I started getting Spyware Protect 2009 popups and redirects to unwanted websites. MBAM would not run. System restore would not run. After reading a post on this forum I used 'randmbam.exe' and was able to run MBAM. After removing infected files and rebooting MBAM still detects 1 infected file (C:\WINDOWS\system32\uacinit.dll) after several attempts to delete on reboot. After running MBAM I, scanned with HijackThis and RootRepeal. Below are the most recent log files for MBAM, HijackThis, and RootRepeal. Thanks for any help.

Russell


Malwarebytes' Anti-Malware 1.36
Database version: 2162
Windows 5.1.2600 Service Pack 3

5/21/2009 12:21:43 PM
mbam-log-2009-05-21 (12-21-43).txt

Scan type: Quick Scan
Objects scanned: 86719
Time elapsed: 3 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31:21 PM, on 5/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
O1 - Hosts: 94.232.248.66 antivirprotection.com
O1 - Hosts: 94.232.248.66 www.antivirprotection.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HyperWorks Desktop Quick Launch.lnk = C:\Altair\hw9.0\hw\bin\win32\hw.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_4.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 6794 bytes




ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/05/21 12:36
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF4757000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7BB7000 Size: 8192 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB8F62000 Size: 45056 File Visible: No
Status: -

Name: UACqfulhrqhopappet.sys
Image Path: C:\WINDOWS\system32\drivers\UACqfulhrqhopappet.sys
Address: 0xF49CA000 Size: 77824 File Visible: -
Status: Hidden from Windows API!

Name: zlvs.sys
Image Path: C:\WINDOWS\system32\drivers\zlvs.sys
Address: 0xF4813000 Size: 61440 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\UACaqttwukblkltprr.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACgihujkxvdllrfpu.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACngwhlmaaymuyqxu.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACuoimiqpldggyeol.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACvqypwxdqgqmuwns.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACwtnkvpjjuljxtuy.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACymknjxyiwsipjro.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACqfulhrqhopappet.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Russell\Local Settings\Temp\UAC6be1.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Russell\Local Settings\Temp\Temporary Internet Files\Content.IE5\5J11VUK3\3Dfbqiln%2Cbdrhyrfdcpjc%26s%3D%26bg1%3D%26bg2%3D%26bg3%3D%26fid%3D%26sp%3D0%26cat%3D%26tvvid%3D%26tvch%3D%26tvcat%3D%26tvmcat%3D%26nwcat%3D%26nwvert%3D%26dwcat%3D,;ord=1192485830
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Russell\Local Settings\Temp\Temporary Internet Files\Content.IE5\5J11VUK3\click,wRMAAMtmAwDyeAUAUkwCAAIAAAAAAP8AAAACEAIABgJilAMAuqMDAAAAAAAA[2].com%2Fst%3Fad_type%3Diframe%26ad_size%3D728x90%26site%3D128535%26bvs%3D28%26hvs%3Dbbjrmuoop,;ord=1192486095
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Russell\Local Settings\Temp\Temporary Internet Files\Content.IE5\6XX3UQ36\click,WaUDADi3AwBfxQcAPMQCAAAABAAAAAcAAQACDwIAAgKTrgEAr0kEAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAMDWE0cAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D12h26s45h%2FM%3D619213[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Russell\Local Settings\Temp\Temporary Internet Files\Content.IE5\6XX3UQ36\click,WaUDADi3AwBfxQcAPMQCAAAACAAAAAMAAgACDwIAAgKTrgEAr0kEAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAP.WE0cAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D12ggj6vp4%2FM%3D619213[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Russell\Local Settings\Temp\Temporary Internet Files\Content.IE5\6XX3UQ36\click,WaUDALywAwBfxQcAPMQCAAIAAAAAAP8AAAACDwIAAgKTrgEAr0kEAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAGLVE0cAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D12h92f3n9%2FM%3D619213[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Russell\Local Settings\Temp\Temporary Internet Files\Content.IE5\6XX3UQ36\kiyvza%2Cbdrhylrdemog%26s%3D%26bg1%3D%26bg2%3D%26bg3%3D%26fid%3D%26sp%3D0%26cat%3D%26tvvid%3D%26tvch%3D%26tvcat%3D4%26tvmcat%3D0%26nwcat%3D%26nwvert%3D%26dwcat%3D,;ord=1192485250
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Russell\Local Settings\Temp\Temporary Internet Files\Content.IE5\GIIFJRNC\26rnd%3D072706137%26ged%3D0%3A0%3Anjmyotfmmjhindhln2y0mqkzsamewfp8vibs-l-8o8pu3erw-ib_fybiupnai-t721ylo7ubjzersybqpw3fgkdb80ksv-f8oxjn1kjdsxbz6wgioo6-fhr_per0vdgl,;ord=1192485771
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Russell\Local Settings\Temp\Temporary Internet Files\Content.IE5\GIIFJRNC\26rnd%3D416706697%26ged%3D0%3A0%3Anjmyotfmmjhindhln2y0mqkzsamewfp8vibs-l-8o8pu3erw-ib_fybiupnai-t721ylo7ubjzersybqpw3fgkdb80ksv-f8oxjn1kjdsxbz6wgioo6-fhr_per0vdgl,;ord=1192485690
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Russell\Local Settings\Temp\Temporary Internet Files\Content.IE5\GIIFJRNC\rr%2Cbdrhzgkjfmro%26s%3D%26bg1%3D%26bg2%3D%26bg3%3D%26fid%3D729623%26sp%3D0%26cat%3D%26tvvid%3D%26tvch%3D%26tvcat%3D%26tvmcat%3D%26nwcat%3D%26nwvert%3D%26dwcat%3D,;ord=1192486090
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Russell\Local Settings\Temp\Temporary Internet Files\Content.IE5\LF77FNIL\iuyjnz%2Cbdrhyjnftnzr%26s%3D%26bg1%3D%26bg2%3D%26bg3%3D%26fid%3D%26sp%3D0%26cat%3D%26tvvid%3D%26tvch%3D%26tvcat%3D4%26tvmcat%3D0%26nwcat%3D%26nwvert%3D%26dwcat%3D,;ord=1192485166
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Russell\Local Settings\Temp\Temporary Internet Files\Content.IE5\LF77FNIL\26rnd%3D835669619%26ged%3D0%3A0%3Anjmyotfmmjhindhln2y0mqkzsamewfp8vibs-l-8o8pu3erw-ib_fybiupnai-t721ylo7ubjzersybqpw3fgkdb80ksv-f8oxjn1kjdsxbz6wgioo6-fhr_per0vdgl,;ord=1192485695
Status: Locked to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: AcLayer.dll]
Process: mscorsvw.exe (PID: 4004) Address: 0x01220000 Size: 512000

