Hi, I saw that someone else has almost the identical problem that I do but I didn't want to follow the same instructions that were given to them in case my situation were different. Malwarebytes takes care of this "Security Tool" for a little while but it always returns.
Please help?
Malwarebytes' Anti-Malware 1.41
Database version: 2945
Windows 5.1.2600 Service Pack 3
10/14/2009 2:44:13 PM
mbam-log-2009-10-14 (14-44-13).txt
Scan type: Quick Scan
Objects scanned: 104551
Time elapsed: 11 minute(s), 57 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 4
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 3
Memory Processes Infected:
C:\Documents and Settings\All Users\Application Data\10830921\10830921.exe (Rogue.SecurityTool) -> Unloaded process successfully.
Memory Modules Infected:
c:\WINDOWS\system32\wazitoyi.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{7357937e-0199-4075-9474-442573c55e84} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rewifepon (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\10830921 (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{7357937e-0199-4075-9474-442573c55e84} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\toloripum (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\wazitoyi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\wazitoyi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
C:\Documents and Settings\All Users\Application Data\10830921 (Rogue.Multiple) -> Quarantined and deleted successfully.
Files Infected:
c:\WINDOWS\system32\wazitoyi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\10830921\10830921.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\waderero.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
#1
Posted 14 October 2009 - 06:44 PM
#2
Posted 14 October 2009 - 11:24 PM
Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingc...to-use-combofix
Post the log from ComboFix when you've accomplished that.
#3
Posted 15 October 2009 - 07:34 PM
ComboFix 09-10-15.01 - Dean 10/15/2009 14:58.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1547 [GMT -4:00]
Running from: c:\documents and settings\Dean\My Documents\Downloads\ComboFix.exe
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Installer\72628fe.msp
c:\windows\Installer\7262903.msp
c:\windows\Installer\7262908.msp
c:\windows\Installer\726290d.msp
c:\windows\Installer\7262912.msp
c:\windows\Installer\7262917.msp
c:\windows\Installer\726291c.msp
c:\windows\Installer\7262921.msp
c:\windows\Installer\7262926.msp
c:\windows\Installer\726292b.msp
c:\windows\Installer\7262930.msp
c:\windows\Installer\7262935.msp
c:\windows\Installer\744addc.msp
c:\windows\Installer\744ade1.msp
c:\windows\Installer\744ade6.msp
c:\windows\Installer\744adeb.msp
c:\windows\Installer\744adf0.msp
c:\windows\Installer\744adf5.msp
c:\windows\Installer\744adfa.msp
c:\windows\Installer\74746d7.msp
c:\windows\Installer\74746dc.msp
c:\windows\Installer\74746e1.msp
c:\windows\Installer\74746e6.msp
c:\windows\Installer\74746eb.msp
c:\windows\Installer\74746f0.msp
c:\windows\Installer\74746f5.msp
c:\windows\Installer\74746fa.msp
c:\windows\Installer\74746ff.msp
c:\windows\Installer\7474704.msp
c:\windows\Installer\7474709.msp
c:\windows\Installer\747470e.msp
c:\windows\Installer\7474713.msp
c:\windows\Installer\7474718.msp
c:\windows\Installer\76414fc.msp
c:\windows\Installer\7641501.msp
c:\windows\Installer\7641506.msp
c:\windows\Installer\764150b.msp
c:\windows\Installer\7641510.msp
c:\windows\Installer\7641515.msp
c:\windows\Installer\764151a.msp
c:\windows\Installer\78867.msp
c:\windows\Installer\7886c.msp
c:\windows\Installer\78871.msp
c:\windows\Installer\78876.msp
c:\windows\Installer\7887b.msp
c:\windows\Installer\78880.msp
c:\windows\Installer\78885.msp
c:\windows\Installer\7888a.msp
c:\windows\Installer\7888f.msp
c:\windows\Installer\78894.msp
c:\windows\Installer\78899.msp
c:\windows\Installer\7889e.msp
c:\windows\Installer\788a3.msp
c:\windows\Installer\788a8.msp
c:\windows\Installer\7b42d03.msp
c:\windows\Installer\7b42d08.msp
c:\windows\Installer\7b42d0d.msp
c:\windows\Installer\7b42d12.msp
c:\windows\Installer\7b42d17.msp
c:\windows\Installer\7b42d1c.msp
c:\windows\Installer\7b42d21.msp
c:\windows\Installer\7b42d26.msp
c:\windows\Installer\7b42d2b.msp
c:\windows\Installer\7b42d30.msp
c:\windows\Installer\7b42d35.msp
c:\windows\Installer\7b42d3a.msp
c:\windows\Installer\7b42d3f.msp
c:\windows\Installer\7b42d44.msp
c:\windows\Installer\7b42d49.msp
c:\windows\Installer\7f2e2f8.msp
c:\windows\Installer\7f2e2fd.msp
c:\windows\Installer\7f2e302.msp
c:\windows\Installer\7f2e307.msp
c:\windows\Installer\7f2e30c.msp
c:\windows\Installer\7f2e311.msp
c:\windows\Installer\7f2e316.msp
c:\windows\Installer\7f2e31b.msp
c:\windows\Installer\7f2e320.msp
c:\windows\Installer\7f2e325.msp
c:\windows\Installer\7f2e32a.msp
c:\windows\Installer\7f2e32f.msp
c:\windows\Installer\85e7caf.msp
c:\windows\Installer\85e7cb4.msp
c:\windows\Installer\85e7cb9.msp
c:\windows\Installer\85e7cbe.msp
c:\windows\Installer\85e7cc3.msp
c:\windows\Installer\85e7cc8.msp
c:\windows\Installer\85e7ccd.msp
c:\windows\Installer\85e7cd2.msp
c:\windows\Installer\85e7cd7.msp
c:\windows\Installer\85e7cdc.msp
c:\windows\Installer\85e7ce1.msp
c:\windows\Installer\85e7ce6.msp
c:\windows\Installer\85e7ceb.msp
c:\windows\Installer\85e7cf0.msp
c:\windows\Installer\85e7cf5.msp
c:\windows\Installer\8d13798.msp
c:\windows\Installer\8d1379d.msp
c:\windows\Installer\8d137a2.msp
c:\windows\Installer\8d137a7.msp
c:\windows\Installer\8d137ac.msp
c:\windows\Installer\8d137b1.msp
c:\windows\Installer\8d137b6.msp
c:\windows\Installer\8d137bb.msp
c:\windows\Installer\8d137c0.msp
c:\windows\Installer\8d137c5.msp
c:\windows\Installer\8d137ca.msp
c:\windows\Installer\8d137cf.msp
c:\windows\Installer\8fa37.msp
c:\windows\Installer\8fa3c.msp
c:\windows\Installer\8fa41.msp
c:\windows\Installer\8fa46.msp
c:\windows\Installer\8fa4b.msp
c:\windows\Installer\8fa50.msp
c:\windows\Installer\8fa55.msp
c:\windows\Installer\8fa5a.msp
c:\windows\Installer\8fa5f.msp
c:\windows\Installer\8fa64.msp
c:\windows\Installer\9198e3.msp
c:\windows\Installer\9198e8.msp
c:\windows\Installer\9198ed.msp
c:\windows\Installer\9198f2.msp
c:\windows\Installer\9198f7.msp
c:\windows\Installer\9198fc.msp
c:\windows\Installer\919901.msp
c:\windows\Installer\919906.msp
c:\windows\Installer\91990b.msp
c:\windows\Installer\919910.msp
c:\windows\Installer\919915.msp
c:\windows\Installer\91991a.msp
c:\windows\Installer\91991f.msp
c:\windows\Installer\919924.msp
c:\windows\Installer\93c33a8.msp
c:\windows\Installer\93c33ad.msp
c:\windows\Installer\93c33b2.msp
c:\windows\Installer\93c33b7.msp
c:\windows\Installer\93c33bc.msp
c:\windows\Installer\93c33c1.msp
c:\windows\Installer\93c33c6.msp
c:\windows\Installer\94d522.msp
c:\windows\Installer\94d527.msp
c:\windows\Installer\94d52c.msp
c:\windows\Installer\94d531.msp
c:\windows\Installer\94d536.msp
c:\windows\Installer\94d53b.msp
c:\windows\Installer\94d540.msp
c:\windows\Installer\97f36.msp
c:\windows\Installer\97f3b.msp
c:\windows\Installer\97f40.msp
c:\windows\Installer\97f45.msp
c:\windows\Installer\97f4a.msp
c:\windows\Installer\97f4f.msp
c:\windows\Installer\97f54.msp
c:\windows\Installer\97f59.msp
c:\windows\Installer\97f5e.msp
c:\windows\Installer\97f63.msp
c:\windows\Installer\97f68.msp
c:\windows\Installer\97f6d.msp
c:\windows\Installer\97f72.msp
c:\windows\Installer\97f77.msp
c:\windows\Installer\97f7c.msp
c:\windows\Installer\98016af.msp
c:\windows\Installer\98016b4.msp
c:\windows\Installer\98016b9.msp
c:\windows\Installer\98016be.msp
c:\windows\Installer\98016c3.msp
c:\windows\Installer\98016c8.msp
c:\windows\Installer\98016cd.msp
c:\windows\Installer\98016d2.msp
c:\windows\Installer\98016d7.msp
c:\windows\Installer\98016dc.msp
c:\windows\Installer\98016e1.msp
c:\windows\Installer\98016e6.msp
c:\windows\Installer\98016eb.msp
c:\windows\Installer\98016f0.msp
c:\windows\Installer\9e83c3e.msp
c:\windows\Installer\9e83c43.msp
c:\windows\Installer\9e83c48.msp
c:\windows\Installer\9e83c4d.msp
c:\windows\Installer\9e83c52.msp
c:\windows\Installer\9e83c57.msp
c:\windows\Installer\9e83c5c.msp
c:\windows\Installer\9e83c61.msp
c:\windows\Installer\9e83c66.msp
c:\windows\Installer\9e83c6b.msp
c:\windows\Installer\9e83c70.msp
c:\windows\Installer\9e83c75.msp
c:\windows\Installer\9e83c7a.msp
c:\windows\Installer\9e83c7f.msp
c:\windows\Installer\9e83c84.msp
c:\windows\Installer\a0b06ad.msp
c:\windows\Installer\a0b06b2.msp
c:\windows\Installer\a0b06b7.msp
c:\windows\Installer\a0b06bc.msp
c:\windows\Installer\a0b06c1.msp
c:\windows\Installer\a0b06c6.msp
c:\windows\Installer\a0b06cb.msp
c:\windows\Installer\a562312.msp
c:\windows\Installer\a562317.msp
c:\windows\Installer\a56231c.msp
c:\windows\Installer\a562321.msp
c:\windows\Installer\a562326.msp
c:\windows\Installer\a56232b.msp
c:\windows\Installer\a562330.msp
c:\windows\Installer\a562335.msp
c:\windows\Installer\a56233a.msp
c:\windows\Installer\a56233f.msp
c:\windows\Installer\a562344.msp
c:\windows\Installer\a562349.msp
c:\windows\Installer\a56234e.msp
c:\windows\Installer\a562353.msp
c:\windows\Installer\a562358.msp
c:\windows\Installer\a8b00a4.msp
c:\windows\Installer\a8b00a9.msp
c:\windows\Installer\a8b00ae.msp
c:\windows\Installer\a8b00b3.msp
c:\windows\Installer\a8b00b8.msp
c:\windows\Installer\a8b00bd.msp
c:\windows\Installer\a8b00c2.msp
c:\windows\Installer\aa8913e.msp
c:\windows\Installer\aa89143.msp
c:\windows\Installer\aa89148.msp
c:\windows\Installer\aa8914d.msp
c:\windows\Installer\aa89152.msp
c:\windows\Installer\aa89157.msp
c:\windows\Installer\aa8915c.msp
c:\windows\Installer\b1af6b4.msp
c:\windows\Installer\b1af6b9.msp
c:\windows\Installer\b1af6be.msp
c:\windows\Installer\b1af6c3.msp
c:\windows\Installer\b1af6c8.msp
c:\windows\Installer\b1af6cd.msp
c:\windows\Installer\b1af6d2.msp
c:\windows\Installer\b1af6d7.msp
c:\windows\Installer\b1af6dc.msp
c:\windows\Installer\b1af6e1.msp
c:\windows\Installer\b1af6e6.msp
c:\windows\Installer\b1af6eb.msp
c:\windows\Installer\b1af6f0.msp
c:\windows\Installer\b1af6f5.msp
c:\windows\Installer\b1af6fa.msp
c:\windows\Installer\ba59ee.msp
c:\windows\Installer\ba59f3.msp
c:\windows\Installer\ba59f8.msp
c:\windows\Installer\ba59fd.msp
c:\windows\Installer\ba5a02.msp
c:\windows\Installer\ba5a07.msp
c:\windows\Installer\ba5a0c.msp
c:\windows\Installer\ba5a11.msp
c:\windows\Installer\ba5a16.msp
c:\windows\Installer\ba5a1b.msp
c:\windows\Installer\ba5a20.msp
c:\windows\Installer\ba5a25.msp
c:\windows\Installer\ba5a2a.msp
c:\windows\Installer\ba5a2f.msp
c:\windows\Installer\bb8b390.msp
c:\windows\Installer\bb8b395.msp
c:\windows\Installer\bb8b39a.msp
c:\windows\Installer\bb8b39f.msp
c:\windows\Installer\bb8b3a4.msp
c:\windows\Installer\bb8b3a9.msp
c:\windows\Installer\bb8b3ae.msp
c:\windows\Installer\bc71237.msp
c:\windows\Installer\bc7123c.msp
c:\windows\Installer\bc71241.msp
c:\windows\Installer\bc71246.msp
c:\windows\Installer\bc7124b.msp
c:\windows\Installer\bc71250.msp
c:\windows\Installer\bc71255.msp
c:\windows\Installer\bc7125a.msp
c:\windows\Installer\bc7125f.msp
c:\windows\Installer\bc71264.msp
c:\windows\Installer\bc71269.msp
c:\windows\Installer\bc7126e.msp
c:\windows\Installer\bce1988.msp
c:\windows\Installer\bce198d.msp
c:\windows\Installer\bce1992.msp
c:\windows\Installer\bce1997.msp
c:\windows\Installer\bce199c.msp
c:\windows\Installer\bce19a1.msp
c:\windows\Installer\bce19a6.msp
c:\windows\Installer\bf4074f.msp
c:\windows\Installer\bf40754.msp
c:\windows\Installer\bf40759.msp
c:\windows\Installer\bf4075e.msp
c:\windows\Installer\bf40763.msp
c:\windows\Installer\bf40768.msp
c:\windows\Installer\bf4076d.msp
c:\windows\Installer\c117667.msp
c:\windows\Installer\c11766c.msp
c:\windows\Installer\c117671.msp
c:\windows\Installer\c117676.msp
c:\windows\Installer\c11767b.msp
c:\windows\Installer\c117680.msp
c:\windows\Installer\c117685.msp
c:\windows\Installer\c11768a.msp
c:\windows\Installer\c11768f.msp
c:\windows\Installer\c117694.msp
c:\windows\Installer\c117699.msp
c:\windows\Installer\c11769e.msp
c:\windows\Installer\c1176a3.msp
c:\windows\Installer\c1176a8.msp
c:\windows\Installer\c1176ad.msp
c:\windows\Installer\c1a7bda.msp
c:\windows\Installer\c1a7bdf.msp
c:\windows\Installer\c1a7be4.msp
c:\windows\Installer\c1a7be9.msp
c:\windows\Installer\c1a7bee.msp
c:\windows\Installer\c1a7bf3.msp
c:\windows\Installer\c1a7bf8.msp
c:\windows\Installer\c1a7bfd.msp
c:\windows\Installer\c1a7c02.msp
c:\windows\Installer\c1a7c07.msp
c:\windows\Installer\c1a7c0c.msp
c:\windows\Installer\c1a7c11.msp
c:\windows\Installer\c1a7c16.msp
c:\windows\Installer\c1a7c1b.msp
c:\windows\Installer\c1a7c20.msp
c:\windows\Installer\c48e4d5.msp
c:\windows\Installer\c48e4da.msp
c:\windows\Installer\c48e4df.msp
c:\windows\Installer\c48e4e5.msp
c:\windows\Installer\c48e4ea.msp
c:\windows\Installer\c48e4ef.msp
c:\windows\Installer\c48e4f4.msp
c:\windows\Installer\c48e4f9.msp
c:\windows\Installer\c48e4fe.msp
c:\windows\Installer\c48e503.msp
c:\windows\Installer\c48e508.msp
c:\windows\Installer\c48e50d.msp
c:\windows\Installer\c48e512.msp
c:\windows\Installer\c48e517.msp
c:\windows\Installer\c4cb5a4.msp
c:\windows\Installer\c4cb5a9.msp
c:\windows\Installer\c4cb5ae.msp
c:\windows\Installer\c4cb5b3.msp
c:\windows\Installer\c4cb5b8.msp
c:\windows\Installer\c4cb5bd.msp
c:\windows\Installer\c4cb5c2.msp
c:\windows\Installer\c4cb5c7.msp
c:\windows\Installer\c4cb5cc.msp
c:\windows\Installer\c4cb5d1.msp
c:\windows\Installer\c4cb5d6.msp
c:\windows\Installer\c4cb5db.msp
c:\windows\Installer\c4cb5e0.msp
c:\windows\Installer\c4cb5e5.msp
c:\windows\Installer\c4cb5ea.msp
c:\windows\Installer\c6a8d88.msp
c:\windows\Installer\c6a8d8d.msp
c:\windows\Installer\c6a8d92.msp
c:\windows\Installer\c6a8d97.msp
c:\windows\Installer\c6a8d9c.msp
c:\windows\Installer\c6a8da1.msp
c:\windows\Installer\c6a8da6.msp
c:\windows\Installer\c6db0a2.msp
c:\windows\Installer\c6db0a7.msp
c:\windows\Installer\c6db0ac.msp
c:\windows\Installer\c6db0b1.msp
c:\windows\Installer\c6db0b6.msp
c:\windows\Installer\c6db0bb.msp
c:\windows\Installer\c6db0c0.msp
c:\windows\Installer\c6db0c5.msp
c:\windows\Installer\c6db0ca.msp
c:\windows\Installer\c6db0cf.msp
c:\windows\Installer\c6db0d4.msp
c:\windows\Installer\c6db0d9.msp
c:\windows\Installer\c6db0de.msp
c:\windows\Installer\c6db0e3.msp
c:\windows\Installer\c6db0e8.msp
c:\windows\Installer\c7092.msp
c:\windows\Installer\c7097.msp
c:\windows\Installer\c709c.msp
c:\windows\Installer\c70a1.msp
c:\windows\Installer\c70a6.msp
c:\windows\Installer\c70ab.msp
c:\windows\Installer\c8a709e.msp
c:\windows\Installer\c8a70a3.msp
c:\windows\Installer\c8a70a8.msp
c:\windows\Installer\c8a70ad.msp
c:\windows\Installer\c8a70b2.msp
c:\windows\Installer\c8a70b7.msp
c:\windows\Installer\c8a70bc.msp
c:\windows\Installer\cdada7f.msp
c:\windows\Installer\cdada84.msp
c:\windows\Installer\cdada89.msp
c:\windows\Installer\cdada8e.msp
c:\windows\Installer\cdada93.msp
c:\windows\Installer\cdada98.msp
c:\windows\Installer\cdada9d.msp
c:\windows\Installer\cdadaa2.msp
c:\windows\Installer\cdadaa7.msp
c:\windows\Installer\cdadaac.msp
c:\windows\Installer\cdadab1.msp
c:\windows\Installer\cdadab6.msp
c:\windows\Installer\cdadabb.msp
c:\windows\Installer\cdadac0.msp
c:\windows\Installer\cdadac5.msp
c:\windows\Installer\ce39c3.msp
c:\windows\Installer\ce39c8.msp
c:\windows\Installer\ce39cd.msp
c:\windows\Installer\ce39d2.msp
c:\windows\Installer\ce39d7.msp
c:\windows\Installer\ce39dc.msp
c:\windows\Installer\ce39e1.msp
c:\windows\Installer\ce39e6.msp
c:\windows\Installer\ce39eb.msp
c:\windows\Installer\ce39f0.msp
c:\windows\Installer\ce39f5.msp
c:\windows\Installer\ce39fa.msp
c:\windows\Installer\ce39ff.msp
c:\windows\Installer\ce3a04.msp
c:\windows\Installer\d194149.msp
c:\windows\Installer\d19414e.msp
c:\windows\Installer\d194153.msp
c:\windows\Installer\d194158.msp
c:\windows\Installer\d19415d.msp
c:\windows\Installer\d194162.msp
c:\windows\Installer\d194167.msp
c:\windows\Installer\d19416c.msp
c:\windows\Installer\d194171.msp
c:\windows\Installer\d194176.msp
c:\windows\Installer\d19417b.msp
c:\windows\Installer\d194180.msp
c:\windows\Installer\d84e12b.msp
c:\windows\Installer\d84e130.msp
c:\windows\Installer\d84e135.msp
c:\windows\Installer\d84e13a.msp
c:\windows\Installer\d84e13f.msp
c:\windows\Installer\d84e144.msp
c:\windows\Installer\d84e149.msp
c:\windows\Installer\d84e14e.msp
c:\windows\Installer\d84e153.msp
c:\windows\Installer\d84e158.msp
c:\windows\Installer\d84e15d.msp
c:\windows\Installer\d84e162.msp
c:\windows\Installer\d84e167.msp
c:\windows\Installer\d84e16c.msp
c:\windows\Installer\d84e171.msp
c:\windows\Installer\d9f993.msp
c:\windows\Installer\d9f998.msp
c:\windows\Installer\d9f99d.msp
c:\windows\Installer\d9f9a2.msp
c:\windows\Installer\d9f9a7.msp
c:\windows\Installer\d9f9ac.msp
c:\windows\Installer\d9f9b1.msp
c:\windows\Installer\df724b1.msp
c:\windows\Installer\df724b6.msp
c:\windows\Installer\df724bb.msp
c:\windows\Installer\df724c0.msp
c:\windows\Installer\df724c5.msp
c:\windows\Installer\df724ca.msp
c:\windows\Installer\df724cf.msp
c:\windows\Installer\df724d4.msp
c:\windows\Installer\df724d9.msp
c:\windows\Installer\df724de.msp
c:\windows\Installer\df724e3.msp
c:\windows\Installer\df724e8.msp
c:\windows\Installer\e2382b.msp
c:\windows\Installer\e23830.msp
c:\windows\Installer\e23835.msp
c:\windows\Installer\e2383a.msp
c:\windows\Installer\e2383f.msp
c:\windows\Installer\e23844.msp
c:\windows\Installer\e23849.msp
c:\windows\Installer\e2384e.msp
c:\windows\Installer\e23853.msp
c:\windows\Installer\e23858.msp
c:\windows\Installer\e2385d.msp
c:\windows\Installer\e23862.msp
c:\windows\Installer\e23867.msp
c:\windows\Installer\e2386c.msp
c:\windows\Installer\ea696b2.msp
c:\windows\Installer\ea696b7.msp
c:\windows\Installer\ea696bc.msp
c:\windows\Installer\ea696c1.msp
c:\windows\Installer\ea696c6.msp
c:\windows\Installer\ea696cb.msp
c:\windows\Installer\ea696d0.msp
c:\windows\Installer\ea696d5.msp
c:\windows\Installer\ea696da.msp
c:\windows\Installer\ea696df.msp
c:\windows\Installer\ea696e4.msp
c:\windows\Installer\ea696e9.msp
c:\windows\Installer\ea696ee.msp
c:\windows\Installer\ea696f3.msp
c:\windows\Installer\f0e525c.msp
c:\windows\Installer\f0e5261.msp
c:\windows\Installer\f0e5266.msp
c:\windows\Installer\f0e526b.msp
c:\windows\Installer\f0e5270.msp
c:\windows\Installer\f0e5275.msp
c:\windows\Installer\f0e527a.msp
c:\windows\Installer\f0e527f.msp
c:\windows\Installer\f0e5284.msp
c:\windows\Installer\f0e5289.msp
c:\windows\Installer\f0e528e.msp
c:\windows\Installer\f0e5293.msp
c:\windows\Installer\f0e5298.msp
c:\windows\Installer\f0e529d.msp
c:\windows\Installer\f0e52a2.msp
c:\windows\Installer\f311a79.msp
c:\windows\Installer\f311a7e.msp
c:\windows\Installer\f311a83.msp
c:\windows\Installer\f311a88.msp
c:\windows\Installer\f311a8d.msp
c:\windows\Installer\f311a92.msp
c:\windows\Installer\f311a97.msp
c:\windows\Installer\f7c6fef.msp
c:\windows\Installer\f7c6ff4.msp
c:\windows\Installer\f7c6ff9.msp
c:\windows\Installer\f7c6ffe.msp
c:\windows\Installer\f7c7003.msp
c:\windows\Installer\f7c7008.msp
c:\windows\Installer\f7c700d.msp
c:\windows\Installer\f7c7012.msp
c:\windows\Installer\f7c7017.msp
c:\windows\Installer\f7c701c.msp
c:\windows\Installer\f7c7021.msp
c:\windows\Installer\f7c7026.msp
c:\windows\Installer\f7c702b.msp
c:\windows\Installer\f7c7030.msp
c:\windows\Installer\fb1c1a7.msp
c:\windows\Installer\fb1c1ac.msp
c:\windows\Installer\fb1c1b1.msp
c:\windows\Installer\fb1c1b6.msp
c:\windows\Installer\fb1c1bb.msp
c:\windows\Installer\fb1c1c0.msp
c:\windows\Installer\fb1c1c5.msp
c:\windows\Installer\fcec832.msp
c:\windows\Installer\fcec837.msp
c:\windows\Installer\fcec83c.msp
c:\windows\Installer\fcec841.msp
c:\windows\Installer\fcec846.msp
c:\windows\Installer\fcec856.msp
c:\windows\Installer\fcec85b.msp
c:\windows\Installer\WMEncoder.msi
c:\windows\system32\bonigezi.dll
c:\windows\system32\dumphive.exe
c:\windows\system32\fumufovi.dll
c:\windows\system32\gejekoyu.dll
c:\windows\system32\gifeleho.dll
c:\windows\system32\gilumuju.dll
c:\windows\system32\gudeyose.dll
c:\windows\system32\hufufoga.dll.tmp
c:\windows\system32\huyahife.dll
c:\windows\system32\jafajada.dll
c:\windows\system32\jawefinu.dll
c:\windows\system32\jodunufe.dll.tmp
c:\windows\system32\juposeno.dll
c:\windows\system32\kejowigi.dll
c:\windows\system32\koyubevu.dll
c:\windows\system32\nojemete.dll
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tizohafi.dll.tmp
c:\windows\system32\tmp.reg
c:\windows\system32\vibumego.dll
c:\windows\system32\vokeloso.dll
c:\windows\system32\wuvoseti.dll
c:\windows\system32\zatajipi.dll
c:\windows\system32\zazuporo.dll
c:\windows\system32\zohijiho.dll
c:\windows\system32\zorihali.dll.tmp
F:\autorun.inf
.
((((((((((((((((((((((((( Files Created from 2009-09-15 to 2009-10-15 )))))))))))))))))))))))))))))))
.
2009-10-15 07:28 . 2009-10-15 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\86899141
2009-10-09 18:43 . 2009-10-09 18:43 -------- d-----w- c:\documents and settings\Dean\Application Data\Malwarebytes
2009-10-09 09:42 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-09 09:42 . 2009-10-11 09:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-09 09:42 . 2009-10-09 09:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-09 09:42 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-08 03:06 . 2009-09-08 03:06 -------- d-----w- c:\program files\Logitech
2009-09-08 02:54 . 2009-09-08 02:54 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2009-08-30 04:44 . 2009-08-30 04:44 -------- d-----w- c:\program files\Ventrilo
2009-08-30 04:44 . 2009-08-30 04:44 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-19 21:16 . 2009-08-19 21:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2009-08-06 23:24 . 2006-05-24 21:25 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2006-05-24 21:25 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2006-05-24 21:25 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2005-05-26 08:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2006-05-24 21:25 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-08-04 04:56 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2006-05-24 21:25 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2009-02-27 11:48 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2009-02-27 11:48 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2006-05-24 21:25 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-06 20:42 . 2006-05-24 21:33 115720 ----a-w- c:\documents and settings\Dean\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2004-08-04 04:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2008-01-30 09:00 . 2006-06-16 22:11 6449 -c--a-w- c:\program files\hijackthis.log
2005-02-16 15:06 . 2005-02-16 15:06 218112 -c--a-w- c:\program files\HijackThis.exe
2009-07-15 07:28 . 2009-07-15 07:28 1112325 --sha-w- c:\windows\system32\gigazayu.exe
2009-07-13 07:28 . 2009-07-13 07:28 3 --sha-w- c:\windows\system32\vefukufe.dll
2008-08-04 01:56 . 2008-08-04 01:43 544 -csha-w- c:\windows\system32\drivers\fidbox2.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"="f:\malwarebytes' anti-malware\mbam.exe" [2009-09-10 1312080]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Logitech G35"="c:\program files\Logitech\G35\G35.exe" [2009-01-08 1795344]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-11 515416]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-01-11 577536]
c:\documents and settings\Dean\Start Menu\Programs\Startup\
Logitech blank Product Registration.lnk - c:\program files\Logitech\G35\eReg.exe [2008-2-13 493832]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\InocIT.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\Shellscn.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\Realmon.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\WINDOWS\\system32\\imapi.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\msconfig.exe"=
"c:\\Program Files\\Logitech\\G35\\eReg.exe"=
"c:\\Program Files\\Logitech\\G35\\G35.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\Core-Static\\CLIStart.exe"=
"c:\\Program Files\\Windows Media Player\\wmpnscfg.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\AAWTray.exe"=
"c:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader 6112
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/11/2009 3:28 AM 64160]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [5/24/2006 5:34 PM 13696]
R1 BS_I2cIo;BS_I2cIo;c:\windows\system32\drivers\BS_I2cIo.sys [7/8/2008 3:12 AM 16768]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 5:34 PM 951632]
R3 LADF_DHP2;G35 DHP2 Filter Driver;c:\windows\system32\drivers\ladfDHP2i386.sys [9/7/2009 10:53 PM 53392]
R3 LADF_SBVM;G35 SBVM Filter Driver;c:\windows\system32\drivers\ladfSBVMi386.sys [9/7/2009 10:53 PM 334992]
S3 BS_Flash;BS_Flash;\??\c:\program files\Tseries BIOS Update\Award\BS_Flash.sys --> c:\program files\Tseries BIOS Update\Award\BS_Flash.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2009-10-14 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 07:26]
2009-10-15 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/puccini/start
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Dean\Application Data\Mozilla\Firefox\Profiles\lye4uqsi.default\
FF - prefs.js: browser.startup.homepage - hxxp://home.myspace.com/index.cfm?fuseaction=user&MyToken=cdf9d9df-9b0c-4304-837d-e5483724c6cf
FF - component: c:\documents and settings\Dean\Application Data\Mozilla\Firefox\Profiles\lye4uqsi.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCID.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
BHO-{2db42c15-81ea-4ab2-9d88-8e8fbe542142} - koyubevu.dll
HKLM-Run-rewifepon - c:\windows\system32\wuvoseti.dll
HKLM-Run-86899141 - c:\docume~1\ALLUSE~1\APPLIC~1\86899141\86899141.exe
HKLM-Run-kosonituho - zatajipi.dll
SharedTaskScheduler-{b15eccdf-fe6d-4518-8bb7-39584fed4d7a} - c:\windows\system32\wuvoseti.dll
SSODL-hejavazih-{b15eccdf-fe6d-4518-8bb7-39584fed4d7a} - c:\windows\system32\wuvoseti.dll
AddRemove-Audacity_is1 - c:\program files\Audacity\unins000.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-15 15:16
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(636)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(3980)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\CA\eTrust Antivirus\InoRpc.exe
c:\program files\CA\eTrust Antivirus\InoRT.exe
c:\program files\CA\eTrust Antivirus\InoTask.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\windows\system32\msiexec.exe
c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
.
**************************************************************************
.
Completion time: 2009-10-15 15:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-15 19:29
Pre-Run: 9,830,748,160 bytes free
Post-Run: 9,987,215,360 bytes free
Current=12 Default=12 Failed=11 LastKnownGood=14 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14
761 --- E O F --- 2009-10-15 19:30
#4
Posted 15 October 2009 - 07:44 PM
Open NOTEPAD and copy/paste the text in the quotebox below into it:
FOLDER::
c:\documents and settings\All Users\Application Data\86899141
COLLECT::
c:\windows\system32\gigazayu.exe
FILE::
c:\windows\system32\vefukufe.dll
FIXCSET::
Save this as "CFScript"
Referring to the picture above, drag CFScript.txt into ComboFix.exe
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
Additionally, ComboFix will generate a zipped file at C:\Qoobox\Quarantine\[4]Submit@Date_Time.zip
Before proceeding to the next step, please submit this file to http://www.bleepingc...e.php?channel=4
---------------
ESET Online Scanner
- Please go to the following link ESET Online Scanner Link
- Tick the box YES, I accept the Terms Of Use
- Click the Start button
- Now click the Install button
- Click Start
The scanner engine will initialise and update
- Do Not tick the box Remove found threats
- Click the Scan button
The scan will now run, please be patient
- When the scan finishes click the Details tab
- Copy and paste the contents of the C:\Program Files\EsetOnlineScanner\log.txt back here.
---------------
In your next post, please include fresh logs from:
- Online scan
- ComboFix's log
#5
Posted 15 October 2009 - 08:45 PM
I've only encountered one problem, and it was the first time I ran ComboFix: my screen saver had kicked on, and when I moved my mouse to get the screen back it was initially just black... then I got my mouse, but that was it. I thought it might be part of ComboFix, but I let it sit for a long time and nothing happened... I then restarted my computer and re-ran ComboFix.
EDIT: It's been about 16 minutes and the ESET Online Scanner is seemingly stuck at 17%. I don't mean to not follow instructions, but I want to post the ComboFix log just in case my computer were to freak out and close my browser. When the ESET Online Scanner is completed I will post the log file immediately.
Also, I'm worried because the ESET Online Scanner said it needs access to the Administrator or whatnot, and even though I only have 1 User Profile on this computer, when I boot up in Safe Mode it has a separate "Administrator" log-in which I'm not sure I have the password for. I'm sure I'll find out sooner or later; ESET Online Scanner Log File coming soon.
ComboFix 09-10-15.01 - Dean 10/15/2009 15:52.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1480 [GMT -4:00]
Running from: c:\documents and settings\Dean\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Dean\My Documents\CFScript.txt
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
FILE ::
"c:\windows\system32\vefukufe.dll"
file zipped: c:\windows\system32\gigazayu.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\86899141
c:\windows\Installer\1f52ad.msp
c:\windows\Installer\1f52b2.msp
c:\windows\Installer\1f52b7.msp
c:\windows\Installer\73798.msp
c:\windows\Installer\7379d.msp
c:\windows\Installer\737a2.msp
c:\windows\Installer\737a7.msp
c:\windows\Installer\737ac.msp
c:\windows\Installer\737b1.msp
c:\windows\Installer\737b6.msp
c:\windows\system32\gigazayu.exe
c:\windows\system32\vefukufe.dll
.
((((((((((((((((((((((((( Files Created from 2009-09-15 to 2009-10-15 )))))))))))))))))))))))))))))))
.
2009-10-09 18:43 . 2009-10-09 18:43 -------- d-----w- c:\documents and settings\Dean\Application Data\Malwarebytes
2009-10-09 09:42 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-09 09:42 . 2009-10-11 09:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-09 09:42 . 2009-10-09 09:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-09 09:42 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-11 14:18 . 2004-08-04 04:56 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-08 03:06 . 2009-09-08 03:06 -------- d-----w- c:\program files\Logitech
2009-09-08 02:54 . 2009-09-08 02:54 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2009-08-30 04:44 . 2009-08-30 04:44 -------- d-----w- c:\program files\Ventrilo
2009-08-30 04:44 . 2009-08-30 04:44 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-19 21:16 . 2009-08-19 21:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2009-08-06 23:24 . 2006-05-24 21:25 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2006-05-24 21:25 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2006-05-24 21:25 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2005-05-26 08:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2006-05-24 21:25 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-08-04 04:56 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2006-05-24 21:25 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2009-02-27 11:48 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2009-02-27 11:48 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2006-05-24 21:25 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-06 20:42 . 2006-05-24 21:33 115720 ----a-w- c:\documents and settings\Dean\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2004-08-04 04:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2004-08-04 03:20 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-03 22:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2008-01-30 09:00 . 2006-06-16 22:11 6449 -c--a-w- c:\program files\hijackthis.log
2005-02-16 15:06 . 2005-02-16 15:06 218112 -c--a-w- c:\program files\HijackThis.exe
2008-08-04 01:56 . 2008-08-04 01:43 544 -csha-w- c:\windows\system32\drivers\fidbox2.dat
.
((((((((((((((((((((((((((((( SnapShot@2009-10-15_19.16.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-11 07:03 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
+ 2009-10-09 07:01 . 2009-10-15 19:51 22192 c:\windows\SoftwareDistribution\EventCache\{B6BA84AD-47BB-4BBB-9FBC-F3B200DB3A20}.bin
- 2009-06-25 08:25 . 2009-06-25 08:25 136192 c:\windows\system32\dllcache\msv1_0.dll
+ 2009-06-25 08:25 . 2009-09-11 14:18 136192 c:\windows\system32\dllcache\msv1_0.dll
+ 2008-10-15 18:33 . 2009-08-05 00:44 2189184 c:\windows\system32\dllcache\ntoskrnl.exe
+ 2004-08-03 22:59 . 2009-08-04 14:20 2023936 c:\windows\system32\dllcache\ntkrpamp.exe
- 2004-08-03 22:59 . 2009-02-06 10:32 2023936 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-10-15 18:33 . 2009-08-04 14:20 2066048 c:\windows\system32\dllcache\ntkrnlpa.exe
- 2008-10-15 18:33 . 2009-02-07 23:02 2066048 c:\windows\system32\dllcache\ntkrnlpa.exe
- 2004-08-04 03:20 . 2009-02-06 11:06 2145280 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2004-08-04 03:20 . 2009-08-04 15:13 2145280 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2008-10-15 18:33 . 2009-08-05 00:44 2189184 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2008-10-15 18:33 . 2009-08-04 14:20 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2008-10-15 18:33 . 2009-02-06 10:32 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2008-10-15 18:33 . 2009-02-07 23:02 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-10-15 18:33 . 2009-08-04 14:20 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2008-10-15 18:33 . 2009-02-06 11:06 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2008-10-15 18:33 . 2009-08-04 15:13 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"="f:\malwarebytes' anti-malware\mbam.exe" [2009-09-10 1312080]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Logitech G35"="c:\program files\Logitech\G35\G35.exe" [2009-01-08 1795344]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-11 515416]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-01-11 577536]
c:\documents and settings\Dean\Start Menu\Programs\Startup\
Logitech blank Product Registration.lnk - c:\program files\Logitech\G35\eReg.exe [2008-2-13 493832]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\InocIT.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\Shellscn.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\Realmon.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\WINDOWS\\system32\\imapi.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\msconfig.exe"=
"c:\\Program Files\\Logitech\\G35\\eReg.exe"=
"c:\\Program Files\\Logitech\\G35\\G35.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\Core-Static\\CLIStart.exe"=
"c:\\Program Files\\Windows Media Player\\wmpnscfg.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\AAWTray.exe"=
"c:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader 6112
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/11/2009 3:28 AM 64160]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [5/24/2006 5:34 PM 13696]
R1 BS_I2cIo;BS_I2cIo;c:\windows\system32\drivers\BS_I2cIo.sys [7/8/2008 3:12 AM 16768]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 5:34 PM 951632]
R3 LADF_DHP2;G35 DHP2 Filter Driver;c:\windows\system32\drivers\ladfDHP2i386.sys [9/7/2009 10:53 PM 53392]
R3 LADF_SBVM;G35 SBVM Filter Driver;c:\windows\system32\drivers\ladfSBVMi386.sys [9/7/2009 10:53 PM 334992]
S3 BS_Flash;BS_Flash;\??\c:\program files\Tseries BIOS Update\Award\BS_Flash.sys --> c:\program files\Tseries BIOS Update\Award\BS_Flash.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2009-10-14 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 07:26]
2009-10-15 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/puccini/start
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Dean\Application Data\Mozilla\Firefox\Profiles\lye4uqsi.default\
FF - prefs.js: browser.startup.homepage - hxxp://home.myspace.com/index.cfm?fuseaction=user&MyToken=cdf9d9df-9b0c-4304-837d-e5483724c6cf
FF - component: c:\documents and settings\Dean\Application Data\Mozilla\Firefox\Profiles\lye4uqsi.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCID.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-15 16:04
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(636)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(340)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\windows\system32\ati2evxx.exe
c:\program files\CA\eTrust Antivirus\InoRpc.exe
c:\program files\CA\eTrust Antivirus\InoRT.exe
c:\program files\CA\eTrust Antivirus\InoTask.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2009-10-15 16:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-15 20:15
ComboFix2.txt 2009-10-15 19:31
Pre-Run: 9,885,761,536 bytes free
Post-Run: 9,844,776,960 bytes free
225 --- E O F --- 2009-10-15 19:49
#6
Posted 15 October 2009 - 09:34 PM
Quote
It's been about 16 minutes and the ESET Online Scanner is seemingly stuck at 17%,
#7
Posted 15 October 2009 - 09:41 PM
sUBs, on Oct 15 2009, 05:34 PM, said:
Disable ZoneAlarm + Adaware while you're scanning. Both are real-time scanners. For every file that NOD32 looks at, they both want a peek. So, you end up having to scan a file 3 times. Not only do they do that, they sometimes fight for the right to access the file.
I'm kind of scared to disable Zone Alarm as last time I did so I got the "Security Tool" virus, haha but I trust your judgment.
#8
Posted 15 October 2009 - 10:25 PM
So long as you don't go browsing to other sites while ZA is disabled, you should be okay.
#9
Posted 15 October 2009 - 10:40 PM
Alright cool. I hate to keep you busy reading my replies rather than my logs, it's been at 37% for a half hour now, and it's ironic it's scanning the C:/Qoobox thing I uploaded earlier. :/
#10
Posted 15 October 2009 - 10:44 PM
QooBox is ComboFix's quarantine cache. You may delete it.
#11
Posted 15 October 2009 - 11:02 PM
Again, I hate to bother you... it won't delete because it's currently being scanned... but I wonder if I hit "Stop" on the scan... if it'll start over or just pause?
#12
Posted 15 October 2009 - 11:15 PM
Think it'll be wise to momentarily stop the scan since it's hanging on some QooBox files.
#13
Posted 16 October 2009 - 02:22 AM
ComboFix did the trick, for me, re-fixing the "not a valid Windows image" popups.
Tip: After downloading ComboFix, reboot in Safe Mode, *with* Networking.
Safe mode turned off my AVG anti-virus that I couldn't kill otherwise.
And Networking permits ComboFix to download and install the MS Recovery Console, if it is not already installed, so it can do the most thorough job.
#14
Posted 16 October 2009 - 06:56 PM
C:\Documents and Settings\Dean\My Documents\My Downloads\setup.exe Win32/TrojanDownloader.Zlob.ARF trojan
C:\Documents and Settings\Dean\Shared\01 Track 1.wma WMA/TrojanDownloader.Wimad.K trojan
C:\Documents and Settings\Dean\Shared\05 Track 5.wma probably a variant of Win32/Agent trojan
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\86899141\86899141.exe.vir a variant of Win32/Kryptik.AVG trojan
C:\System Volume Information\_restore{E8C6BB6E-A273-4FD0-A05A-2AEA35E35AAD}\RP2\A0001115.dll a variant of Win32/Adware.SuperJuan.F application
C:\System Volume Information\_restore{E8C6BB6E-A273-4FD0-A05A-2AEA35E35AAD}\RP2\A0001116.dll a variant of Win32/Adware.SuperJuan.F application
C:\System Volume Information\_restore{E8C6BB6E-A273-4FD0-A05A-2AEA35E35AAD}\RP2\A0001117.dll a variant of Win32/Adware.SuperJuan.F application
C:\System Volume Information\_restore{E8C6BB6E-A273-4FD0-A05A-2AEA35E35AAD}\RP4\A0001356.dll a variant of Win32/Adware.SuperJuan.F application
C:\System Volume Information\_restore{E8C6BB6E-A273-4FD0-A05A-2AEA35E35AAD}\RP4\A0001402.exe a variant of Win32/Kryptik.AVG trojan
C:\System Volume Information\_restore{E8C6BB6E-A273-4FD0-A05A-2AEA35E35AAD}\RP4\A0001403.exe a variant of Win32/Kryptik.AVG trojan
C:\System Volume Information\_restore{E8C6BB6E-A273-4FD0-A05A-2AEA35E35AAD}\RP4\A0001407.dll a variant of Win32/Adware.Virtumonde.NFT application
C:\System Volume Information\_restore{E8C6BB6E-A273-4FD0-A05A-2AEA35E35AAD}\RP5\A0002503.dll a variant of Win32/KillAV.NFZ trojan
C:\System Volume Information\_restore{E8C6BB6E-A273-4FD0-A05A-2AEA35E35AAD}\RP5\A0002505.dll a variant of Win32/AntiAV.NCZ trojan
C:\System Volume Information\_restore{E8C6BB6E-A273-4FD0-A05A-2AEA35E35AAD}\RP5\A0002506.dll a variant of Win32/Adware.SuperJuan.F application
C:\System Volume Information\_restore{E8C6BB6E-A273-4FD0-A05A-2AEA35E35AAD}\RP5\A0002507.dll a variant of Win32/Adware.SuperJuan.F application
C:\System Volume Information\_restore{E8C6BB6E-A273-4FD0-A05A-2AEA35E35AAD}\RP5\A0002508.dll a variant of Win32/AntiAV.NCZ trojan
C:\System Volume Information\_restore{E8C6BB6E-A273-4FD0-A05A-2AEA35E35AAD}\RP5\A0002509.dll a variant of Win32/Adware.SuperJuan.H application
C:\System Volume Information\_restore{E8C6BB6E-A273-4FD0-A05A-2AEA35E35AAD}\RP5\A0002512.dll a variant of Win32/AntiAV.NCZ trojan
C:\System Volume Information\_restore{E8C6BB6E-A273-4FD0-A05A-2AEA35E35AAD}\RP5\A0002513.dll Win32/KillAV.NFO trojan
C:\System Volume Information\_restore{E8C6BB6E-A273-4FD0-A05A-2AEA35E35AAD}\RP5\A0002514.dll a variant of Win32/AntiAV.NCZ trojan
C:\System Volume Information\_restore{E8C6BB6E-A273-4FD0-A05A-2AEA35E35AAD}\RP5\A0002515.dll a variant of Win32/Adware.SuperJuan.H application
C:\System Volume Information\_restore{E8C6BB6E-A273-4FD0-A05A-2AEA35E35AAD}\RP5\A0002516.dll a variant of Win32/Adware.SuperJuan.H application
C:\System Volume Information\_restore{E8C6BB6E-A273-4FD0-A05A-2AEA35E35AAD}\RP5\A0002521.dll a variant of Win32/Adware.Virtumonde.NFT application
C:\System Volume Information\_restore{E8C6BB6E-A273-4FD0-A05A-2AEA35E35AAD}\RP5\A0002523.dll a variant of Win32/Adware.SuperJuan.H application
C:\System Volume Information\_restore{E8C6BB6E-A273-4FD0-A05A-2AEA35E35AAD}\RP5\A0002524.dll a variant of Win32/AntiAV.NCZ trojan
C:\System Volume Information\_restore{E8C6BB6E-A273-4FD0-A05A-2AEA35E35AAD}\RP5\A0002525.dll a variant of Win32/AntiAV.NCZ trojan
#15
Posted 16 October 2009 - 06:59 PM
Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"
for %%g in (
"C:\Documents and Settings\Dean\My Documents\My Downloads\setup.exe"
"C:\Documents and Settings\Dean\Shared\01 Track 1.wma"
"C:\Documents and Settings\Dean\Shared\05 Track 5.wma"
) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
for %%g in (
"%systemdrive%\VundoFix Backups"
%systemdrive%\Qoobox
) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
if exist "%temp%\log.txt" (
start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!
pause
del %0

Save this as fix.bat. Choose "Save type as - All Files".
Double click on fix.bat & allow it to run.
Post back to tell me what it says.
#16
Posted 17 October 2009 - 11:14 PM
It opened a command prompt that said...
"Deleted Successfully!!
Press any key to continue..."
#17
Posted 17 October 2009 - 11:16 PM
Of the stuff found,
C:\QooBox is ComboFix's quarantine folder. We'll take care of it when we uninstall ComboFix
C:\System Volume Information\ is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be resetting/clearing the cache in a little while.
----------------------
Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:
- Uninstall ComboFix ... do not skip this step
This process will perform some post cleanup measures.
Do this by going to Start > Run & typing in ComboFix /U
- ANTIVIRUS SOFTWARE
It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
- Microsoft Windows Update → http://www.windowsupdate.com
Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
- http://www.mozilla.o...oducts/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
- http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
- http://www.aumha.org...erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.
NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://www.spywarein...showtopic=60955
After doing all these, your system will be optimised against future threats.
.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.
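The triage in post #17 (hits in live user directories vs. ComboFix's QooBox quarantine vs. System Restore snapshots under System Volume Information) can be applied mechanically to result lines of the shape posted in #14. The script below is an added example and is not code from this thread, from ESET or from ComboFix. The sample lines are constructed from the posted output, and the assumptions about ESET's line format (a path that may contain spaces, an optional "a variant of" / "probably a variant of" qualifier, a detection name containing a slash, a trailing category word "trojan" or "application"), the location rules and all function names are mine.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List

# Constructed sample, shaped like the ESET Online Scanner lines in post #14.
SAMPLE_LINES = (
    "C:\\Documents and Settings\\Dean\\My Documents\\My Downloads\\setup.exe Win32/TrojanDownloader.Zlob.ARF trojan\n"
    "C:\\Documents and Settings\\Dean\\Shared\\01 Track 1.wma WMA/TrojanDownloader.Wimad.K trojan\n"
    "C:\\Documents and Settings\\Dean\\Shared\\05 Track 5.wma probably a variant of Win32/Agent trojan\n"
    "C:\\Qoobox\\Quarantine\\C\\Documents and Settings\\All Users\\Application Data\\86899141\\86899141.exe.vir a variant of Win32/Kryptik.AVG trojan\n"
    "C:\\System Volume Information\\_restore{E8C6BB6E-A273-4FD0-A05A-2AEA35E35AAD}\\RP5\\A0002503.dll a variant of Win32/KillAV.NFZ trojan\n"
    "C:\\System Volume Information\\_restore{E8C6BB6E-A273-4FD0-A05A-2AEA35E35AAD}\\RP5\\A0002509.dll a variant of Win32/Adware.SuperJuan.H application\n"
)

# Assumed line format: <path> [probably ][a variant of ]<family/name> <trojan|application>
# The path may contain spaces, so it is matched lazily; the detection name is
# pinned by its mandatory "/" (Windows paths use backslashes) and the trailing word.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?:(?P<qualifier>(?:probably )?a variant of)\s+)?"
    r"(?P<name>\S+/\S+)\s+"
    r"(?P<kind>trojan|application)\s*$"
)

# Restore-point directory inside a System Restore snapshot, e.g. ...\RP5\A0002503.dll
RP_RE = re.compile(r"\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\", re.IGNORECASE)


@dataclass
class Detection:
    path: str
    name: str
    kind: str
    qualifier: str      # "" for an exact signature match, else ESET's heuristic wording
    location: str       # live | combofix_quarantine | system_restore
    restore_point: str  # "RP5" etc. for system_restore hits, else ""


def classify_location(path: str) -> str:
    """Apply the post #17 rules: quarantine and restore snapshots are inert copies."""
    low = path.lower()
    if low.startswith("c:\\qoobox\\"):
        return "combofix_quarantine"
    if "\\system volume information\\_restore{" in low:
        return "system_restore"
    return "live"


def parse_eset_lines(text: str) -> List[Detection]:
    out: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ESET line: {line!r}")
        path = m.group("path")
        loc = classify_location(path)
        rp = RP_RE.search(path)
        out.append(Detection(
            path=path,
            name=m.group("name"),
            kind=m.group("kind"),
            qualifier=m.group("qualifier") or "",
            location=loc,
            restore_point=rp.group(1) if (loc == "system_restore" and rp) else "",
        ))
    return out


def triage(detections: List[Detection]) -> dict:
    """Group detections by where they sit on disk."""
    by_loc = defaultdict(list)
    for d in detections:
        by_loc[d.location].append(d)
    return dict(by_loc)


def paths_for_removal(detections: List[Detection]) -> List[str]:
    """Only live-filesystem hits need a targeted delete (the job fix.bat in post #15 does)."""
    return [d.path for d in detections if d.location == "live"]


def families(detections: List[Detection]) -> dict:
    counts = defaultdict(int)
    for d in detections:
        counts[d.name] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_eset_lines(SAMPLE_LINES)
    for loc, items in triage(recs).items():
        print(f"{loc}: {len(items)}")
        for d in items:
            tag = f" ({d.restore_point})" if d.restore_point else ""
            print(f"  {d.name} [{d.kind}]{tag} <- {d.path}")
    print("delete:", paths_for_removal(recs))
```

Quarantine copies (the `.vir` suffix under QooBox) and restore-point copies are reported separately so they are not mistaken for an active reinfection; the former go away with `ComboFix /U`, the latter when the System Restore cache is cleared, exactly as the helper describes.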
#18
Posted 17 October 2009 - 11:27 PM
Haha, I'm so pumped up, thank you so much for helping me do this, is there a way to donate or?
#19
Posted 17 October 2009 - 11:29 PM
There's no need to donate. My help is free.