Constant popups when I use the internet-with things like antiviruspro etc.

[awaise]

Hi my PC is running very slow and a ot of popups are appearing while im on the internet. I ve used HJT and posted a log below thanx in advance for the help:

Logfile of HijackThis v1.99.1
Scan saved at 20:46:53, on 02/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Home\Application Data\U3\09F1E961435018AF\LaunchPad.exe
C:\Documents and Settings\Home\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {e9977cec-9e1e-43fc-a880-7c57a9507f62} - C:\WINDOWS\system32\wamejulu.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [nosurepibi] Rundll32.exe "C:\WINDOWS\system32\jobaruse.dll",s
O4 - HKLM\..\Run: [5cadcbaa] rundll32.exe "C:\WINDOWS\system32\raromozo.dll",b
O4 - HKLM\..\Run: [CPM5f9ef836] Rundll32.exe "c:\windows\system32\nebiteda.dll",a
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: c:\windows\system32\huyajuni.dll avgrsstx.dll C:\WINDOWS\system32\lilayeti.dll c:\windows\system32\nebiteda.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nebiteda.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[tetonbob]

Hello and Welcome.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

We want all our members to perform the steps outlined in the link I'll give you below, before posting for assistance. There's a sticky at the top of this forum, and a

Quote:

Having problems with spyware and pop-ups? First Steps

link at the top of each page.

---------------------------------------------------------------------------------------------

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/secu...oval-help.html

After running through all the steps, you shall have a proper set of logs. Please post them.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

[awaise]

hi heres the DDS log:


DDS (Version 1.0) - NTFSx86
Run by Home at 13:35:44.85 on 04/12/2008
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.447.122 [GMT 0:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Home\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
BHO: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg8\avgssie.dll
BHO: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: {e9977cec-9e1e-43fc-a880-7c57a9507f62} - c:\windows\system32\yeyapoyu.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [EPSON Stylus Photo RX500] c:\windows\system32\spool\drivers\w32x86\3\E_S4I0K2.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [nosurepibi] Rundll32.exe "c:\windows\system32\josoguyi.dll",s
mRun: [5cadcbaa] rundll32.exe "c:\windows\system32\raromozo.dll",b
mRun: [CPM5f9ef836] Rundll32.exe "c:\windows\system32\dazetaha.dll",a
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
AppInit_DLLs: c:\windows\system32\huyajuni.dll avgrsstx.dll c:\windows\system32\juborafe.dll c:\windows\system32\dazetaha.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dazetaha.dll
STS: {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dazetaha.dll
SEH: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
LSA: Notification Packages = scecli c:\windows\system32\juborafe.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-30 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-11-30 26824]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-11-30 394192]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-11-30 231704]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service []