Object: Hidden Module [Name: mscorlib.dll]
Process: mscorsvw.exe (PID: 4004) Address: 0x03820000 Size: 4452352

Object: Hidden Module [Name: System.Drawing.dll]
Process: mscorsvw.exe (PID: 4004) Address: 0x03e10000 Size: 643072

Object: Hidden Module [Name: acmgd.dll]
Process: mscorsvw.exe (PID: 4004) Address: 0x03db0000 Size: 303104

Object: Hidden Module [Name: System.Windows.Forms.dll]
Process: mscorsvw.exe (PID: 4004) Address: 0x04240000 Size: 5017600

Object: Hidden Module [Name: acdbmgd.dll]
Process: mscorsvw.exe (PID: 4004) Address: 0x03eb0000 Size: 1781760

Object: Hidden Module [Name: System.dll]
Process: mscorsvw.exe (PID: 4004) Address: 0x04710000 Size: 3084288

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACqfulhrqhopappet.sys

1. Download CCleaner by clicking the Latest Version arrow on the right.
http://www.filehippo.com/download_ccleaner/Download

Double-click CC setup file to launch the installer

1. Note: CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, When the install options are presented, UNCHECK the last install option to "Add CCleaner Yahoo! Toolbar and use CCLeaner from your browser".

Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

Then select the items you wish to clean up.
In the Windows Tab:

* Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.
* Clean all the entries in the "Windows Explorer" section.
* Clean all entries in the "System" section.
* Clean all entries in the "Advanced" section.
* Clean any others that you choose.

In the Applications Tab:

* Clean all except cookies in the Firefox/Mozilla section if you use it.
* Clean all in the Opera section if you use it.
* Clean Sun Java in the Internet Section.
* Clean any others that you choose.

Click the "Run Cleaner" button.
A pop up box will appear advising this process will permanently delete files from your system.
Click "OK" and it will scan and clean your system.
Click "exit" when done.

2. Rename MBAM exe but don't update or run yet:
Rename "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" ->
"C:\Program Files\Malwarebytes' Anti-Malware\newyork.exe"

Right-click the Malwarebytes' Anti-Malware desktop shortcut and click "Properties":
In the "target" field replace the path found there with (leave the quotes):
with "C:\Program Files\Malwarebytes' Anti-Malware\newyork.exe"

3. Run a RootRepeal hidden file scan on C and wipe rootkit UAC driver if found:


Disable the active protection component (guard) of your antivirus)- this can usually be accomplished by right-clicking your AV's system tray icon, and then selecting the disable feature from the context menu.

