severe problems with main PC

[jrice257]

Hello all, I am posting this from a secondary computer due to the problems of my other comp which I am certain is infected with some malware.

First off there are certain websites that my browser will not allot be to visit. These sites are all virus scanning and malware removing websites. When I try to load one the browser will say page cannot be displayed. I have tried navigating to this site and others in firefox, IE, and google chrome, and none of them can connect, but other sites work perfectly fine through the same browser.

So I tried downloading the dos script and gmer through this computer and sending them to my second comp through an email. I received the files, but there is something else blocking .EXE files from running properly. I'm not sure what it is, but when I try to run a file such as gmer.exe I get an hourglass for a second or two and then nothing happens. The same thing happens when I tried to install malware bytes.

These problems all just started in the last few days and I've been trying to find a solution. Any help is greatly appreciated.

results of dds

DDS (Version 1.0) - NTFSx86
Run by Masta at 16:53:09.25 on Fri 12/05/2008
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.728 [GMT -6:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
svchost.exe
C:\Documents and Settings\Masta\Desktop\dds.com

============== Pseudo HJT Report ===============

mDefault_Search_URL = about:blank
mSearch Page = about:blank
mLocal Page = about:blank
mStart Page = about:blank
mSearch Bar =
uInternet Connection Wizard,ShellNext = hxxp://toolbar.morpheus.com/ready.html?toolbar=Installed
mSearchAssistant = hxxp://ie.search.msn.com
mWinlogon: Userinit=userinit.exe
BHO: {5b88a9e5-01b3-4a16-a6b1-6e7833684ecf} - c:\windows\system32\yfpqwl.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: {A63E645F-13BD-45ED-B15F-6E8C1BD57279} - c:\windows\system32\efcYsrRH.dll
BHO: {C1A45ED4-D098-4147-8E76-BFDDB4722054} - c:\windows\system32\iifeDUlM.dll
BHO: {D3138B39-C8A6-440B-9D42-50F766AEA8C7} - c:\program files\mu online toolbar\v3.2.0.0\MU_Online_Toolbar.dll
BHO: {DB722189-97BF-4214-8629-0B087EC3E83A} - c:\windows\system32\pmnoNEVP.dll
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} -
Notify: AtiExtEvent - Ati2evxx.dll
Notify: efcYsrRH - efcYsrRH.dll
Notify: WB - c:\program files\alienguise\fastload.dll
Notify: winuns32 - winuns32.dll
AppInit_DLLs: c:\windows\system32\msconfig.dll,wbsys.dll yfpqwl.dll
SEH: {54D9498B-CF93-414F-8984-8CE7FDE0D391} - c:\program files\ewido anti-malware\shellhook.dll
SEH: {57B86673-276A-48B2-BAE7-C6DBB3020EB8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll
SEH: {A63E645F-13BD-45ED-B15F-6E8C1BD57279} - c:\windows\system32\efcYsrRH.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 nwprovau c:\windows\system32\pmnoNEVP

============= SERVICES / DRIVERS ===============

R1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;\??\c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [2006-9-28 11000]
R1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\AvgAsCln.sys [2006-11-28 3968]
R1 ewido security suite driver;ewido security suite driver;\??\c:\program files\ewido anti-malware\guard.sys [2005-12-30 3072]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys []
S4 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-10 611664]
S4 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard;c:\program files\grisoft\avg anti-spyware 7.5\guard.exe [2006-9-28 312880]
S4 ewido security suite control;ewido security suite control;c:\program files\ewido anti-malware\ewidoctrl.exe [2005-11-30 13888]
S4 ewido security suite guard;ewido security suite guard;c:\program files\ewido anti-malware\ewidoguard.exe [2005-12-18 151616]