=============== Created Last 30 ================

2008-12-04 13:32 250 a------- c:\windows\gmer.ini
2008-12-04 13:07 1,403,979 ---sh--- c:\windows\system32\ayufusel.ini
2008-12-03 22:19 <DIR> --d----- c:\program files\common files\xing shared
2008-12-03 22:18 499,712 a------- c:\windows\system32\msvcp71.dll
2008-12-03 22:18 <DIR> --d----- c:\program files\common files\Real
2008-12-03 13:36 1,330,184 ---sh--- c:\windows\system32\umidomav.ini
2008-12-02 21:51 <DIR> --d----- c:\docume~1\home\applic~1\Dealio
2008-12-02 21:50 <DIR> --d----- c:\windows\system32\custom matrices
2008-12-02 21:49 <DIR> --d----- c:\windows\system32\QuickTime
2008-12-02 21:49 <DIR> --d----- c:\windows\system32\C2MP
2008-12-02 16:01 1,330,220 ---sh--- c:\windows\system32\ozomorar.ini
2008-12-01 16:16 268 a---h--- C:\sqmdata04.sqm
2008-12-01 16:16 268 a---h--- C:\sqmdata03.sqm
2008-12-01 16:16 244 a---h--- C:\sqmnoopt03.sqm
2008-12-01 16:16 172 a---h--- C:\sqmnoopt04.sqm
2008-12-01 16:16 120 ---sh--- c:\windows\system32\ozirusat.ini
2008-11-30 21:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\UDL
2008-11-30 21:14 131,072 a------- c:\windows\system32\Epcmlib.dll
2008-11-30 17:41 96,768 a------- c:\windows\SlantAdj.dll
2008-11-30 17:41 73,216 a------- c:\windows\ADE.DLL
2008-11-30 17:41 3,136 a------- c:\windows\Ade001.bin
2008-11-30 17:41 72 -------- c:\windows\system32\epDPE.ini
2008-11-30 17:41 <DIR> --d----- c:\program files\Smart Panel
2008-11-30 17:38 75,501 a------- c:\windows\system32\EBPMON24.DLL
2008-11-30 17:38 64,000 a------- c:\windows\system32\ECBTEG.DLL
2008-11-30 17:38 34,304 a------- c:\windows\system32\EBPCHP.DLL
2008-11-30 17:38 31,744 a------- c:\windows\system32\E_DCINST.DLL
2008-11-30 17:38 182 a------- c:\windows\system32\EBPPORT4.DAT
2008-11-30 17:37 26,660 a------- c:\windows\EPSTPLOG.BAK
2008-11-30 17:30 268 a---h--- C:\sqmdata02.sqm
2008-11-30 17:30 244 a---h--- C:\sqmnoopt02.sqm
2008-11-30 17:21 15,104 ac------ c:\windows\system32\dllcache\usbscan.sys
2008-11-30 17:21 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2008-11-30 17:21 46,080 a------- c:\windows\system32\escimgd.dll
2008-11-30 17:21 29,696 a------- c:\windows\system32\escwiad.dll
2008-11-30 17:21 22,528 a------- c:\windows\system32\esccmd.dll
2008-11-30 17:21 <DIR> --d----- c:\program files\EPSON
2008-11-30 17:20 27 a------- c:\windows\CDE RX500E.ini
2008-11-30 17:10 268 a---h--- C:\sqmdata01.sqm
2008-11-30 17:10 244 a---h--- C:\sqmnoopt01.sqm
2008-11-30 17:07 25,856 ac------ c:\windows\system32\dllcache\usbprint.sys
2008-11-30 17:07 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2008-11-30 17:07 31,616 ac------ c:\windows\system32\dllcache\usbccgp.sys
2008-11-30 17:07 31,616 a------- c:\windows\system32\drivers\usbccgp.sys
2008-11-30 15:15 <DIR> --d-h--- C:\$AVG8.VAULT$
2008-11-30 15:09 268 a---h--- C:\sqmdata00.sqm
2008-11-30 15:09 244 a---h--- C:\sqmnoopt00.sqm
2008-11-30 15:07 4,212 ----h--- c:\windows\system32\zllictbl.dat
2008-11-30 15:07 1,087,216 a------- c:\windows\system32\zpeng24.dll
2008-11-30 15:07 <DIR> --d----- c:\windows\system32\ZoneLabs
2008-11-30 14:56 47,197 a------- c:\windows\system32\vsconfig.xml
2008-11-30 14:52 10,520 a------- c:\windows\system32\avgrsstx.dll
2008-11-30 14:52 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2008-11-30 14:52 <DIR> --d----- c:\windows\system32\drivers\Avg
2008-11-30 14:52 <DIR> --d----- c:\docume~1\home\applic~1\AVGTOOLBAR
2008-11-30 14:52 <DIR> --d----- c:\program files\AVG
2008-11-30 14:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2008-11-30 14:50 1,300,339 ---sh--- c:\windows\system32\obakepak.ini
2008-11-30 14:45 62,464 a------- c:\windows\system32\~.exe
2008-11-30 14:35 <DIR> --d----- c:\program files\Zone Labs
2008-11-30 14:35 <DIR> --d----- c:\windows\Internet Logs
2008-11-30 14:33 3,426,072 a------- c:\windows\system32\d3dx9_32.dll
2008-11-30 14:31 90,435,952 a------- C:\directx_nov2008_redist.exe
2008-11-30 14:23 32,592 a------- c:\windows\system32\msonpmon.dll
2008-11-30 14:18 <DIR> --d----- c:\windows\SHELLNEW
2008-11-30 14:13 <DIR> --d----- c:\documents and settings\home\Contacts
2008-11-30 14:13 <DIR> --d----- c:\program files\MSN Messenger