Reopen RootRepeal:

• Double-click RootRepeal.exe to launch the program (Vista users should right-click and select "Run as Administrator).
• Click the "File" tab (located at the bottom of the RootRepeal screen)
• Click the "Scan" button
• In the popup dialog, check the drives to be scanned - making sure to check your primary operating system drive - C:
• Click OK and the file scan will begin
• Click the "Save Report" Button
• Save the log file to your Documents folder
• After the scan identifies and displays the hidden files present on your system, use your mouse to highlight the the rootkit driver (SYS) file in the Rootrepeal window that has a very long name that begins with with "UAC" and has a SYS file extension with a name the same as, or similar to this:
  C:\WINDOWS\system32\drivers\UACqfulhrqhopappet.sys
• Next right-click the file noted above (the name may vary but it will begin with "UAC" and be very long), and select the *wipe file* option only.
• Post the content of the RootRepeal file scan log in your next reply.

4. Reboot Immediately

5. Launch the renamed MBAM and run quick scan, Clear all infections and save/post log.
Now, relaunch MBAM by double-clicking newyork.exe in the MBAM folder or the desktop shortcut.

• Select the Update tab -> Check for Updates
• After MBAM updates, select the Scanner tab.
• Select Perform quick scan, then click Scan.
• When the scan is complete, click OK -> Show Results to view the scan results.
• Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
• When the scan is done, a log will open in Notepad with the scan results. Please post the results in your next reply.

NOTE: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

8. Please download Combofix from one of these locations:
HERE or HERE

I want you to rename Combofix.exe as you download it to a name of your choice such as berylman

Notes:

• It is very important that save the newly renamed EXE file to your desktop.
• You must rename Combofixe.exe as you download it and not after it is on your computer.
  
  You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
  • Open Firefox
  • Click Tools -> Options -> Main
  • Under the downloads section check the button that says "Always ask me where to save files".
  • Click OK
  
  
• For Internet Explorer:
  • Choose to save, not open the file
  • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console - if you have not done that already:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:
http://www.bleepingcomputer.com/forums/topic114351.html

Also, disable your firewall!
You can enable the Window firewall in the interim, until the scan is complete.

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

9. Run Combofix and post back the log.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

• Close any open browsers.
• Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Double click on the renamed combofix.exe (berylman) & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt
3. Post the contents of that log in your next reply with a new hijackthis log.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang. Do not proceed with the rest of the fix if you fail to run combofix.

Please post C:\ComboFix.txt, your new RootRepeal log, and a new MBAM log in your next reply.

I ran Ccleaner and RootRepeal as instructed. Ran MBAM and successfully deleted all items. Updated MBAM and scanned again, and found no infected files. Downloaded ComboFix and saved as BerylFix.exe. Ran BerylFix as instructed. Ran HijackThis. The RootRepeal, MBAM, and ComboFix logs are posted below.

ComboFix caused the system to reboot before producing its log file. Is this normal?

Thanks.

