13 replies to this topic

[DaveC 376]

Afternoon,

Is there anyone who can help me please? I am having trouble getting rid of Trojan.Vundo.H

The only program that seems to even find it is MBAM finding it in C:\Windows\System32\yriqdux.dll and three registry entries that refer to it. Unfortunately even after restart (whether into Safe Mode or normal) the files are still there, I have tried CCleaner, Cyberscrub and MBAMs File Assassin but all to no avail.

Looking on the Symantec website they only have a remaoval tool for Trojan.Vundo and Trojan.Vundo.B but this finds no trace of the 'H' variant.

Looking through previous post I have downloaded latest versions of Firefox, MBAM, SuperAntiSpyware, AVG, AdAware and gotten rid of anything such as uTorrent etc prior to running MABM and Hijack This. In anticipation I have also readied

Here are the logs and BIG BIG thanks in advance for any helpand/or advice.

Cheers

Dave


MBAM Log (Quick Scan but a full scan about an hour earlier showe same four results)

Malwarebytes' Anti-Malware 1.34
Database version: 1851
Windows 5.1.2600 Service Pack 3

15/03/2009 13:46:56
mbam-log-2009-03-15 (13-46-56).txt

Scan type: Quick Scan
Objects scanned: 66835
Time elapsed: 2 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4a0736bd-3d9d-4d40-86c5-bdf063ab24fe} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hmbdkint (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{4a0736bd-3d9d-4d40-86c5-bdf063ab24fe} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\yriqdux.dll (Trojan.Vundo.H) -> Delete on reboot.

HIJACK THIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:15:19, on 15/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Tall Emu\Online Armor\oahlp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {4a0736bd-3d9d-4d40-86c5-bdf063ab24fe} - c:\windows\system32\yriqdux.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1227040515671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1230643681234
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: hmbdkint - C:\WINDOWS\SYSTEM32\yriqdux.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 6829 bytes

[Rodav]

Hello Dave and welcome to the Malwarebytes forums.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix


* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review along with a new HijackThis log.

[DaveC 376]

Thanks for replying, much appreciated.

Here are the ComboFix and HJT logs as requested.....

COMBO FIX

ComboFix 09-03-18.01 - D&A 2009-03-18 22:46:14.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3318.2919 [GMT 0:00]
Running from: c:\documents and settings\D&A\Desktop\ComboFix.exe
FW: Online Armor Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

I:\AutoRun.inf

.
((((((((((((((((((((((((( Files Created from 2009-02-18 to 2009-03-18 )))))))))))))))))))))))))))))))
.

2009-03-15 14:14 . 2009-03-15 14:14 <DIR> d-------- c:\program files\Trend Micro
2009-03-15 13:52 . 2009-03-15 13:52 <DIR> d-------- c:\program files\Tall Emu
2009-03-15 13:52 . 2009-03-18 22:44 <DIR> d-------- c:\documents and settings\D&A\Application Data\OnlineArmor
2009-03-15 13:52 . 2009-03-15 13:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\OnlineArmor
2009-03-15 13:52 . 2008-12-13 02:26 178,376 --a------ c:\windows\system32\drivers\OADriver.sys
2009-03-15 13:52 . 2008-12-13 02:26 30,920 --a------ c:\windows\system32\drivers\OAmon.sys
2009-03-15 13:52 . 2008-12-13 02:26 28,872 --a------ c:\windows\system32\drivers\OAnet.sys
2009-03-15 03:00 . 2009-03-15 03:00 <DIR> d-------- c:\documents and settings\D&A\DoctorWeb
2009-03-15 01:52 . 2009-03-15 01:53 <DIR> d-------- C:\MGtools
2009-03-15 01:52 . 2009-03-15 01:53 51,060 --a------ C:\MGlogs.zip
2009-03-15 01:45 . 2009-03-15 01:45 1,339,834 --a------ C:\MGtools.exe
2009-03-15 01:18 . 2009-03-15 01:18 <DIR> d-------- c:\program files\Java
2009-03-15 01:18 . 2009-03-15 01:18 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-15 01:18 . 2009-03-15 01:18 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-14 23:32 . 2009-03-14 23:32 <DIR> d-------- c:\documents and settings\D&A\Application Data\aAvgApi
2009-03-14 08:28 . 2009-03-09 12:49 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-03-14 07:55 . 2009-03-14 07:55 <DIR> d-------- c:\program files\mp3DirectCut
2009-03-13 11:40 . 2009-03-13 11:42 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-13 11:40 . 2009-03-13 11:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-12 09:52 . 2009-03-12 09:52 <DIR> d-------- c:\documents and settings\D&A\Application Data\Malwarebytes
2009-03-11 11:06 . 2009-03-11 11:06 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-11 10:54 . 2009-03-11 10:54 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-11 10:54 . 2009-03-11 10:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-11 10:54 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-11 10:54 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-11 07:53 . 2009-03-11 07:53 <DIR> d-------- c:\documents and settings\D&A\Application Data\dcumwcsi
2009-03-11 07:34 . 2009-03-11 07:34 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\dcumwcsi
2009-03-09 15:23 . 2009-03-09 15:23 22,540 --a------ c:\windows\system32\AAWService_2009_03_09_15_23_54.dmp
2009-03-09 15:19 . 2009-03-09 15:19 <DIR> d-------- c:\program files\CCleaner
2009-03-09 12:49 . 2009-03-09 12:49 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-03-09 12:46 . 2009-03-09 12:46 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-09 10:11 . 2009-03-09 10:11 <DIR> d-------- c:\documents and settings\Administrator\Application Data\CyberScrub
2009-03-09 09:59 . 2009-03-18 22:40 <DIR> d-------- c:\documents and settings\Administrator
2009-03-07 21:40 . 2009-03-07 21:40 2 --a------ C:\-1058818287
2009-03-07 21:40 . 2009-03-09 09:50 0 --a------ c:\windows\system32\drivers\c8485a2.sys
2009-02-27 07:23 . 2009-03-11 11:06 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-27 07:23 . 2009-02-27 07:23 <DIR> d-------- c:\documents and settings\D&A\Application Data\SUPERAntiSpyware.com
2009-02-27 07:23 . 2009-02-27 07:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-25 07:05 . 2009-01-09 19:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat
2009-02-21 19:48 . 2009-02-21 19:48 <DIR> d-------- c:\windows\Downloaded Installations
2009-02-21 19:40 . 2008-04-14 00:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-02-21 19:40 . 2008-04-13 18:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-02-21 19:40 . 2008-04-13 18:45 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2009-02-21 19:40 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-18 22:39 --------- d-----w c:\documents and settings\D&A\Application Data\HPAppData
2009-03-15 21:27 --------- d-----w c:\program files\Common Files\Adobe
2009-03-15 01:36 --------- d-----w c:\documents and settings\D&A\Application Data\uTorrent
2009-03-09 12:46 --------- d-----w c:\program files\Lavasoft
2009-03-09 12:46 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-09 08:26 --------- d-----w c:\program files\Trials 2 Second Edition
2009-02-02 16:13 --------- d-----w c:\program files\Bonjour
2009-01-31 22:02 --------- d-----w c:\documents and settings\NetworkService\Application Data\DivX
2009-01-23 12:55 --------- d-----w c:\program files\Valve
2009-01-18 15:02 --------- d-----w c:\documents and settings\D&A\Application Data\Ahead
2009-01-18 14:53 --------- d-----w c:\documents and settings\D&A\Application Data\Vso
2009-01-18 14:21 --------- d-----w c:\program files\Common Files\Ahead
2009-01-18 14:21 --------- d-----w c:\documents and settings\All Users\Application Data\Ahead
2009-01-17 17:40 47,360 ----a-w c:\documents and settings\D&A\Application Data\pcouffin.sys
2009-01-06 21:35 26,072 ----a-w c:\documents and settings\D&A\Application Data\GDIPFONTCACHEV1.DAT
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-12-18 22:07 3,532 ----a-w C:\drmHeader.bin
2006-06-23 14:48 32,768 ----a-w c:\windows\inf\UpdateUSB.exe
2008-11-20 17:17 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008112020081121\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4a0736bd-3d9d-4d40-86c5-bdf063ab24fe}]
2004-08-04 12:00 104448 --a------ c:\windows\system32\yriqdux.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2008-12-13 6223048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hmbdkint]
2004-08-04 12:00 104448 c:\windows\system32\yriqdux.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^D&A^Start Menu^Programs^Startup^Kremlin Sentry.lnk]
path=c:\documents and settings\D&A\Start Menu\Programs\Startup\Kremlin Sentry.lnk
backup=c:\windows\pss\Kremlin Sentry.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
--a------ 2009-03-09 12:48 515416 c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2009-02-27 17:10 35696 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-04-20 13:57 162584 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-10-14 21:17 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-04-20 13:57 142104 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 00:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2007-04-20 13:57 138008 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Privacy Suite RiskMonitor]
--a------ 2007-11-22 10:53 1777296 c:\program files\CyberScrub Privacy Suite\CSRiskMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2009-01-23 13:06 1410296 c:\program files\Valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2009-02-17 11:43 1830128 c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2006-10-18 20:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-ra------ 2005-05-03 18:43 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-ra------ 2007-01-30 18:54 16116224 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-ra------ 2006-05-16 18:04 2879488 c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aawservice"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Oxford University Press\\Twenty First Century Science\\content\\start_t.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\Mozilla Shared\\firefox.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-09 64160]
R0 lffycjtc;lffycjtc;c:\windows\system32\drivers\lffycjtc.sys [2004-08-04 23424]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-03-15 178376]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-03-15 30920]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-03-15 28872]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [2009-03-15 1402568]
R3 CBBCM43;BUFFALO WLI-CB-XXX Series Wireless LAN Adapter;c:\windows\system32\drivers\CBG54.SYS [2005-11-01 372480]
S1 c8485a2;c8485a2;c:\windows\system32\drivers\c8485a2.sys [2009-03-07 0]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951120]
S2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [2009-03-15 3321032]
S3 Belkin700F;Belkin Wireless G Desktop Card Service v7;c:\windows\system32\drivers\BLKWGDv7.sys [2006-10-19 303616]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ceagovhn

