6 replies to this topic

[shegon]

Hello,

I hope that someone will be able to help me here. I am relatively certain that my computer has a virus, but I have been unable to get rid of it or even find where it is. I heard about this program from a friend, so I downloaded it to see if it could fix the issue. However, when I try to install it, I get the following error message four times:

microsoft visual c++ runtime library

runtime error!

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

This application has requested that the runtime terminate it in an unusual way.Please contact the programs support team for more information.

After having this issue several times of uninstalling and reinstaling the program, I tried changing the name of the install program to winlogon to no avail. I also tried to install the program running in safe mode, and brought the full version of the program over from another computer on a flash drive, but I still had the same issue. I updated my microsoft visual basic to the newest version, but that didn't help either. Any assistance with installing and running this program would be greatly appreciated. Here are the hijack this logs from my computer:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:11:35 AM, on 8/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WTClient.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
D:\itunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {95b6f475-10b2-4b86-b046-e4b9fed65729} - C:\WINDOWS\system32\legabebo.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [WTClient] WTClient.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [iTunesHelper] "D:\itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [zegisolimi] Rundll32.exe "C:\WINDOWS\system32\vasidifu.dll",s
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CPMb72e37c4] Rundll32.exe "C:\WINDOWS\system32\gorawuwi.dll",a
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\daemon.exe -autorun
O4 - HKUS\S-1-5-19\..\Run: [zegisolimi] Rundll32.exe "C:\WINDOWS\system32\vasidifu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [zegisolimi] Rundll32.exe "C:\WINDOWS\system32\vasidifu.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\fegezofo.dll c:\windows\system32\gorawuwi.dll c:\windows\system32\doziluhi.dll c:\windows\system32\fisibezu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gorawuwi.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gorawuwi.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus® Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit (mi-raysat_3dsMax2009_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\Drivers\WTSRV.EXE

--
End of file - 9119 bytes

Thank you in advance for your assistance.

[Maurice Naggar]

Hello shegon and welcome to MalwareBytes forums.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
If you are a casual viewer, do NOT try this on your system!
If you are not shegon and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.

1. Go >> Here << and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

=

1. Set Windows to show all files and all folders.
On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

2. Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}

=

Right click on the Ad-Watch icon in the system tray.
At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
Active: This will turn Ad-Watch On\Off without closing it.
Automatic: Suspicious activity will be blocked automatically.
Uncheck both of those boxes.

=

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from
>>> here <<<

• Double-click FixPolicies.exe.
  
• Click the "Install" button on the bottom toolbar of the box that will open.
  
• The program will create a new Folder called FixPolicies.
  
• Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  
• A black box will briefly appear and then close.
  
• This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

Next, Close all browsers and all other programs that you have started.

Start HijackThis. Look for these lines and place a checkmark against each of the following, if still present

Quote

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [zegisolimi] Rundll32.exe "C:\WINDOWS\system32\vasidifu.dll",s

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [CPMb72e37c4] Rundll32.exe "C:\WINDOWS\system32\gorawuwi.dll",a

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKUS\S-1-5-19\..\Run: [zegisolimi] Rundll32.exe "C:\WINDOWS\system32\vasidifu.dll",s (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [zegisolimi] Rundll32.exe "C:\WINDOWS\system32\vasidifu.dll",s (User 'NETWORK SERVICE')

O20 - AppInit_DLLs: C:\WINDOWS\system32\fegezofo.dll c:\windows\system32\gorawuwi.dll c:\windows\system32\doziluhi.dll c:\windows\system32\fisibezu.dll

O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gorawuwi.dll

O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gorawuwi.dll

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer (& or any other window) is closed when you click Fix Checked!

=

Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe

• Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  
• Copy all the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  :files
  C:\WINDOWS\system32\vasidifu.dll
  C:\WINDOWS\system32\gorawuwi.dll
  C:\WINDOWS\system32\fegezofo.dll
  c:\windows\system32\doziluhi.dll
  c:\windows\system32\fisibezu.dll
  C:\recycler
  D:\recycler
  e:\recycler
  f:\recycler
  g:\recycler
  h:\recycler
  
  :Commands
  [purity]
  [emptytemp]
  [reboot]

  
  
• Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  
  
• Close any browser(s) windows that may be open.
  
• Using your mouse, click on the red-lettered button Run Fix.
  
• Once you see a message box "Fix complete! Click OK to open the fix log."
  Click the OK button
  
• The log will open in Notepad (your default text editor).
  
• Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

=
Please download VundoFix to your desktop.

• Double-click VundoFix.exe to run it. If using Windows Vista be sure to Run As Administrator.
  
• Click the Scan for Vundo button.
  
• Once it's done scanning, click the 'Fix Vundo' button.
  
• You will receive a prompt asking if you want to remove the files, click YES
  
• Once you click yes, your desktop will go blank as it starts removing Vundo.
  
• When completed, it will prompt that it will shutdown your computer, click OK.
  
• Turn your computer back on.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot. Follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

=

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1
Link 2
Link 3







* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  
  
  
• Double click on Combo-Fix.exe & follow the prompts.
  
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

IF you should see a message like this:

then, be sure to write down fully and also copy that into your next reply here and then await for my response.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.
=

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copy of the OTL MOvedFiles log
the C:\Combofix.txt

[shegon]

Hello Maurice,

Thank you for the quick reply. I ran through the series of programs as you instructed. I'm not sure if the OTL worked correctly, but here is the log I found when the computer restarted:

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

I didn't try it again since you had warned not to run it twice. I do think the combo fix worked. It produced this log.