Russell



ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/05/22 08:56
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\UACaqttwukblkltprr.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACgihujkxvdllrfpu.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACngwhlmaaymuyqxu.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACuoimiqpldggyeol.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACvqypwxdqgqmuwns.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACwtnkvpjjuljxtuy.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACymknjxyiwsipjro.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACqfulhrqhopappet.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Russell\Local Settings\Temp\UAC6be1.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Russell\Local Settings\Temp\Temporary Internet Files\Content.IE5\5J11VUK3\3Dfbqiln%2Cbdrhyrfdcpjc%26s%3D%26bg1%3D%26bg2%3D%26bg3%3D%26fid%3D%26sp%3D0%26cat%3D%26tvvid%3D%26tvch%3D%26tvcat%3D%26tvmcat%3D%26nwcat%3D%26nwvert%3D%26dwcat%3D,;ord=1192485830
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Russell\Local Settings\Temp\Temporary Internet Files\Content.IE5\5J11VUK3\click,wRMAAMtmAwDyeAUAUkwCAAIAAAAAAP8AAAACEAIABgJilAMAuqMDAAAAAAAA[2].com%2Fst%3Fad_type%3Diframe%26ad_size%3D728x90%26site%3D128535%26bvs%3D28%26hvs%3Dbbjrmuoop,;ord=1192486095
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Russell\Local Settings\Temp\Temporary Internet Files\Content.IE5\6XX3UQ36\click,WaUDADi3AwBfxQcAPMQCAAAABAAAAAcAAQACDwIAAgKTrgEAr0kEAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAMDWE0cAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D12h26s45h%2FM%3D619213[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Russell\Local Settings\Temp\Temporary Internet Files\Content.IE5\6XX3UQ36\click,WaUDADi3AwBfxQcAPMQCAAAACAAAAAMAAgACDwIAAgKTrgEAr0kEAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAP.WE0cAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D12ggj6vp4%2FM%3D619213[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Russell\Local Settings\Temp\Temporary Internet Files\Content.IE5\6XX3UQ36\click,WaUDALywAwBfxQcAPMQCAAIAAAAAAP8AAAACDwIAAgKTrgEAr0kEAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAGLVE0cAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D12h92f3n9%2FM%3D619213[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Russell\Local Settings\Temp\Temporary Internet Files\Content.IE5\6XX3UQ36\kiyvza%2Cbdrhylrdemog%26s%3D%26bg1%3D%26bg2%3D%26bg3%3D%26fid%3D%26sp%3D0%26cat%3D%26tvvid%3D%26tvch%3D%26tvcat%3D4%26tvmcat%3D0%26nwcat%3D%26nwvert%3D%26dwcat%3D,;ord=1192485250
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Russell\Local Settings\Temp\Temporary Internet Files\Content.IE5\GIIFJRNC\26rnd%3D072706137%26ged%3D0%3A0%3Anjmyotfmmjhindhln2y0mqkzsamewfp8vibs-l-8o8pu3erw-ib_fybiupnai-t721ylo7ubjzersybqpw3fgkdb80ksv-f8oxjn1kjdsxbz6wgioo6-fhr_per0vdgl,;ord=1192485771
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Russell\Local Settings\Temp\Temporary Internet Files\Content.IE5\GIIFJRNC\26rnd%3D416706697%26ged%3D0%3A0%3Anjmyotfmmjhindhln2y0mqkzsamewfp8vibs-l-8o8pu3erw-ib_fybiupnai-t721ylo7ubjzersybqpw3fgkdb80ksv-f8oxjn1kjdsxbz6wgioo6-fhr_per0vdgl,;ord=1192485690
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Russell\Local Settings\Temp\Temporary Internet Files\Content.IE5\GIIFJRNC\rr%2Cbdrhzgkjfmro%26s%3D%26bg1%3D%26bg2%3D%26bg3%3D%26fid%3D729623%26sp%3D0%26cat%3D%26tvvid%3D%26tvch%3D%26tvcat%3D%26tvmcat%3D%26nwcat%3D%26nwvert%3D%26dwcat%3D,;ord=1192486090
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Russell\Local Settings\Temp\Temporary Internet Files\Content.IE5\LF77FNIL\iuyjnz%2Cbdrhyjnftnzr%26s%3D%26bg1%3D%26bg2%3D%26bg3%3D%26fid%3D%26sp%3D0%26cat%3D%26tvvid%3D%26tvch%3D%26tvcat%3D4%26tvmcat%3D0%26nwcat%3D%26nwvert%3D%26dwcat%3D,;ord=1192485166
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Russell\Local Settings\Temp\Temporary Internet Files\Content.IE5\LF77FNIL\26rnd%3D835669619%26ged%3D0%3A0%3Anjmyotfmmjhindhln2y0mqkzsamewfp8vibs-l-8o8pu3erw-ib_fybiupnai-t721ylo7ubjzersybqpw3fgkdb80ksv-f8oxjn1kjdsxbz6wgioo6-fhr_per0vdgl,;ord=1192485695
Status: Locked to the Windows API!




Malwarebytes' Anti-Malware 1.36
Database version: 2166
Windows 5.1.2600 Service Pack 3

5/22/2009 9:15:28 AM
mbam-log-2009-05-22 (09-15-28).txt

Scan type: Quick Scan
Objects scanned: 83024
Time elapsed: 3 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




ComboFix 09-05-21.08 - Russell 05/22/2009 9:35.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.714 [GMT -7:00]
Running from: c:\documents and settings\Russell\Desktop\BerylFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\UACaqttwukblkltprr.dat
c:\windows\system32\UACngwhlmaaymuyqxu.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-04-22 to 2009-05-22 )))))))))))))))))))))))))))))))
.