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{517c1dcf-c9da-11dd-b64c-0016017de508}]
\Shell\AutoRun\command - I:\RavMon.exe
\Shell\explore\Command - I:\RavMon.exe -e
\Shell\open\Command - I:\RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{52885827-db46-11dd-b677-0016017de508}]
\Shell\AutoRun\command - I:\RavMon.exe
\Shell\explore\Command - I:\RavMon.exe -e
\Shell\open\Command - I:\RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a072178c-b686-11dd-b612-00173fd36e63}]
\Shell\AutoRun\command - I:\RavMon.exe
\Shell\explore\Command - I:\RavMon.exe -e
\Shell\open\Command - I:\RavMon.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 12:48]

2009-03-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-14 c:\windows\Tasks\At1.job
- c:\windows\system32\yriqdux.dll [2004-08-04 12:00]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\D&A\Application Data\Mozilla\Firefox\Profiles\phaju8ts.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-18 22:48:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-03-18 22:49:15
ComboFix-quarantined-files.txt 2009-03-18 22:49:10
ComboFix2.txt 2009-03-14 23:24:38

Pre-Run: 48,306,036,736 bytes free
Post-Run: 50,547,736,576 bytes free

226 --- E O F --- 2009-02-25 07:31:55


HIJACK THIS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:52:32, on 18/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {4a0736bd-3d9d-4d40-86c5-bdf063ab24fe} - c:\windows\system32\yriqdux.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1227040515671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1230643681234
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: hmbdkint - C:\WINDOWS\SYSTEM32\yriqdux.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 6190 bytes

[Rodav]

In your first log you had AVG, now you don't seem to have any antivirus installed. If you have none installed I suggest you install one of the free for home use AV's like Avast or AntiVir immediately:


Step 1:
Please go to Virus Total or VirSCAN and upload c:\windows\system32\drivers\lffycjtc.sys for scanning.

For Virus Total

• Please copy and paste C:\WINDOWS\system32\inetcomm.dll in the text box next to the Browse button.
  
• Click on Send File.

For VirScan

• Copy and paste C:\file.exe into the text box next to the Browse... button.
  
• Click on Upload.
  
• The file will be uploaded and scanned. This will take some time. Please be patient.
  
• When done, the page will be refreshed.
  
• Please copy and paste the scan results of this file in your next reply.

Step 2:
You have a flash infection, please insert any external drive device you have for the next steps:

• Please download Flash_Disinfector and save it to your desktop.
  
• Double click to run it.
  
• You will be prompted to plug in your flash drive. Plug it in.
  
• Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
  
• When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
  
• Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.

Step 3:
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote

File::
C:\-1058818287
c:\windows\system32\drivers\c8485a2.sys
c:\windows\system32\yriqdux.dll
c:\windows\Tasks\At1.job
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4a0736bd-3d9d-4d40-86c5-bdf063ab24fe}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hmbdkint]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{517c1dcf-c9da-11dd-b64c-0016017de508}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{52885827-db46-11dd-b677-0016017de508}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a072178c-b686-11dd-b612-00173fd36e63}]
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
Driver::
c8485a2

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply along with a new HijackThis log and the Virustotal/virscasn results.

[DaveC 376]

Thanks again for the help, just to avoid confusion I was finding that Combofix kept detecting AVG running even though I thought I had it off so only way I had round that was to uninstall it. However Avast is now on as per your recommendation.

The requested scan reports are listed below but quick summary is VirusTotal found nothing in either file and ComboFix was denied access to yriqdux.dll

Thanks again and will be keeping an eye out for your reply

Cheers

Dave

COMBO FIX RESULT

Combofix did not leave a result at C:\combofix.txt

all I could find was at C:\combofix\combofix.txt posted below (properties showed it created today at 1907 hours (12 mins ago by my clock)

ComboFix 09-03-18.01 - D&A 2009-03-19 19:06:03.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3318.2876 [GMT 0:00]
Running from: C:\Documents and Settings\D&A\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\D&A\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090319-0] *On-access scanning disabled* (Updated)
FW: Online Armor Firewall *disabled*
* Created a new restore point

FILE ::
C:\-1058818287
c:\windows\system32\drivers\c8485a2.sys
c:\windows\system32\yriqdux.dll
c:\windows\Tasks\At1.job
.

HIJACK THIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:20, on 2009-03-19
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Tall Emu\Online Armor\oahlp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {4a0736bd-3d9d-4d40-86c5-bdf063ab24fe} - c:\windows\system32\yriqdux.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1227040515671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1230643681234
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: hmbdkint - C:\WINDOWS\SYSTEM32\yriqdux.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 7348 bytes

VIRUSTOTAL RESULT FOR inetcomm.dll

File inetcomm.dll_ received on 03.19.2009 19:44:18 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 0/39 (0%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 42 and 60 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.03.19 -
AhnLab-V3 5.0.0.2 2009.03.19 -
AntiVir 7.9.0.120 2009.03.19 -
Authentium 5.1.2.4 2009.03.19 -
Avast 4.8.1335.0 2009.03.19 -
AVG 8.5.0.283 2009.03.19 -
BitDefender 7.2 2009.03.19 -
CAT-QuickHeal 10.00 2009.03.19 -
ClamAV 0.94.1 2009.03.19 -
Comodo 1066 2009.03.18 -
DrWeb 4.44.0.09170 2009.03.19 -
eSafe 7.0.17.0 2009.03.19 -
eTrust-Vet 31.6.6388 2009.03.09 -
F-Prot 4.4.4.56 2009.03.19 -
F-Secure 8.0.14470.0 2009.03.19 -
Fortinet 3.117.0.0 2009.03.19 -
GData 19 2009.03.19 -
Ikarus T3.1.1.48.0 2009.03.19 -
K7AntiVirus 7.10.676 2009.03.19 -
Kaspersky 7.0.0.125 2009.03.19 -
McAfee 5558 2009.03.19 -
McAfee+Artemis 5558 2009.03.19 -
McAfee-GW-Edition 6.7.6 2009.03.19 -
Microsoft 1.4502 2009.03.19 -
NOD32 3948 2009.03.19 -
Norman 6.00.06 2009.03.19 -
nProtect 2009.1.8.0 2009.03.19 -
Panda 10.0.0.10 2009.03.19 -
PCTools 4.4.2.0 2009.03.19 -
Prevx1 V2 2009.03.19 -
Rising 21.21.32.00 2009.03.19 -
Sophos 4.39.0 2009.03.19 -
Sunbelt 3.2.1858.2 2009.03.19 -
Symantec 1.4.4.12 2009.03.19 -
TheHacker 6.3.3.0.285 2009.03.19 -
TrendMicro 8.700.0.1004 2009.03.19 -
VBA32 3.12.10.1 2009.03.18 -
ViRobot 2009.3.19.1656 2009.03.19 -
VirusBuster 4.6.5.0 2009.03.19 -
Additional information
File size: 691712 bytes
MD5...: 1853ef92e14e84ea982abe9156ce14ef
SHA1..: 9d63827db26c82fc8d52f6a48b255adc2b25dd95
SHA256: d3cfe197a7748cea5fa8f62daa038c7abe6a2cabd891c8d439431cb79fddf941
SHA512: 0566d7f5b9a3b5e4ad5cfc349511c1d6f9e59217f5ff52f6b525a2dc20d66383
02d2fca6404ced8927a7eb9e1a398a30a49f5a43d224f0a7fc2cbe946e971855
ssdeep: 12288:cYdboQWdzQiFlkSyEivQX7mQDMbvfCi8pagSx9H++cu:XIdzQGlkSyEEmm
QojfCi8pagmHF