ComboFix 09-08-02.03 - Sean 08/02/2009 23:10.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1595 [GMT -7:00]
Running from: c:\documents and settings\Sean.SEANS\My Documents\Downloads\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService.NT AUTHORITY\Application Data\NetMon
c:\documents and settings\LocalService.NT AUTHORITY\Application Data\NetMon\domains.txt
c:\documents and settings\LocalService.NT AUTHORITY\Application Data\NetMon\log.txt
c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\NetMon
c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\NetMon\domains.txt
c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\NetMon\log.txt
c:\documents and settings\Sean.SEAN-AGRVSA1ANN\Application Data\Dxcknwrd.dll
c:\documents and settings\Sean.SEAN-AGRVSA1ANN\Local Settings\Temporary Internet Files\Dxc.log
c:\documents and settings\Sean.SEAN-AGRVSA1ANN\Start Menu\Programs\Startup\.lnk
c:\program files\Mozilla Firefox\components\srff.dll
c:\windows\system32\bapofofe.dll
c:\windows\system32\drivers\geyekrluhppfuc.sys
c:\windows\system32\geyekrdtwyvohi.dll
c:\windows\system32\geyekrmoaipmvm.dat
c:\windows\system32\geyekrotrnekro.dat
c:\windows\system32\geyekrwfmumine.dll
c:\windows\system32\misehebo.dll.tmp
c:\windows\system32\renigeta.dll.tmp
c:\windows\system32\robekuka.dll.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_geyekrkoxggefk


((((((((((((((((((((((((( Files Created from 2009-07-03 to 2009-08-03 )))))))))))))))))))))))))))))))
.

2010-01-18 16:13 . 2009-07-31 15:19 -------- d-----w- c:\program files\Bonjour
2010-01-18 16:00 . 2010-01-18 16:00 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-08-03 04:37 . 2009-08-03 04:37 -------- d-----w- C:\_OTL
2009-08-03 01:06 . 2008-02-28 18:50 -------- d-----w- c:\documents and settings\Sean.SEANS\FixPolicies
2009-08-03 01:02 . 2009-08-03 01:02 -------- d-----w- c:\program files\ERUNT
2009-08-02 19:11 . 2009-08-02 19:10 154632 ----a-w- c:\windows\system32\minix32.exe
2009-08-02 19:10 . 2009-08-02 19:11 -------- d-----w- c:\program files\Windows Antivirus Pro
2009-08-01 14:02 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-01 14:02 . 2009-08-02 14:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-01 14:02 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-01 14:01 . 2009-08-01 14:01 -------- d-----w- c:\program files\Trend Micro
2009-07-31 16:05 . 2009-07-31 16:05 -------- d-sh--w- c:\documents and settings\Administrator.SEANS\IETldCache
2009-07-31 15:56 . 2009-07-31 15:56 -------- d-----w- c:\documents and settings\Sean.SEANS\Application Data\Malwarebytes
2009-07-31 15:28 . 2009-08-01 14:02 -------- d-----w- c:\docume~1\ALLUSE~1.WIN\APPLIC~1\Malwarebytes
2009-07-30 23:37 . 2009-07-30 23:37 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-30 23:28 . 2009-07-30 23:28 -------- d-sh--w- c:\documents and settings\Sean.SEANS\IECompatCache
2009-07-30 23:28 . 2009-07-30 23:28 -------- d-sh--w- c:\documents and settings\Sean.SEANS\PrivacIE
2009-07-30 23:27 . 2009-07-30 23:27 -------- d-sh--w- c:\documents and settings\Sean.SEANS\IETldCache
2009-07-30 23:23 . 2009-07-30 23:23 -------- dc-h--w- c:\windows\ie8
2009-07-07 17:13 . 2009-07-07 17:13 -------- d-----w- c:\docume~1\ALLUSE~1.WIN\APPLIC~1\FLEXnet
2009-07-07 16:50 . 2009-07-07 16:50 -------- d-----w- c:\docume~1\ALLUSE~1.WIN\APPLIC~1\ALM
2009-07-07 16:33 . 2007-02-20 23:04 190696 ----a-w- c:\windows\system32\NPSWF32_FlashUtil.exe
2009-07-07 16:33 . 2007-02-20 23:04 2463976 ----a-w- c:\windows\system32\NPSWF32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-03 03:27 . 2009-05-03 03:27 84992 --sha-w- c:\windows\system32\voveguji.dll
2009-08-03 01:02 . 2009-01-15 04:27 -------- d-----w- c:\documents and settings\Sean.SEANS\Application Data\uTorrent
2009-08-02 15:27 . 2009-05-02 15:27 84992 --sha-w- c:\windows\system32\matasivi.dll
2009-08-01 03:26 . 2009-05-01 03:26 84992 --sha-w- c:\windows\system32\yapadoyi.dll
2009-07-31 15:55 . 2009-05-23 00:38 -------- d-----w- c:\program files\DIFX
2009-07-31 15:26 . 1601-01-01 00:12 85504 --sha-w- c:\windows\system32\likebowa.dll
2009-07-31 03:26 . 1601-01-01 00:12 85504 --sha-w- c:\windows\system32\gibegovu.dll
2009-07-31 00:05 . 2009-01-19 03:58 -------- d-----w- c:\documents and settings\Sean.SEANS\Application Data\dvdcss
2009-07-30 15:25 . 2009-04-30 15:25 84480 --sha-w- c:\windows\system32\salayose.dll
2009-07-30 03:26 . 2009-04-30 03:25 50176 --sha-w- c:\windows\system32\ziwagawu.dll
2009-07-30 03:25 . 2009-04-30 03:25 84992 --sha-w- c:\windows\system32\bodikezi.dll
2009-07-29 15:25 . 2009-04-29 15:25 84480 --sha-w- c:\windows\system32\jifojuse.dll
2009-07-29 03:25 . 2009-04-29 03:25 178688 --sha-w- c:\windows\system32\gopufuzi.dll
2009-07-28 03:25 . 2009-04-28 03:25 190976 --sha-w- c:\windows\system32\momomaju.dll
2009-07-27 15:25 . 2009-04-27 15:25 85504 --sha-w- c:\windows\system32\bevodaze.dll
2009-07-27 03:25 . 2009-04-27 03:25 86016 --sha-w- c:\windows\system32\rihuhavu.dll
2009-07-26 15:25 . 2009-04-26 15:25 84992 --sha-w- c:\windows\system32\huyahife.dll
2009-07-26 03:25 . 2009-04-26 03:24 50688 --sha-w- c:\windows\system32\jigajuwo.dll
2009-07-26 03:24 . 2009-04-26 03:24 85504 --sha-w- c:\windows\system32\defadegi.dll
2009-07-25 15:24 . 2009-04-25 15:24 84992 --sha-w- c:\windows\system32\yatehoyu.dll
2009-07-23 14:08 . 2005-01-04 22:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-23 11:40 . 2009-02-07 08:42 -------- d-----w- c:\program files\Safari
2009-07-23 11:38 . 2005-12-08 00:04 -------- d-----w- c:\program files\iPod
2009-07-07 17:14 . 2009-01-13 20:32 21208 ----a-w- c:\documents and settings\Sean.SEANS\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-07 16:54 . 2005-01-04 18:01 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-17 00:39 . 2009-06-17 00:22 -------- d-----w- c:\program files\DOSBox-0.73
2009-06-16 19:12 . 2009-01-15 05:24 -------- d-----w- c:\docume~1\ALLUSE~1.WIN\APPLIC~1\Apple
2009-06-16 14:55 . 2001-08-18 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2001-08-18 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-13 12:46 . 2006-06-26 06:32 -------- d-----w- c:\program files\QuickTime
2009-06-11 18:03 . 2009-06-11 18:03 9158 ----a-r- c:\documents and settings\Sean.SEANS\Application Data\Microsoft\Installer\{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}\ARPPRODUCTICON.exe
2009-06-11 18:03 . 2008-01-05 22:30 -------- d-----w- c:\program files\ATI Technologies
2009-06-11 18:00 . 2009-01-13 20:55 -------- d-----w- c:\program files\ATI
2009-06-05 18:42 . 2009-03-14 13:41 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 18:42 . 2009-01-15 05:24 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-05 01:06 . 2009-06-05 01:06 -------- d-----w- c:\docume~1\ALLUSE~1.WIN\APPLIC~1\ATI
2009-06-03 19:27 . 2001-08-18 12:00 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-06-01 12:28 . 2009-05-11 23:14 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-05-23 00:36 . 2009-05-23 00:54 331776 ----a-w- c:\documents and settings\Sean.SEANS\Application Data\InstallShield Installation Information\{BFA90209-7AFF-4DB6-8E4B-E57305751AD7}\SetupUT3.exe
2009-05-20 02:31 . 2009-05-20 02:31 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-18 18:42 . 2009-05-18 18:42 127877 ----a-w- c:\documents and settings\Sean.SEANS\Application Data\Move Networks\uninstall.exe
2009-05-18 18:42 . 2009-05-01 06:30 4183416 ----a-w- c:\documents and settings\Sean.SEANS\Application Data\Move Networks\plugins\npqmp071500000347.dll
2009-05-18 18:42 . 2009-05-18 18:42 1685856 ----a-w- c:\documents and settings\Sean.SEANS\Application Data\Move Networks\MoveMediaPlayerWin_071500000347.exe
2009-05-11 12:20 . 2009-05-11 12:21 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-05-07 15:44 . 2001-08-18 12:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-05-06 03:45 . 2009-05-06 03:44 38208 ----a-w- c:\documents and settings\Sean.SEANS\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-07-29 15:17 . 2008-09-15 06:47 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2009-04-30 03:26 . 2009-04-30 03:26 50176 --sha-w- c:\windows\system32\legabebo.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95b6f475-10b2-4b86-b046-e4b9fed65729}]
2009-04-30 03:26 50176 --sha-w- c:\windows\system32\legabebo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WTClient"="WTClient.exe" [2007-04-11 40960]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 577536]