=============== Created Last 30 ================

2008-12-05 16:00 129,024 a------- c:\windows\system32\yfpqwl.dll
2008-12-05 16:00 129,024 a------- c:\windows\system32\yixoswfw.dll
2008-12-05 15:57 1,479,822 ---sh--- c:\windows\system32\oagbnpqj.ini
2008-12-05 15:57 72,704 a------- c:\windows\system32\jqpnbgao.dll
2008-12-05 14:47 111,104 a------- c:\windows\system32\IEDefender.dll
2008-12-05 14:46 <DIR> --d----- c:\program files\AV2010
2008-12-05 14:46 76,824 a------- c:\windows\system32\wingamma.exe
2008-12-05 01:52 <DIR> --d----- c:\program files\Panda Security
2008-12-04 18:01 80,896 a------- c:\windows\system32\msiconf.exe
2008-12-04 18:01 <DIR> --d----- c:\program files\Microsoft Common
2008-12-04 17:37 <DIR> --d----- c:\docume~1\masta\applic~1\Malwarebytes
2008-12-04 17:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-04 16:01 114,688 a------- c:\windows\system32\ukjxhg.dll
2008-12-04 16:01 114,688 a------- c:\windows\system32\ycfamhyk.dll
2008-12-04 15:58 129,024 a------- c:\windows\system32\fcyxuu.dll
2008-12-04 15:58 129,024 a------- c:\windows\system32\rnkletgq.dll
2008-12-04 15:56 72,704 a------- c:\windows\system32\ubnbtflo.dll
2008-12-04 15:56 1,482,400 ---sh--- c:\windows\system32\olftbnbu.ini
2008-12-03 15:08 1,482,400 ---sh--- c:\windows\system32\imoyodpx.ini
2008-12-03 15:04 129,024 a------- c:\windows\system32\kdgdshrt.dll
2008-12-03 15:04 129,024 a------- c:\windows\system32\ecjghi.dll
2008-12-02 15:06 1,404,399 ---sh--- c:\windows\system32\qgtvlpsw.ini
2008-12-02 15:06 72,704 a------- c:\windows\system32\wsplvtgq.dll
2008-12-02 15:04 129,024 a------- c:\windows\system32\rbkoer.dll
2008-12-02 15:04 129,024 a------- c:\windows\system32\dwciaumu.dll
2008-12-01 20:57 129,024 a------- c:\windows\system32\zbchib.dll
2008-12-01 20:57 129,024 a------- c:\windows\system32\ftvktlew.dll
2008-12-01 20:54 72,704 a------- c:\windows\system32\ukdjcpou.dll
2008-12-01 20:54 1,381,274 ---sh--- c:\windows\system32\uopcjdku.ini
2008-11-30 21:57 143 a------- c:\windows\system32\mcrh.tmp
2008-11-30 20:52 129,024 a------- c:\windows\system32\xkljpe.dll
2008-11-30 20:52 129,024 a------- c:\windows\system32\gyxoawck.dll
2008-11-30 20:52 1,381,274 ---sh--- c:\windows\system32\bdgdnwwu.ini
2008-11-30 20:13 916,785 a--sh--- c:\windows\system32\PVENonmp.ini2
2008-11-30 20:13 0 a--sh--- c:\windows\system32\PVENonmp.ini
2008-11-30 20:13 318,464 a------- c:\windows\system32\pmnoNEVP.dll
2008-11-30 20:00 95 a------- c:\windows\wininit.ini
2008-11-30 19:13 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-11-30 19:13 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-30 19:13 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-30 19:12 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-11-30 15:24 129,024 a------- c:\windows\system32\lqlqvg.dll
2008-11-30 15:24 129,024 a------- c:\windows\system32\ispaemwe.dll
2008-11-30 15:22 72,704 a------- c:\windows\system32\qirsbkiu.dll
2008-11-30 15:21 874,029 a--sh--- c:\windows\system32\MlUDefii.ini
2008-11-30 15:12 38,476 a------- c:\windows\system32\wpv631227968841.cpx
2008-11-30 15:12 25,600 a------- c:\windows\system32\pmNgefFv.dll
2008-11-30 15:12 25,600 a------- c:\windows\system32\efcYsrRH.dll
2008-11-06 05:22 <DIR> --d----- c:\program files\Folding@home
2008-11-06 05:22 <DIR> --d----- c:\docume~1\masta\applic~1\Folding@home-x86