2008-11-30 14:10 <DIR> --d----- c:\windows\RegisteredPackages
2008-11-30 14:05 345 a------- c:\windows\system32\NVU002.nvu
2008-11-30 13:52 <DIR> --ds---- c:\documents and settings\home\UserData
2008-11-30 13:46 <DIR> --ds---- c:\windows\system32\Microsoft
2008-11-30 13:42 239 a------- c:\windows\system32\NVU001.nvu
2008-11-30 13:42 110,592 a------- c:\windows\system32\NVUninst.exe
2008-11-30 13:38 98,304 -------- c:\windows\system32\nvuide.exe
2008-11-30 13:38 634 -------- c:\windows\system32\nvide.nvu
2008-11-30 13:38 110,592 -------- c:\windows\system32\nvusmb.exe
2008-11-30 13:38 699 -------- c:\windows\system32\nvsmb.nvu
2008-11-30 13:38 110,592 -------- c:\windows\system32\nvumctl.exe
2008-11-30 13:38 1,217 -------- c:\windows\system32\nvmctl.nvu
2008-11-30 13:37 9,801 a----r-- c:\windows\system32\nvdisp.nvu
2008-11-30 13:37 98,304 a------- c:\windows\system32\nvudisp.exe
2008-11-30 13:37 <DIR> --d----- c:\windows\nview
2008-11-30 13:35 <DIR> --d----- c:\windows\ServicePackFiles
2008-11-30 13:33 2,897,920 -------- c:\windows\system32\xpsp2res.dll
2008-11-30 13:32 19,528 a------- c:\windows\002234_.tmp
2008-11-30 13:32 <DIR> --d----- c:\windows\system32\ReinstallBackups
2008-11-30 13:32 15,872 a------- c:\windows\system32\spupdsvc.exe
2008-11-30 13:31 26,496 ac------ c:\windows\system32\dllcache\usbstor.sys
2008-11-30 13:30 <DIR> --d----- c:\windows\EHome
2008-11-30 13:26 <DIR> --dsh--- c:\windows\Installer
2008-11-30 13:26 <DIR> --d----- c:\documents and settings\Home
2008-11-30 13:25 8,192 a------- c:\windows\REGLOCS.OLD
2008-11-30 13:23 31,744 ac------ c:\windows\system32\dllcache\smb6w.dll
2008-11-30 13:22 108,827 ac------ c:\windows\system32\dllcache\hanja.lex
2008-11-30 13:21 2,577 a------- c:\windows\system32\CONFIG.NT
2008-11-30 13:21 0 a------- c:\windows\control.ini
2008-11-30 13:21 25,065 a------- c:\windows\system32\wmpscheme.xml
2008-11-30 13:21 23,392 a------- c:\windows\system32\nscompat.tlb
2008-11-30 13:21 16,832 a------- c:\windows\system32\amcompat.tlb
2008-11-30 13:21 299,552 a------- c:\windows\WMSysPrx.prx
2008-11-30 13:21 <DIR> --dsh--- c:\documents and settings\all users\DRM
2008-11-30 13:19 <DIR> --d----- c:\program files\common files\MSSoap
2008-11-30 13:18 <DIR> --d-h--- c:\program files\WindowsUpdate
2008-11-30 13:18 <DIR> --d----- c:\program files\Online Services
2008-11-30 13:18 <DIR> --d----- c:\program files\Messenger
2008-11-30 13:18 <DIR> --d----- c:\program files\MSN Gaming Zone
2008-11-30 13:18 <DIR> --d----- c:\program files\Windows NT
2008-11-30 13:13 <DIR> --d----- c:\program files\common files\ODBC
2008-11-30 13:13 <DIR> --d----- c:\program files\common files\SpeechEngines
2008-11-30 13:12 <DIR> --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2008-12-04 13:07 92,725 a--sh--- c:\windows\system32\dazetaha.dll
2008-12-04 13:07 87,605 a--sh--- c:\windows\system32\lesufuya.dll
2008-12-04 13:07 64,053 a--sh--- c:\windows\system32\riwakabe.dll
2008-12-03 22:18 348,160 a------- c:\windows\system32\msvcr71.dll
2008-12-03 13:36 94,261 a--sh--- c:\windows\system32\nezovefo.dll
2008-12-03 13:36 85,557 -------- c:\windows\system32\vamodimu.dll
2008-12-02 16:01 86,580 a--sh--- c:\windows\system32\raromozo.dll
2008-12-02 16:01 93,748 a--sh--- c:\windows\system32\nebiteda.dll
2008-12-02 16:01 65,076 a--sh--- c:\windows\system32\henemate.dll
2008-11-30 13:41 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-30 13:19 21,640 a------- c:\windows\system32\emptyregdb.dat
2008-10-27 10:04 514,384 a------- c:\windows\system32\XAudio2_3.dll
2008-10-27 10:04 235,856 a------- c:\windows\system32\xactengine3_3.dll
2008-10-27 10:04 23,376 a------- c:\windows\system32\X3DAudio1_5.dll
2008-10-27 10:04 70,992 a------- c:\windows\system32\XAPOFX1_2.dll
2008-10-10 04:52 4,379,984 a------- c:\windows\system32\D3DX9_40.dll
2008-10-10 04:52 2,036,576 a------- c:\windows\system32\D3DCompiler_40.dll
2008-10-10 04:52 452,440 a------- c:\windows\system32\d3dx10_40.dll
2008-09-04 13:07 64,053 a--sh--- c:\windows\system32\josoguyi.dll
2008-09-04 13:07 64,053 a--sh--- c:\windows\system32\juborafe.dll
2008-09-01 16:16 95,744 a--sh--- c:\windows\system32\mijejabe.dll
2008-09-04 13:07 64,053 a--sh--- c:\windows\system32\yeyapoyu.dll