c:\documents and settings\Sean.SEANS\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\docume~1\ALLUSE~1.WIN\STARTM~1\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-1-8 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\matasivi.dll" [2009-08-02 84992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\matasivi.dll [2009-08-02 84992]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2009\\3dsmax.exe"=
"d:\\Binaries\\UT3.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"d:\\itunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\Core-Static\\MOM.exe"=
"c:\\WINDOWS\\explorer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/11/2009 5:21 AM 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 12:06 PM 1029456]
R2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [3/10/2008 1:04 AM 65536]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe --> c:\program files\NOS\bin\getPlus_HelperSvc.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\docume~1\SEAN~2.SEA\APPLIC~1\Mozilla\Firefox\Profiles\24v3unw9.default\
FF - prefs.js: browser.startup.homepage - hxxp://shegon.livejournal.com/
FF - plugin: c:\documents and settings\Sean.SEANS\Application Data\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\progra~1\SONYON~1\npsoe.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: d:\itunes\Mozilla Plugins\npitunes.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-02 23:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(192)
c:\windows\system32\legabebo.dll
c:\windows\system32\matasivi.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WTClient.exe
c:\windows\soundman.exe
c:\program files\HP\HP Software Update\hpwuSchd2.exe
d:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
d:\itunes\iTunesHelper.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Messenger\msmsgs.exe
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\drivers\WTSrv.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2009-08-03 23:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-03 06:42

Pre-Run: 17,651,904,512 bytes free
Post-Run: 22,767,812,608 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn /usepmtimer

286 --- E O F --- 2009-07-16 10:00

I hope this is helpful. I appreciate you giving me such specific instructions. Thank you, again.