==================== Find3M ====================

2008-12-05 02:07 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-05 02:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-04 20:35 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-03 17:51 <DIR> --d----- c:\docume~1\masta\applic~1\uTorrent
2008-11-26 16:55 <DIR> --d----- c:\program files\Diablo II
2008-11-18 15:16 <DIR> --d----- c:\program files\PokerStars.NET
2008-11-16 14:29 <DIR> --d----- c:\program files\Lavasoft
2008-11-05 02:43 <DIR> --d----- c:\program files\mIRC
2008-09-06 18:47 <DIR> --d----- c:\docume~1\masta\applic~1\Atari
2008-08-14 21:16 <DIR> --d----- c:\docume~1\masta\applic~1\rhc3usj0ej9n
2007-12-13 14:04 <DIR> --d----- c:\docume~1\masta\applic~1\BitTorrent
2007-11-01 05:36 <DIR> --d----- c:\docume~1\masta\applic~1\NetMedia Providers
2007-10-18 22:58 <DIR> --d----- c:\docume~1\masta\applic~1\Turbine
2007-09-25 03:20 <DIR> --d----- c:\docume~1\masta\applic~1\Greyfirst
2007-07-08 18:37 <DIR> --d----- c:\docume~1\masta\applic~1\BitZipper
2007-03-18 22:59 <DIR> --d----- c:\docume~1\masta\applic~1\CoreCodec
2001-08-23 06:00 94,784 -c-sh--- c:\windows\twain.dll
2004-08-03 23:56 50,688 ---sh--- c:\windows\twain_32.dll
2007-05-28 19:08 10,646 a--sh--- c:\windows\system32\KGyGaAvL.sys
2004-08-03 23:56 1,028,096 ---sh--- c:\windows\system32\mfc42.dll
2004-08-03 23:56 54,784 ---sh--- c:\windows\system32\msvcirt.dll
2004-08-03 23:56 413,696 ---sh--- c:\windows\system32\msvcp60.dll
2004-08-03 23:56 343,040 ---sh--- c:\windows\system32\msvcrt.dll
2004-08-03 23:56 553,472 ---sh--- c:\windows\system32\oleaut32.dll
2004-08-03 23:56 83,456 ---sh--- c:\windows\system32\olepro32.dll
2004-08-03 23:56 11,776 ---sh--- c:\windows\system32\regsvr32.exe

============= FINISH: 16:57:18.15 ===============

[sUBs]

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Post the log from ComboFix when you've accomplished that.

[jrice257]