============= FINISH: 13:36:46.31 ===============

[tetonbob]

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

[awaise]

heres the combofix log:

ComboFix 08-12-03.04 - Home 2008-12-04 16:24:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.167 [GMT 0:00]
Running from: c:\documents and settings\Home\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\~.exe
c:\windows\system32\ayufusel.ini
c:\windows\system32\dazetaha.dll
c:\windows\system32\josoguyi.dll
c:\windows\system32\juborafe.dll
c:\windows\system32\lesufuya.dll
c:\windows\system32\nebiteda.dll
c:\windows\system32\nezovefo.dll
c:\windows\system32\obakepak.ini
c:\windows\system32\ozirusat.ini
c:\windows\system32\ozomorar.ini
c:\windows\system32\raromozo.dll
c:\windows\system32\riwakabe.dll
c:\windows\system32\umidomav.ini
c:\windows\system32\vamodimu.dll
c:\windows\system32\yeyapoyu.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-04 to 2008-12-04 )))))))))))))))))))))))))))))))
.

2008-12-04 13:32 . 2008-12-04 13:34 250 --a------ c:\windows\gmer.ini
2008-12-03 22:19 . 2008-12-03 22:19 <DIR> d-------- c:\program files\Common Files\xing shared
2008-12-03 22:18 . 2008-12-03 22:19 <DIR> d-------- c:\program files\Common Files\Real
2008-12-03 22:18 . 2008-12-03 22:18 499,712 --a------ c:\windows\system32\msvcp71.dll
2008-12-02 21:51 . 2008-12-02 21:51 <DIR> d-------- c:\documents and settings\Home\Application Data\Dealio
2008-12-02 21:50 . 2008-12-02 21:50 <DIR> d-------- c:\windows\system32\custom matrices
2008-12-02 21:49 . 2008-12-02 21:49 <DIR> d-------- c:\windows\system32\QuickTime
2008-12-02 21:49 . 2008-12-02 21:50 <DIR> d-------- c:\windows\system32\C2MP
2008-12-01 16:16 . 2008-12-01 16:16 268 --ah----- C:\sqmdata04.sqm
2008-12-01 16:16 . 2008-12-01 16:16 268 --ah----- C:\sqmdata03.sqm
2008-12-01 16:16 . 2008-12-01 16:16 244 --ah----- C:\sqmnoopt03.sqm
2008-12-01 16:16 . 2008-12-01 16:16 172 --ah----- C:\sqmnoopt04.sqm
2008-12-01 00:59 . 2008-12-01 00:59 0 --a------ c:\windows\nsreg.dat
2008-11-30 21:15 . 2008-11-30 21:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\UDL
2008-11-30 21:14 . 2003-07-02 01:00 131,072 --a------ c:\windows\system32\Epcmlib.dll
2008-11-30 17:41 . 2008-11-30 21:13 <DIR> d-------- c:\program files\Smart Panel
2008-11-30 17:41 . 1999-06-15 11:31 96,768 --a------ c:\windows\SlantAdj.dll
2008-11-30 17:41 . 1999-12-07 02:03 73,216 --a------ c:\windows\ADE.DLL
2008-11-30 17:41 . 1999-04-27 00:17 3,136 --a------ c:\windows\Ade001.bin
2008-11-30 17:41 . 1999-08-09 23:50 72 --------- c:\windows\system32\epDPE.ini
2008-11-30 17:38 . 2003-07-23 01:09 75,501 --a------ c:\windows\system32\EBPMON24.DLL
2008-11-30 17:38 . 2003-05-21 02:27 64,000 --a------ c:\windows\system32\ECBTEG.DLL
2008-11-30 17:38 . 2000-06-07 01:01 34,304 --a------ c:\windows\system32\EBPCHP.DLL
2008-11-30 17:38 . 2003-07-16 13:14 31,744 --a------ c:\windows\system32\E_DCINST.DLL
2008-11-30 17:38 . 2001-09-04 02:04 182 --a------ c:\windows\system32\EBPPORT4.DAT
2008-11-30 17:37 . 2008-11-30 21:05 26,660 --a------ c:\windows\EPSTPLOG.BAK
2008-11-30 17:30 . 2008-11-30 17:30 268 --ah----- C:\sqmdata02.sqm
2008-11-30 17:30 . 2008-11-30 17:30 244 --ah----- C:\sqmnoopt02.sqm
2008-11-30 17:21 . 2008-11-30 21:15 <DIR> d--h----- c:\program files\InstallShield Installation Information
2008-11-30 17:21 . 2008-11-30 21:15 <DIR> d-------- c:\program files\EPSON
2008-11-30 17:21 . 2003-07-01 00:00 46,080 --a------ c:\windows\system32\escimgd.dll
2008-11-30 17:21 . 2003-07-01 00:00 29,696 --a------ c:\windows\system32\escwiad.dll
2008-11-30 17:21 . 2003-07-01 00:00 22,528 --a------ c:\windows\system32\esccmd.dll
2008-11-30 17:21 . 2004-08-03 22:58 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-11-30 17:21 . 2004-08-03 22:58 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-11-30 17:20 . 2008-11-30 17:20 27 --a------ c:\windows\CDE RX500E.ini
2008-11-30 17:10 . 2008-11-30 17:10 268 --ah----- C:\sqmdata01.sqm
2008-11-30 17:10 . 2008-11-30 17:10 244 --ah----- C:\sqmnoopt01.sqm
2008-11-30 17:07 . 2004-08-03 23:08 31,616 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-11-30 17:07 . 2004-08-03 23:08 31,616 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2008-11-30 17:07 . 2004-08-03 23:01 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-11-30 17:07 . 2004-08-03 23:01 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2008-11-30 15:15 . 2008-12-04 16:13 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-30 15:09 . 2008-11-30 15:09 268 --ah----- C:\sqmdata00.sqm
2008-11-30 15:09 . 2008-11-30 15:09 244 --ah----- C:\sqmnoopt00.sqm
2008-11-30 15:07 . 2008-12-04 16:39 <DIR> d-------- c:\windows\system32\ZoneLabs
2008-11-30 15:07 . 2007-03-09 00:01 1,087,216 --a------ c:\windows\system32\zpeng24.dll
2008-11-30 15:07 . 2008-11-30 17:11 4,212 ---h----- c:\windows\system32\zllictbl.dat
2008-11-30 14:56 . 2008-12-04 16:39 47,197 --a------ c:\windows\system32\vsconfig.xml
2008-11-30 14:52 . 2008-12-04 13:08 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-30 14:52 . 2008-11-30 14:52 <DIR> d-------- c:\program files\AVG
2008-11-30 14:52 . 2008-11-30 15:16 <DIR> d-------- c:\documents and settings\Home\Application Data\AVGTOOLBAR
2008-11-30 14:52 . 2008-11-30 14:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-30 14:52 . 2008-11-30 14:52 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-30 14:52 . 2008-11-30 14:52 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-30 14:35 . 2008-12-04 16:41 <DIR> d-------- c:\windows\Internet Logs
2008-11-30 14:35 . 2008-11-30 14:35 <DIR> d-------- c:\program files\Zone Labs
2008-11-30 14:33 . 2008-11-30 14:33 <DIR> d-------- c:\windows\Logs
2008-11-30 14:31 . 2008-11-30 14:31 90,435,952 --a------ C:\directx_nov2008_redist.exe
2008-11-30 14:23 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2008-11-30 14:22 . 2008-11-30 14:22 <DIR> d-------- c:\program files\MSBuild
2008-11-30 14:22 . 2008-11-30 14:22 <DIR> d-------- c:\program files\Microsoft Works
2008-11-30 14:18 . 2008-11-30 14:21 <DIR> d-------- c:\windows\SHELLNEW
2008-11-30 14:17 . 2008-11-30 14:17 <DIR> dr-h----- C:\MSOCache
2008-11-30 14:17 . 2008-11-30 14:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-30 14:13 . 2008-11-30 14:13 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-11-30 14:13 . 2008-12-03 22:18 <DIR> d-------- c:\program files\Real
2008-11-30 14:13 . 2008-11-30 14:13 <DIR> d-------- c:\program files\MSN Messenger
2008-11-30 14:13 . 2008-12-02 18:08 <DIR> d-------- c:\documents and settings\Home\Contacts
2008-11-30 14:06 . 2008-11-30 14:06 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-11-30 14:05 . 2008-11-30 14:06 <DIR> d-------- c:\program files\Common Files\Adobe
2008-11-30 14:05 . 2008-11-30 14:05 345 --a------ c:\windows\system32\NVU002.nvu
2008-11-30 14:02 . 2008-11-30 15:00 <DIR> d-------- c:\program files\NOS
2008-11-30 14:02 . 2008-11-30 15:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-03 22:18 348,160 ----a-w c:\windows\system32\msvcr71.dll
2008-12-02 16:01 65,076 --sha-w c:\windows\system32\henemate.dll
2008-11-30 18:09 100,352 ----a-w c:\windows\Internet Logs\xDB1.tmp
2008-11-30 18:09 1,983,488 ----a-w c:\windows\Internet Logs\xDB2.tmp
2008-11-30 14:34 --------- d-----w c:\documents and settings\Home\Application Data\U3
2008-11-30 13:37 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-30 13:22 --------- d-----w c:\program files\microsoft frontpage
2008-10-27 10:04 70,992 ----a-w c:\windows\system32\XAPOFX1_2.dll
2008-10-27 10:04 514,384 ----a-w c:\windows\system32\XAudio2_3.dll
2008-10-27 10:04 235,856 ----a-w c:\windows\system32\xactengine3_3.dll
2008-10-27 10:04 23,376 ----a-w c:\windows\system32\X3DAudio1_5.dll
2008-10-10 04:52 452,440 ----a-w c:\windows\system32\d3dx10_40.dll
2008-10-10 04:52 4,379,984 ----a-w c:\windows\system32\D3DX9_40.dll
2008-10-10 04:52 2,036,576 ----a-w c:\windows\system32\D3DCompiler_40.dll
2008-09-01 16:16 95,744 --sha-w c:\windows\system32\mijejabe.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-10-06 49152]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-01 1261336]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 919280]
"EPSON Stylus Photo RX500"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE" [2003-09-12 99840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-03 185872]
"nwiz"="nwiz.exe" [2003-10-06 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"vidc.hfyu"= huffyuv.dll
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgwdsvc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgrsx.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-30 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-30 231704]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71fd6a6a-bee2-11dd-a79d-a246701f923a}]
\Shell\AutoRun\command - G:\LaunchU3.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{e9977cec-9e1e-43fc-a880-7c57a9507f62} - c:\windows\system32\yeyapoyu.dll