[Maurice Naggar]

Not only did this have a rootkit infection, it has loads of Vundo left still, and traces of a rogue (fake) known as "Windows Antivirus Pro"

Do NOT do any websurfing of any sort, nor do any online games, and definitely no downloads other than what I guide you to.
Also, just in case, no plugging in of flash-drives from any friends, etc to play games or anything of the sort.
This system is infected, to say the least.

I must also remind you, that there is NO guarantee or NO warranty of any kind, that we'll be able to find and remove all of the infections present on this system. As always, the safest thing to do is for you to consider, wiping clean this system and loading Windows as a new (clean) install. Your documents & personal files would be lost; unless you make a backup to offline media beforehand.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

If you are a casual viewer, do NOT try this on your system!
If you are not shegon and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste all the lines in between the ***** stars ****** below into it:

***********************************************************************
KILLALL::

Driver::
geyekrkoxggefk

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Browser Helper Objects\{95b6f475-10b2-4b86-b046-e4b9fed65729}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"=-
[-HKEY_CURRENT_USER\Software\Softimer]
[-HKEY_CURRENT_USER\Software\Windows Antivirus Pro]
[-HKEY_CLASSES_ROOT\CLSID\{425882B0-B0BF-11CE-B59F-00AA006CB37D}]
[-HKEY_CLASSES_ROOT\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F54AF7DE-6038-4026-8433-CC30E3F17212}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win Antivirus Pro]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AntipPro2009_12]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntipPro2009_12]

File::
c:\windows\system32\matasivi.dll
c:\windows\system32\legabebo.dll
c:\windows\system32\voveguji.dll
c:\windows\system32\matasivi.dll
c:\windows\system32\yapadoyi.dll
c:\windows\system32\likebowa.dll
c:\windows\system32\gibegovu.dll
c:\windows\system32\salayose.dll
c:\windows\system32\ziwagawu.dll
c:\windows\system32\bodikezi.dll
c:\windows\system32\jifojuse.dll
c:\windows\system32\gopufuzi.dll
c:\windows\system32\momomaju.dll
c:\windows\system32\bevodaze.dll
c:\windows\system32\rihuhavu.dll
c:\windows\system32\huyahife.dll
c:\windows\system32\jigajuwo.dll
c:\windows\system32\defadegi.dll
c:\windows\system32\yatehoyu.dll
c:\Program Files\Windows Antivirus Pro
c:\WINDOWS\ppp3.dat
c:\WINDOWS\ppp4.dat
c:\WINDOWS\svchast.exe
c:\WINDOWS\system32\bennuar.old
c:\WINDOWS\system32\dddesot.dll
c:\WINDOWS\system32\desot.exe
c:\WINDOWS\system32\sysnet.dat
C:\recycler
D:\recycler
e:\recycler
f:\recycler
g:\recycler
h:\recycler
i:\recycler

***********************************************************************

Save this as CFScript.txt, in the same location as ComboFix.exe





Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

=

Using Internet Explorer browser only, go to ESET Online Scanner website:
Vista users should start IE by Start (Vista Orb) >> Internet Explorer >> Right-Click and select Run As Administrator.

• Accept the Terms of Use and press Start button;
  
  
• Approve the install of the required ActiveX Control, then follow on-screen instructions;
  
  
• Enable (check) the Remove found threats option, and run the scan.
  
  
• After the scan completes, the Details tab in the Results window will display what was found and removed.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.
  Look at contents of this file using Notepad or Wordpad.
  
  The Frequently Asked Questions for ESET Online Scanner can be viewed here
  http://www.eset.com/...c4.php?page=faq
  
  
  • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
    Otherwise the scan will take twice as long to do:
    everytime the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
    
  • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
    (And the prompt re-enabling when finished.)
    
  • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.

=

Next, Download and save to your Dekstop: PrevX CSI: http://www.prevx.com/freescan.asp

Run Prevx CSI.
If it wants to reboot when finished, do so.

=

I'm going to have you remove the old MBAM you have, and after, get the newest one.
Download, & Save, and then run MBAM-Clean
http://www.malwareby.../mbam-clean.exe

Next, Please download & save Malwarebytes Anti-Malware from
http://www.download.com/Malwarebytes-Anti-..._4-10804572.htm or
http://www.besttechi.../mbam-setup.exe or
http://malwarebytes.gt500.org/mbam.jsp

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
  
• If an update is found, it will download and install the latest version.
  
  
• Once the program has loaded, select Perform Quick Scan, then click Scan.
  
  
• The scan may take some time to finish,so please be patient.
  
  
• When the scan is complete, click OK, then Show Results to view the results.
  
  
• Make sure that everything is checked, and click Remove Selected.
  
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
  
• Copy & Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

=

Download Security Check by screen317 and save it to your Desktop: here or here

• Run Security Check
  
• Follow the onscreen instructions inside of the command window.
  
• A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.