PEiD..: -
TrID..: File type identification
DirectShow filter (43.0%)
Windows OCX File (26.3%)
Win64 Executable Generic (18.2%)
Win32 Executable MS Visual C++ (generic) (8.0%)
Win32 Executable Generic (1.8%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x23c56
timedatestamp.....: 0x47ffb63a (Fri Apr 11 19:04:26 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x99510 0x99600 6.61 d75dfdbe8f881c3366129cb2e74be468
.data 0x9b000 0x5e58 0x3000 3.72 0c7884d3962d831eb661eec99b9d029f
.rsrc 0xa1000 0x3900 0x3a00 5.62 45344bbc4597ad4bd17a4eb6253f65ab
.reloc 0xa5000 0x8894 0x8a00 6.26 6ee9bc95f470d43fc62e03f266eccd0f

( 9 imports )
> MSOERT2.dll: SetWindowLongPtrAthW, FBuildTempPathW, WriteStreamToFileW, IUnknownList_CreateInstance, IVoidPtrList_CreateInstance, IsPlatformWinNT, CreateLogFile, StrTokEx, StrToUintA, PszScanToWhiteA, HrCreatePhonebookEntry, HrEditPhonebookEntry, HrFillRasCombo, FIsSpaceA, UpdateRebarBandColors, LoadMappedToolbarBitmap, HrCreateTridentMenu, HrCheckTridentMenu, CreateInfoWindow, HrIStreamWToBSTR, FreeTempFileList, FIsHTMLFileW, HrIsStreamUnicode, GetHtmlCharset, HrBSTRToLPSZ, HrGetElementImpl, HrSetDirtyFlagImpl, GetExePath, AppendTempFileList, fGetBrowserUrlEncoding, WriteStreamToFile, HrGetBodyElement, HrGetStyleSheet, CreateDataObject, CenterDialog, ReplaceCharsW, IsValidFileIfFileUrlW, MessageBoxInstW, HrIStreamToBSTR, FInitializeRichEdit, GetRichEdClassStringW, SetFontOnRichEd, RicheditStreamIn, HrLPSZToBSTR, HrStreamToByte, HrLPSZCPToBSTR, RicheditStreamOut, PszFromANSIStreamA, StrToUintW, ChConvertFromHex, PVGetMsgParam, HrGetMsgParam, HrGetCertificateParam, UnlocStrEqNW, UlStripWhitespace, FIsEmptyA, PszSkipWhiteW, HrCopyStreamToByte, PszToUnicode, PszToANSI, CchFileTimeToDateTimeW, CchFileTimeToDateTimeSz, CreateEnumFormatEtc, StripCRLF, HrCopyLockBytesToStream, HrGetStreamPos, OpenFileStreamW, BrowseForFolderW, OpenFileStream, PszSkipWhiteA, HrRewindStream, PszDupW, PszAllocW, FIsEmptyW, PszAllocA, HrCopyStreamCBEndOnCRLF, CreateTempFileStream, HrStreamSeekSet, HrSafeGetStreamSize, IsDigit, HrCopyStream, HrCopyStreamCB, CleanupFileNameInPlaceA, PszDupA, CleanupFileNameInPlaceW, HrDecodeObject, PVDecodeObject, IsUpper, HrStreamSeekCur, HrIndexOfMonth, HrIndexOfWeek, HrFindInetTimeZone, PszDayFromIndex, PszMonthFromIndex, PszScanToCharA, CryptFreeFunc, CryptAllocFunc, SzGetCertificateEmailAddress, PVGetCertificateParam, FMissingCert, HrGetStreamSize, DeleteTempFileOnShutdownEx, CreateTempFile, WriteStreamToFileHandle, ReplaceChars, OpenFileStreamShareW, MessageBoxInst
> KERNEL32.dll: GetWindowsDirectoryA, QueryPerformanceCounter, GetCurrentProcessId, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, ReleaseSemaphore, CreateSemaphoreA, GetEnvironmentVariableA, VirtualProtect, SetStdHandle, LCMapStringW, LCMapStringA, VirtualQuery, InterlockedExchange, RtlUnwind, GetStringTypeW, GetStringTypeA, SetFilePointer, GetCPInfo, GetOEMCP, UnhandledExceptionFilter, HeapReAlloc, WriteFile, HeapCreate, HeapDestroy, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, GetStartupInfoA, GetFileType, GetStdHandle, SetHandleCount, TlsAlloc, TlsGetValue, TlsFree, ExitProcess, HeapAlloc, HeapFree, GetCommandLineA, TlsSetValue, DeleteFileW, GetFileSize, FormatMessageA, InterlockedDecrement, InterlockedIncrement, InterlockedCompareExchange, lstrcpynA, InitializeCriticalSection, DeleteCriticalSection, LeaveCriticalSection, FreeLibrary, EnterCriticalSection, DisableThreadLibraryCalls, MultiByteToWideChar, GetModuleFileNameA, lstrcmpiA, lstrlenA, IsDBCSLeadByteEx, lstrlenW, lstrcmpA, GetSystemTimeAsFileTime, SystemTimeToFileTime, GetSystemTime, GetLastError, GetTimeZoneInformation, GetLocalTime, FileTimeToSystemTime, FileTimeToLocalFileTime, SetLastError, VirtualFree, VirtualAlloc, WideCharToMultiByte, CloseHandle, GetModuleHandleA, GlobalFree, GlobalUnlock, GlobalLock, GlobalSize, GetACP, GetTickCount, LocalFree, LocalAlloc, lstrcmpiW, lstrcmpW, IsDBCSLeadByte, GetCurrentThreadId, IsValidCodePage, GetProcAddress, LoadLibraryA, GetSystemInfo, LoadLibraryExA, ExpandEnvironmentStringsA, GetSystemDefaultLCID, RtlMoveMemory, MulDiv, SizeofResource, LockResource, LoadResource, FindResourceA, GetVersionExA, DeleteFileA, CopyFileA, FlushFileBuffers, FreeResource, GlobalAlloc, GetLocaleInfoA, CreateDirectoryA, GetUserDefaultLangID, GetSystemDefaultLangID, SetErrorMode, Sleep, CompareFileTime, SetEvent, ResetEvent, WaitForSingleObject, CreateThread, CreateEventA, TerminateThread
> ole32.dll: CoUninitialize, ReleaseStgMedium, CoTaskMemFree, IIDFromString, OleDestroyMenuDescriptor, OleRun, CoCreateInstance, CreateBindCtx, CreateStreamOnHGlobal, GetHGlobalFromStream, StringFromGUID2, PropVariantClear, CoCreateGuid, CoTaskMemRealloc, CLSIDFromString, CoGetMalloc, CoInitializeEx
> USER32.dll: WinHelpA, GetAsyncKeyState, InsertMenuItemA, GetMenuItemCount, GetMenuItemInfoA, DrawIconEx, DestroyIcon, LoadIconA, CopyIcon, SystemParametersInfoA, PeekMessageA, GetWindowThreadProcessId, DialogBoxParamA, SetForegroundWindow, CreateWindowExA, CharNextExA, CreateDialogParamA, RegisterWindowMessageA, SetDlgItemTextA, IsCharAlphaNumericA, IsCharAlphaA, CharNextA, GetClassInfoA, RegisterClassA, RemovePropA, MoveWindow, SetPropA, MapWindowPoints, GetMenuStringA, SetWindowTextA, CheckMenuRadioItem, GetWindow, TranslateMessage, DispatchMessageA, GetDlgCtrlID, GetPropA, CallWindowProcA, CreatePopupMenu, MessageBeep, InflateRect, IsChild, AppendMenuA, CheckMenuItem, PostMessageA, GetCapture, SetCursor, GetWindowTextLengthA, GetWindowTextA, KillTimer, SetTimer, LoadAcceleratorsA, BeginPaint, GetSystemMetrics, GetSysColor, DrawEdge, EndPaint, LoadStringW, DrawTextExW, GetSysColorBrush, FillRect, ClientToScreen, InvalidateRect, GetFocus, CopyRect, IsWindowVisible, ShowWindow, GetDlgItem, EnableWindow, IsDlgButtonChecked, EndDialog, CheckRadioButton, EnumChildWindows, GetKeyboardLayoutList, LoadMenuA, GetSubMenu, GetClassInfoExA, LoadCursorA, RegisterClassExA, CreateWindowExW, SetWindowLongA, GetWindowLongA, DefWindowProcA, GetDC, ReleaseDC, GetClientRect, SetFocus, SetWindowPos, RemoveMenu, EnableMenuItem, GetWindowRect, GetParent, TrackPopupMenu, DestroyMenu, GetKeyState, SendMessageW, SendMessageA, DestroyWindow, IsWindow, LoadStringA, SendDlgItemMessageA, CharUpperA, CharLowerA, RegisterClipboardFormatA, CharPrevExA
> ADVAPI32.dll: RegQueryValueExA, RegOpenKeyExA, CryptReleaseContext, CryptGetProvParam, CryptAcquireContextA, CryptSetProvParam, RegEnumKeyExA, RegQueryInfoKeyA, RegEnumValueA, RegSetValueExA, RegCreateKeyExA, CryptGenRandom, RegCloseKey
> GDI32.dll: SelectObject, GetObjectA, GetTextMetricsA, DeleteObject, DeleteDC, ExtTextOutA, RestoreDC, BitBlt, SetTextColor, SetBkColor, SetBkMode, CreateCompatibleBitmap, SaveDC, CreateCompatibleDC, GetStockObject, PatBlt, GetTextExtentPoint32A, CreateDIBitmap, GetDeviceCaps, Ellipse, Rectangle, CreateSolidBrush, EnumFontFamiliesExA, CreateFontIndirectA, TranslateCharsetInfo
> SHELL32.dll: ShellExecuteA
> SHLWAPI.dll: -, -, -, -, AssocQueryKeyW, PathQuoteSpacesW, PathFileExistsW, PathIsDirectoryW, PathRemoveFileSpecW, PathIsContentTypeW, PathRemoveFileSpecA, PathAddBackslashA, StrChrIA, SHQueryValueExA, UrlCombineW, PathFileExistsA, StrPBrkW, PathFindFileNameA, StrCpyW, StrCatW, StrChrA, StrChrW, StrToIntW, StrCmpNW, SHRegGetBoolUSValueA, -, StrStrIA, StrDupA, StrDupW, StrFormatByteSizeW, StrCatBuffW, PathStripPathW, PathCompactPathExW, StrCmpNA, StrCpyNW, StrCmpNIW, -, UrlIsW, UrlUnescapeA, StrCmpW, StrCmpIW, StrStrW, StrStrIW, StrStrA, PathFindFileNameW, PathFindExtensionW, wnsprintfW, PathFindExtensionA, StrCmpNIA, wnsprintfA, StrToIntA, StrCatBuffA, UrlGetPartW, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, PathCreateFromUrlA, -, PathAppendW, SHAutoComplete, -
> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -

( 107 exports )
CreateIMAPTransport, CreateIMAPTransport2, CreateNNTPTransport, CreatePOP3Transport, CreateRASTransport, CreateRangeList, CreateSMTPTransport, DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer, EssContentHintDecodeEx, EssContentHintEncodeEx, EssKeyExchPreferenceDecodeEx, EssKeyExchPreferenceEncodeEx, EssMLHistoryDecodeEx, EssMLHistoryEncodeEx, EssReceiptDecodeEx, EssReceiptEncodeEx, EssReceiptRequestDecodeEx, EssReceiptRequestEncodeEx, EssSecurityLabelDecodeEx, EssSecurityLabelEncodeEx, EssSignCertificateDecodeEx, EssSignCertificateEncodeEx, GetDllMajorVersion, HrAthGetFileName, HrAthGetFileNameW, HrAttachDataFromBodyPart, HrAttachDataFromFile, HrDoAttachmentVerb, HrFreeAttachData, HrGetAttachIcon, HrGetAttachIconByFile, HrGetDisplayNameWithSizeForFile, HrGetLastOpenFileDirectory, HrGetLastOpenFileDirectoryW, HrSaveAttachToFile, HrSaveAttachmentAs, MimeEditCreateMimeDocument, MimeEditDocumentFromStream, MimeEditGetBackgroundImageUrl, MimeEditIsSafeToRun, MimeEditViewSource, MimeGetAddressFormatW, MimeOleAlgNameFromSMimeCap, MimeOleAlgStrengthFromSMimeCap, MimeOleClearDirtyTree, MimeOleConvertEnrichedToHTML, MimeOleCreateBody, MimeOleCreateByteStream, MimeOleCreateHashTable, MimeOleCreateHeaderTable, MimeOleCreateMessage, MimeOleCreateMessageParts, MimeOleCreatePropertySet, MimeOleCreateSecurity, MimeOleCreateVirtualStream, MimeOleDecodeHeader, MimeOleEncodeHeader, MimeOleFileTimeToInetDate, MimeOleFindCharset, MimeOleGenerateCID, MimeOleGenerateFileName, MimeOleGenerateMID, MimeOleGetAllocator, MimeOleGetBodyPropA, MimeOleGetBodyPropW, MimeOleGetCertsFromThumbprints, MimeOleGetCharsetInfo, MimeOleGetCodePageCharset, MimeOleGetCodePageInfo, MimeOleGetContentTypeExt, MimeOleGetDefaultCharset, MimeOleGetExtContentType, MimeOleGetFileExtension, MimeOleGetFileInfo, MimeOleGetFileInfoW, MimeOleGetInternat, MimeOleGetPropA, MimeOleGetPropW, MimeOleGetPropertySchema, MimeOleGetRelatedSection, MimeOleInetDateToFileTime, MimeOleObjectFromMoniker, MimeOleOpenFileStream, MimeOleParseMhtmlUrl, MimeOleParseRfc822Address, MimeOleParseRfc822AddressW, MimeOleSMimeCapAddCert, MimeOleSMimeCapAddSMimeCap, MimeOleSMimeCapGetEncAlg, MimeOleSMimeCapGetHashAlg, MimeOleSMimeCapInit, MimeOleSMimeCapRelease, MimeOleSMimeCapsFromDlg, MimeOleSMimeCapsFull, MimeOleSMimeCapsToDlg, MimeOleSetBodyPropA, MimeOleSetBodyPropW, MimeOleSetCompatMode, MimeOleSetDefaultCharset, MimeOleSetPropA, MimeOleSetPropW, MimeOleStripHeaders, MimeOleUnEscapeStringInPlace, RichMimeEdit_CreateInstance