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-04 16:48:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-12-04 17:00:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-04 16:59:41

Pre-Run: 74,181,361,664 bytes free
Post-Run: 74,136,002,560 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

194

[tetonbob]

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
   
2. Open notepad and copy/paste the text in the quotebox below into it:
   
   
   Quote:

   http://www.techsupportforum.com/security-center/hijackthis-log-help/319441-constant-popups-when-i-use-internet-things-like-antiviruspro-etc.html#post1837954
   
   Collect::
   c:\windows\system32\henemate.dll
   c:\windows\system32\mijejabe.dll
   
   

   Save this as CFScript.txt
   
   
   
   
   Referring to the picture above, drag CFScript.txt into ComboFix.exe
   
   
   
3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
   
4. When finished, it shall produce a log for you. Post that log in your next reply
   
   Note:
   Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
   
   When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.
   
   Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.
   
5. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.
   
   ---------------------------------------------------------------------------------------------
   

[awaise]

here is the new log:

ComboFix 08-12-03.04 - Home 2008-12-04 20:08:27.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.189 [GMT 0:00]
Running from: c:\documents and settings\Home\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Home\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\henemate.dll
c:\windows\system32\mijejabe.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-04 to 2008-12-04 )))))))))))))))))))))))))))))))
.

2008-12-04 13:32 . 2008-12-04 13:34 250 --a------ c:\windows\gmer.ini
2008-12-03 22:19 . 2008-12-03 22:19 <DIR> d-------- c:\program files\Common Files\xing shared
2008-12-03 22:18 . 2008-12-03 22:19 <DIR> d-------- c:\program files\Common Files\Real
2008-12-03 22:18 . 2008-12-03 22:18 499,712 --a------ c:\windows\system32\msvcp71.dll
2008-12-02 21:51 . 2008-12-02 21:51 <DIR> d-------- c:\documents and settings\Home\Application Data\Dealio
2008-12-02 21:50 . 2008-12-02 21:50 <DIR> d-------- c:\windows\system32\custom matrices
2008-12-02 21:49 . 2008-12-02 21:49 <DIR> d-------- c:\windows\system32\QuickTime
2008-12-02 21:49 . 2008-12-02 21:50 <DIR> d-------- c:\windows\system32\C2MP
2008-12-01 16:16 . 2008-12-01 16:16 268 --ah----- C:\sqmdata04.sqm
2008-12-01 16:16 . 2008-12-01 16:16 268 --ah----- C:\sqmdata03.sqm
2008-12-01 16:16 . 2008-12-01 16:16 244 --ah----- C:\sqmnoopt03.sqm
2008-12-01 16:16 . 2008-12-01 16:16 172 --ah----- C:\sqmnoopt04.sqm
2008-12-01 00:59 . 2008-12-01 00:59 0 --a------ c:\windows\nsreg.dat
2008-11-30 21:15 . 2008-11-30 21:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\UDL
2008-11-30 21:14 . 2003-07-02 01:00 131,072 --a------ c:\windows\system32\Epcmlib.dll
2008-11-30 17:41 . 2008-11-30 21:13 <DIR> d-------- c:\program files\Smart Panel
2008-11-30 17:41 . 1999-06-15 11:31 96,768 --a------ c:\windows\SlantAdj.dll
2008-11-30 17:41 . 1999-12-07 02:03 73,216 --a------ c:\windows\ADE.DLL
2008-11-30 17:41 . 1999-04-27 00:17 3,136 --a------ c:\windows\Ade001.bin
2008-11-30 17:41 . 1999-08-09 23:50 72 --------- c:\windows\system32\epDPE.ini
2008-11-30 17:38 . 2003-07-23 01:09 75,501 --a------ c:\windows\system32\EBPMON24.DLL
2008-11-30 17:38 . 2003-05-21 02:27 64,000 --a------ c:\windows\system32\ECBTEG.DLL
2008-11-30 17:38 . 2000-06-07 01:01 34,304 --a------ c:\windows\system32\EBPCHP.DLL
2008-11-30 17:38 . 2003-07-16 13:14 31,744 --a------ c:\windows\system32\E_DCINST.DLL
2008-11-30 17:38 . 2001-09-04 02:04 182 --a------ c:\windows\system32\EBPPORT4.DAT
2008-11-30 17:37 . 2008-11-30 21:05 26,660 --a------ c:\windows\EPSTPLOG.BAK
2008-11-30 17:30 . 2008-11-30 17:30 268 --ah----- C:\sqmdata02.sqm
2008-11-30 17:30 . 2008-11-30 17:30 244 --ah----- C:\sqmnoopt02.sqm
2008-11-30 17:21 . 2008-11-30 21:15 <DIR> d--h----- c:\program files\InstallShield Installation Information
2008-11-30 17:21 . 2008-11-30 21:15 <DIR> d-------- c:\program files\EPSON
2008-11-30 17:21 . 2003-07-01 00:00 46,080 --a------ c:\windows\system32\escimgd.dll
2008-11-30 17:21 . 2003-07-01 00:00 29,696 --a------ c:\windows\system32\escwiad.dll
2008-11-30 17:21 . 2003-07-01 00:00 22,528 --a------ c:\windows\system32\esccmd.dll
2008-11-30 17:21 . 2004-08-03 22:58 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-11-30 17:21 . 2004-08-03 22:58 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-11-30 17:20 . 2008-11-30 17:20 27 --a------ c:\windows\CDE RX500E.ini
2008-11-30 17:10 . 2008-11-30 17:10 268 --ah----- C:\sqmdata01.sqm
2008-11-30 17:10 . 2008-11-30 17:10 244 --ah----- C:\sqmnoopt01.sqm
2008-11-30 17:07 . 2004-08-03 23:08 31,616 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-11-30 17:07 . 2004-08-03 23:08 31,616 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2008-11-30 17:07 . 2004-08-03 23:01 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-11-30 17:07 . 2004-08-03 23:01 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2008-11-30 15:15 . 2008-12-04 16:13 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-30 15:09 . 2008-11-30 15:09 268 --ah----- C:\sqmdata00.sqm
2008-11-30 15:09 . 2008-11-30 15:09 244 --ah----- C:\sqmnoopt00.sqm
2008-11-30 15:07 . 2008-12-04 16:39 <DIR> d-------- c:\windows\system32\ZoneLabs
2008-11-30 15:07 . 2007-03-09 00:01 1,087,216 --a------ c:\windows\system32\zpeng24.dll
2008-11-30 15:07 . 2008-11-30 17:11 4,212 ---h----- c:\windows\system32\zllictbl.dat
2008-11-30 14:56 . 2008-12-04 19:52 47,197 --a------ c:\windows\system32\vsconfig.xml
2008-11-30 14:52 . 2008-12-04 13:08 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-30 14:52 . 2008-11-30 14:52 <DIR> d-------- c:\program files\AVG
2008-11-30 14:52 . 2008-11-30 15:16 <DIR> d-------- c:\documents and settings\Home\Application Data\AVGTOOLBAR
2008-11-30 14:52 . 2008-11-30 14:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-30 14:52 . 2008-11-30 14:52 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-30 14:52 . 2008-11-30 14:52 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-30 14:35 . 2008-12-04 20:04 <DIR> d-------- c:\windows\Internet Logs
2008-11-30 14:35 . 2008-11-30 14:35 <DIR> d-------- c:\program files\Zone Labs
2008-11-30 14:33 . 2008-11-30 14:33 <DIR> d-------- c:\windows\Logs
2008-11-30 14:31 . 2008-11-30 14:31 90,435,952 --a------ C:\directx_nov2008_redist.exe
2008-11-30 14:23 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2008-11-30 14:22 . 2008-11-30 14:22 <DIR> d-------- c:\program files\MSBuild
2008-11-30 14:22 . 2008-11-30 14:22 <DIR> d-------- c:\program files\Microsoft Works
2008-11-30 14:18 . 2008-11-30 14:21 <DIR> d-------- c:\windows\SHELLNEW
2008-11-30 14:17 . 2008-11-30 14:17 <DIR> dr-h----- C:\MSOCache
2008-11-30 14:17 . 2008-11-30 14:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-30 14:13 . 2008-11-30 14:13 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-11-30 14:13 . 2008-12-03 22:18 <DIR> d-------- c:\program files\Real
2008-11-30 14:13 . 2008-11-30 14:13 <DIR> d-------- c:\program files\MSN Messenger
2008-11-30 14:13 . 2008-12-02 18:08 <DIR> d-------- c:\documents and settings\Home\Contacts
2008-11-30 14:06 . 2008-11-30 14:06 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-11-30 14:05 . 2008-11-30 14:06 <DIR> d-------- c:\program files\Common Files\Adobe
2008-11-30 14:05 . 2008-11-30 14:05 345 --a------ c:\windows\system32\NVU002.nvu
2008-11-30 14:02 . 2008-11-30 15:00 <DIR> d-------- c:\program files\NOS
2008-11-30 14:02 . 2008-11-30 15:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-03 22:18 348,160 ----a-w c:\windows\system32\msvcr71.dll
2008-11-30 18:09 100,352 ----a-w c:\windows\Internet Logs\xDB1.tmp
2008-11-30 18:09 1,983,488 ----a-w c:\windows\Internet Logs\xDB2.tmp
2008-11-30 14:34 --------- d-----w c:\documents and settings\Home\Application Data\U3
2008-11-30 13:37 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-30 13:22 --------- d-----w c:\program files\microsoft frontpage
2008-10-27 10:04 70,992 ----a-w c:\windows\system32\XAPOFX1_2.dll
2008-10-27 10:04 514,384 ----a-w c:\windows\system32\XAudio2_3.dll
2008-10-27 10:04 235,856 ----a-w c:\windows\system32\xactengine3_3.dll
2008-10-27 10:04 23,376 ----a-w c:\windows\system32\X3DAudio1_5.dll
2008-10-10 04:52 452,440 ----a-w c:\windows\system32\d3dx10_40.dll
2008-10-10 04:52 4,379,984 ----a-w c:\windows\system32\D3DX9_40.dll
2008-10-10 04:52 2,036,576 ----a-w c:\windows\system32\D3DCompiler_40.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-10-06 49152]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-01 1261336]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 919280]
"EPSON Stylus Photo RX500"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE" [2003-09-12 99840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-03 185872]
"nwiz"="nwiz.exe" [2003-10-06 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"vidc.hfyu"= huffyuv.dll
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgwdsvc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgrsx.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-30 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-30 231704]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71fd6a6a-bee2-11dd-a79d-a246701f923a}]
\Shell\AutoRun\command - G:\LaunchU3.exe
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-04 20:10:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-04 20:11:29
ComboFix-quarantined-files.txt 2008-12-04 20:11:16
ComboFix2.txt 2008-12-04 17:00:15

