-log-2009-02-08 (20-55-50).txt

Scan type: Quick Scan
Objects scanned: 46118
Time elapsed: 2 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ptipbmf (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
--------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:26:27, on 08/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~3A.tmp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~3B.tmp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~4B.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~41.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~4A.tmp.exe
C:\Program Files\MSI\Core Center\CoreCenter.exe
C:\WINDOWS\system32\RAMASST.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~6C.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~5D.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~5E.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~70.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~71.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~74.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~78.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~7F.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~80.tmp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~83.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~85.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~87.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~88.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~8B.tmp.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~8D.tmp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.demon.net/"); (C:\Documents and Settings\USER ONE\Application Data\Mozilla\Profiles\default\p5xnmo1h.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\USER ONE\Application Data\Mozilla\Profiles\default\p5xnmo1h.slt\prefs.js)
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\blueyonder\PCguard\pkR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\blueyonder\PCguard\FBHR.dll
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [PCguardadvisor.exe] "C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe"
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\Rps.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UeQaYzakOp] C:\WINDOWS\system32\untoevl.exe
O4 - HKLM\..\RunServices: [UeQaYzakOp] C:\WINDOWS\system32\untoevl.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exe
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AntiVir Service (AntiVirService) - Unknown owner - C:\Program Files\AVPersonal\AVGUARD.EXE (file missing)
O23 - Service: AntiVir Update (AVWUpSrv) - Unknown owner - C:\Program Files\AVPersonal\AVWUPSRV.EXE (file missing)
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe

--
End of file - 6283 bytes
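
A triage script for the HijackThis logs posted in this thread, added here as an example (it is not part of the original posts, of HijackThis, or of any Malwarebytes tool). It parses the "Running processes" block and the O4 lines and flags the three things the poster noticed: ~XX.tmp.exe processes launched from the user's Temp folder, the RunServices entry mirroring the Run entry, and an autorun value (UeQaYzakOp) whose target executable changes from one scan to the next. The two snapshots below are constructed and abbreviated from the thread's own logs.

```python
"""Triage helpers for HijackThis v2 logs (added example, not HijackThis code)."""
import re
from typing import Dict, List, Tuple

# Two constructed snapshots, abbreviated from the logs posted in this thread.
SNAPSHOT_1 = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~3A.tmp.exe
C:\WINDOWS\system32\ctfmon.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UeQaYzakOp] C:\WINDOWS\system32\hdhgufd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""

SNAPSHOT_2 = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~4B.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~8D.tmp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UeQaYzakOp] C:\WINDOWS\system32\untoevl.exe
O4 - HKLM\..\RunServices: [UeQaYzakOp] C:\WINDOWS\system32\untoevl.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""

# "O4 - <hive>\..\<key>: [<value name>] <target>"; hive may carry a SID (HKUS\S-1-5-18)
O4_RE = re.compile(r"^O4 - (HK\S*?)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
# ~XX.tmp.exe (XX = short hex string) inside a Temp folder, 8.3 or long form
TEMP_EXE_RE = re.compile(r"\\temp\\~[0-9a-f]{1,4}\.tmp\.exe$", re.I)
# The executable inside an O4 target: a quoted path, or an unquoted path up to the
# first .exe/.dll/.cpl/.scr extension (unquoted HJT paths may contain spaces)
EXE_RE = re.compile(r'^"([^"]+)"|^(.*?\.(?:exe|dll|cpl|scr))(?=\s|$)', re.I)


def parse_processes(log: str) -> List[str]:
    """Return the paths listed under 'Running processes:' (up to the blank line)."""
    procs, in_block = [], False
    for line in log.splitlines():
        if line.strip() == "Running processes:":
            in_block = True
            continue
        if in_block:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def parse_autoruns(log: str) -> Dict[Tuple[str, str, str], str]:
    """Map (hive, key, value name) -> lower-cased target executable for each O4 line."""
    entries = {}
    for line in log.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        hive, key, name, target = m.groups()
        e = EXE_RE.match(target.strip())
        exe = (e.group(1) or e.group(2)) if e else target.strip()
        entries[(hive, key, name)] = exe.lower()
    return entries


def flag_temp_processes(log: str) -> List[str]:
    """Processes running out of a Temp folder under a ~XX.tmp.exe name."""
    return [p for p in parse_processes(log) if TEMP_EXE_RE.search(p)]


def flag_runservices(log: str) -> List[Tuple[str, str]]:
    """(value name, exe) for O4 entries under RunServices / RunServicesOnce,
    Windows 9x-era keys that legitimate XP software rarely populates."""
    return [(k[2], exe) for k, exe in parse_autoruns(log).items()
            if k[1].lower().startswith("runservices")]


def flag_changed_targets(older: str, newer: str) -> List[Tuple[str, str, str]]:
    """Autorun values present in both snapshots whose executable path changed:
    (value name, old exe, new exe). A value that points at a freshly named file
    after every boot is the self-renaming behaviour observed in this thread."""
    a, b = parse_autoruns(older), parse_autoruns(newer)
    return [(k[2], a[k], b[k]) for k in sorted(a.keys() & b.keys()) if a[k] != b[k]]


if __name__ == "__main__":
    print("Temp processes:", flag_temp_processes(SNAPSHOT_2))
    print("RunServices entries:", flag_runservices(SNAPSHOT_2))
    print("Changed targets:", flag_changed_targets(SNAPSHOT_1, SNAPSHOT_2))
```

Feed it two saved HJT logs from different boots and the changed-target report alone is enough to show that checking a single O4 line in one scan cannot fix an entry whose executable is rewritten at each start.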

#7
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,575 posts
  • Gender:Male
  • Location:US
Yeah, something's still there. Please run this tool.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program

Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe


Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
Ron Lewis
Manager, Online Support


#8
fmajor7th

    New Member

  • Members
  • 10 posts
Hello again,

Thank you for your reply. I followed your instructions: ComboFix (downloaded/run previously with WRC) ran OK - all 50 stages. It produced a set of logs, pasted below. Since the infection of my machine some months ago, I have run maybe 10-12 different antivirus/spyware programs. ComboFix is the only one that removes the malware tmp files (as the logs for HJT - run immediately after - show) and in doing so, returns my system temporarily to a state of operating and CPU normality. However, the logs also show that what I assume to be the root/spawner of those files - UeQaYzakOp - remains in the system as an HKLM\ \Run entry and an HKLM\ \Runservices entry, ready to do its work again on next start up.

In your previous reply instructions, you asked me to check and fix 5 items in the HJT scan including the UeQaYzakOp entry; I notice that all the other four items have been removed; only this entry was not removed (or has returned). Should I try to check and fix these two items?

CCleaner, loaded as per your instructions last time, still fails to run; the desktop short-cut was also disabled, so I have had to reload the program but with same results. Is this the malware?

Thank you once again for your continued efforts; I look forward to your reply.

Fmajor7th


ComboFix 09-02-02.04 - User One 2009-02-09 21:06:44.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.734 [GMT 0:00]
Running from: c:\documents and settings\User One\Desktop\ComboFix.exe
AV: PCguard Anti-Virus *On-access scanning disabled* (Outdated)
FW: PCguard Firewall *enabled*
.

((((((((((((((((((((((((( Files Created from 2009-01-09 to 2009-02-09 )))))))))))))))))))))))))))))))
.

2009-02-09 17:40 . 2009-02-09 17:40 43,520 --a------ c:\windows\system32\yhixl.exe
2009-02-08 20:43 . 2009-02-09 21:08 5,109 --a------ c:\windows\system32\drivers\kljgkg.sys
2009-02-08 20:41 . 2009-02-08 20:41 3,453 --a------ C:\backup.reg
2009-02-08 19:43 . 2009-02-09 19:19 <DIR> d-------- c:\program files\CCleaner
2009-02-02 14:30 . 2009-02-02 14:30 <DIR> d-------- c:\program files\Trend Micro
2009-01-20 23:01 . 2009-01-20 23:01 <DIR> d-------- c:\windows\Sun
2009-01-18 16:16 . 2009-01-18 16:16 <DIR> d-------- c:\documents and settings\User One\Application Data\Malwarebytes
2009-01-18 16:15 . 2009-01-18 16:15 <DIR> d-------- c:\program files\iPod
2009-01-18 16:15 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-18 16:14 . 2009-01-18 16:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-18 16:14 . 2009-01-18 16:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-18 16:14 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-16 13:05 . 2008-11-13 15:18 1,221,008 --a------ c:\windows\system32\zpeng25.dll
2009-01-16 13:05 . 2009-01-16 13:05 348,220 --a------ c:\windows\system32\vsconfig.xml
2009-01-16 13:05 . 2009-01-16 13:05 4,212 --ah----- c:\windows\system32\zllictbl.dat
2009-01-16 11:29 . 2009-02-04 00:20 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-16 11:29 . 2009-01-16 11:29 <DIR> d-------- c:\documents and settings\User One\Application Data\SUPERAntiSpyware.com
2009-01-16 11:29 . 2009-01-16 11:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-15 21:03 . 2009-01-15 21:03 89,088 --a------ c:\windows\system32\ctfmon.exe
2009-01-15 17:21 . 2009-01-15 17:21 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-15 17:16 . 2009-01-15 17:16 <DIR> d-------- c:\windows\system32\scripting
2009-01-15 17:15 . 2008-04-13 22:58 2,940,928 -----c--- c:\windows\system32\dllcache\wmploc.dll
2009-01-15 17:14 . 2008-04-14 05:43 2,109,440 -----c--- c:\windows\system32\dllcache\wmvcore.dll
2009-01-15 17:14 . 2008-04-14 05:42 809,984 -----c--- c:\windows\system32\dllcache\wmvdmod.dll
2009-01-15 17:14 . 2008-04-14 05:42 759,296 -----c--- c:\windows\system32\dllcache\wmsdmod.dll
2009-01-15 17:14 . 2008-04-14 05:42 303,616 -----c--- c:\windows\system32\dllcache\wmstream.dll
2009-01-15 17:14 . 2008-04-14 05:42 278,559 -----c--- c:\windows\system32\dllcache\wmv8ds32.ax
2009-01-15 17:14 . 2008-04-14 05:42 258,048 -----c--- c:\windows\system32\dllcache\wmvds32.ax
2009-01-15 17:14 . 2008-04-13 22:06 144,384 --------- c:\windows\system32\drivers\hdaudbus.sys
2009-01-15 17:14 . 2008-04-14 05:42 115,200 -----c--- c:\windows\system32\dllcache\wmsdmoe.dll
2009-01-15 17:14 . 2008-04-14 05:42 20,480 -----c--- c:\windows\system32\dllcache\wmpui.dll
2009-01-15 17:13 . 2008-04-14 00:10 10,240 --------- c:\windows\system32\drivers\sffp_mmc.sys
2009-01-14 20:50 . 2009-01-14 20:50 <DIR> d-------- c:\documents and settings\User One\Application Data\OpenOffice.org
2009-01-14 20:48 . 2009-01-14 20:48 <DIR> d-------- c:\program files\OpenOffice.org 3
2009-01-14 20:45 . 2009-01-14 20:46 <DIR> d-------- c:\program files\OpenOfficeorg3
2009-01-13 13:51 . 2008-04-14 05:42 221,184 --a------ c:\windows\system32\wmpns.dll
2009-01-13 13:47 . 2009-01-15 17:17 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-13 13:46 . 2008-04-13 23:09 2,897,920 --------- c:\windows\system32\xpsp2res.dll
2009-01-13 13:45 . 2007-08-10 20:46 26,488 --a------ c:\windows\system32\spupdsvc.exe
2009-01-13 13:43 . 2009-01-15 17:09 <DIR> d-------- c:\windows\EHome

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-09 17:39 39,936 ----a-w c:\windows\system32\wmfptc32.dll
2009-02-09 14:01 --------- d-----w c:\program files\True Sword 4
2009-01-19 01:35 --------- d-----w c:\program files\iTunes
2009-01-14 22:45 --------- d-----w c:\program files\SpywareBlaster
2009-01-14 22:45 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-12 14:49 --------- d-----w c:\program files\Opera
2005-11-28 14:47 21 ----a-w c:\program files\AVPersonalAVWIN.INI
2001-11-23 04:08 712,704 ----a-w c:\windows\inf\OTHER\AUDIO3D.DLL
.

------- Sigcheck -------

2004-08-04 00:56 44032 97e1ef029c968b457abb70e28f27b892 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-14 05:42 44032 1b513a83c7b862daca38de1b731c0040 c:\windows\ServicePackFiles\i386\ctfmon.exe
2009-01-15 21:03 89088 35eb8dce4aab288029eff8bc9e9a6486 c:\windows\system32\ctfmon.exe
.
((((((((((((((((((((((((((((( snapshot@2009-02-03_21.59.33.65 )))))))))))))))))))))))))))))))))))))))))
.
- 2000-08-31 08:00:00 89,504 ----a-w c:\windows\fdsv.exe
+ 2000-08-31 08:00:00 114,688 ----a-w c:\windows\fdsv.exe
- 2000-08-31 08:00:00 80,412 ----a-w c:\windows\grep.exe
+ 2000-08-31 08:00:00 109,056 ----a-w c:\windows\grep.exe
- 2000-08-31 08:00:00 98,816 ----a-w c:\windows\sed.exe
+ 2000-08-31 08:00:00 127,488 ----a-w c:\windows\sed.exe
- 2000-08-31 08:00:00 136,704 ----a-w c:\windows\SWSC.exe
+ 2000-08-31 08:00:00 165,376 ----a-w c:\windows\SWSC.exe
- 2000-08-31 08:00:00 212,480 ----a-w c:\windows\SWXCACLS.exe
+ 2000-08-31 08:00:00 241,152 ----a-w c:\windows\SWXCACLS.exe
+ 2009-02-09 21:06:56 16,384 ----atw c:\windows\temp\Perflib_Perfdata_ec8.dat
- 2000-08-31 08:00:00 49,152 ----a-w c:\windows\VFIND.exe
+ 2000-08-31 08:00:00 77,824 ----a-w c:\windows\VFIND.exe
- 2000-08-31 08:00:00 68,096 ----a-w c:\windows\zip.exe
+ 2000-08-31 08:00:00 96,768 ----a-w c:\windows\zip.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2009-01-15 89088]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-04 1945600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"B'sCLiP"="c:\progra~1\B'SCLI~1\Win2K\BSCLIP.exe" [2007-11-17 1499136]
"WinampAgent"="c:\program files\Winamp\Winampa.exe" [2007-11-17 132608]
"PCguardadvisor.exe"="c:\program files\blueyonder\PCguard advisor\PCguardadvisor.exe" [2007-11-17 2007040]
"PCguard"="c:\program files\blueyonder\PCguard\Rps.exe" [2007-11-17 393216]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-17 274432]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-19 352256]
"UeQaYzakOp"="c:\windows\system32\yhixl.exe" [2009-02-09 43520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"UeQaYzakOp"="c:\windows\system32\yhixl.exe" [2009-02-09 43520]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2009-01-15 89088]

c:\documents and settings\User One\Start Menu\Programs\Startup\
OpenOffice.org 1.0.1.lnk - c:\program files\OpenOffice.org1.0.1\program\quickstart.exe [10/28/2007 11:08:48 AM 180224]
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [1/15/2009 9:03:33 PM 457728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
CoreCenter.lnk - c:\program files\MSI\Core Center\CoreCenter.exe [12/4/2007 8:59:16 PM 2613248]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [9/28/2007 11:02:55 AM 197656]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2002-03-28 77824]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [3/19/2004 5:47:29 PM 9344]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/22/2008 11:06:00 AM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/22/2008 11:05:58 AM 55024]
R2 BsUDF;B.H.A UDF Filesystem;c:\windows\system32\drivers\BsUDF.sys [3/19/2004 5:47:28 PM 390400]
R3 s3legacy;s3legacy;c:\windows\system32\drivers\s3legacy.sys [3/18/2004 6:06:37 PM 65664]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/22/2008 11:06:02 AM 7408]
R4 NdisFileServices32;NdisFileServices32;c:\windows\system32\drivers\kljgkg.sys [2/8/2009 8:43:34 PM 5109]
S2 AVWUpSrv;AntiVir Update;"c:\program files\AVPersonal\AVWUPSRV.EXE" --> c:\program files\AVPersonal\AVWUPSRV.EXE [?]
S3 avgntdd;avgntdd;c:\program files\AVPersonal\AVGNTDD.SYS [12/10/2004 12:46:36 PM 32560]

--- Other Services/Drivers In Memory ---

*Deregistered* - PCAlertDriver
*Deregistered* - RushTopDevice
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-09 21:07:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1012)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-02-09 21:09:58
ComboFix-quarantined-files.txt 2009-02-09 21:09:57

Pre-Run: 79,531,171,840 bytes free
Post-Run: 79,572,631,552 bytes free

162

-------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:29:51, on 09/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.demon.net/"); (C:\Documents and Settings\USER ONE\Application Data\Mozilla\Profiles\default\p5xnmo1h.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\USER ONE\Application Data\Mozilla\Profiles\default\p5xnmo1h.slt\prefs.js)
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\blueyonder\PCguard\pkR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\blueyonder\PCguard\FBHR.dll
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [PCguardadvisor.exe] "C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe"
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\Rps.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UeQaYzakOp] C:\WINDOWS\system32\yhixl.exe
O4 - HKLM\..\RunServices: [UeQaYzakOp] C:\WINDOWS\system32\yhixl.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exe
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AntiVir Service (AntiVirService) - Unknown owner - C:\Program Files\AVPersonal\AVGUARD.EXE (file missing)
O23 - Service: AntiVir Update (AVWUpSrv) - Unknown owner - C:\Program Files\AVPersonal\AVWUPSRV.EXE (file missing)
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe

--
End of file - 5247 bytes

#9
AdvancedSetup

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 22,575 posts
  • Gender:Male
  • Location:US
Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.
Download it to your DESKTOP - it MUST run from the Desktop
download.bleepingcomputer.com/sUBs/ComboFix.exe
subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines
KILLALL::

Driver::
NdisFileServices32

File::
c:\windows\system32\yhixl.exe
c:\windows\system32\drivers\kljgkg.sys
c:\windows\system32\drivers\kljgkg.sys
C:\backup.reg
c:\windows\system32\vsconfig.xml
c:\windows\system32\wmfptc32.dll


Folder::
c:\windows\Sun

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UeQaYzakOp"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"UeQaYzakOp"=-

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon.
  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes Notepad will open with your results log open. Do a File, Exit.
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log please.
Ron Lewis
Manager, Online Support

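The logs in post #8 and the CFScript in this reply together show the pattern the helper is working from: a Run and a RunServices value with the same name pointing at a freshly written, randomly named .exe in system32, a driver service (NdisFileServices32) whose name has nothing to do with its file (kljgkg.sys), and Security Center override values that silence the antivirus and firewall warnings. The following Python script is an added example, not code from this thread, from Malwarebytes staff or from ComboFix itself. It parses those sections of a ComboFix log (a constructed excerpt assembled from lines of the logs above is embedded as input), scores each autostart entry on those structural signals, and drafts a CFScript in the format used in this reply for whatever it flags. The vowel-ratio name heuristic, the two-signal threshold and all function names are my own choices; nothing here is documented ComboFix behaviour beyond the script section names (KILLALL::, Driver::, File::, Registry::) that appear in the reply.

```python
"""Triage the autostart/driver sections of a ComboFix log and draft a CFScript.

Added example for this thread; heuristics, thresholds and names are the
author's own assumptions, not ComboFix's.
"""
import re

# Constructed sample: lines copied from the two ComboFix logs posted in this
# thread (a partial excerpt, not a complete log).
SAMPLE_LOG = r"""
ComboFix 09-02-08.02 - User One 2009-02-10 15:06:40.3 - NTFSx86
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2009-01-15 89088]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-04 1945600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-19 352256]
"UeQaYzakOp"="c:\windows\system32\axhkssnsbzm.exe" [2009-02-10 43520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"UeQaYzakOp"="c:\windows\system32\axhkssnsbzm.exe" [2009-02-10 43520]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/22/2008 11:06:00 AM 8944]
R4 NdisFileServices32;NdisFileServices32;c:\windows\system32\drivers\kljgkg.sys [2/8/2009 8:43:34 PM 5109]
"""

HEADER_RE = re.compile(r"^ComboFix \S+ - .* (\d{4}-\d{2}-\d{2}) \d\d:\d\d:\d\d")
KEY_RE = re.compile(r"^\[(.+)\]$")
ENTRY_RE = re.compile(r'^"([^"]+)"="([^"]+)" \[(\d{4}-\d{2}-\d{2}) (\d+)\]$')
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
DRIVER_RE = re.compile(r"^[RS]\d (\S+?);[^;]*;(.+?\.sys) \[", re.IGNORECASE)


def file_stem(path):
    """'c:\\windows\\system32\\yhixl.exe' -> 'yhixl' (also works on bare names)."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def looks_random(name):
    """Crude check for generated names: almost no vowels among the letters.
    Catches kljgkg / axhkssnsbzm / txzskjybuznpz. Deliberately pronounceable
    names such as the value name UeQaYzakOp, or short ones such as yhixl,
    pass it, which is why the structural checks below carry the weight."""
    letters = [c for c in file_stem(name) if c.isalpha()]
    if len(letters) < 5:
        return False
    return sum(c in "aeiouAEIOU" for c in letters) / len(letters) < 0.15


def parse_log(text):
    """Pull the scan date, Run-style entries, dword values and driver lines."""
    scan_date, key = None, None
    entries, dwords, drivers = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER_RE.match(line):
            scan_date = m.group(1)
        elif m := KEY_RE.match(line):
            key = m.group(1)                      # current registry key
        elif m := ENTRY_RE.match(line):
            entries.append({"key": key, "name": m.group(1), "path": m.group(2),
                            "date": m.group(3), "size": int(m.group(4))})
        elif m := DWORD_RE.match(line):
            dwords.append((key, m.group(1), int(m.group(2), 16)))
        elif m := DRIVER_RE.match(line):
            drivers.append({"service": m.group(1), "path": m.group(2)})
    return scan_date, entries, dwords, drivers


def assess_autostarts(scan_date, entries):
    """Return [(entry, reasons)] for entries showing at least two signals."""
    keys_by_pair = {}
    for e in entries:
        pair = (e["name"].lower(), e["path"].lower())
        keys_by_pair.setdefault(pair, set()).add(e["key"].lower())
    findings = []
    for e in entries:
        reasons = []
        if e["key"].lower().endswith(("\\runservices", "\\runservicesonce")):
            reasons.append("registered in the Win9x-era RunServices key")
        n = len(keys_by_pair[(e["name"].lower(), e["path"].lower())])
        if n > 1:
            reasons.append("same name/path registered under %d keys" % n)
        if looks_random(e["name"]) or looks_random(e["path"]):
            reasons.append("random-looking name")
        if scan_date and e["date"] == scan_date:
            reasons.append("file written on the day of the scan")
        if len(reasons) >= 2:
            findings.append((e, reasons))
    return findings


def assess_drivers(drivers):
    """Flag drivers whose file name is random AND unrelated to the service name."""
    findings = []
    for d in drivers:
        stem = file_stem(d["path"])
        reasons = []
        if looks_random(stem):
            reasons.append("random-looking driver file name")
        if stem.lower() != d["service"].lower():
            reasons.append("service name does not match file name (weak signal)")
        if len(reasons) >= 2:
            findings.append((d, reasons))
    return findings


def assess_security_center(dwords):
    """Security Center values set to 1 that hide AV/firewall state from the user."""
    return [(k, n, v) for k, n, v in dwords
            if k and k.lower().endswith("security center") and v == 1
            and (n.endswith("Override") or n.endswith("DisableNotify"))]


def build_cfscript(autostarts, drivers):
    """Draft a CFScript in the section layout used in this thread."""
    lines = ["KILLALL::", ""]
    if drivers:
        lines += ["Driver::"] + [d["service"] for d, _ in drivers] + [""]
    files = sorted({e["path"] for e, _ in autostarts} | {d["path"] for d, _ in drivers})
    lines += ["File::"] + files + ["", "Registry::"]
    for e, _ in autostarts:                       # one "name"=- per key
        lines += ["[%s]" % e["key"], '"%s"=-' % e["name"], ""]
    return "\n".join(lines).rstrip() + "\n"


def analyze(text):
    scan_date, entries, dwords, drivers = parse_log(text)
    auto, drv = assess_autostarts(scan_date, entries), assess_drivers(drivers)
    return {"autostarts": auto, "drivers": drv,
            "security_center": assess_security_center(dwords),
            "cfscript": build_cfscript(auto, drv)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for e, why in result["autostarts"]:
        print("AUTOSTART %s -> %s: %s" % (e["name"], e["path"], "; ".join(why)))
    for d, why in result["drivers"]:
        print("DRIVER    %s -> %s: %s" % (d["service"], d["path"], "; ".join(why)))
    for k, n, v in result["security_center"]:
        print("SECCENTER %s = %d" % (n, v))
    print("\n--- drafted CFScript ---\n" + result["cfscript"])
```

Run as-is and it prints the findings and the drafted script. Two caveats the thread itself illustrates: the value name UeQaYzakOp is pronounceable and passes the name heuristic, so it is the Run/RunServices pairing and the same-day file date that flag it, not the name; and because the loader writes a new file name at each boot, a File:: line is only valid for the boot session the log was taken in, which is why a script built from the previous day's log names the wrong file and why the reply's script puts KILLALL:: first. The Security Center values and "EnableFirewall"= 0 in the logs are worth resetting once the loader is gone, or the machine will keep running with its warnings suppressed.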

#10
fmajor7th

    New Member

  • Members
  • Pip
  • 10 posts
Hello again,

Thanks for your reply – your instructions were very clear/straightforward. I deleted old CFix and d/l a fresh copy to my desktop; I copied your code to a Notepad file and named/located it as instructed. Because the UeQaYzakOp entry creates a new name for its exe file in its Windows\system32\ folder upon each start up, the name of the file today (I switch my machine off every night), was, of course, not yhixl.exe (as cited in your code) but txzskjybuznpz.exe (which you could not have known, of course). As I assume you are trying to delete this file, I took the initiative of carefully adding a single line with this file name into the deletions list in the Notepad script file. I hope this was the correct thing to do? (Of course, with the reboot between CF's execution and its log creation, the name of the exe file had changed again, this time to axhkssnsbzm). I assume with the registry deletions that you specified, your dash character in the code covers all/any file names that follow; having said that, I did not see any mention of registry changes whilst CF was running, and these actions appear not to be explicitly reported in the logs.

Anyway, I closed everything down and drag/dropped the script onto CF which then started and appeared to run fine, listing its commands and all 50 stages, no problem. It rebooted and created the log below; I've also appended the catchme log which was produced. Unfortunately, it appears UeQaYzakOp is still with us and all its derivative tmp files are back running as processes; I was hopeful of CF, as it looks so promising but it seems not to have worked on this attempt.

I guess this little bug has buried itself deep in my system and is hell-bent on survival... I continue to appreciate the time and effort you are dedicating to my case and look forward to your reply.

Fmajor7th


ComboFix 09-02-08.02 - User One 2009-02-10 15:06:40.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.740 [GMT 0:00]
Running from: c:\documents and settings\User One\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User One\Desktop\CFscript.txt
AV: PCguard Anti-Virus *On-access scanning disabled* (Outdated)
FW: PCguard Firewall *enabled*
* Created a new restore point

FILE ::
C:\backup.reg
c:\windows\system32\drivers\kljgkg.sys
c:\windows\system32\txzskjybuznpz.exe
c:\windows\system32\vsconfig.xml
c:\windows\system32\wmfptc32.dll
c:\windows\system32\yhixl.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\backup.reg
c:\windows\Sun
c:\windows\system32\drivers\kljgkg.sys
c:\windows\system32\txzskjybuznpz.exe
c:\windows\system32\vsconfig.xml
c:\windows\system32\wmfptc32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NDISFILESERVICES32
-------\Service_NdisFileServices32


((((((((((((((((((((((((( Files Created from 2009-01-10 to 2009-02-10 )))))))))))))))))))))))))))))))
.

2009-02-10 15:08 . 2009-02-10 15:08 43,520 --a------ c:\windows\system32\axhkssnsbzm.exe
2009-02-08 19:43 . 2009-02-10 13:54 <DIR> d-------- c:\program files\CCleaner
2009-02-02 14:30 . 2009-02-02 14:30 <DIR> d-------- c:\program files\Trend Micro
2009-01-18 16:16 . 2009-01-18 16:16 <DIR> d-------- c:\documents and settings\User One\Application Data\Malwarebytes
2009-01-18 16:15 . 2009-01-18 16:15 <DIR> d-------- c:\program files\iPod
2009-01-18 16:15 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-18 16:14 . 2009-01-18 16:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-18 16:14 . 2009-01-18 16:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-18 16:14 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-16 13:05 . 2008-11-13 15:18 1,221,008 --a------ c:\windows\system32\zpeng25.dll
2009-01-16 13:05 . 2009-01-16 13:05 4,212 --ah----- c:\windows\system32\zllictbl.dat
2009-01-16 11:29 . 2009-02-04 00:20 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-16 11:29 . 2009-01-16 11:29 <DIR> d-------- c:\documents and settings\User One\Application Data\SUPERAntiSpyware.com
2009-01-16 11:29 . 2009-01-16 11:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-15 21:03 . 2009-01-15 21:03 89,088 --a------ c:\windows\system32\ctfmon.exe
2009-01-15 17:21 . 2009-01-15 17:21 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-15 17:16 . 2009-01-15 17:16 <DIR> d-------- c:\windows\system32\scripting
2009-01-15 17:15 . 2008-04-13 22:58 2,940,928 -----c--- c:\windows\system32\dllcache\wmploc.dll
2009-01-15 17:14 . 2008-04-14 05:43 2,109,440 -----c--- c:\windows\system32\dllcache\wmvcore.dll
2009-01-15 17:14 . 2008-04-14 05:42 809,984 -----c--- c:\windows\system32\dllcache\wmvdmod.dll
2009-01-15 17:14 . 2008-04-14 05:42 759,296 -----c--- c:\windows\system32\dllcache\wmsdmod.dll
2009-01-15 17:14 . 2008-04-14 05:42 303,616 -----c--- c:\windows\system32\dllcache\wmstream.dll
2009-01-15 17:14 . 2008-04-14 05:42 278,559 -----c--- c:\windows\system32\dllcache\wmv8ds32.ax
2009-01-15 17:14 . 2008-04-14 05:42 258,048 -----c--- c:\windows\system32\dllcache\wmvds32.ax
2009-01-15 17:14 . 2008-04-13 22:06 144,384 --------- c:\windows\system32\drivers\hdaudbus.sys
2009-01-15 17:14 . 2008-04-14 05:42 115,200 -----c--- c:\windows\system32\dllcache\wmsdmoe.dll
2009-01-15 17:14 . 2008-04-14 05:42 20,480 -----c--- c:\windows\system32\dllcache\wmpui.dll
2009-01-15 17:13 . 2008-04-14 00:10 10,240 --------- c:\windows\system32\drivers\sffp_mmc.sys
2009-01-14 20:50 . 2009-01-14 20:50 <DIR> d-------- c:\documents and settings\User One\Application Data\OpenOffice.org
2009-01-14 20:48 . 2009-01-14 20:48 <DIR> d-------- c:\program files\OpenOffice.org 3
2009-01-14 20:45 . 2009-01-14 20:46 <DIR> d-------- c:\program files\OpenOfficeorg3
2009-01-13 13:51 . 2008-04-14 05:42 221,184 --a------ c:\windows\system32\wmpns.dll
2009-01-13 13:47 . 2009-01-15 17:17 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-13 13:46 . 2008-04-13 23:09 2,897,920 --------- c:\windows\system32\xpsp2res.dll
2009-01-13 13:45 . 2007-08-10 20:46 26,488 --a------ c:\windows\system32\spupdsvc.exe
2009-01-13 13:43 . 2009-01-15 17:09 <DIR> d-------- c:\windows\EHome

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-09 14:01 --------- d-----w c:\program files\True Sword 4
2009-01-19 01:35 --------- d-----w c:\program files\iTunes
2009-01-14 22:45 --------- d-----w c:\program files\SpywareBlaster
2009-01-14 22:45 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-12 14:49 --------- d-----w c:\program files\Opera
2005-11-28 14:47 21 ----a-w c:\program files\AVPersonalAVWIN.INI
2001-11-23 04:08 712,704 ----a-w c:\windows\inf\OTHER\AUDIO3D.DLL
.

------- Sigcheck -------

2004-08-04 00:56 44032 97e1ef029c968b457abb70e28f27b892 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-14 05:42 44032 1b513a83c7b862daca38de1b731c0040 c:\windows\ServicePackFiles\i386\ctfmon.exe
2009-01-15 21:03 89088 35eb8dce4aab288029eff8bc9e9a6486 c:\windows\system32\ctfmon.exe
.
((((((((((((((((((((((((((((( snapshot@2009-02-03_21.59.33.65 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 20:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2000-08-31 08:00:00 89,504 ----a-w c:\windows\fdsv.exe
+ 2000-08-31 08:00:00 114,688 ----a-w c:\windows\fdsv.exe
- 2000-08-31 08:00:00 80,412 ----a-w c:\windows\grep.exe
+ 2000-08-31 08:00:00 109,056 ----a-w c:\windows\grep.exe
- 2000-08-31 08:00:00 98,816 ----a-w c:\windows\sed.exe
+ 2000-08-31 08:00:00 127,488 ----a-w c:\windows\sed.exe
- 2000-08-31 08:00:00 136,704 ----a-w c:\windows\SWSC.exe
+ 2000-08-31 08:00:00 165,376 ----a-w c:\windows\SWSC.exe
- 2000-08-31 08:00:00 212,480 ----a-w c:\windows\SWXCACLS.exe
+ 2000-08-31 08:00:00 241,152 ----a-w c:\windows\SWXCACLS.exe
+ 2009-02-10 15:08:46 16,384 ----atw c:\windows\temp\Perflib_Perfdata_84c.dat
- 2000-08-31 08:00:00 49,152 ----a-w c:\windows\VFIND.exe
+ 2000-08-31 08:00:00 77,824 ----a-w c:\windows\VFIND.exe
- 2000-08-31 08:00:00 68,096 ----a-w c:\windows\zip.exe
+ 2000-08-31 08:00:00 96,768 ----a-w c:\windows\zip.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2009-01-15 89088]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-04 1945600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"B'sCLiP"="c:\progra~1\B'SCLI~1\Win2K\BSCLIP.exe" [2007-11-17 1499136]
"WinampAgent"="c:\program files\Winamp\Winampa.exe" [2007-11-17 132608]
"PCguardadvisor.exe"="c:\program files\blueyonder\PCguard advisor\PCguardadvisor.exe" [2007-11-17 2007040]
"PCguard"="c:\program files\blueyonder\PCguard\Rps.exe" [2007-11-17 393216]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-17 274432]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-19 352256]
"UeQaYzakOp"="c:\windows\system32\axhkssnsbzm.exe" [2009-02-10 43520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"UeQaYzakOp"="c:\windows\system32\axhkssnsbzm.exe" [2009-02-10 43520]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2009-01-15 89088]

c:\documents and settings\User One\Start Menu\Programs\Startup\
OpenOffice.org 1.0.1.lnk - c:\program files\OpenOffice.org1.0.1\program\quickstart.exe [10/28/2007 11:08:48 AM 180224]
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [1/15/2009 9:03:33 PM 457728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
CoreCenter.lnk - c:\program files\MSI\Core Center\CoreCenter.exe [12/4/2007 8:59:16 PM 2613248]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [9/28/2007 11:02:55 AM 197656]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2002-03-28 77824]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [3/19/2004 5:47:29 PM 9344]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/22/2008 11:06:00 AM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/22/2008 11:05:58 AM 55024]
R2 BsUDF;B.H.A UDF Filesystem;c:\windows\system32\drivers\BsUDF.sys [3/19/2004 5:47:28 PM 390400]
R3 s3legacy;s3legacy;c:\windows\system32\drivers\s3legacy.sys [3/18/2004 6:06:37 PM 65664]
S2 AVWUpSrv;AntiVir Update;"c:\program files\AVPersonal\AVWUPSRV.EXE" --> c:\program files\AVPersonal\AVWUPSRV.EXE [?]
S3 avgntdd;avgntdd;c:\program files\AVPersonal\AVGNTDD.SYS [12/10/2004 12:46:36 PM 32560]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/22/2008 11:06:02 AM 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NDISFILESERVICES32
*NewlyCreated* - PCALERTDRIVER
*NewlyCreated* - RUSHTOPDEVICE
*Deregistered* - PCAlertDriver
*Deregistered* - RushTopDevice
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-10 15:08:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1008)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\blueyonder\PCguard\fws.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Common Files\Command Software\dvpapi.exe
c:\windows\system32\axhkssnsbzm.exe~1.tmp.exe
c:\docume~1\USERON~1\LOCALS~1\temp\~2.tmp.exe
c:\docume~1\USERON~1\LOCALS~1\temp\~3.tmp.exe
c:\docume~1\USERON~1\LOCALS~1\temp\~5.tmp.exe
c:\docume~1\USERON~1\LOCALS~1\temp\~6.tmp.exe
c:\docume~1\USERON~1\LOCALS~1\temp\~8.tmp.exe
c:\docume~1\USERON~1\LOCALS~1\temp\~B.tmp.exe
c:\docume~1\USERON~1\LOCALS~1\temp\~D.tmp.exe
c:\docume~1\USERON~1\LOCALS~1\temp\~10.tmp.exe
c:\docume~1\USERON~1\LOCALS~1\temp\~12.tmp.exe
c:\docume~1\USERON~1\LOCALS~1\temp\~13.tmp.exe
c:\docume~1\USERON~1\LOCALS~1\temp\~14.tmp.exe
c:\docume~1\USERON~1\LOCALS~1\temp\~1B.tmp.exe
c:\docume~1\USERON~1\LOCALS~1\temp\~1A.tmp.exe
c:\docume~1\USERON~1\LOCALS~1\temp\~1D.tmp.exe
c:\docume~1\USERON~1\LOCALS~1\temp\~20.tmp.exe
c:\program files\iPod\bin\iPodService.exe
c:\docume~1\USERON~1\LOCALS~1\temp\~22.tmp.exe
c:\docume~1\USERON~1\LOCALS~1\temp\~24.tmp.exe
c:\docume~1\USERON~1\LOCALS~1\temp\~26.tmp.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\docume~1\USERON~1\LOCALS~1\temp\~28.tmp.exe
.
**************************************************************************
.
Completion time: 2009-02-10 15:11:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-10 15:11:29
ComboFix2.txt 2009-02-09 21:10:00

Pre-Run: 79,426,392,064 bytes free
Post-Run: 79,369,334,784 bytes free

214
------------------------------------
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-10 15:06:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden files ...

IPC error: 2 The system cannot find the file specified.
scan completed successfully
hidden files: 0

#11
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,575 posts
  • Gender:Male
  • Location:US
Yes, unfortunately you can't keep rebooting the system, and it should probably be isolated from the network and from other computers.

Let's try this tool and see if it can take care of it or at least most of it for us.

Avira AntiVir Rescue System
Requires access to a working computer with a CD/DVD burner to create a bootable CD.
  • Download the Avira AntiVir Rescue System from here
  • Place a blank CD in your burner and double-click on the downloaded file.
  • The program will automatically burn the CD for you.
  • Place the burned CD into the affected computer and start the computer from this CD.
  • On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
  • Click on the Configuration button.
    • Select Scan all files
    • Select Try to repair infected files and Rename files, if they cannot be removed
    • Select Scan for dialers
    • Select Scan for joke programs (Jokes)
    • Select Scan for games
    • Select Scan for spyware (SPR)
  • Click on Virus scanner
  • Click on Start scanner at the bottom of the screen
  • Currently the program does not support saving a log. Write down the number of items for Records, Suspect files, and Warnings.
The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Screen resolution problems
Please see the post here if you're unable to view the entire screen of Avira.
Ron Lewis
Manager, Online Support

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#12
fmajor7th
Hello again,

Thanks for your further advice/instructions... I downloaded the Avira rescue system and created the boot CD - all OK. I booted my infected PC from this and it loaded what I assume to be a bare-bones Linux OS, followed by the Avira app with the German-language GUI as you described; the video was fine but my mouse was not enabled, so I invoked the command line, but my keyboard was not configured properly either, so I was unable to select/input command line options with any confidence. I use a somewhat old-fashioned serial mouse/PS2 keyboard; I'm guessing that this is the problem and that maybe the Linux default is a USB mouse and keyboard... I'll have to see if I can get hold of one... it may take a couple of days...

Fmajor7th

#13
AdvancedSetup
Okay thanks for the input.
Ron Lewis
Manager, Online Support

#14
fmajor7th
Hello Malwarebytes,

Sorry, for the delay in responding; I managed to get temporary use of a USB mouse which has resolved the non-configured mouse problem indicated earlier.

I booted the infected PC with the Avira rescue system CD and the GUI loaded fine; I configured and checked the options as you instructed and ran the AV scanner. I hope the outcome makes sense to someone! The scan only took 18 seconds; it stated it had scanned 35 files and 11 directories; there were a couple of messages in the text report about not being able to read the boot sector, but none of these seemed to be significant/terminal, and the scan seemed to complete with no abnormalities and produced the message 'scan finished'. Yet the items for Records were 0, Suspect files 0, and Warnings 0. Presumably this scan was only looking in very specific places in the root and start up areas on my hard drive (I'm not sure exactly what /mnt/ - as the default directory - means in Linux); whatever, it did not seem to find/recognise any rogue files there. It's disappointing as, to me, this 'pre-boot' method - i.e. before the malware had had a chance to secure itself - seemed such a good idea...

On rebooting XP from the HD using the normal boot method, the malware temp files processes are all still there; so is, I therefore assume, the root/parent malware agent. Yet, to report more generally, I have noticed that over the last couple of sessions, it seems to me that the malware activity (which usually has the CPU running at 30-50%) is somewhat reduced, despite all the files still being there. I have no idea why this is; whether it is just coincidental, just my imagination or wishful thinking, or that gradually your efforts are beginning to curtail its activities... Whatever, you have my continued thanks; I look forward to hearing further from you.

Fmajor7th

#15
AdvancedSetup
Okay, let's try to update MBAM and scan with it again. There have been many additions since you last ran the scanner.

The current version is: 1.34 with definitions of 1798


Update and Scan with Malwarebytes' Anti-Malware
  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Then RESTART the computer

AFTER the reboot, run HJT, do a system scan and save a logfile.
Then post back the NEW MBAM and HJT logs, in that order please.
Ron Lewis
Manager, Online Support

#16
AdvancedSetup
Please post a status update on this.
Ron Lewis
Manager, Online Support

#17
fmajor7th
Thank you for your reply. I updated MBAM (1.34/1807) and ran it, then rebooted and ran HJT as requested. Please find the logs below. The temp files remain and our old friend UeQaYzakOp is still in residence. It's very strange and frustrating; I just can't see how it is managing to evade so many anti-malware programs. By the way, I have installed a new Epson printer since my last scan; I know your advice elsewhere is not to install new software if infected, so I was waiting until we had got a clean system, but in the end I needed it. The drivers/software were all taken from an official/authorised Epson CD. Thanks once again; I look forward to hearing from you.

Fmajor7th

Malwarebytes' Anti-Malware 1.34
Database version: 1807
Windows 5.1.2600 Service Pack 3

27/02/2009 12:14:16
mbam-log-2009-02-27 (12-14-16).txt

Scan type: Quick Scan
Objects scanned: 69537
Time elapsed: 5 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

-------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:33:04, on 27/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~145.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~14B.tmp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~147.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~14C.tmp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEDE.EXE
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~14D.tmp.exe
C:\Program Files\MSI\Core Center\CoreCenter.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~189.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~180.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~18D.tmp.exe
C:\WINDOWS\system32\RAMASST.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~18F.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~193.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~194.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~196.tmp.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~19A.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~19B.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~19C.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~19E.tmp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~1A2.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~1A4.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~1A6.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~1A8.tmp.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.demon.net/"); (C:\Documents and Settings\USER ONE\Application Data\Mozilla\Profiles\default\p5xnmo1h.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\USER ONE\Application Data\Mozilla\Profiles\default\p5xnmo1h.slt\prefs.js)
O1 - Hosts: 255.255.255.255 ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net ca.com dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads.microsoft.com engine.awaps.net f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com mcafee.com msdn.microsoft.com my-etrust.com nai.com networkassociates.com office.microsoft.com phx.corporate-ir.net secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com symantec.com update.symantec.com updates.symantec.com us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com www.avp.ch www.avp.com www.avp.ru www.awaps.net www.ca.com www.f-secure.com www.kaspersky.ru www.mcafee.com www.my-etrust.com www.nai.com www.networkassociates.com www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.com www.viruslist.ru www3.ca.com
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\blueyonder\PCguard\pkR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\blueyonder\PCguard\FBHR.dll
O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [PCguardadvisor.exe] "C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe"
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\Rps.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UeQaYzakOp] C:\WINDOWS\system32\qxyvrhl.exe
O4 - HKLM\..\RunServices: [UeQaYzakOp] C:\WINDOWS\system32\qxyvrhl.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [EPSON SX100 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEDE.EXE /FU "C:\WINDOWS\TEMP\E_S1D1.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exe
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AntiVir Service (AntiVirService) - Unknown owner - C:\Program Files\AVPersonal\AVGUARD.EXE (file missing)
O23 - Service: AntiVir Update (AVWUpSrv) - Unknown owner - C:\Program Files\AVPersonal\AVWUPSRV.EXE (file missing)
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe

--
End of file - 7992 bytes
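The ComboFix fragment at the top of this section (the Security Center notification flags set to 1 and EnableFirewall at 0) and the HijackThis log just above (a HOSTS line pointing vendor and update sites at 255.255.255.255, the ~hex.tmp.exe processes running from Temp, and the same UeQaYzakOp entry under both Run and RunServices) are the findings a handler pulls out of these logs by hand. Below is an added example, not code from Malwarebytes, HijackThis, ComboFix or anyone in this thread, that does that triage offline over the log text in Python. SAMPLE_HJT and SAMPLE_REG are constructed inputs shaped like the posted logs, and SECURITY_DOMAINS is an assumed, illustrative list of vendor domains, not an authoritative one.

```python
"""Offline triage of HijackThis / ComboFix log text (added example for this thread).

Not a Malwarebytes, HijackThis or ComboFix tool. SAMPLE_HJT and SAMPLE_REG are
constructed from the line formats in the posted logs; SECURITY_DOMAINS is an
assumed short list meant to be extended.
"""
import re

# Vendor / update domains an AV-killer typically black-holes (assumed list).
SECURITY_DOMAINS = (
    "microsoft.com", "symantec.com", "mcafee.com", "sophos.com",
    "f-secure.com", "kaspersky.ru", "avp.com", "trendmicro.com",
    "nai.com", "ca.com", "viruslist.com",
)
# Hosts-file targets that make a name unreachable rather than redirect it.
BLACKHOLE_IPS = {"255.255.255.255", "127.0.0.1", "0.0.0.0"}
# Security Center values that, when 1, silence the "no AV / no updates" warnings.
SC_NOTIFY_FLAGS = ("AntiVirusDisableNotify", "UpdatesDisableNotify",
                   "AntiVirusOverride", "FirewallOverride")

# ~<hex>.tmp.exe launched from a user's Local Settings\Temp (8.3 short path).
TEMP_EXE = re.compile(r"\\LOCALS~1\\Temp\\~[0-9A-F]+\.tmp\.exe$", re.I)
# HJT O4 autostart line: "O4 - HKLM\..\Run: [name] path"
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunServices): \[([^\]]+)\] (.+)$")
O1_HOSTS = re.compile(r"^O1 - Hosts: (\S+) (.+)$")
REG_DWORD = re.compile(r'^"(\w+)"=dword:([0-9a-f]{8})$', re.I)
REG_FIREWALL = re.compile(r'^"EnableFirewall"=\s*(\d+)')


def temp_processes(lines):
    """Running-process paths that are ~hex.tmp.exe files in %TEMP%."""
    return [l.strip() for l in lines if TEMP_EXE.search(l.strip())]


def blackholed_security_hosts(lines):
    """(host, ip) pairs from an O1 line where a vendor/update host maps to a
    black-hole address, i.e. the machine can no longer reach that site."""
    hits = []
    for l in lines:
        m = O1_HOSTS.match(l.strip())
        if not m or m.group(1) not in BLACKHOLE_IPS:
            continue
        for host in m.group(2).split():
            if any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS):
                hits.append((host, m.group(1)))
    return hits


def duplicated_autostarts(lines):
    """Autostart names registered under more than one O4 key (e.g. both Run
    and RunServices), a redundancy legitimate installers rarely use."""
    seen = {}
    for l in lines:
        m = O4_RUN.match(l.strip())
        if m:
            seen.setdefault(m.group(3), set()).add(m.group(2))
    return {name: sorted(keys) for name, keys in seen.items() if len(keys) > 1}


def security_center_tampering(reg_lines):
    """Security Center / firewall values from a ComboFix registry dump that
    hide missing-AV warnings or turn the XP firewall off."""
    findings = []
    for l in reg_lines:
        l = l.strip()
        m = REG_DWORD.match(l)
        if m and m.group(1) in SC_NOTIFY_FLAGS and int(m.group(2), 16) == 1:
            findings.append(m.group(1))
        m = REG_FIREWALL.match(l)
        if m and int(m.group(1)) == 0:
            findings.append("EnableFirewall=0")
    return findings


# Constructed sample input, shaped like the logs posted in this thread.
SAMPLE_HJT = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~145.tmp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~14B.tmp.exe

O1 - Hosts: 255.255.255.255 update.symantec.com windowsupdate.microsoft.com www.example.com
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UeQaYzakOp] C:\WINDOWS\system32\qxyvrhl.exe
O4 - HKLM\..\RunServices: [UeQaYzakOp] C:\WINDOWS\system32\qxyvrhl.exe
""".splitlines()

SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"EnableFirewall"= 0 (0x0)
""".splitlines()

if __name__ == "__main__":
    for path in temp_processes(SAMPLE_HJT):
        print("temp-dir process:", path)
    for host, ip in blackholed_security_hosts(SAMPLE_HJT):
        print("hosts black-hole:", host, "->", ip)
    for name, keys in duplicated_autostarts(SAMPLE_HJT).items():
        print("autostart in several keys:", name, keys)
    for flag in security_center_tampering(SAMPLE_REG):
        print("security center tampered:", flag)
```

Run it as a script for a printed report, or pass the functions the lines of a saved HJT log and a ComboFix registry section. The hosts check deliberately ignores entries that point at anything other than a black-hole address: a vendor site redirected to a real IP is a different finding (interception rather than blocking) and should be reported separately.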

#18
AdvancedSetup
Please run the following AV scanner. First delete your copy of Combofix.exe on the desktop and empty your trash.

Then after you download it you need to disable any other Anti-Virus and disconnect from the Internet while it runs.


Please download to your Desktop: Dr.Web CureIt
  • After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet
  • Double-click the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click on the Complete scan radio button.
  • Then click on the Settings menu on top, then select Change Settings or press the F9 key. You can also change the Language.
  • Choose the Scanning tab and I recommend leaving the Heuristic analysis enabled (this can lead to False Positives though).
  • On the File types tab ensure you select All files
  • Click on the Actions tab and set the following:
    • Objects Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    • Infected packages Archive = Move, E-mails = Report, Containers = Move
    • Malware Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    • Do not change the Rename extension - default is: #??
    • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    • Leave prompt on Action checked
  • On the Log file tab leave the Log to file checked.
  • Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log
  • Log mode = Append
  • Encoding = ANSI
  • Details Leave Names of file packers and Statistics checked.
  • Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.
  • On the General tab leave the Scan Priority on High
  • Click the Apply button at the bottom, and then the OK button.
  • On the right side under the Dr Web Anti-Virus Logo you will see 3 little buttons. Click the left VCR style Start button.
  • In this mode it will scan Boot sectors of all disks, All removable media, and all local drives
  • The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.
  • When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.
  • Click 'Yes to all' if it asks if you want to cure/move the files.
  • This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (in this case we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer, because it is possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new hijackthis log.

Ron Lewis
Manager, Online Support

#19
AdvancedSetup
Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
Ron Lewis
Manager, Online Support

#20
AdvancedSetup
Post re-opened at user request.
Ron Lewis
Manager, Online Support