VIRUSTOTAL RESULT FOR lffycjtc.sys

File lffycjtc.sys received on 03.19.2009 19:38:59 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 0/38 (0%)
Loading server information...
Your file is queued in position: 4.
Estimated start time is between 63 and 90 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.03.19 -
AhnLab-V3 5.0.0.2 2009.03.19 -
AntiVir 7.9.0.120 2009.03.19 -
Authentium 5.1.2.4 2009.03.19 -
Avast 4.8.1335.0 2009.03.19 -
AVG 8.5.0.283 2009.03.19 -
BitDefender 7.2 2009.03.19 -
CAT-QuickHeal 10.00 2009.03.19 -
ClamAV 0.94.1 2009.03.19 -
Comodo 1066 2009.03.18 -
DrWeb 4.44.0.09170 2009.03.19 -
eSafe 7.0.17.0 2009.03.19 -
eTrust-Vet 31.6.6388 2009.03.09 -
F-Prot 4.4.4.56 2009.03.19 -
F-Secure 8.0.14470.0 2009.03.19 -
Fortinet 3.117.0.0 2009.03.19 -
GData 19 2009.03.19 -
Ikarus T3.1.1.48.0 2009.03.19 -
K7AntiVirus 7.10.676 2009.03.19 -
Kaspersky 7.0.0.125 2009.03.19 -
McAfee 5558 2009.03.19 -
McAfee+Artemis 5558 2009.03.19 -
McAfee-GW-Edition 6.7.6 2009.03.19 -
Microsoft 1.4502 2009.03.19 -
NOD32 3948 2009.03.19 -
Norman 6.00.06 2009.03.19 -
nProtect 2009.1.8.0 2009.03.19 -
Panda 10.0.0.10 2009.03.19 -
Prevx1 V2 2009.03.19 -
Rising 21.21.32.00 2009.03.19 -
Sophos 4.39.0 2009.03.19 -
Sunbelt 3.2.1858.2 2009.03.19 -
Symantec 1.4.4.12 2009.03.19 -
TheHacker 6.3.3.0.285 2009.03.19 -
TrendMicro 8.700.0.1004 2009.03.19 -
VBA32 3.12.10.1 2009.03.18 -
ViRobot 2009.3.19.1656 2009.03.19 -
VirusBuster 4.6.5.0 2009.03.19 -
Additional information
File size: 23424 bytes
MD5...: 5118a24a6af29642c72ae14c58772775
SHA1..: 3221d4a23992bf001fc96e646f419d180c6f1b29
SHA256: 1c841036d2513c789185e3550e1786834c2e5771d497d9f6300e45ee1524b865
SHA512: 8718f4b59741010480552c3aa191168a32f354566070b3ea302f340d601f33d4
f5cea0541472d33e8bae943cfac6038cff205b969abb012eec7f4ff4d6c40271
ssdeep: 384:c8Lb5xdIswCKA98X43QtuCZVNbIcP3WJcwWjcAdyEmnmWaODX5rcJ9naUBDv
6ILj:5pNSoADTjOelmnmWRDSJ9aUN62aZfKf

PEiD..: -
TrID..: File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x27c7
timedatestamp.....: 0x48025771 (Sun Apr 13 18:56:49 2008)
machinetype.......: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x300 0x2300 0x2300 6.89 b547eafda0719b700355c348c9850988
.rdata 0x2600 0xe1 0x100 3.33 1ce6ee7b8767a76a9725a4d7609b2c12
.data 0x2700 0x20 0x80 0.38 0c41a08c90a7d5e81bf065649ebabedc
INIT 0x2780 0x45c 0x480 5.26 9b29b76abd6b8499ea13f475a3b7ceb4
.byfo 0x2c00 0x2980 0x2980 7.74 a7e7f0dbadc4ddc94bc8af9ea0a89d36
.rsrc 0x5580 0x3e8 0x400 3.39 57e24e21fe9a929280d91b3e81c1a23c
.reloc 0x5980 0x1ce 0x200 5.04 709f3b9076f654b5acd6a8e26de7b74e

( 4 imports )
> ntoskrnl.exe: InterlockedDecrement, InterlockedIncrement, ExFreePool, IoFreeMdl, IoAllocateMdl, IoCancelIrp, memmove, ExAllocatePoolWithTag, KeSetEvent, IoAllocateIrp, MmBuildMdlForNonPagedPool, MmMapLockedPages, KeTickCount, KeInitializeEvent, KeInitializeTimer, KeInitializeDpc, KeSetTimer, IoQueueWorkItem, IoAllocateWorkItem, IofCallDriver, KeWaitForSingleObject, IoFreeIrp, IoFreeWorkItem, KeInitializeSpinLock
> HAL.dll: KfRaiseIrql, KfAcquireSpinLock, KeGetCurrentIrql, KfReleaseSpinLock, KfLowerIrql
> USBD.SYS: USBD_CreateConfigurationRequestEx, USBD_ParseConfigurationDescriptor
> RNDISMPX.SYS: RndisMInitializeWrapperEx, RndisMSendCompleteEx, RndisMIndicateReceiveEx

( 0 exports )

[Rodav]

Hi Dave,

I was in a hurry posting last night and gave you extra files to scan, you did get the one I wanted to see though. Sorry about the extra work but there was no harm done. Anyway it looks like something is protecting that vundo file, we can have a deeper look.

Step 1:
Download at your desktop DDS from one of the links below:

Link 1
Link 2

• Double click the tool to run it.
  
• A black Screen will open, just read the contents and do nothing.
  
• When the tool finish it will open 2 reports.
  
• Copy/paste both reports back here and remove DDS from your desktop.

Step 2:
Please download gmer.zip from Gmer and save it to your desktop.

• Right click on gmer.zip and select Extract All....
  
• Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  
• Click on the Browse button. Click on Desktop. Then click OK.
  
• Click Next. It will start extracting.
  
• Once done, check (tick) the Show extracted files box and click Finish.

Double click on gmer.exe to run it. It will start running a scan. If it detects rootkit activity, you will receive a prompt to run a full scan. Click Yes.

• When done, you may receive another notice. Click OK.
  
• Click on Save ... to save a log.
  
• Copy and paste in Gmer.txt and click Save.
  
• Close Gmer.

If you receive no notice, click on the Scan button.

• It will start scanning again.
  
• When done, click on Save ... to save a log.
  
• Copy and paste in Gmer.txt and click Save.
  
• Close Gmer.

Note: Do not run any programs while Gmer is running.


Logs to Post:
Post the following logs, if you need to use multiple replies to post the logs please do so:
The 2 DDS logs
Gmer.txt

[DaveC 376]

Morning

Had a chance to try some of this before work so here are the 2 DDS logs, the second said to zip up instead of posting so I have posted it AND attached as a rar (couldnt find zip....)

If gmer takes more than 2 mins I will have to wait till later/tomorrow due to work but really appreciate the work and help.
hanks again

Dave

DDS.txt


DDS (Ver_09-03-16.01) - NTFSx86
Run by D&A at 6:55:35.07 on 2009-03-20
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3318.2887 [GMT 0:00]

AV: avast! antivirus 4.8.1335 [VPS 090319-0] *On-access scanning enabled* (Updated)
FW: Online Armor Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\D&A\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {4a0736bd-3d9d-4d40-86c5-bdf063ab24fe} - c:\windows\system32\yriqdux.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File


ATTACH.TXT


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 2008-11-17 11:31:50
System Uptime: 2009-03-20 06:31:15 (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | P5K-VM
Processor: Intel Pentium III Xeon processor | LGA775 | 2999/333mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 149 GiB total, 46.912 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\ATK0110\1010110
Manufacturer:
Name:
PNP Device ID: ACPI\ATK0110\1010110
Service:

Class GUID: {6BDD1FC6-810F-11D0-BEC7-08002BE2092F}
Description: Photosmart C4380 series
Device ID: ROOT\IMAGE\0000
Manufacturer: HP
Name: HP Photosmart C4380
PNP Device ID: ROOT\IMAGE\0000
Service: StillCam

Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: Photosmart C4380 series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP

[DaveC 376]

Wow! gmer ran way quicker than expected!

here is the log...