Pre-Run: 74,110,832,640 bytes free
Post-Run: 74,106,904,576 bytes free

167

[tetonbob]

Thanks for uploading the file.

Please perform this online scan to help look for remnants.


Go here to run an online scannner from ESET.

• Note: You will need to use Internet explorer for this scan
• Turn off the real time scanner of any existing antivirus program while performing the online scan
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Click Start
• Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
• Click Scan
• Wait for the scan to finish
• Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
• Copy and paste that log as a reply to this topic and also let me know how things are now.

[awaise]

Hi, thanx a lot for your help, you're the fastest anlayst i have seen! I have having problems when I turned on the PC and tried to open anything, the computer would just slow down a lot. When I tried to open the internet, the window opened but then it would just load for ages and then when i tried ctrl alt del the PC would just freeze and i had to restart it. This happend a few times then when i turned the pc on again i pressed ctl alt del and the task manager came up after a bit of a wait. Then i just deleted a few dodgy looking proceses. Then I opened up my firewall, zonealarm, and went into program control. There was a program with no namr just something like this ~.exe and i saw the details of it and it was in the system32 folder. I just blocked all internet access for it ( killed it) and after that evrything went back to normal again and was able to log back onto the forum. out of breath now!

Thanx a lot for your help again here is the log from the eset scanner:

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3664 (20081204)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=b6a0ba3f2d57db49961260471a6e9db7
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-12-04 09:49:35
# local_time=2008-12-04 09:49:35 (+0000, GMT Standard Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 2
# scanned=123399
# found=2
# scan_time=1441
C:\WINDOWS\system32\wawunego.dll.tmp Win32/Agent.ARRW trojan 56D01817B63F5792F88A8B7322510E2B
C:\WINDOWS\system32\yatehaje.dll.tmp Win32/Agent.ARRW trojan 56D01817B63F5792F88A8B7322510E2B

[tetonbob]

Hi again -

Before we continue, I need some clarification....these issues you're describing, are they ongoing? Or, was this before we began the removal process? How are things now?

[awaise]

this happened before the online scan only - after the combofix. Normally there are popups but those are gone now

[tetonbob]

Let's run this script, and then let me know how things are. The machine is a little light on memory, at 447MB, but that should be close enough to minimum for XP to run well. More physical memory (RAM) is always better.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
   
2. Open notepad and copy/paste the text in the quotebox below into it:
   
   
   Quote:

   http://www.techsupportforum.com/security-center/hijackthis-log-help/319441-constant-popups-when-i-use-internet-things-like-antiviruspro-etc.html#post1838444
   
   Collect::
   "C:\WINDOWS\system32\wawunego.dll.tmp"
   "C:\WINDOWS\system32\yatehaje.dll.tmp"
   
   DirLook::
   c:\windows\system32\C2MP
   
   
   

   Save this as CFScript.txt
   
   
   
   
   Referring to the picture above, drag CFScript.txt into ComboFix.exe
   
   
3. If ComboFix requests an update, please allow it. Ignore any indication that the update failed, just continue on.
   
4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
   
5. When finished, it shall produce a log for you. Post that log in your next reply
   
   Note:
   Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
   
   When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.
   
   Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.
   
6. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.
   
   ---------------------------------------------------------------------------------------------
   

[awaise]

here is the log:

ComboFix 08-12-04.04 - Home 2008-12-04 22:38:09.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.131 [GMT 0:00]
Running from: c:\documents and settings\Home\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Home\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\wawunego.dll.tmp

.
((((((((((((((((((((((((( Files Created from 2008-11-04 to 2008-12-04 )))))))))))))))))))))))))))))))
.