Got combofix to work and here's the log

ComboFix 08-12-06.04 - Masta 2008-12-06 21:23:53.1 - NTFSx86
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Masta\Application Data\rhc3usj0ej9n
c:\program files\Common Files\ystem~1
c:\program files\Microsoft Common
c:\program files\Microsoft Common\svchost.exe
c:\windows\smdat32m.sys
c:\windows\system32\bdgdnwwu.ini
c:\windows\system32\drivers\TDSSmact.sys
c:\windows\system32\dwciaumu.dll
c:\windows\system32\ecjghi.dll
c:\windows\system32\efcYsrRH.dll
c:\windows\system32\fcyxuu.dll
c:\windows\system32\ftvktlew.dll
c:\windows\system32\gyxoawck.dll
c:\windows\system32\imoyodpx.ini
c:\windows\system32\ispaemwe.dll
c:\windows\system32\kdgdshrt.dll
c:\windows\system32\lqlqvg.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\MlUDefii.ini
c:\windows\system32\msiconf.exe
c:\windows\system32\nhtndgqe.dll
c:\windows\system32\oagbnpqj.ini
c:\windows\system32\olftbnbu.ini
c:\windows\system32\pmNgefFv.dll
c:\windows\system32\pmnoNEVP.dll
c:\windows\system32\PVENonmp.ini
c:\windows\system32\PVENonmp.ini2
c:\windows\system32\qgtvlpsw.ini
c:\windows\system32\qirsbkiu.dll
c:\windows\system32\rbkoer.dll
c:\windows\system32\rnkletgq.dll
c:\windows\system32\TDSScfum.dll
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSofxh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSrhym.log
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSsihc.dll
c:\windows\system32\TDSStkdv.log
c:\windows\system32\ubnbtflo.dll
c:\windows\system32\ukdjcpou.dll
c:\windows\system32\ukjxhg.dll
c:\windows\system32\uopcjdku.ini
c:\windows\system32\wpv631227968841.cpx
c:\windows\system32\wsplvtgq.dll
c:\windows\system32\xkljpe.dll
c:\windows\system32\xpvxsriy.dll
c:\windows\system32\ycfamhyk.dll
c:\windows\system32\yfpqwl.dll
c:\windows\system32\yfwkit.dll
c:\windows\system32\yirsxvpx.ini
c:\windows\system32\yixoswfw.dll
c:\windows\system32\zbchib.dll
c:\windows\wiaserviv.log
H:\autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-06 20:51 . 2008-12-06 20:52 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-06 20:51 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-06 20:51 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-06 20:08 . 2008-12-06 16:21 3,060,566 --a------ c:\documents and settings\Masta\ComboFix.exe
2008-12-06 17:23 . 2008-12-06 17:23 <DIR> d-------- c:\documents and settings\newuse
2008-12-06 16:41 . 2008-12-06 16:41 1,297 --a------ c:\program files\WinXP_EXE_Fix.reg
2008-12-05 14:47 . 2008-12-05 14:47 111,104 --a------ c:\windows\system32\IEDefender.dll
2008-12-05 14:46 . 2008-12-05 14:47 <DIR> d-------- c:\program files\AV2010
2008-12-05 14:46 . 2008-12-05 14:46 76,824 --a------ c:\windows\system32\wingamma.exe
2008-12-05 01:52 . 2008-12-05 01:52 <DIR> d-------- c:\program files\Panda Security
2008-12-04 17:37 . 2008-12-04 17:37 <DIR> d-------- c:\documents and settings\Masta\Application Data\Malwarebytes
2008-12-04 17:37 . 2008-12-04 17:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-30 20:00 . 2008-11-30 20:00 95 --a------ c:\windows\wininit.ini
2008-11-30 19:13 . 2008-11-30 19:13 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-11-30 19:13 . 2008-11-30 19:13 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-30 19:13 . 2008-11-30 19:13 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-30 19:12 . 2008-11-30 19:13 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 07:35 --------- d-----w c:\program files\Warcraft III
2008-12-06 02:32 --------- d-----w c:\program files\Diablo II
2008-12-05 08:07 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-05 08:06 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-05 02:35 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-03 23:51 --------- d-----w c:\documents and settings\Masta\Application Data\uTorrent
2008-11-18 21:16 --------- d-----w c:\program files\PokerStars.NET
2008-11-16 20:29 --------- d-----w c:\program files\Lavasoft
2008-11-06 11:24 --------- d-----w c:\documents and settings\Masta\Application Data\Folding@home-x86
2008-11-06 11:22 --------- d-----w c:\program files\Folding@home
2008-11-05 08:43 --------- d-----w c:\program files\mIRC
2008-11-04 02:45 --------- d-----w c:\program files\7-Zip
1996-09-18 19:07 7,564,336 -c--a-w c:\documents and settings\Jeff\L2DEMO.EXE
1996-09-17 16:02 15 -c--a-w c:\documents and settings\Jeff\INSTALL.BAT
2001-08-23 12:00 94,784 -csh--w c:\windows\twain.dll
2004-08-04 05:56 50,688 --sh--w c:\windows\twain_32.dll
2007-05-29 01:08 10,646 --sha-w c:\windows\system32\KGyGaAvL.sys
2004-08-04 05:56 1,028,096 --sh--w c:\windows\system32\mfc42.dll
2004-08-04 05:56 54,784 --sh--w c:\windows\system32\msvcirt.dll
2004-08-04 05:56 413,696 --sh--w c:\windows\system32\msvcp60.dll
2004-08-04 05:56 343,040 --sh--w c:\windows\system32\msvcrt.dll
2004-08-04 05:56 553,472 --sh--w c:\windows\system32\oleaut32.dll
2004-08-04 05:56 83,456 --sh--w c:\windows\system32\olepro32.dll
2004-08-04 05:56 11,776 --sh--w c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 21:34 24576 c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.WMV3"= c:\progra~1\COMBIN~1\Filters\wmv9vcm.dll
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\ff_vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Masta^Start Menu^Programs^Startup^Alienware Dock.lnk]
path=c:\documents and settings\Masta\Start Menu\Programs\Startup\Alienware Dock.lnk
backup=c:\windows\pss\Alienware Dock.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2008-12-05 01:38 6731312 c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2005-08-05 14:08 67160 c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a--c--- 2006-01-02 16:41 45056 c:\program files\ATI Technologies\ATI.ACE\CLI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a--c--- 2004-03-03 11:00 335872 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a--c--- 2006-09-13 09:12 139264 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CXMon]
--a------ 2001-08-09 16:06 45056 c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-18 08:42 133104 c:\documents and settings\Masta\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2006-11-21 19:09 842584 c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-07-10 08:18 270648 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
--a--c--- 2001-11-29 00:00 28672 c:\program files\Creative\SBLive\Program\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 10:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 04:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2006-01-12 14:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-05-16 13:01 13529088 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-16 13:01 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 09:56 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-11-24 14:31 1410296 c:\program files\Valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2005-11-10 12:03 36975 c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2006-10-13 10:16 185784 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Gamma Display]
--a------ 2008-12-05 14:46 76824 c:\windows\system32\wingamma.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-05-16 13:01 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
--a------ 2002-07-02 16:56 24576 c:\windows\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IDriverT"=3 (0x3)
"ewido security suite guard"=2 (0x2)
"ewido security suite control"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)
"ose"=3 (0x3)
"Autodesk Licensing Service"=3 (0x3)
"NBService"=3 (0x3)
"AVG Anti-Spyware Guard"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"dmadmin"=3 (0x3)
"iPod Service"=3 (0x3)
"NVSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Diablo II\\Diablo II.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\3.6.15\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 ewido security suite driver;ewido security suite driver;\??\c:\program files\ewido anti-malware\guard.sys [2005-12-30 3072]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-06 38496]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\SETUP.EXE
.
Contents of the 'Scheduled Tasks' folder