Then copy/paste the following into your post (in order):

• the contents of C:\Combofix.txt
  
• the contents of the ESET scan Log.txt
  
• the contents of the MBAM scan log and
  
• the contents of checkup.txt

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.
Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

[shegon]

Well, this last batch of programs really seems to have turned the tides. Here is the ComboFix logfile:


ComboFix 09-08-02.03 - Sean 08/06/2009 7:38.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1435 [GMT -7:00]
Running from: c:\documents and settings\Sean.SEANS\My Documents\Downloads\Combo-Fix.exe
Command switches used :: c:\documents and settings\Sean.SEANS\My Documents\Downloads\CFScript.txt

FILE ::
"c:\program files\Windows Antivirus Pro"
"C:\recycler"
"c:\windows\ppp3.dat"
"c:\windows\ppp4.dat"
"c:\windows\svchast.exe"
"c:\windows\system32\bennuar.old"
"c:\windows\system32\bevodaze.dll"
"c:\windows\system32\bodikezi.dll"
"c:\windows\system32\dddesot.dll"
"c:\windows\system32\defadegi.dll"
"c:\windows\system32\desot.exe"
"c:\windows\system32\gibegovu.dll"
"c:\windows\system32\gopufuzi.dll"
"c:\windows\system32\huyahife.dll"
"c:\windows\system32\jifojuse.dll"
"c:\windows\system32\jigajuwo.dll"
"c:\windows\system32\legabebo.dll"
"c:\windows\system32\likebowa.dll"
"c:\windows\system32\matasivi.dll"
"c:\windows\system32\momomaju.dll"
"c:\windows\system32\rihuhavu.dll"
"c:\windows\system32\salayose.dll"
"c:\windows\system32\sysnet.dat"
"c:\windows\system32\voveguji.dll"
"c:\windows\system32\yapadoyi.dll"
"c:\windows\system32\yatehoyu.dll"
"c:\windows\system32\ziwagawu.dll"
"D:\recycler"
"e:\recycler"
"f:\recycler"
"g:\recycler"
"h:\recycler"
"i:\recycler"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Sean.SEANS\Application Data\EurekaLog
c:\documents and settings\Sean.SEANS\Application Data\EurekaLog\RiffTrax\RiffTrax_SEANS.elf
c:\windows\system32\bevodaze.dll
c:\windows\system32\bodikezi.dll
c:\windows\system32\defadegi.dll
c:\windows\system32\gibegovu.dll
c:\windows\system32\gopufuzi.dll
c:\windows\system32\huyahife.dll
c:\windows\system32\jifojuse.dll
c:\windows\system32\jigajuwo.dll
c:\windows\system32\likebowa.dll
c:\windows\system32\manogebu.dll
c:\windows\system32\matasivi.dll
c:\windows\system32\momomaju.dll
c:\windows\system32\rihuhavu.dll
c:\windows\system32\salayose.dll
c:\windows\system32\voveguji.dll
c:\windows\system32\yapadoyi.dll
c:\windows\system32\yatehoyu.dll
c:\windows\system32\ziwagawu.dll

.
((((((((((((((((((((((((( Files Created from 2009-07-06 to 2009-08-06 )))))))))))))))))))))))))))))))
.