2009-05-22 15:35 . 2009-05-22 15:35 -------- d-----w c:\program files\CCleaner
2009-05-21 18:01 . 2009-03-30 17:33 96104 ----a-w c:\windows\system32\drivers\avipbb.sys
2009-05-21 18:01 . 2009-03-24 23:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-21 18:01 . 2009-02-13 19:29 22360 ----a-w c:\windows\system32\drivers\avgntmgr.sys
2009-05-21 18:01 . 2009-02-13 19:17 45416 ----a-w c:\windows\system32\drivers\avgntdd.sys
2009-05-21 18:01 . 2009-05-21 18:01 -------- d-----w c:\program files\Avira
2009-05-21 18:01 . 2009-05-21 18:01 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-05-21 17:47 . 2009-05-21 17:47 -------- d-----w c:\program files\Trend Micro
2009-05-02 16:47 . 2009-05-02 16:47 -------- d-----w c:\documents and settings\Russell\Application Data\Malwarebytes
2009-05-02 16:47 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-02 16:47 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-02 16:47 . 2009-05-21 17:44 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-02 16:47 . 2009-05-02 16:47 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-11 03:20 . 2007-04-23 16:17 1835 ----a-w c:\documents and settings\Russell\Application Data\SAS7_000.DAT
2009-05-06 01:25 . 2007-05-18 21:30 -------- d-----w c:\documents and settings\Russell\Application Data\SolidWorks
2009-04-10 16:06 . 2008-02-11 19:31 -------- d-----w c:\program files\Java
2009-04-10 16:05 . 2009-04-10 16:05 152576 ----a-w c:\documents and settings\Russell\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-27 23:53 . 2009-03-27 23:53 -------- d-----w c:\program files\Any Video Converter
2009-03-27 23:53 . 2009-03-27 23:53 -------- d-----w c:\documents and settings\Russell\Application Data\Any Video Converter
2009-03-27 23:12 . 2007-04-27 17:46 -------- d-----w c:\program files\DivX
2009-03-27 23:12 . 2009-03-27 23:12 -------- d-----w c:\program files\Common Files\DivX Shared
2009-03-26 20:15 . 2009-03-26 20:12 -------- d-----w c:\program files\Windows Live Safety Center
2009-03-10 15:41 . 2009-03-10 15:41 152576 ----a-w c:\documents and settings\Russell\Application Data\Sun\Java\jre1.6.0_12\lzma.dll
2009-03-09 12:19 . 2008-12-15 22:19 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2006-02-28 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-02-28 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2007-11-01 22:29 . 2007-05-07 06:02 104 --sh--r c:\windows\system32\4A8C5AE666.sys
2007-11-01 22:30 . 2007-05-07 05:56 3350 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2007-12-30 1365504]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]

c:\documents and settings\Russell\Start Menu\Programs\Startup\
Dragon NaturallySpeaking.lnk - c:\program files\Nuance\NaturallySpeaking9\Program\natspeak.exe [2006-12-11 2332264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2006-9-10 10872]
HyperWorks Desktop Quick Launch.lnk - c:\altair\hw9.0\hw\bin\win32\hw.exe [2009-1-23 471040]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-3-31 114688]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2006-3-26 257752]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\MATLAB7\\bin\\win32\\MATLAB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office\\WINWORD.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/21/2009 11:01 AM 108289]
.
Contents of the 'Scheduled Tasks' folder

2009-01-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:57]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-22 09:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1620)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\devldr32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-22 9:44 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-22 16:44

Pre-Run: 17,206,472,704 bytes free
Post-Run: 17,130,889,216 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

145 --- E O F --- 2009-05-13 18:55

I wasn't sure if you wanted the RootRepeal log from the run to remove the UAC.sys or another scan after running ComboFix. The following is a report log from a RootRepeal scan AFTER runnning ComboFix.

Russell



ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/05/22 10:29
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF4776000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B9B000 Size: 8192 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB9704000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf7cd5fc6

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf7cd5fbc

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xf7cd5fcb

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xf7cd5fd5

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xf7cd5fda

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf7cd5fa8

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf7cd5fad

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xf7cd5fe4

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xf7cd5fdf

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xf7cd5fd0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xf7cd5fb7

Stealth Objects
-------------------
Object: Hidden Module [Name: AcLayer.dll]
Process: mscorsvw.exe (PID: 3292) Address: 0x01220000 Size: 512000

Object: Hidden Module [Name: mscorlib.dll]
Process: mscorsvw.exe (PID: 3292) Address: 0x03820000 Size: 4452352

Object: Hidden Module [Name: System.Drawing.dll]
Process: mscorsvw.exe (PID: 3292) Address: 0x03e10000 Size: 643072

Object: Hidden Module [Name: acmgd.dll]
Process: mscorsvw.exe (PID: 3292) Address: 0x03db0000 Size: 303104

Object: Hidden Module [Name: System.Windows.Forms.dll]
Process: mscorsvw.exe (PID: 3292) Address: 0x04240000 Size: 5017600

Object: Hidden Module [Name: acdbmgd.dll]
Process: mscorsvw.exe (PID: 3292) Address: 0x03eb0000 Size: 1781760

Object: Hidden Module [Name: System.dll]
Process: mscorsvw.exe (PID: 3292) Address: 0x04710000 Size: 3084288

You're welcome and very good job!