Thanks again

GMER 1.0.15.14939 - http://www.gmer.net
Rootkit scan 2009-03-20 07:02:43
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwEnumerateKey [0xA818EE20]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwEnumerateValueKey [0xA818EE50]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \Driver\Tcpip \Device\Ip OAmon.sys (TDI Helper Driver/Tall Emu Pty Ltd)
Device \Driver\Tcpip \Device\Tcp OAmon.sys (TDI Helper Driver/Tall Emu Pty Ltd)
Device \Driver\Tcpip \Device\Udp OAmon.sys (TDI Helper Driver/Tall Emu Pty Ltd)
Device \Driver\Tcpip \Device\RawIp OAmon.sys (TDI Helper Driver/Tall Emu Pty Ltd)

---- EOF - GMER 1.0.15 ----

[Rodav]

Both DDS logs seemed to have been cut off, could you please run it again. DDS.txt should end with something like:
============= FINISH: 21:10:11.75 ===============
Attach.txt should end with ==== End Of File ===========================

[DaveC 376]

Just re run DDS and here are the logs

DDS.TXT


DDS (Ver_09-03-16.01) - NTFSx86
Run by D&A at 22:46:05.31 on 2009-03-20
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3318.2810 [GMT 0:00]

AV: avast! antivirus 4.8.1335 [VPS 090320-0] *On-access scanning enabled* (Updated)
FW: Online Armor Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Tall Emu\Online Armor\oahlp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\D&A\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {4a0736bd-3d9d-4d40-86c5-bdf063ab24fe} - c:\windows\system32\yriqdux.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [@OnlineArmor GUI] "c:\program files\tall emu\online armor\oaui.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227040515671
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230643681234
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: hmbdkint - yriqdux.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\d&a\applic~1\mozilla\firefox\profiles\phaju8ts.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-9 64160]
R0 lffycjtc;lffycjtc;c:\windows\system32\drivers\lffycjtc.sys [2004-8-4 23424]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-3-19 114768]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-3-15 178376]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-3-15 30920]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-3-15 28872]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-19 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-3-19 138680]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 951120]
R2 OAcat;Online Armor Helper Service;c:\program files\tall emu\online armor\oacat.exe [2009-3-15 1402568]
R2 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2009-3-15 3321032]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-3-19 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-3-19 352920]
R3 CBBCM43;BUFFALO WLI-CB-XXX Series Wireless LAN Adapter;c:\windows\system32\drivers\CBG54.SYS [2005-11-1 372480]
S3 Belkin700F;Belkin Wireless G Desktop Card Service v7;c:\windows\system32\drivers\BLKWGDv7.sys [2006-10-19 303616]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]

=============== Created Last 30 ================

2009-03-19 19:05 389,120 a------- c:\windows\system32\CF6364.exe
2009-03-19 19:05 <DIR> --d----- C:\ComboFix
2009-03-19 18:55 <DIR> a-dshr-- C:\autorun.inf
2009-03-19 06:31 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-03-15 14:14 <DIR> --d----- c:\program files\Trend Micro
2009-03-15 13:52 <DIR> --d----- c:\docume~1\d&a\applic~1\OnlineArmor
2009-03-15 13:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\OnlineArmor
2009-03-15 13:52 178,376 a------- c:\windows\system32\drivers\OADriver.sys
2009-03-15 13:52 30,920 a------- c:\windows\system32\drivers\OAmon.sys
2009-03-15 13:52 28,872 a------- c:\windows\system32\drivers\OAnet.sys
2009-03-15 13:52 <DIR> --d----- c:\program files\Tall Emu
2009-03-15 03:00 <DIR> --d----- c:\documents and settings\d&a\DoctorWeb
2009-03-15 01:52 51,060 a------- C:\MGlogs.zip
2009-03-15 01:52 <DIR> --d----- C:\MGtools
2009-03-15 01:45 1,339,834 a------- C:\MGtools.exe
2009-03-15 01:18 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-15 01:18 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-14 23:32 <DIR> --d----- c:\docume~1\d&a\applic~1\aAvgApi
2009-03-14 23:18 <DIR> a-dshr-- C:\cmdcons
2009-03-14 23:16 161,792 a------- c:\windows\SWREG.exe
2009-03-14 23:16 98,816 a------- c:\windows\sed.exe
2009-03-14 08:28 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-14 07:55 <DIR> --d----- c:\program files\mp3DirectCut
2009-03-13 11:40 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-13 11:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-12 09:52 <DIR> --d----- c:\docume~1\d&a\applic~1\Malwarebytes
2009-03-11 11:06 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-03-11 10:54 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-11 10:54 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-11 10:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-11 10:54 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-11 07:53 <DIR> --d----- c:\docume~1\d&a\applic~1\dcumwcsi
2009-03-09 15:23 22,540 a------- c:\windows\system32\AAWService_2009_03_09_15_23_54.dmp
2009-03-09 15:19 <DIR> --d----- c:\program files\CCleaner
2009-03-09 12:49 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-03-09 12:46 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-27 07:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-27 07:23 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-27 07:23 <DIR> --d----- c:\docume~1\d&a\applic~1\SUPERAntiSpyware.com
2009-02-25 07:05 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-02-21 19:48 <DIR> --d----- c:\windows\Downloaded Installations
2009-02-21 19:40 15,104 ac------ c:\windows\system32\dllcache\usbscan.sys
2009-02-21 19:40 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-02-21 19:40 5,632 a------- c:\windows\system32\ptpusb.dll
2009-02-21 19:40 159,232 a------- c:\windows\system32\ptpusd.dll

==================== Find3M ====================

2009-01-17 17:40 47,360 a------- c:\docume~1\d&a\applic~1\pcouffin.sys
2009-01-06 21:35 26,072 a------- c:\docume~1\d&a\applic~1\GDIPFONTCACHEV1.DAT
2008-12-20 23:15 826,368 a------- c:\windows\system32\wininet.dll
2006-06-23 14:48 32,768 a------- c:\windows\inf\UpdateUSB.exe
2008-11-20 17:17 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008112020081121\index.dat

============= FINISH: 22:47:54.87 ===============

ATTACH.TXT


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 2008-11-17 11:31:50
System Uptime: 2009-03-20 22:11:17 (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | P5K-VM
Processor: Intel Pentium III Xeon processor | LGA775 | 2999/333mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 149 GiB total, 46.909 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\ATK0110\1010110
Manufacturer:
Name:
PNP Device ID: ACPI\ATK0110\1010110
Service:

Class GUID: {6BDD1FC6-810F-11D0-BEC7-08002BE2092F}
Description: Photosmart C4380 series
Device ID: ROOT\IMAGE\0000
Manufacturer: HP
Name: HP Photosmart C4380
PNP Device ID: ROOT\IMAGE\0000
Service: StillCam

Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: Photosmart C4380 series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Photosmart C4380 series
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:

==== System Restore Points ===================

RP1: 2009-03-14 22:43:41 - System Checkpoint
RP2: 2009-03-14 22:45:42 - Removed AVG 8.0
RP3: 2009-03-14 22:50:17 - Removed AVG 8.0
RP4: 2009-03-14 23:16:59 - ComboFix created restore point
RP5: 2009-03-14 23:28:41 - Installed AVG Free 8.0
RP6: 2009-03-15 01:18:33 - Installed Java™ 6 Update 12
RP7: 2009-03-15 11:13:06 - Avg8 Update
RP8: 2009-03-16 18:04:37 - System Checkpoint
RP9: 2009-03-17 20:36:08 - System Checkpoint
RP10: 2009-03-18 21:24:09 - System Checkpoint
RP11: 2009-03-18 22:40:13 - Removed AVG Free 8.5
RP12: 2009-03-18 22:40:53 - Installed AVG Free 8.5
RP13: 2009-03-18 22:45:56 - ComboFix created restore point
RP14: 2009-03-19 19:05:42 - ComboFix created restore point

==== Installed Programs ======================

32 Bit HP CIO Components Installer
Acrobat.com
Ad-Aware
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1
Apple Mobile Device Support
Apple Software Update
AutoUpdate
avast! Antivirus
Avi2Dvd 0.4.5 beta
AviSynth 2.5
Bonjour
CCleaner (remove only)
ConvertXtoDVD 2.2.3.258h
Counter-Strike: Source
CyberScrub® Privacy Suite™ 5.0
DivX Codec
Half-Life 2
Half-Life 2: Deathmatch
Half-Life 2: Lost Coast
Half-Life® 2
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
HP Photosmart All-In-One Driver Software 10.0 Rel .2
HP Smart Web Printing
HP Update
HPSSupply
Image Resizer Powertoy for Windows XP
ImagXpress
Intel® Graphics Media Accelerator Driver
iTunes
Java™ 6 Update 12
K-Lite Codec Pack 4.3.1 (Standard)
Kremlin
LightScribe 1.4.136.1
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft ActiveSync
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Standard for Students and Teachers
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.7)
MSXML 4.0 SP2 (KB954430)
Nero 7 Ultra Edition
Nero Burning ROM Help
Nero ControlCenter
Nero Move it
Nero Vision
neroxml
NetDeviceManager
Online Armor 3.0
OpenAL
PS_AIO_02_Software_Min
QuickTime
Realtek High Definition Audio Driver
Scan
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960715)
Shop for HP Supplies
SmartWebPrintingOC
SpeedFan (remove only)
Spybot - Search & Destroy
Steam™
SUPERAntiSpyware Free Edition
Toolbox
Twenty First Century Science iPack
Update for Windows XP (KB898461)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Xvid 1.2.1 final uninstall
XviD4PSP 5.0

