Old 11-13-2008, 01:32 PM   #1 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 8
OS: XP


Computer virus: logs included - PLEASE HELP!

I've started having problems with my computer since no more than 2 weeks ago. I know it's a virus but I don't know how to get rid of it. At first it was just making the computer slow, McAfee started showing up pop ups about a PUP that was being blocked but I could never remove it. Then, today, I noticed that in My Computer an "e:\" drive now appears that seems to be a copy of my C: drive but it's called "movies and music" (see screenshot attached) and some shortcuts appear on my desktop and start menu. Of course I haven't touched them but I don't know how to get rid of it. Also, my McAfee has stopped working properly. Now even the menu for it doesn't display properly.

Here's my DDS log:




DDS (Version 1.0) - NTFSx86
Run by Pamela at 14:20:09.00 on Thu 11/13/2008
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.65 [GMT -6:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svshost.exe
C:\windows\system32\system.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\svñhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\system32\system.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Documents and Settings\Pamela\Desktop\dds.scr

============== Psuedo HJT Report ===============

uStart Page = hxxp://windowshomepage.info
uInternet Settings,ProxyOverride = *.local
BHO: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {c5bf49a2-94f3-42bd-f434-3604812c897d} - c:\windows\system32\jsne87fidgf.dll
TB: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {8B0974BE-F10B-4492-B8E3-ED23B950B034} - c:\windows\system32\gdband.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [gadcom] "c:\documents and settings\pamela\application data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
uRun: [xsjfn83jkemfofght] c:\docume~1\pamela\locals~1\temp\winlogin.exe
uRun: [Jnskdfmf9eldfd] c:\docume~1\pamela\locals~1\temp\csrssc.exe
uRun: [GetPack24] "c:\program files\getpack\GetPack24.exe"
uRun: [svshost.exe] c:\windows\system32\svshost.exe -check
uRun: [gapp] c:\windows\system32\system.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [IntelZeroConfig] c:\program files\intel\wireless\bin\ZCfgSvc.exe
mRun: [<NO NAME>]
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Media Codec Update Service] c:\program files\essentials codec pack\update.exe -silent
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [Xbidequwa] rundll32.exe "c:\windows\Csusazubijax.dll",e
mRun: [Rjemefo] rundll32.exe "c:\windows\etolanavecazucu.dll",e
mRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\device~1.lnk - c:\program files\olympus\devicedetector\DevDtct2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: InstallVisualStyle = c:\windows\resources\themes\royale\Royale.msstyles
mPolicies-system: InstallTheme = c:\windows\resources\themes\Royale.theme
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office11\MSOXMLMF.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll
Notify: AtiExtEvent -Ati2evxx.dll
Notify: IntelWireless -c:\program files\intel\wireless\bin\LgNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {C5BF49A2-94F3-42BD-F434-3604812C897D} - c:\windows\system32\jsne87fidgf.dll

============= SERVICES / DRIVERS ===============

S0 ati8kqxx;ati8kqxx;c:\windows\system32\drivers\ati8kqxx.sys
S0 ati8syxx;ati8syxx;c:\windows\system32\drivers\ati8syxx.sys
S3 VNUSB;VN Series Device;c:\windows\system32\drivers\VNUSB.sys
S3 XDva143;XDva143;\??\c:\windows\system32\XDva143.sys

=============== Created Last 30 ================

2008-11-13 14:01 250 a------- c:\windows\gmer.ini
2008-11-13 13:56 <DIR> --d----- c:\program files\Trend Micro
2008-11-13 10:02 <DIR> --d----- c:\windows\system32\virtmeddrive
2008-11-13 10:02 4 a------- c:\windows\system32\hhook.tmp
2008-11-13 10:02 488,960 a------- c:\windows\system32\gdband.dll
2008-11-13 10:02 488,960 a------- c:\windows\system32\gdband 8.4.9.dll
2008-11-13 10:01 541,184 a------- c:\windows\system32\system.exe
2008-11-13 10:01 48,640 a------- c:\windows\system32\svshost.exe
2008-11-13 10:01 48,640 a------- c:\windows\system32\svñhost.exe
2008-11-06 22:53 <DIR> --d----- c:\program files\GetPack
2008-11-06 22:53 <DIR> --d----- c:\program files\iCheck
2008-11-06 22:33 <DIR> --d----- c:\program files\Mjcore
2008-11-06 08:56 270,336 a------- c:\windows\etolanavecazucu.dll
2008-11-05 22:30 24,576 a------- c:\windows\Csusazubijax.dll
2008-11-05 22:28 2 a------- C:\-931896361
2008-11-05 22:28 50,688 a------- c:\windows\system32\rbsgam.dll
2008-11-05 22:28 108 a------- c:\windows\system32\kaxs.dat
2008-11-05 22:27 105,858 a------- c:\windows\system32\drivers\ff54ef64.sys
2008-11-05 22:27 <DIR> --d----- c:\program files\Microsoft Common
2008-11-05 22:26 41,984 a------- C:\depwvtw.exe
2008-11-05 22:26 <DIR> --d----- c:\docume~1\pamela\applic~1\gadcom
2008-10-21 18:03 <DIR> --d----- c:\program files\common files\HP
2008-10-21 17:57 <DIR> --d----- c:\program files\common files\Hewlett-Packard
2008-10-21 17:49 117,028 -------- c:\windows\hpoins11.dat.temp
2008-10-21 17:49 11,634 -------- c:\windows\hpomdl11.dat.temp
2008-10-21 17:41 11,634 a------- c:\windows\hpomdl11.dat

==================== Find3M ====================

2008-11-13 13:53 <DIR> --d----- c:\program files\Bonjour
2008-11-13 13:53 <DIR> --d----- c:\program files\Azureus
2008-11-13 13:50 <DIR> --d----- c:\docume~1\pamela\applic~1\Move Networks
2008-11-13 12:39 <DIR> --d----- c:\program files\McAfee
2008-11-12 23:47 <DIR> --d----- c:\docume~1\pamela\applic~1\LimeWire
2008-11-08 10:14 <DIR> --d----- c:\docume~1\pamela\applic~1\Azureus
2008-10-21 18:08 117,246 a------- c:\windows\hpoins11.dat
2008-10-08 05:51 <DIR> --d----- c:\program files\iTunes
2008-10-08 05:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-08 05:50 <DIR> --d----- c:\program files\iPod
2008-10-05 19:01 <DIR> --d----- c:\program files\AVI Movie Player
2008-09-20 09:56 <DIR> --d----- c:\program files\Essentials Codec Pack
2008-09-14 20:14 <DIR> --d----- c:\program files\Sestek
2008-08-29 09:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-08-29 08:53 61,440 a------- c:\windows\system32\dnssd.dll
2008-07-28 05:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Outspark
2008-06-21 18:50 <DIR> --d----- c:\docume~1\pamela\applic~1\CoreFTP
2008-06-18 00:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ExtendMedia
2008-06-06 10:44 <DIR> --d----- c:\docume~1\pamela\applic~1\MySpace
2008-06-04 09:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avg7
2008-04-16 16:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Azureus
2008-03-29 13:26 <DIR> --d----- c:\docume~1\pamela\applic~1\3M
2008-03-29 09:42 <DIR> --d----- c:\docume~1\pamela\applic~1\Intel
2008-03-29 09:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intel

============= FINISH: 14:21:16.84 ===============
Attached Images
File Type: jpg randomdrive_image.JPG (185.2 KB, 4 views)
Attached Files
File Type: rar Attach.rar (4.1 KB, 4 views)
File Type: txt Gmer.txt (77.2 KB, 3 views)
pc00 is offline  
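A triage heuristic for the Run entries and process list in the DDS log above, added here as an example (it is not part of the original posts, nor how DDS or ComboFix work). The sample lines are copied from that log; the list of system process names and the three rules are assumptions chosen for illustration, and a hit means "review this entry", not a verdict.

```python
import re
import unicodedata
from pathlib import PureWindowsPath

# Assumption: a short list of Windows system process names worth guarding
# against imitation. Extend it for your own environment.
SYSTEM_NAMES = {"svchost", "csrss", "winlogon", "lsass", "services",
                "smss", "explorer", "spoolsv"}

# DDS autorun lines look like:  uRun: [value name] command line
RUN_LINE = re.compile(r'^[um]Run: \[[^\]]*\]\s*(?P<cmd>.*)$')
BARE_PATH = re.compile(r'^[A-Za-z]:\\')

# Lines copied from the DDS log in post #1 (a subset, not the whole log).
SAMPLE = r"""
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svshost.exe
C:\WINDOWS\system32\svñhost.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [xsjfn83jkemfofght] c:\docume~1\pamela\locals~1\temp\winlogin.exe
uRun: [Jnskdfmf9eldfd] c:\docume~1\pamela\locals~1\temp\csrssc.exe
uRun: [svshost.exe] c:\windows\system32\svshost.exe -check
mRun: [<NO NAME>]
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
"""


def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def executable_of(cmd):
    """Return the program path from a command line, quoted or unquoted."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    # Unquoted paths may contain spaces, so cut at the first executable
    # extension that is followed by whitespace, a comma or end of line.
    m = re.match(r'(.+?\.(?:exe|dll|scr|com|bat))(?:\s|,|$)', cmd, re.I)
    return m.group(1) if m else cmd.split(" ")[0]


def reasons_for(path):
    """Apply the three illustrative rules to one lower-cased path."""
    stem = unicodedata.normalize("NFC", PureWindowsPath(path).stem)
    reasons = []
    if not stem.isascii():
        reasons.append("non-ASCII character in file name")
    for legit in SYSTEM_NAMES:
        if stem != legit and edit_distance(stem, legit) == 1:
            reasons.append(f"one edit away from {legit}.exe")
    if "\\temp\\" in path:
        reasons.append("starts from a Temp directory")
    return reasons


def triage(log_text):
    """Map each flagged executable path to its sorted list of reasons."""
    findings = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_LINE.match(line)
        if m:
            cmd = m.group("cmd")
        elif BARE_PATH.match(line):
            cmd = line          # an entry from the running-process list
        else:
            continue
        if not cmd:
            continue            # e.g. "mRun: [<NO NAME>]" has no command
        path = executable_of(cmd).lower()
        hits = reasons_for(path)
        if hits:
            findings.setdefault(path, set()).update(hits)
    return {p: sorted(r) for p, r in findings.items()}


if __name__ == "__main__":
    for path, why in triage(SAMPLE).items():
        print(path, "->", "; ".join(why))
```

Entries launched through rundll32.exe, such as the two random-named DLLs in the mRun list, are not covered by these rules and need a separate check of the DLL argument.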

Old 11-13-2008, 09:23 PM   #2 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
Angelfire777's Avatar
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Computer virus: logs included - PLEASE HELP!

Hi, welcome to TSF!

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Angelfire777 is offline  
Old 11-13-2008, 10:35 PM   #3 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 8
OS: XP


Re: Computer virus: logs included - PLEASE HELP!

I ran it, here is the log txt:



ComboFix 08-11-12.01 - Pamela 2008-11-13 23:15:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.135 [GMT -6:00]
Running from: c:\documents and settings\Pamela\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Pamela\Application Data\gadcom
c:\documents and settings\Pamela\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
c:\program files\GetPack
c:\program files\iCheck
c:\program files\iCheck\Uninstall.exe
c:\program files\Microsoft Common
c:\program files\Microsoft Common\wuauclt.exe
c:\program files\Mjcore
c:\windows\system32\kaxs.dat
c:\windows\system32\rbsgam.dll
c:\windows\system32\svshost.exe
c:\windows\system32\system.exe

.
((((((((((((((((((((((((( Files Created from 2008-10-14 to 2008-11-14 )))))))))))))))))))))))))))))))
.

2008-11-13 14:01 . 2008-11-13 14:01 250 --a------ c:\windows\gmer.ini
2008-11-13 13:56 . 2008-11-13 13:56 <DIR> d-------- c:\program files\Trend Micro
2008-11-13 10:02 . 2008-11-13 22:46 <DIR> d-------- c:\windows\system32\virtmeddrive
2008-11-13 10:02 . 2008-11-13 22:45 488,960 --a------ c:\windows\system32\gdband.dll
2008-11-13 10:02 . 2008-11-13 15:27 488,960 --a------ c:\windows\system32\gdband 9.2.4.dll
2008-11-13 10:02 . 2008-11-13 10:47 488,960 --a------ c:\windows\system32\gdband 8.4.9.dll
2008-11-13 10:02 . 2008-11-13 22:45 4 --a------ c:\windows\system32\hhook.tmp
2008-11-13 10:01 . 2008-11-13 15:27 48,640 --a------ c:\windows\system32\svñhost.exe
2008-11-06 08:56 . 2008-11-06 08:56 270,336 --a------ c:\windows\etolanavecazucu.dll
2008-11-05 22:30 . 2008-11-13 15:26 24,576 --a------ c:\windows\Csusazubijax.dll
2008-11-05 22:28 . 2008-11-05 22:28 2 --a------ C:\-931896361
2008-11-05 22:27 . 2008-11-13 23:25 105,858 --a------ c:\windows\system32\drivers\ff54ef64.sys
2008-11-05 22:26 . 2008-11-05 22:26 41,984 --a------ C:\depwvtw.exe
2008-10-21 18:08 . 2008-10-21 18:09 <DIR> d-------- c:\documents and settings\Pamela\Application Data\HP
2008-10-21 18:07 . 2008-10-21 18:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP
2008-10-21 18:03 . 2008-10-21 18:06 <DIR> d-------- c:\program files\Common Files\HP
2008-10-21 17:57 . 2008-10-21 17:57 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
2008-10-21 17:49 . 2008-09-12 20:38 117,028 --------- c:\windows\hpoins11.dat.temp
2008-10-21 17:49 . 2006-05-05 17:17 11,634 --------- c:\windows\hpomdl11.dat.temp
2008-10-21 17:41 . 2006-05-05 17:17 11,634 --a------ c:\windows\hpomdl11.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-14 04:27 --------- d-----w c:\documents and settings\Pamela\Application Data\Skype
2008-11-13 19:53 --------- d-----w c:\program files\Bonjour
2008-11-13 19:53 --------- d-----w c:\program files\Azureus
2008-11-13 19:50 --------- d-----w c:\documents and settings\Pamela\Application Data\Move Networks
2008-11-13 18:39 --------- d-----w c:\program files\McAfee
2008-11-13 05:47 --------- d-----w c:\documents and settings\Pamela\Application Data\LimeWire
2008-11-08 18:45 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-11-08 16:14 --------- d-----w c:\documents and settings\Pamela\Application Data\Azureus
2008-11-08 07:12 6,656 ----a-w c:\windows\system32\drivers\arp1394.sys
2008-10-22 00:06 --------- d-----w c:\program files\Hewlett-Packard
2008-10-08 12:06 --------- d-----w c:\program files\Apple Software Update
2008-10-08 11:51 --------- d-----w c:\program files\iTunes
2008-10-08 11:51 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-08 11:50 --------- d-----w c:\program files\iPod
2008-10-06 01:01 --------- d-----w c:\program files\AVI Movie Player
2008-09-20 15:56 --------- d-----w c:\program files\Essentials Codec Pack
2008-09-15 02:14 --------- d-----w c:\program files\Sestek
2008-08-29 15:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 14:53 61,440 ----a-w c:\windows\system32\dnssd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{8B0974BE-F10B-4492-B8E3-ED23B950B034}"= "c:\windows\system32\gdband.dll" [2008-11-13 488960]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-07-22 401408]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-07-22 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"Media Codec Update Service"="c:\program files\Essentials Codec Pack\update.exe" [2007-04-08 303104]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2008-06-13 1176808]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"Xbidequwa"="c:\windows\Csusazubijax.dll" [2008-11-13 24576]
"Rjemefo"="c:\windows\etolanavecazucu.dll" [2008-11-06 270336]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2008-08-18 118784]
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= c:\windows\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= c:\windows\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2005-07-22 22:46 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati8kqxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati8syxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-10-08 203280]
S0 ati8kqxx;ati8kqxx;c:\windows\system32\Drivers\ati8kqxx.sys [ ]
S0 ati8syxx;ati8syxx;c:\windows\system32\Drivers\ati8syxx.sys [ ]
S2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe [2008-01-16 814728]
S3 VNUSB;VN Series Device;c:\windows\system32\DRIVERS\VNUSB.sys [2006-04-07 38496]
S3 XDva143;XDva143;c:\windows\system32\XDva143.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f154262-74a8-11dd-81c0-00123fdbd6ac}]
\Shell\AutoRun\command - G:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-06-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2008-06-04 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-svshost.exe - c:\windows\system32\svshost.exe
HKCU-Run-GetPack24 - c:\program files\GetPack\GetPack24.exe
HKCU-Run-gapp - c:\windows\system32\system.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Pamela\Application Data\Mozilla\Firefox\Profiles\hgbe61dd.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://windowshomepage.info
FF -: plugin - c:\documents and settings\Pamela\Application Data\Mozilla\Firefox\Profiles\hgbe61dd.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-13 23:22:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ff54ef64]
"ImagePath"="\SystemRoot\System32\drivers\ff54ef64.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\explorer.exe
-> c:\program files\McAfee\SiteAdvisor\saHook.dll
-> c:\windows\Csusazubijax.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\ati2evxx.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\rundll32.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqste08.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-11-13 23:31:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-14 05:30:57

Pre-Run: 8,525,877,248 bytes free
Post-Run: 11,767,312,384 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

220 --- E O F --- 2008-07-09 0821
pc00 is offline  
Old 11-13-2008, 11:12 PM   #4 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
Angelfire777's Avatar
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Computer virus: logs included - PLEASE HELP!

Hi,

Go to Control Panel > Add or Remove Programs, then uninstall this entry if it is still there: Internet Speed Monitor.

*Open notepad.
Copy and paste the text inside the code box below to notepad

Code:
File::
c:\windows\system32\gdband.dll
c:\windows\system32\gdband 9.2.4.dll
c:\windows\system32\gdband 8.4.9.dll
"c:\windows\system32\svñhost.exe"
c:\windows\etolanavecazucu.dll
c:\windows\Csusazubijax.dll
C:\-931896361
C:\WINDOWS\System32\drivers\ff54ef64.sys
C:\depwvtw.exe
c:\windows\system32\hhook.tmp
Driver::
ff54ef64
ati8kqxx
ati8syxx
XDva143
Folder::
c:\documents and settings\Pamela\Application Data\Azureus
c:\documents and settings\Pamela\Application Data\LimeWire
c:\windows\system32\virtmeddrive
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{8B0974BE-F10B-4492-B8E3-ED23B950B034}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Xbidequwa"=-
"Rjemefo"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati8kqxx.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati8syxx.sys]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
Dirlook::
c:\windows\system32\virtmeddrive
  • Save and Name it as "CFScript"
  • Drag and drop CFScript.txt to your copy of combofix.
  • You can take a look at the image below if you're unsure on how to do it.
  • ComboFix will restart your machine then it will produce a log afterwards.
__________

*Malware modified your Firefox home page. You can change it by opening Firefox > Tools > Options


*I would like you to scan a file for me.

Please go HERE. Copy and paste the following file path into the box.

c:\windows\system32\drivers\arp1394.sys

Then click submit.

Please post the results to your next reply.
___________

Your Java is out of date....
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components.
  • Click Start > Control Panel
  • Click Add/Remove Programs
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove button.
  • Repeat as many times as necessary to remove all versions of Java.
  • Reboot your computer once all Java components are removed.
Then download Java Runtime Environment 6u10, and install it to your computer.
  • Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
___________

Please run this online scan to help look for remnants.

First, Go to Start>Control Panel>Add/Remove Programs and remove Kaspersky online scanner if present prior to downloading the most up-to-date one.

Next, establish an internet connection & perform an online scan using Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.

  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. You may disconnect from the internet once you begin the scan.


Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

On your next reply, please include a
  • Kaspersky scan log
  • ComboFix log
  • VirusTotal scan log
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.

Last edited by Angelfire777; 11-13-2008 at 11:15 PM.
Angelfire777 is offline  
Old 11-15-2008, 07:23 PM   #5 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 8
OS: XP


Re: Computer virus: logs included - PLEASE HELP!

Hi,

Here are my reports.
Attached Files
File Type: txt kaspersky_log.txt (1.6 KB, 1 views)
File Type: txt virustotal_report.txt (4.1 KB, 1 views)
File Type: txt ComboFix.txt (28.0 KB, 1 views)
pc00 is offline  
Old 11-15-2008, 11:23 PM   #6 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Computer virus: logs included - PLEASE HELP!

Hi,

It seems that you missed copying all the files in the code box I gave you... Also, you didn't update Java. Please update the program, as previous versions are vulnerable to infections.

Do you have Azureus and Limewire installed?

*Open notepad.
Copy and paste the text inside the code box below to notepad

Code:
File::
C:\depwvtw.exe
C:\WINDOWS\system32\drivers\arp1394.sys
c:\windows\system32\hhook.tmp
c:\windows\etolanavecazucu.dll
c:\windows\Csusazubijax.dll
C:\-931896361
c:\windows\system32\drivers\ff54ef64.sys
Folder::
c:\windows\system32\virtmeddrive
Driver::
ff54ef64
  • Save and Name it as "CFScript"
  • Drag and drop CFScript.txt to your copy of combofix.
  • You can take a look at the image below if you're unsure on how to do it.
  • Combofix will restart your machine, then it will produce a log afterwards.

Please post the combofix log on your next reply. Also, please let me know how your machine is doing.
Angelfire777 is offline
Old 11-16-2008, 12:00 AM   #7 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 8
OS: XP


Re: Computer virus: logs included - PLEASE HELP!

Hm, that is very strange. I did do the steps you mentioned previously. I don't know why they don't show up. But I will do them again and let you know.

I did have Azureus and Limewire previously installed, but not anymore.

My computer seems to be doing better than before (the 'ghost' drive has gone, and it is running a bit faster). However, McAfee still shows me trojan warnings and doesn't seem to be working properly still.

Last edited by pc00; 11-16-2008 at 12:03 AM. Reason: Need to add information
pc00 is offline  
Old 11-16-2008, 12:14 AM   #8 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Computer virus: logs included - PLEASE HELP!

That's okay. You still have some infections left; it's normal, I guess, for McAfee to alert you about it.

No need to re-do all the instructions in post #4. Just follow my instructions on my previous post. I shall be waiting for your logs.
Angelfire777 is offline
Old 11-16-2008, 11:40 AM   #9 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 8
OS: XP


Re: Computer virus: logs included - PLEASE HELP!

Here is the combofix log.
Attached Files
File Type: txt combofix log.txt (11.4 KB, 1 views)
pc00 is offline  
Old 11-16-2008, 07:24 PM   #10 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Computer virus: logs included - PLEASE HELP!

Hi,

Delete this folder using Windows Explorer since you don't have Azureus anymore: C:\program files\Azureus

Navigate to this file: c:\windows\system32\dllcache\arp1394.sys >> right-click it, then select Copy.

Go to this folder: C:\windows\system32\drivers >> right-click in the background, then select Paste.

If it asks you if you want to replace, check if the arp1394.sys size in the drivers folder is ~60kb. If so, cancel the copy. If not, please let me know.

How is your machine running?
Last edited by Angelfire777; 11-16-2008 at 07:27 PM.
Angelfire777 is offline
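Added example, not part of the thread and not ComboFix's own code: a Python sketch that reads the CFScript from post #6 and, for each file it removed from system32\drivers, reports whether dllcache holds a copy and whether the file now in the drivers folder matches that copy by SHA-256, a stricter test than the ~60kb size check in post #10. The function names and the trimmed script are assumptions made for the illustration; the two directory arguments stand in for C:\windows\system32\drivers and C:\windows\system32\dllcache, and the check does not depend on Explorer's hidden-file setting.

```python
import hashlib
import ntpath
from pathlib import Path

# CFScript from post #6, trimmed to three File:: entries plus the Driver:: entry.
CFSCRIPT = r"""File::
C:\depwvtw.exe
C:\WINDOWS\system32\drivers\arp1394.sys
c:\windows\system32\drivers\ff54ef64.sys
Driver::
ff54ef64
"""

def parse_cfscript(text):
    """Group each entry under the 'Name::' directive line that precedes it."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.endswith("::"):
            current = sections.setdefault(line, [])
        elif current is None:
            raise ValueError(f"entry before any directive: {line!r}")
        else:
            current.append(line)
    return sections

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def check_restored_drivers(sections, drivers_dir, dllcache_dir):
    """Status of every File:: entry that lived in system32\\drivers."""
    report = {}
    for entry in sections.get("File::", []):
        folder, name = ntpath.split(entry.lower())
        if not folder.endswith(r"system32\drivers"):
            continue  # not a driver path, nothing to restore from dllcache
        live, cached = Path(drivers_dir) / name, Path(dllcache_dir) / name
        if not cached.is_file():
            report[name] = "no cached copy"      # nothing to restore from
        elif not live.is_file():
            report[name] = "not restored"
        elif sha256(live) == sha256(cached):
            report[name] = "matches cache"
        else:
            report[name] = "differs from cache"  # same name, different content
    return report

SECTIONS = parse_cfscript(CFSCRIPT)  # {'File::': [...], 'Driver::': ['ff54ef64']}
```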
Old 11-16-2008, 07:37 PM   #11 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 8
OS: XP


Re: Computer virus: logs included - PLEASE HELP!

I deleted the Azureus folder. However, the file you asked me to copy and paste, I can't find it.

The "dllcache" isn't there.
pc00 is offline  
Old 11-16-2008, 07:55 PM   #12 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Computer virus: logs included - PLEASE HELP!

Configure your machine to view hidden files:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the "Hidden files and folders" heading select Show hidden files and folders.
  • Uncheck the Hide Protected Operating System Files Option.
  • Click Yes to confirm.
  • Click OK.
Angelfire777 is offline
Old 11-16-2008, 08:17 PM   #13 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 8
OS: XP


Re: Computer virus: logs included - PLEASE HELP!

Ok, I've copied the file into the system32 driver folder.
pc00 is offline  
Old 11-16-2008, 08:18 PM   #14 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Computer virus: logs included - PLEASE HELP!

How is your machine running?
Angelfire777 is offline
Old 11-19-2008, 10:46 AM   #15 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Computer virus: logs included - PLEASE HELP!

Are you still with us?
Angelfire777 is offline
Old 11-19-2008, 01:14 PM   #16 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 8
OS: XP


Re: Computer virus: logs included - PLEASE HELP!

Hello,

Sorry, I was unavailable for the last few days. The machine seems to be running MUCH better now. I haven't had any unusual activity happening. Any further recommendations?

Thanks a lot for all the help you've been giving me!
pc00 is offline  
Old 11-19-2008, 06:55 PM   #17 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Computer virus: logs included - PLEASE HELP!

Congratulations! Your log looks clean!

Click Start > Run > copy and paste:

combofix /u

That will hide your system files, clear your system restore cache and uninstall combofix.


Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?"

And miekiemoes' "How to Prevent Malware"

Happy safe surfing!

Note: Please reply to this thread one last time so I can mark it as resolved.
Angelfire777 is offline
 