2008-12-04 21:23 . 2008-12-04 21:49 <DIR> d-------- c:\program files\EsetOnlineScanner
2008-12-04 13:32 . 2008-12-04 13:34 250 --a------ c:\windows\gmer.ini
2008-12-03 22:19 . 2008-12-03 22:19 <DIR> d-------- c:\program files\Common Files\xing shared
2008-12-03 22:18 . 2008-12-03 22:19 <DIR> d-------- c:\program files\Common Files\Real
2008-12-03 22:18 . 2008-12-03 22:18 499,712 --a------ c:\windows\system32\msvcp71.dll
2008-12-02 21:51 . 2008-12-02 21:51 <DIR> d-------- c:\documents and settings\Home\Application Data\Dealio
2008-12-02 21:50 . 2008-12-02 21:50 <DIR> d-------- c:\windows\system32\custom matrices
2008-12-02 21:49 . 2008-12-02 21:49 <DIR> d-------- c:\windows\system32\QuickTime
2008-12-02 21:49 . 2008-12-02 21:50 <DIR> d-------- c:\windows\system32\C2MP
2008-12-01 16:16 . 2008-12-01 16:16 268 --ah----- C:\sqmdata04.sqm
2008-12-01 16:16 . 2008-12-01 16:16 268 --ah----- C:\sqmdata03.sqm
2008-12-01 16:16 . 2008-12-01 16:16 244 --ah----- C:\sqmnoopt03.sqm
2008-12-01 16:16 . 2008-12-01 16:16 172 --ah----- C:\sqmnoopt04.sqm
2008-12-01 00:59 . 2008-12-01 00:59 0 --a------ c:\windows\nsreg.dat
2008-11-30 21:15 . 2008-11-30 21:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\UDL
2008-11-30 21:14 . 2003-07-02 01:00 131,072 --a------ c:\windows\system32\Epcmlib.dll
2008-11-30 17:41 . 2008-11-30 21:13 <DIR> d-------- c:\program files\Smart Panel
2008-11-30 17:41 . 1999-06-15 11:31 96,768 --a------ c:\windows\SlantAdj.dll
2008-11-30 17:41 . 1999-12-07 02:03 73,216 --a------ c:\windows\ADE.DLL
2008-11-30 17:41 . 1999-04-27 00:17 3,136 --a------ c:\windows\Ade001.bin
2008-11-30 17:41 . 1999-08-09 23:50 72 --------- c:\windows\system32\epDPE.ini
2008-11-30 17:38 . 2003-07-23 01:09 75,501 --a------ c:\windows\system32\EBPMON24.DLL
2008-11-30 17:38 . 2003-05-21 02:27 64,000 --a------ c:\windows\system32\ECBTEG.DLL
2008-11-30 17:38 . 2000-06-07 01:01 34,304 --a------ c:\windows\system32\EBPCHP.DLL
2008-11-30 17:38 . 2003-07-16 13:14 31,744 --a------ c:\windows\system32\E_DCINST.DLL
2008-11-30 17:38 . 2001-09-04 02:04 182 --a------ c:\windows\system32\EBPPORT4.DAT
2008-11-30 17:37 . 2008-11-30 21:05 26,660 --a------ c:\windows\EPSTPLOG.BAK
2008-11-30 17:30 . 2008-11-30 17:30 268 --ah----- C:\sqmdata02.sqm
2008-11-30 17:30 . 2008-11-30 17:30 244 --ah----- C:\sqmnoopt02.sqm
2008-11-30 17:21 . 2008-11-30 21:15 <DIR> d--h----- c:\program files\InstallShield Installation Information
2008-11-30 17:21 . 2008-11-30 21:15 <DIR> d-------- c:\program files\EPSON
2008-11-30 17:21 . 2003-07-01 00:00 46,080 --a------ c:\windows\system32\escimgd.dll
2008-11-30 17:21 . 2003-07-01 00:00 29,696 --a------ c:\windows\system32\escwiad.dll
2008-11-30 17:21 . 2003-07-01 00:00 22,528 --a------ c:\windows\system32\esccmd.dll
2008-11-30 17:21 . 2004-08-03 22:58 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-11-30 17:21 . 2004-08-03 22:58 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-11-30 17:20 . 2008-11-30 17:20 27 --a------ c:\windows\CDE RX500E.ini
2008-11-30 17:10 . 2008-11-30 17:10 268 --ah----- C:\sqmdata01.sqm
2008-11-30 17:10 . 2008-11-30 17:10 244 --ah----- C:\sqmnoopt01.sqm
2008-11-30 17:07 . 2004-08-03 23:08 31,616 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-11-30 17:07 . 2004-08-03 23:08 31,616 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2008-11-30 17:07 . 2004-08-03 23:01 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-11-30 17:07 . 2004-08-03 23:01 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2008-11-30 15:15 . 2008-12-04 16:13 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-30 15:09 . 2008-11-30 15:09 268 --ah----- C:\sqmdata00.sqm
2008-11-30 15:09 . 2008-11-30 15:09 244 --ah----- C:\sqmnoopt00.sqm
2008-11-30 15:07 . 2008-12-04 16:39 <DIR> d-------- c:\windows\system32\ZoneLabs
2008-11-30 15:07 . 2007-03-09 00:01 1,087,216 --a------ c:\windows\system32\zpeng24.dll
2008-11-30 15:07 . 2008-11-30 17:11 4,212 ---h----- c:\windows\system32\zllictbl.dat
2008-11-30 14:56 . 2008-12-04 21:07 47,197 --a------ c:\windows\system32\vsconfig.xml
2008-11-30 14:52 . 2008-12-04 13:08 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-30 14:52 . 2008-11-30 14:52 <DIR> d-------- c:\program files\AVG
2008-11-30 14:52 . 2008-11-30 15:16 <DIR> d-------- c:\documents and settings\Home\Application Data\AVGTOOLBAR
2008-11-30 14:52 . 2008-11-30 14:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-30 14:52 . 2008-11-30 14:52 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-30 14:52 . 2008-11-30 14:52 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-30 14:35 . 2008-12-04 22:31 <DIR> d-------- c:\windows\Internet Logs
2008-11-30 14:35 . 2008-11-30 14:35 <DIR> d-------- c:\program files\Zone Labs
2008-11-30 14:33 . 2008-11-30 14:33 <DIR> d-------- c:\windows\Logs
2008-11-30 14:31 . 2008-11-30 14:31 90,435,952 --a------ C:\directx_nov2008_redist.exe
2008-11-30 14:23 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2008-11-30 14:22 . 2008-11-30 14:22 <DIR> d-------- c:\program files\MSBuild
2008-11-30 14:22 . 2008-11-30 14:22 <DIR> d-------- c:\program files\Microsoft Works
2008-11-30 14:18 . 2008-11-30 14:21 <DIR> d-------- c:\windows\SHELLNEW
2008-11-30 14:17 . 2008-11-30 14:17 <DIR> dr-h----- C:\MSOCache
2008-11-30 14:17 . 2008-11-30 14:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-30 14:13 . 2008-11-30 14:13 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-11-30 14:13 . 2008-12-03 22:18 <DIR> d-------- c:\program files\Real
2008-11-30 14:13 . 2008-11-30 14:13 <DIR> d-------- c:\program files\MSN Messenger
2008-11-30 14:13 . 2008-12-02 18:08 <DIR> d-------- c:\documents and settings\Home\Contacts
2008-11-30 14:06 . 2008-11-30 14:06 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-11-30 14:05 . 2008-11-30 14:06 <DIR> d-------- c:\program files\Common Files\Adobe
2008-11-30 14:05 . 2008-11-30 14:05 345 --a------ c:\windows\system32\NVU002.nvu
2008-11-30 14:02 . 2008-11-30 15:00 <DIR> d-------- c:\program files\NOS
2008-11-30 14:02 . 2008-11-30 15:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-03 22:18 348,160 ----a-w c:\windows\system32\msvcr71.dll
2008-11-30 18:09 100,352 ----a-w c:\windows\Internet Logs\xDB1.tmp
2008-11-30 18:09 1,983,488 ----a-w c:\windows\Internet Logs\xDB2.tmp
2008-11-30 14:34 --------- d-----w c:\documents and settings\Home\Application Data\U3
2008-11-30 13:37 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-30 13:22 --------- d-----w c:\program files\microsoft frontpage
2008-10-27 10:04 70,992 ----a-w c:\windows\system32\XAPOFX1_2.dll
2008-10-27 10:04 514,384 ----a-w c:\windows\system32\XAudio2_3.dll
2008-10-27 10:04 235,856 ----a-w c:\windows\system32\xactengine3_3.dll
2008-10-27 10:04 23,376 ----a-w c:\windows\system32\X3DAudio1_5.dll
2008-10-10 04:52 452,440 ----a-w c:\windows\system32\d3dx10_40.dll
2008-10-10 04:52 4,379,984 ----a-w c:\windows\system32\D3DX9_40.dll
2008-10-10 04:52 2,036,576 ----a-w c:\windows\system32\D3DCompiler_40.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\windows\system32\C2MP ----