Since it deleted a driver, it's possible that it needed to reboot more than once. The first time to make sure the driver wasn't loaded and the second time to delete it.

Launch HijackThis (HJT)by right-clicking the desktop shortcut and choosing "Run as Administrator". Choose the Scan Only option. Close all programs except HJT and all browser windows, then check the following items for removal and click on "Fix Checked":

O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
O1 - Hosts: 94.232.248.66 antivirprotection.com
O1 - Hosts: 94.232.248.66 www.antivirprotection.com

Exit HJT

We have some more files and registry entries to clean up that we will manually specify for deletion by using a Combofix script.

It is important that you follow the next set of instructions precisely.

Open Notepad by hitting Start -> run, typing notepad into the Open: box, and then clicking OK.
On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).
Copy/paste the text in the code box below into Notepad.
Save this to your desktop as CFScript.txt by selecting File -> Save as.



Now, disable your Avira guard and any script blocking programs you may have running - you should re-enable your AV after Combofix produces a log.



Referring to the picture above, drag CFScript.txt into the renamed ComboFix.exe (cartwheel.exe on your desktop)

This will cause ComboFix to run again.

Please post back the log that is opens when it finishes and a new HJT log.

Please upload this file to theVirus Total Scanner by browsing to its folder. Only post report back if threat detections were found:
c:\documents and settings\Russell\Application Data\Sun\Java\jre1.6.0_13\lzma.dll

I ran Hijack this, but found no "01 Hosts" entries to fix. Ran the Combofix script as instructed. Uploaded 'lzma.dll' file to Virus Total Scanner and found NO threat detections. The ComboFix and HJT logs are below.

Russell



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:32:48 PM, on 5/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\Nuance\NATURA~1\Program\natspeak.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HyperWorks Desktop Quick Launch.lnk = C:\Altair\hw9.0\hw\bin\win32\hw.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_4.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 6559 bytes




ComboFix 09-05-22.05 - Russell 05/22/2009 22:16.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.726 [GMT -7:00]
Running from: c:\documents and settings\Russell\Desktop\BerylFix.exe
Command switches used :: c:\documents and settings\Russell\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\4A8C5AE666.sys
c:\windows\system32\UACaqttwukblkltprr.dat
c:\windows\system32\UACngwhlmaaymuyqxu.log

.
((((((((((((((((((((((((( Files Created from 2009-04-23 to 2009-05-23 )))))))))))))))))))))))))))))))
.

2009-05-22 15:35 . 2009-05-22 15:35 -------- d-----w c:\program files\CCleaner
2009-05-21 18:01 . 2009-03-30 17:33 96104 ----a-w c:\windows\system32\drivers\avipbb.sys
2009-05-21 18:01 . 2009-03-24 23:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-21 18:01 . 2009-02-13 19:29 22360 ----a-w c:\windows\system32\drivers\avgntmgr.sys
2009-05-21 18:01 . 2009-02-13 19:17 45416 ----a-w c:\windows\system32\drivers\avgntdd.sys
2009-05-21 18:01 . 2009-05-21 18:01 -------- d-----w c:\program files\Avira
2009-05-21 18:01 . 2009-05-21 18:01 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-05-21 17:47 . 2009-05-21 17:47 -------- d-----w c:\program files\Trend Micro
2009-05-02 16:47 . 2009-05-02 16:47 -------- d-----w c:\documents and settings\Russell\Application Data\Malwarebytes
2009-05-02 16:47 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-02 16:47 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-02 16:47 . 2009-05-21 17:44 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-02 16:47 . 2009-05-02 16:47 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-11 03:20 . 2007-04-23 16:17 1835 ----a-w c:\documents and settings\Russell\Application Data\SAS7_000.DAT
2009-05-06 01:25 . 2007-05-18 21:30 -------- d-----w c:\documents and settings\Russell\Application Data\SolidWorks
2009-04-10 16:06 . 2008-02-11 19:31 -------- d-----w c:\program files\Java
2009-04-10 16:05 . 2009-04-10 16:05 152576 ----a-w c:\documents and settings\Russell\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-27 23:53 . 2009-03-27 23:53 -------- d-----w c:\program files\Any Video Converter
2009-03-27 23:53 . 2009-03-27 23:53 -------- d-----w c:\documents and settings\Russell\Application Data\Any Video Converter
2009-03-27 23:12 . 2007-04-27 17:46 -------- d-----w c:\program files\DivX
2009-03-27 23:12 . 2009-03-27 23:12 -------- d-----w c:\program files\Common Files\DivX Shared
2009-03-26 20:15 . 2009-03-26 20:12 -------- d-----w c:\program files\Windows Live Safety Center
2009-03-10 15:41 . 2009-03-10 15:41 152576 ----a-w c:\documents and settings\Russell\Application Data\Sun\Java\jre1.6.0_12\lzma.dll
2009-03-09 12:19 . 2008-12-15 22:19 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2006-02-28 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-02-28 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2007-11-01 22:30 . 2007-05-07 05:56 3350 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2007-12-30 1365504]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]