2010-01-18 16:13 . 2009-07-31 15:19 -------- d-----w- c:\program files\Bonjour
2010-01-18 16:00 . 2010-01-18 16:00 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-08-05 03:52 . 2009-08-05 03:52 -------- d--h--w- c:\docume~1\ALLUSE~1.WIN\APPLIC~1\{F71301CF-0E9E-468F-B1CE-FEC9F977CAAF}
2009-08-05 03:52 . 2009-08-05 03:54 -------- d-----w- c:\documents and settings\Sean.SEANS\Application Data\RiffTrax
2009-08-05 03:52 . 2009-08-05 03:52 -------- d-----w- c:\program files\RiffTrax DVD Player
2009-08-03 04:37 . 2009-08-03 04:37 -------- d-----w- C:\_OTL
2009-08-03 01:06 . 2008-02-28 18:50 -------- d-----w- c:\documents and settings\Sean.SEANS\FixPolicies
2009-08-03 01:02 . 2009-08-03 01:02 -------- d-----w- c:\program files\ERUNT
2009-08-02 19:11 . 2009-08-02 19:10 154632 ----a-w- c:\windows\system32\minix32.exe
2009-08-02 19:10 . 2009-08-02 19:11 -------- d-----w- c:\program files\Windows Antivirus Pro
2009-08-01 14:02 . 2009-08-05 00:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-01 14:01 . 2009-08-01 14:01 -------- d-----w- c:\program files\Trend Micro
2009-07-31 16:05 . 2009-07-31 16:05 -------- d-sh--w- c:\documents and settings\Administrator.SEANS\IETldCache
2009-07-31 15:56 . 2009-07-31 15:56 -------- d-----w- c:\documents and settings\Sean.SEANS\Application Data\Malwarebytes
2009-07-31 15:28 . 2009-08-05 00:36 -------- d-----w- c:\docume~1\ALLUSE~1.WIN\APPLIC~1\Malwarebytes
2009-07-30 23:37 . 2009-07-30 23:37 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-30 23:28 . 2009-07-30 23:28 -------- d-sh--w- c:\documents and settings\Sean.SEANS\IECompatCache
2009-07-30 23:28 . 2009-07-30 23:28 -------- d-sh--w- c:\documents and settings\Sean.SEANS\PrivacIE
2009-07-30 23:27 . 2009-07-30 23:27 -------- d-sh--w- c:\documents and settings\Sean.SEANS\IETldCache
2009-07-30 23:23 . 2009-07-30 23:23 -------- dc-h--w- c:\windows\ie8
2009-07-07 17:13 . 2009-07-07 17:13 -------- d-----w- c:\docume~1\ALLUSE~1.WIN\APPLIC~1\FLEXnet
2009-07-07 16:50 . 2009-07-07 16:50 -------- d-----w- c:\docume~1\ALLUSE~1.WIN\APPLIC~1\ALM
2009-07-07 16:33 . 2007-02-20 23:04 190696 ----a-w- c:\windows\system32\NPSWF32_FlashUtil.exe
2009-07-07 16:33 . 2007-02-20 23:04 2463976 ----a-w- c:\windows\system32\NPSWF32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-06 03:28 . 2009-05-06 03:28 50176 --sha-w- c:\windows\system32\yegewuge.dll
2009-08-06 03:28 . 2009-05-06 03:28 84992 --sha-w- c:\windows\system32\vihobuwu.dll
2009-08-05 15:28 . 2009-05-05 15:28 85504 --sha-w- c:\windows\system32\wagitiru.dll
2009-08-05 03:56 . 2009-01-19 03:58 -------- d-----w- c:\documents and settings\Sean.SEANS\Application Data\dvdcss
2009-08-05 03:28 . 2009-05-05 03:28 84992 --sha-w- c:\windows\system32\rarunuku.dll
2009-08-04 23:45 . 2009-01-15 04:27 -------- d-----w- c:\documents and settings\Sean.SEANS\Application Data\uTorrent
2009-08-04 15:27 . 2009-05-04 15:27 84992 --sha-w- c:\windows\system32\rejemufa.dll
2009-08-04 12:15 . 2009-01-16 18:11 -------- d-----w- c:\documents and settings\Sean.SEANS\Application Data\HP
2009-08-04 03:27 . 2009-05-04 03:27 85504 --sha-w- c:\windows\system32\papupona.dll
2009-08-03 15:28 . 2009-05-03 15:27 50688 --sha-w- c:\windows\system32\jaduzumi.dll
2009-08-03 15:27 . 2009-05-03 15:27 84992 --sha-w- c:\windows\system32\wabidohu.dll
2009-07-31 15:55 . 2009-05-23 00:38 -------- d-----w- c:\program files\DIFX
2009-07-23 14:08 . 2005-01-04 22:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-23 11:40 . 2009-02-07 08:42 -------- d-----w- c:\program files\Safari
2009-07-23 11:38 . 2005-12-08 00:04 -------- d-----w- c:\program files\iPod
2009-07-07 17:14 . 2009-01-13 20:32 21208 ----a-w- c:\documents and settings\Sean.SEANS\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-07 16:54 . 2005-01-04 18:01 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-17 00:39 . 2009-06-17 00:22 -------- d-----w- c:\program files\DOSBox-0.73
2009-06-16 19:12 . 2009-01-15 05:24 -------- d-----w- c:\docume~1\ALLUSE~1.WIN\APPLIC~1\Apple
2009-06-16 14:55 . 2001-08-18 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2001-08-18 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-13 12:46 . 2006-06-26 06:32 -------- d-----w- c:\program files\QuickTime
2009-06-11 18:03 . 2009-06-11 18:03 9158 ----a-r- c:\documents and settings\Sean.SEANS\Application Data\Microsoft\Installer\{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}\ARPPRODUCTICON.exe
2009-06-11 18:03 . 2008-01-05 22:30 -------- d-----w- c:\program files\ATI Technologies
2009-06-11 18:00 . 2009-01-13 20:55 -------- d-----w- c:\program files\ATI
2009-06-05 18:42 . 2009-03-14 13:41 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 18:42 . 2009-01-15 05:24 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-03 19:27 . 2001-08-18 12:00 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-06-01 12:28 . 2009-05-11 23:14 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-05-23 00:36 . 2009-05-23 00:54 331776 ----a-w- c:\documents and settings\Sean.SEANS\Application Data\InstallShield Installation Information\{BFA90209-7AFF-4DB6-8E4B-E57305751AD7}\SetupUT3.exe
2009-05-20 02:31 . 2009-05-20 02:31 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-18 18:42 . 2009-05-18 18:42 127877 ----a-w- c:\documents and settings\Sean.SEANS\Application Data\Move Networks\uninstall.exe
2009-05-18 18:42 . 2009-05-01 06:30 4183416 ----a-w- c:\documents and settings\Sean.SEANS\Application Data\Move Networks\plugins\npqmp071500000347.dll
2009-05-18 18:42 . 2009-05-18 18:42 1685856 ----a-w- c:\documents and settings\Sean.SEANS\Application Data\Move Networks\MoveMediaPlayerWin_071500000347.exe
2009-05-11 12:20 . 2009-05-11 12:21 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-08-04 14:20 . 2008-09-15 06:47 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2009-05-06 03:28 . 2009-05-06 03:28 50176 --sha-w- c:\windows\system32\huhasonu.dll
2009-04-30 03:26 . 2009-04-30 03:26 50176 --sha-w- c:\windows\system32\legabebo.dll.tmp
2009-05-06 03:28 . 2009-05-06 03:28 50176 --sha-w- c:\windows\system32\witukezo.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-03_06.31.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2003-01-30 00:39 . 2003-01-30 00:39 53248 c:\windows\system32\dcfft2.dll
+ 2009-08-06 14:57 . 2009-08-06 14:57 45056 c:\windows\ERDNT\AutoBackup\8-6-2009\Users\00000002\UsrClass.dat
+ 2009-08-05 00:29 . 2009-08-05 00:29 45056 c:\windows\ERDNT\AutoBackup\8-4-2009\Users\00000002\UsrClass.dat
+ 2009-08-05 03:52 . 2009-08-05 03:52 302080 c:\windows\Installer\b58fd1.msi
+ 2009-08-06 14:57 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\8-6-2009\ERDNT.EXE
+ 2009-08-05 00:29 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\8-4-2009\ERDNT.EXE
+ 2009-08-06 14:57 . 2009-08-06 14:57 4423680 c:\windows\ERDNT\AutoBackup\8-6-2009\Users\00000001\NTUSER.DAT
+ 2009-08-05 00:29 . 2009-08-05 00:29 4415488 c:\windows\ERDNT\AutoBackup\8-4-2009\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95b6f475-10b2-4b86-b046-e4b9fed65729}]
2009-05-06 03:28 50176 --sha-w- c:\windows\system32\huhasonu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WTClient"="WTClient.exe" [2007-04-11 40960]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 577536]