2008-05-24 19:56 228141 --a------ c:\windows\system32\C2MP\Uninst.exe
2008-05-24 19:55 26614 --a------ c:\windows\system32\C2MP\Un_Parts.exe
2008-03-21 20:29 626688 --a------ c:\windows\system32\C2MP\Microsoft.VC80.CRT\msvcr80.dll
2008-03-21 20:29 548864 --a------ c:\windows\system32\C2MP\Microsoft.VC80.CRT\msvcp80.dll
2008-03-21 20:29 479232 --a------ c:\windows\system32\C2MP\Microsoft.VC80.CRT\msvcm80.dll
2008-03-21 20:29 1869 --a------ c:\windows\system32\C2MP\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
2008-03-21 20:28 22624 --a------ c:\windows\system32\C2MP\npdivx32.tlb
2008-03-21 20:28 1607 --a------ c:\windows\system32\C2MP\npdivx32.xpt
2008-03-21 20:28 1335600 --a------ c:\windows\system32\C2MP\npdivx32.dll
2007-09-20 01:15 193110 --a------ c:\windows\system32\C2MP\MPCP.ico
2007-02-22 20:08 925696 --a------ c:\windows\system32\C2MP\GSpot.exe
2007-02-19 15:28 117974 --a------ c:\windows\system32\C2MP\GSpot27.dat
2007-01-16 22:37 10684 --a------ c:\windows\system32\C2MP\ExportFormat.txt
2005-05-05 01:12 69632 --a------ c:\windows\system32\C2MP\DivXConfig.exe
2004-05-30 03:30 766 --a------ c:\windows\system32\C2MP\xvid.ico
2004-04-30 12:11 1730 --a------ c:\windows\system32\C2MP\VP6 VFW Codec\Two Pass - Second Pass - Streaming.vps
2004-04-30 12:11 1730 --a------ c:\windows\system32\C2MP\VP6 VFW Codec\Two Pass - Second Pass - Local File Playback.vps
2004-03-04 20:00 6144 --a------ c:\windows\system32\C2MP\AviC.exe
2004-02-11 14:33 1730 --a------ c:\windows\system32\C2MP\VP6 VFW Codec\Two Pass - First Pass.vps
2004-02-11 14:33 1730 --a------ c:\windows\system32\C2MP\VP6 VFW Codec\RealTime - Streaming.vps
2004-02-11 14:33 1730 --a------ c:\windows\system32\C2MP\VP6 VFW Codec\Good Quality - Streaming.vps
2003-12-26 19:26 9216 --a------ c:\windows\system32\C2MP\OGMCalc.exe
2003-12-21 12:10 2967 --a------ c:\windows\system32\C2MP\XviD_Quant_Matrices.zip
2003-11-24 08:28 13824 --a------ c:\windows\system32\C2MP\StatsReader.exe
2002-12-12 00:14 13312 --a------ c:\windows\system32\C2MP\msdmo.dll
2002-06-12 16:52 23040 --a------ c:\windows\system32\C2MP\MiniCalc.exe


((((((((((((((((((((((((((((( snapshot@2008-12-04_16.49.59.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-07-27 15:49:02 196,683 ----a-w c:\windows\system32\lnod32apiA.dll
+ 2007-07-27 15:49:02 225,355 ----a-w c:\windows\system32\lnod32apiW.dll
+ 2005-12-05 20:25:22 139,264 ----a-w c:\windows\system32\lnod32umc.dll
+ 2005-12-05 13:37:10 106,496 ----a-w c:\windows\system32\lnod32upd.dll
+ 2007-08-02 18:11:28 253,952 ----a-w c:\windows\system32\OnlineScannerDLLA.dll
+ 2007-08-02 18:11:14 241,664 ----a-w c:\windows\system32\OnlineScannerDLLW.dll
+ 2007-08-06 13:17:40 19,456 ----a-w c:\windows\system32\OnlineScannerLang.dll
+ 2007-06-13 11:10:34 77,824 ----a-w c:\windows\system32\OnlineScannerUninstaller.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-10-06 49152]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-01 1261336]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 919280]
"EPSON Stylus Photo RX500"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE" [2003-09-12 99840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-03 185872]
"nwiz"="nwiz.exe" [2003-10-06 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"vidc.hfyu"= huffyuv.dll
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgwdsvc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgrsx.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-30 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-30 231704]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71fd6a6a-bee2-11dd-a79d-a246701f923a}]
\Shell\AutoRun\command - G:\LaunchU3.exe
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-04 22:39:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\windows\system32\COMRes.dll
.
Completion time: 2008-12-04 22:40:48
ComboFix-quarantined-files.txt 2008-12-04 22:40:35
ComboFix2.txt 2008-12-04 20:11:31
ComboFix3.txt 2008-12-04 17:00:15

Pre-Run: 73,921,253,376 bytes free
Post-Run: 73,994,080,256 bytes free

212

[tetonbob]

Please run a search for this file, if it exists, delete it:

C:\WINDOWS\system32\yatehaje.dll.tmp

Any other problems with the machine?

[awaise]

that file isnt one the pc anymore. But i keep getting virus dtected messages on AVG its called 'Trojan Horse Vundo.BP' and is located in C:\System Volume Information\_restore...\A0011623.dll

[tetonbob]

That will be addressed by uninstalling ComboFix as instructed below.

C:\System Volume Information\ is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be resetting/clearing the cache in a little while.

Other than that....

Your logs appear clean.You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

• Microsoft Windows Update - http://www.windowsupdate.com
  Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  
  
• SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items
• Winpatrol
  
  Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.
  
  You can get a free copy of Winpatrol or use the Plus version for more features.
  
  You can read Winpatrol's FAQ if you run into problems.
  
  
• MVPS HOST FILE
  The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • Download Host.zip to your desktop.
  • From your Desktop right-click (hosts.zip) and select:
    Extract All from the menu.
    
  • Click Next, click Next, select the option:
    "Show Extracted files", click Finish
    
  • This will open the newly created hosts folder on your Desktop.
    
  • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    
  • Once updated you should see another prompt that the task was completed.
• ANTIVIRUS SOFTWARE
  It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.
  
  Do not install more than one AntiVirus program because they will conflict with each other.
  
  

Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

Here are some additional utilities that will further enhance your safety.

• http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• How did I get infected in the first place?
• PC Safety and Security--What Do I Need?

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

[awaise]

thanx a lot for your help

[tetonbob]

You're quite welcome.

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.