c:\documents and settings\Russell\Start Menu\Programs\Startup\
Dragon NaturallySpeaking.lnk - c:\program files\Nuance\NaturallySpeaking9\Program\natspeak.exe [2006-12-11 2332264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2006-9-10 10872]
HyperWorks Desktop Quick Launch.lnk - c:\altair\hw9.0\hw\bin\win32\hw.exe [2009-1-23 471040]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-3-31 114688]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2006-3-26 257752]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\MATLAB7\\bin\\win32\\MATLAB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office\\WINWORD.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/21/2009 11:01 AM 108289]
.
Contents of the 'Scheduled Tasks' folder

2009-01-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:57]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = about:blank
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-22 22:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3808)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\rundll32.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\devldr32.exe
.
**************************************************************************
.
Completion time: 2009-05-23 22:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-23 05:24
ComboFix2.txt 2009-05-22 16:44

Pre-Run: 17,111,654,400 bytes free
Post-Run: 17,117,224,960 bytes free

137 --- E O F --- 2009-05-13 18:55

That looks good now - how are things on your end?

I would like you to run a complete system scan with one of the following two scanners (DrWeb or ESET)- directions for both are included below. Expect some detections in Qoobox and system volume information (they will not be active malware so don't worry):

Please perform a scan with the ESET online virus scanner:
http://www.eset.com/onlinescan/index.php

• ESET recommends disabling your resident antivirus's auto-protection feature before beginning the scan to avoid conflicts and system hangs. Please disable your antivirus's Guard and any antispyware or HIPS programs you are running.
• Use Internet Explorer to navigate to the scanner website because you must approve install an ActiveX add-on to complete the scan.
• Check the "Yes, I accept the terms of use" box.
• Click "Start"
• Check the boxes the following two boxes:
  • enable "Remove found threats"
  • Scan unwanted applications
• Click the Scan button to begin scanning.
• When the scan is done the log is automatically saved. To retrieve it
  • Close the ESET scan Window.
  • Now open a run line by clicking Start >> Run...
  • Copy/paste "C:\Program Files\EsetOnlineScanner\log.txt" ino the Open box:
  • The Scan results will now display in Notepad
• Please copy and paste the ESET scan report that can be found in this location
  C:\Program Files\EsetOnlineScanner\log.txt into your next reply

Note to Vista users and anyone with restrictive IE security settings: Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).

To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then uncheck "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com url to the list of trusted sites, by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE7 Privacy tab and add the above eset.com url to the exceptions list for cookie blocking.

__________________

As an alternative, to an online antivirus scan, you can run a scan with Dr. Web CureIt!. This scanner is an downloaded as a randomly named executable file that is ready to go with no extracting and no updating. It does take a while to scan, so be patient.

1. Please download DrWeb-CureIt by clicking the "CureIt! Download" button on the right-side of the page. Save the randomly named executable file to your desktop, but DO NOT perform a scan yet.
2. Next, please reboot your computer in Safe Mode by doing the following:

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
• Instead of Windows loading as normal, an Advanced Options Menu should appear
• Select the first option, to run Windows in Safe Mode.

3. Double-click on randomly named EXE file you just downloaded to start the program. An "Express Scan of your PC" notice will appear.
4. Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to "cure it".
5. Once the short scan has finished, Click Options --> Change settings
6. Choose the "Scan tab" and UNcheck "Heuristic analysis"
7. Back at the main window, click "Complete Scan"
8. Then click the "Start/Stop Scanning" button (green triangular "play" button on the right), and the scan will start.
9. When done, a message will be displayed at the bottom advising if any threats were found.
10. Click "Yes to all" if it asks if you want to cure/move the file.
11. When the scan has finished, see if you can locate the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
12. Next, in the Dr.Web CureIt menu on top, click File and then choose Save report.
13. Save the DrWeb.csv report to your desktop.
14. Exit Dr.Web Cureit when done.
15. Important! Reboot your computer so any targeted files that were in use can be moved/deleted during reboot.
16. After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report by right-clicking the file and selecting "Open With" -> Notepad.