c:\documents and settings\Sean.SEANS\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\docume~1\ALLUSE~1.WIN\STARTM~1\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\vihobuwu.dll" [2009-08-06 84992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vihobuwu.dll [2009-08-06 84992]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2009\\3dsmax.exe"=
"d:\\Binaries\\UT3.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"d:\\itunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\Core-Static\\MOM.exe"=
"c:\\WINDOWS\\explorer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/11/2009 5:21 AM 64160]
R2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [3/10/2008 1:04 AM 65536]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 12:06 PM 1029456]
S4 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe --> c:\program files\NOS\bin\getPlus_HelperSvc.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\docume~1\SEAN~2.SEA\APPLIC~1\Mozilla\Firefox\Profiles\24v3unw9.default\
FF - prefs.js: browser.startup.homepage - hxxp://shegon.livejournal.com/
FF - plugin: c:\documents and settings\Sean.SEANS\Application Data\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\progra~1\SONYON~1\npsoe.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: d:\itunes\Mozilla Plugins\npitunes.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-06 07:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2580)
c:\windows\system32\witukezo.dll
c:\windows\system32\vihobuwu.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WTClient.exe
c:\windows\soundman.exe
c:\program files\HP\HP Software Update\hpwuSchd2.exe
d:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
d:\itunes\iTunesHelper.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\drivers\WTSrv.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2009-08-06 8:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-06 15:09
ComboFix2.txt 2009-08-03 06:42

Pre-Run: 22,226,698,240 bytes free
Post-Run: 22,286,503,936 bytes free

310 --- E O F --- 2009-07-16 10:00



And here is the ESET logfile:


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.5889
# api_version=3.0.2
# EOSSerial=8fcdd333735ff345baea6baad96d9b3b
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-08-06 04:36:38
# local_time=2009-08-06 09:36:38 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# scanned=253548
# found=64
# cleaned=64
# scan_time=4952
C:\Documents and Settings\Sean.SEAN-AGRVSA1ANN\My Documents\OiUninstaller.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\geyekrwfmumine.dll.vir Win32/Olmarik.JU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP520\A0047053.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP521\A0047066.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP521\A0048052.exe Win32/Adware.UltimateDefender application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP521\A0048056.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP521\A0049052.exe Win32/Adware.UltimateDefender application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP521\A0049056.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP522\A0049062.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP523\A0049084.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP524\A0049089.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP524\A0049102.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP525\A0049117.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP525\A0049118.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP526\A0049121.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP526\A0049135.exe Win32/Adware.UltimateDefender application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP526\A0049146.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP526\A0049165.exe Win32/Adware.UltimateDefender application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP527\A0049171.exe Win32/Adware.UltimateDefender application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP527\A0049175.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP527\A0049179.exe Win32/Adware.UltimateDefender application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP527\A0049184.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP528\A0049187.exe Win32/Adware.UltimateDefender application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP528\A0050187.exe Win32/Adware.UltimateDefender application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP528\A0051187.exe Win32/Adware.UltimateDefender application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP528\A0052187.exe Win32/Adware.UltimateDefender application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP528\A0053187.exe Win32/Adware.UltimateDefender application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP528\A0053188.exe Win32/Adware.UltimateDefender application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP528\A0054187.exe Win32/Adware.UltimateDefender application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP528\A0054188.exe Win32/Adware.UltimateDefender application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP528\A0054189.exe Win32/Adware.UltimateDefender application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP528\A0055189.exe Win32/Adware.UltimateDefender application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP528\A0056189.exe Win32/Adware.UltimateDefender application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP528\A0056190.exe Win32/Adware.UltimateDefender application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP528\A0056191.exe Win32/Adware.UltimateDefender application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP528\A0057191.exe Win32/Adware.UltimateDefender application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP528\A0057192.exe Win32/Adware.UltimateDefender application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP528\A0057193.exe Win32/Adware.UltimateDefender application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP528\A0058193.exe Win32/Adware.UltimateDefender application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP528\A0059193.exe Win32/Adware.UltimateDefender application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP528\A0060193.exe Win32/Adware.UltimateDefender application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46EFF434-5AB4-4991-BC14-20F0909808D8}\RP528\A0061193.exe Win32/Adware.UltimateDefender application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{87D01459-2428-4CC3-8F0B-145292A13623}\RP222\A0018459.dll Win32/Olmarik.JU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{87D01459-2428-4CC3-8F0B-145292A13623}\RP224\A0018856.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8815CA9F-06D2-495F-AFDD-573940EC8CC5}\RP455\A1219564.exe Win32/Adware.BestOffer application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8815CA9F-06D2-495F-AFDD-573940EC8CC5}\RP458\A1220563.exe Win32/Adware.BestOffer application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8815CA9F-06D2-495F-AFDD-573940EC8CC5}\RP460\A1221564.exe Win32/Adware.BestOffer application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8815CA9F-06D2-495F-AFDD-573940EC8CC5}\RP461\A1221599.exe Win32/Adware.BestOffer application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8815CA9F-06D2-495F-AFDD-573940EC8CC5}\RP461\A1221610.exe Win32/Adware.BestOffer application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8815CA9F-06D2-495F-AFDD-573940EC8CC5}\RP463\A1221657.exe Win32/Adware.BestOffer application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8815CA9F-06D2-495F-AFDD-573940EC8CC5}\RP464\A1222657.exe Win32/Adware.BestOffer application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8815CA9F-06D2-495F-AFDD-573940EC8CC5}\RP464\A1223658.exe Win32/Adware.BestOffer application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8815CA9F-06D2-495F-AFDD-573940EC8CC5}\RP465\A1224658.exe Win32/Adware.BestOffer application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8815CA9F-06D2-495F-AFDD-573940EC8CC5}\RP465\A1224670.exe Win32/Adware.BestOffer application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\VundoFix Backups\agyavidk.exe.bad Win32/Adware.Toolbar.SearchColours application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\VundoFix Backups\ehrynfft.dll.bad a variant of Win32/BHO.G trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\VundoFix Backups\orutv.bak1.bad Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\VundoFix Backups\orutv.bak2.bad Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\VundoFix Backups\orutv.ini.bad Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\VundoFix Backups\orutv.ini2.bad Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\VundoFix Backups\orutv.tmp.bad Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\VundoFix Backups\vnfljgch.dll.bad a variant of Win32/BHO.G trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\minix32.exe a variant of Win32/TrojanDownloader.FakeAlert.AFP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\My Documents\Install_AIM.exe Win32/Adware.WBug.A application (deleted - quarantined) 00000000000000000000000000000000 C