==== Event Viewer Messages From Past Week ========

2009-03-15 01:57:47, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2009-03-15 01:57:47, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
2009-03-15 01:49:27, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
2009-03-15 01:49:27, error: Service Control Manager [7000] - The Automatic Updates service failed to start due to the following error: The system cannot find the file specified.
2009-03-15 01:49:27, error: Service Control Manager [7000] - The Background Intelligent Transfer Service service failed to start due to the following error: The system cannot find the file specified.
2009-03-14 23:32:49, error: DCOM [10005] - DCOM got error "%2" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
2009-03-14 22:44:27, error: Service Control Manager [7031] - The AVG Free8 WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
2009-03-14 22:44:21, error: Service Control Manager [7034] - The AVG Free8 E-mail Scanner service terminated unexpectedly. It has done this 2 time(s).
2009-03-14 22:43:09, error: Service Control Manager [7034] - The AVG Free8 E-mail Scanner service terminated unexpectedly. It has done this 1 time(s).
2009-03-14 22:42:45, error: Service Control Manager [7031] - The AVG Free8 WatchDog service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
2009-03-14 22:11:16, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2009-03-14 20:54:50, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
2009-03-14 20:54:13, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
2009-03-14 20:50:51, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
2009-03-14 20:50:51, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
2009-03-14 20:50:51, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
2009-03-13 18:24:56, error: Service Control Manager [7034] - The HP Network Devices Support service terminated unexpectedly. It has done this 1 time(s).
2009-03-15 01:57:47, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2009-03-15 01:57:47, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2009-03-15 01:57:47, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
2009-03-15 11:02:35, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm SASDIFSV SASKUTIL
2009-03-15 11:04:20, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
2009-03-15 11:18:55, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm IPSec MRxSmb NetBIOS NetBT ohci1394 RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
2009-03-15 11:21:14, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
2009-03-15 14:03:54, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Online Armor Helper Service service to connect.
2009-03-15 14:03:54, error: Service Control Manager [7000] - The Online Armor Helper Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2009-03-18 17:08:28, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0016017DE508. The following error occurred: The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
2009-03-18 19:11:20, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for ImagePath with the following error: Access is denied.
2009-03-19 07:08:20, error: Workstation [5727] - Could not load Rdbss device driver.
2009-03-19 07:08:23, error: Workstation [5727] - Could not load RDR device driver.
2009-03-19 07:09:03, error: Service Control Manager [7022] - The avast! Antivirus service hung on starting.
2009-03-19 07:09:03, error: Service Control Manager [7000] - The Print Spooler service failed to start due to the following error: Access is denied.
2009-03-19 07:09:03, error: Service Control Manager [7023] - The Workstation service terminated with the following error: Access is denied.
2009-03-19 07:09:03, error: Service Control Manager [7000] - The WebDav Client Redirector service failed to start due to the following error: Access is denied.
2009-03-19 07:09:03, error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector service which failed to start because of the following error: Access is denied.
2009-03-19 07:09:03, error: Service Control Manager [7000] - The Apple Mobile Device service failed to start due to the following error: Access is denied.
2009-03-19 07:09:03, error: Service Control Manager [7000] - The Bonjour Service service failed to start due to the following error: Access is denied.
2009-03-19 07:09:03, error: Service Control Manager [7001] - The Computer Browser service depends on the Workstation service which failed to start because of the following error: Access is denied.
2009-03-19 07:09:03, error: Service Control Manager [7000] - The HP Network Devices Support service failed to start due to the following error: Access is denied.
2009-03-19 07:09:03, error: Service Control Manager [7000] - The HTTP service failed to start due to the following error: Access is denied.
2009-03-19 07:09:03, error: Service Control Manager [7001] - The HTTP SSL service depends on the HTTP service which failed to start because of the following error: Access is denied.
2009-03-19 07:09:03, error: Service Control Manager [7000] - The Java Quick Starter service failed to start due to the following error: Access is denied.
2009-03-19 07:09:03, error: Service Control Manager [7023] - The Server service terminated with the following error: Access is denied.
2009-03-19 07:09:03, error: Service Control Manager [7000] - The Machine Debug Manager service failed to start due to the following error: Access is denied.
2009-03-19 07:09:03, error: Service Control Manager [7000] - The Net Driver HPZ12 service failed to start due to the following error: Access is denied.
2009-03-19 07:09:03, error: Service Control Manager [7000] - The Online Armor Helper Service service failed to start due to the following error: Access is denied.
2009-03-19 07:09:03, error: Service Control Manager [7000] - The Pml Driver HPZ12 service failed to start due to the following error: Access is denied.
2009-03-19 07:09:03, error: Service Control Manager [7001] - The SSDP Discovery Service service depends on the HTTP service which failed to start because of the following error: Access is denied.
2009-03-19 07:09:03, error: Service Control Manager [7000] - The Windows Image Acquisition (WIA) service failed to start due to the following error: Access is denied.
2009-03-19 07:09:03, error: Service Control Manager [7001] - The Universal Plug and Play Device Host service depends on the HTTP service which failed to start because of the following error: Access is denied.
2009-03-19 07:09:03, error: Service Control Manager [7001] - The Windows Media Player Network Sharing Service service depends on the HTTP SSL service which failed to start because of the following error: The dependency service or group failed to start.
2009-03-19 07:09:06, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: Access is denied.
2009-03-19 07:09:19, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 1 time(s).
2009-03-20 16:17:17, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
2009-03-20 16:17:17, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

==== End Of File ===========================

[Rodav]

Hi, sorry for the delay, I was away.

Step 1:
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote

File::
c:\windows\system32\yriqdux.dll
c:\windows\system32\drivers\lffycjtc.sys
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4a0736bd-3d9d-4d40-86c5-bdf063ab24fe}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hmbdkint]
DDS::
TB: {A057A204-BACC-4D26-9990-79A187E2698E} -
Driver::
lffycjtc

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply along with a new HijackThis log.

[DaveC 376]

Evening and thanks again, here are the Combofix and HJT logs.

ComboFix 09-03-22.01 - D&A 2009-03-22 21:25:09.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3318.2859 [GMT 0:00]
Running from: c:\documents and settings\D&A\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\D&A\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090321-0] *On-access scanning disabled* (Updated)
FW: Online Armor Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\drivers\lffycjtc.sys
c:\windows\system32\yriqdux.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\D&A\Cookies\OFLMC.PEG
c:\documents and settings\D&A\Cookies\OUOIA.IPV
c:\windows\system32\drivers\lffycjtc.sys
c:\windows\system32\yriqdux.dll
.
---- Previous Run -------
.
C:\-1058818287
c:\windows\system32\drivers\c8485a2.sys
c:\windows\Tasks\At1.job
c:\windows\system32\yriqdux.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_c8485a2
-------\Legacy_lffycjtc
-------\Service_lffycjtc


((((((((((((((((((((((((( Files Created from 2009-02-22 to 2009-03-22 )))))))))))))))))))))))))))))))
.