In your next reply, please include the following:

• Dr.Web Log or ESET log
• A new HJT log

Everything seems to be working well on this end. The only thing out of the ordinary is all the icons on my IE favorites list are mismatched. I ran the ESET scanner as instructed, then ran another HJT scan. Both logs are below. Thanks again.

Russell



ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# IEXPLORE.EXE=7.00.6000.16827 (vista_gdr.090226-1506)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=516a449a312bf04c9cd8f81415419543
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-05-23 05:25:18
# local_time=2009-05-23 10:25:18 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1797 37 100 100 658745368288
# scanned=183451
# found=6
# cleaned=4
# scan_time=3484
C:\Documents and Settings\Russell\Local Settings\Application Data\Identities\{F526A250-031B-49F9-B3A6-6B1D95E7903C}\Microsoft\Outlook Express\Deleted Items.dbx Win32/Jep.Russ joke (unable to clean) 00000000000000000000000000000000
C:\Documents and Settings\Russell\Local Settings\Application Data\Identities\{F526A250-031B-49F9-B3A6-6B1D95E7903C}\Microsoft\Outlook Express\Sent Items.dbx Win32/Jep.Russ joke (unable to clean) 00000000000000000000000000000000
C:\System Volume Information\_restore{D96502DD-4410-40B0-802B-E33B37D95CA2}\RP703\A0045556.dll Win32/Olmarik.HC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000
C:\System Volume Information\_restore{D96502DD-4410-40B0-802B-E33B37D95CA2}\RP703\A0045557.dll Win32/Olmarik.HC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000
C:\System Volume Information\_restore{D96502DD-4410-40B0-802B-E33B37D95CA2}\RP703\A0045558.dll Win32/Olmarik.GY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000
C:\System Volume Information\_restore{D96502DD-4410-40B0-802B-E33B37D95CA2}\RP703\A0045559.dll Win32/Olmarik.GX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:30:23 AM, on 5/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HyperWorks Desktop Quick Launch.lnk = C:\Altair\hw9.0\hw\bin\win32\hw.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_4.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 6706 bytes

Hi berylman,

I'm glad thinks are working much better.

Your HJT and ESET scan report show nothing to be concerned about.

I would do one more quick scan with an updated MBAM, aslo and post back that report.



I don't know what caused that. It's possible the infection added an entry to your favorites, and when that was removed during the cleanup process, the other favs became misaligned. That's the only thing I can think of for the cause, but unfortunately I don't know how to fix that. If I come up with a solution in my travels, I would certainly post back a reply.

Please post the MBAM log and then we will perform some post-cleanup measures.

I updated and scanned with MBAM. Found no infected files. The MBAM log is posted below.

One question. I have a flash drive that is always plugged in to my machine. Do I need to do anything to make sure it's not infected?

Also, no worries on the favorites icons. Windows was just confused--a couple of reboots and it got things sorted out.

Russell




Malwarebytes' Anti-Malware 1.36
Database version: 2176
Windows 5.1.2600 Service Pack 3

5/25/2009 8:36:15 AM
mbam-log-2009-05-25 (08-36-15).txt

Scan type: Quick Scan
Objects scanned: 83337
Time elapsed: 3 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Good job! I'm glad your issue with "favorites" is now resolved, plus your computer is clean now.

We have a few steps to finish up now.

Let's remove Combofix and all its associated files including those in quarantine:
Click start -> run, then copy and paste the following line into the Open box and click OK.

"%userprofile%\desktop\BerylFix.exe" /u

This will do the following:

• Uninstall Combofix and all its associated files and folders.
• It will flush your system restore points and create a new restore point.
• It will rehide your system files and folders
• Reset your system clock

Delete the contents of the C:\ARK folder and then delete the folder itself.

Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

1. Scan your system for outdated versions of commonly used software applications that may also cause your PC be vulnerable, using the Secunia Online Software Inspector (OSI)

Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.

Note: If your firewall prompts you about access, allow it.

2. Keep MBAM as an on demand scanner because I highly recommend it, and the quick scan will find most all active malware in minutes.

3. You can reduce your startups by downloading Malwarebyte's StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then, check the options you would like based on the descriptions provided, then select continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

4. Download and install SpywareBlaster:
http://www.javacoolsoftware.com/spywareblaster.html
Update it and the enable protection for all unprotected items.
You will have to update the free version manually about once a month by clicking the UPdates button.

Finally, please follow the suggestions offered by Tony Klein in How did I get infected in the first place. so you can maintain a safe and secure computing environment.

Happy Surfing!

Done. And done.

Thanks again. I can't tell you how much I appreciate the help.

Russell