After I ran PrevX, things were definately running better. Following your advice, I tried once more to install Malwarebytes, and this time I succeeded. Once I ran Malwarebytes I went back through the programs you had me download and ran most of them again to see if they could come up with any more problems, but they all seem to think that we got rid of the infection. The only thing they find is each other. Thank you very much for your help. I don't think I could have done this alone.

[Maurice Naggar]

You are not out of the woods yet. There were still some Vundo files listed in your log.
You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference! Perhaps also save the file on your pc.

Close all browsers and all open windows & programs.

• Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  
• Copy all the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  :files
  c:\program files\Windows Antivirus Pro
  c:\windows\system32\yegewuge.dll
  c:\windows\system32\vihobuwu.dll
  c:\windows\system32\wagitiru.dll
  c:\windows\system32\rarunuku.dll
  c:\windows\system32\rejemufa.dll
  c:\windows\system32\papupona.dll
  c:\windows\system32\jaduzumi.dll
  c:\windows\system32\wabidohu.dll
  c:\windows\system32\huhasonu.dll
  c:\windows\system32\legabebo.dll.tmp
  c:\windows\system32\witukezo.dll
  C:\recycler
  D:\recycler
  e:\recycler
  f:\recycler
  g:\recycler
  h:\recycler
  
  :reg
  [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95b6f475-10b2-4b86-b046-e4b9fed65729}]
  [hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
  "{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"=-
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
  "SSODL"=-
  
  :Commands
  [purity]
  [emptytemp]
  [reboot]

  
  
• Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  
  
• Close any browser(s) windows that may be open.
  
• Using your mouse, click on the red-lettered button Run Fix.
  
• Once you see a message box "Fix complete! Click OK to open the fix log."
  Click the OK button
  
• The log will open in Notepad (your default text editor).
  
• Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

=
1. Please download SmitfraudFix (by S!Ri) and SAVE it to your Desktop.
It's very important that you be using the most recent version (v2.423 as of this post).

2. Reboot into Safe Mode (Restart your computer, then continually tap F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter. More at http://service1.symantec.com/SUPPORT/tsgen...001052409420406.)

3. Once in Safe Mode:
Double click the SmitFruadfix.exe file. It will create a folder named SmitfraudFix) on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Have plenty of patience as a Command prompt window opens. You'll eventually see a message and a "press any key to continue".
Press the space bar or any other key on the keyboard.

4. Select option #2 - Clean by typing 2 and pressing Enter to delete infected files.

5. You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer "Yes" by typing Y and pressing Enter in order to remove the desktop background and clean registry keys associated with the infection.

6. The tool will then check if wininet.dll is infected. If prompted to replace the infected file (if found), answer "Yes" by typing Y and pressing Enter.

7. The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

8. A text file will appear onscreen with results from the cleaning process. Please copy/paste the content of that report into your next reply.

The report also may be found at the root of the system drive, usually at C:\rapport.txt

Notes:

• process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. More on this at http://www.beyondlogic.org/consulting/proc...processutil.htm
  
  
• Running option #2 on a non-infected computer will remove your Desktop background. No need to worry, you were infected

=

Start your MBAM MalwareBytes' Anti-Malware.
Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.
At this time of posting, the current definitions are # 2578 or later. The latest program version is 1.40

When done, click the Scanner tab.
Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

=

Scan the system with the Kaspersky Online Scanner
http://www.kaspersky.com/virusscanner

Attention: Kaspersky Online Scanner 7.0 may not run successfully while another antivirus program is running. If you have Anti-Virus software installed, please temporarily disable your AV protection before running the Kaspersky Online Scanner. Reenable it after the scan is finished.

During this run, make sure your browser does not block popup windows. Have patience while some screens populate.

1) Click the Kapersky Online Scanner button. You'll see a popup window.
2) Accept the agreement
3) Accept the installation of the required ActiveX object ( XP SP2-SP3 will show this in the Information Bar )
4) For XP SP2-SP3, click the Install button when prompted
5) The necessary files will be downloaded and installed. Please have plenty of patience.
6) After Kaspersky AntiVirus Database is updated, look at the Scan box.
7) Click the My Computer line
8 ) Be infinetely patient, the scan is comprehensive and, unlike other online antivirus scanners, will detect all malwares

9) When the scan is completed there will be an option to Save report as a .txt file. Click that button. Copy and paste the report into your reply.

( To see an animated tutorial-how-to on the scan, see >>this link<<)

Re-enable your antivirus program after Kaspersky has finished.
Kapersky Online Scanner can be uninstalled later on from Add or Remove Programs in the Control Panel, if desired.

Do not be alarmed if Kaspersky tags items that are already in quarantine by MBAM, or ComboFix's Qoobox & quarantine.
Kaspersky is a report only and does not remove files.

Post back with copies of the OTL MovedFiles log
C:\rapport.txt
the latest MBAM scan log
Kaspersky.txt report.
How is your system now ?

[Maurice Naggar]

This is closed due to lack of response.
If you are the original poster and still have the same issues, and need this re-opened.... send me a PM.

The advice and procedures used here are only for this pc.
Do not use them on any other system.