2009-03-19 06:31 . 2003-03-18 20:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2009-03-19 06:30 . 2009-03-19 06:30 <DIR> d-------- c:\program files\Alwil Software
2009-03-15 14:14 . 2009-03-15 14:14 <DIR> d-------- c:\program files\Trend Micro
2009-03-15 13:52 . 2009-03-15 13:52 <DIR> d-------- c:\program files\Tall Emu
2009-03-15 13:52 . 2009-03-22 21:34 <DIR> d-------- c:\documents and settings\D&A\Application Data\OnlineArmor
2009-03-15 13:52 . 2009-03-15 13:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\OnlineArmor
2009-03-15 13:52 . 2008-12-13 02:26 178,376 --a------ c:\windows\system32\drivers\OADriver.sys
2009-03-15 13:52 . 2008-12-13 02:26 30,920 --a------ c:\windows\system32\drivers\OAmon.sys
2009-03-15 13:52 . 2008-12-13 02:26 28,872 --a------ c:\windows\system32\drivers\OAnet.sys
2009-03-15 03:00 . 2009-03-15 03:00 <DIR> d-------- c:\documents and settings\D&A\DoctorWeb
2009-03-15 01:52 . 2009-03-15 01:53 <DIR> d-------- C:\MGtools
2009-03-15 01:52 . 2009-03-15 01:53 51,060 --a------ C:\MGlogs.zip
2009-03-15 01:45 . 2009-03-15 01:45 1,339,834 --a------ C:\MGtools.exe
2009-03-15 01:18 . 2009-03-15 01:18 <DIR> d-------- c:\program files\Java
2009-03-15 01:18 . 2009-03-15 01:18 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-15 01:18 . 2009-03-15 01:18 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-14 23:32 . 2009-03-14 23:32 <DIR> d-------- c:\documents and settings\D&A\Application Data\aAvgApi
2009-03-14 08:28 . 2009-03-09 12:49 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-03-14 07:55 . 2009-03-14 07:55 <DIR> d-------- c:\program files\mp3DirectCut
2009-03-13 11:40 . 2009-03-13 11:42 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-13 11:40 . 2009-03-13 11:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-12 09:52 . 2009-03-12 09:52 <DIR> d-------- c:\documents and settings\D&A\Application Data\Malwarebytes
2009-03-11 11:06 . 2009-03-11 11:06 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-11 10:54 . 2009-03-11 10:54 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-11 10:54 . 2009-03-11 10:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-11 10:54 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-11 10:54 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-11 07:53 . 2009-03-11 07:53 <DIR> d-------- c:\documents and settings\D&A\Application Data\dcumwcsi
2009-03-11 07:34 . 2009-03-11 07:34 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\dcumwcsi
2009-03-09 15:23 . 2009-03-09 15:23 22,540 --a------ c:\windows\system32\AAWService_2009_03_09_15_23_54.dmp
2009-03-09 15:19 . 2009-03-09 15:19 <DIR> d-------- c:\program files\CCleaner
2009-03-09 12:49 . 2009-03-09 12:49 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-03-09 12:46 . 2009-03-09 12:46 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-09 10:11 . 2009-03-09 10:11 <DIR> d-------- c:\documents and settings\Administrator\Application Data\CyberScrub
2009-03-09 09:59 . 2009-03-18 22:40 <DIR> d-------- c:\documents and settings\Administrator
2009-02-27 07:23 . 2009-03-11 11:06 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-27 07:23 . 2009-02-27 07:23 <DIR> d-------- c:\documents and settings\D&A\Application Data\SUPERAntiSpyware.com
2009-02-27 07:23 . 2009-02-27 07:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-25 07:05 . 2009-01-09 19:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-22 21:10 --------- d-----w c:\documents and settings\D&A\Application Data\uTorrent
2009-03-22 14:42 --------- d-----w c:\documents and settings\D&A\Application Data\HPAppData
2009-03-15 21:27 --------- d-----w c:\program files\Common Files\Adobe
2009-03-09 12:46 --------- d-----w c:\program files\Lavasoft
2009-03-09 12:46 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-09 08:26 --------- d-----w c:\program files\Trials 2 Second Edition
2009-02-02 16:13 --------- d-----w c:\program files\Bonjour
2009-01-31 22:02 --------- d-----w c:\documents and settings\NetworkService\Application Data\DivX
2009-01-23 12:55 --------- d-----w c:\program files\Valve
2009-01-17 17:40 47,360 ----a-w c:\documents and settings\D&A\Application Data\pcouffin.sys
2009-01-06 21:35 26,072 ----a-w c:\documents and settings\D&A\Application Data\GDIPFONTCACHEV1.DAT
2008-11-20 17:17 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008112020081121\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-18_22.48.37.93 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-05 21:11:35 1,256,296 ----a-w c:\windows\system32\aswBoot.exe
+ 2009-02-05 21:04:45 97,480 ----a-w c:\windows\system32\AvastSS.scr
+ 2009-02-05 21:05:11 26,944 ----a-w c:\windows\system32\drivers\aavmker4.sys
+ 2009-02-05 21:07:12 20,560 ----a-w c:\windows\system32\drivers\aswFsBlk.sys
+ 2009-02-05 21:08:19 93,296 ----a-w c:\windows\system32\drivers\aswmon.sys
+ 2009-02-05 21:08:10 94,032 ----a-w c:\windows\system32\drivers\aswmon2.sys
+ 2009-02-05 21:06:10 23,152 ----a-w c:\windows\system32\drivers\aswRdr.sys
+ 2009-02-05 21:07:23 114,768 ----a-w c:\windows\system32\drivers\aswSP.sys
+ 2009-02-05 21:06:20 51,376 ----a-w c:\windows\system32\drivers\aswTdi.sys
+ 2009-03-22 21:29:34 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4e0.dat
+ 2009-03-22 21:29:35 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_a8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2008-12-13 6223048]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^D&A^Start Menu^Programs^Startup^Kremlin Sentry.lnk]
path=c:\documents and settings\D&A\Start Menu\Programs\Startup\Kremlin Sentry.lnk
backup=c:\windows\pss\Kremlin Sentry.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
--a------ 2009-03-09 12:48 515416 c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2009-02-27 17:10 35696 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-04-20 13:57 162584 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-10-14 21:17 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-04-20 13:57 142104 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 00:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2007-04-20 13:57 138008 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Privacy Suite RiskMonitor]
--a------ 2007-11-22 10:53 1777296 c:\program files\CyberScrub Privacy Suite\CSRiskMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2009-01-23 13:06 1410296 c:\program files\Valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2009-02-17 11:43 1830128 c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2006-10-18 20:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-ra------ 2007-01-30 18:54 16116224 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-ra------ 2006-05-16 18:04 2879488 c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aawservice"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Oxford University Press\\Twenty First Century Science\\content\\start_t.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\Mozilla Shared\\firefox.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-09 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-03-19 114768]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-03-15 178376]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-03-15 30920]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-03-15 28872]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-03-19 20560]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [2009-03-15 1402568]
R3 CBBCM43;BUFFALO WLI-CB-XXX Series Wireless LAN Adapter;c:\windows\system32\drivers\CBG54.SYS [2005-11-01 372480]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951120]
S2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [2009-03-15 3321032]
S3 Belkin700F;Belkin Wireless G Desktop Card Service v7;c:\windows\system32\drivers\BLKWGDv7.sys [2006-10-19 303616]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ceagovhn
.
Contents of the 'Scheduled Tasks' folder

2009-03-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 12:48]

2009-03-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\D&A\Application Data\Mozilla\Firefox\Profiles\phaju8ts.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-22 21:34:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-22 21:37:12 - machine was rebooted [D&A]
ComboFix-quarantined-files.txt 2009-03-22 21:37:10
ComboFix2.txt 2009-03-18 22:49:16
ComboFix3.txt 2009-03-14 23:24:38

Pre-Run: 48,711,852,032 bytes free
Post-Run: 48,712,216,576 bytes free

249 --- E O F --- 2009-02-25 07:31:55

HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:40:09, on 22/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1227040515671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1230643681234
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 7137 bytes

[Rodav]

Excellent, looks like we got it. I would like to see one more scan just to make sure there is nothing leftover. Also let me know how your computer is running.

Run Eset NOD32 Online AntiVirus
http://www.eset.eu/online-scanner
Note: You will need to use Internet Explorer for this scan.

• Tick the box next to YES, I accept the Terms of Use.
  
• Click Start
  
• When asked, allow the activex control to install
  
• Disable your current Antivirus software. You can usually do this with its Notfication Tray icon near the clock.
  
• Click Start
  
• Make sure that the option "Remove found threats" is Un-checked, and the option "Scan unwanted applications" is checked
  
• Click Scan
  
• Wait for the scan to finish
  
• Re-enable your Anvirisus software.
  
• A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post along with a new HijackThis log.

[AdvancedSetup]

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.