2008-12-07 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Masta\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-18 08:42]
.
- - - - ORPHANS REMOVED - - - -

BHO-{C1A45ED4-D098-4147-8E76-BFDDB4722054} - c:\windows\system32\iifeDUlM.dll
BHO-{F7472C8C-BD20-49CD-9D2E-47A19E57A808} - c:\windows\system32\pmnoNEVP.dll
BHO-{fee80177-8560-4afc-97c8-b3e8669348d6} - c:\windows\system32\yfwkit.dll
Notify-WgaLogon - (no file)
Notify-winuns32 - winuns32.dll
MSConfigStartUp-avgnt - c:\program files\AntiVir PersonalEdition Classic\avgnt.exe
MSConfigStartUp-BearShare - c:\program files\BearShare\BearShare.exe
MSConfigStartUp-ec89b77d - c:\windows\system32\xpvxsriy.dll
MSConfigStartUp-fe3dbfea - c:\windows\system32\fe3dbfea.exe
MSConfigStartUp-Inrebpzv - c:\progra~1\COMMON~1\YSTEM~1\NPDB~1.EXE
MSConfigStartUp-InstaFinderK - c:\program files\INSTAFINK\InstaFinderK_inst.exe
MSConfigStartUp-lphc7usj0ej9n - c:\windows\system32\lphc7usj0ej9n.exe
MSConfigStartUp-Opoa - c:\windows\system32\ASEMBL~1\smss.exe
MSConfigStartUp-P2P Networking - c:\windows\system32\P2P Networking\P2P Networking.exe
MSConfigStartUp-SemanticInsight - c:\program files\RXToolBar\Semantic Insight\SemanticInsight.exe
MSConfigStartUp-Share-to-Web Namespace Daemon - c:\program files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
MSConfigStartUp-SMrhc3usj0ej9n - c:\program files\rhc3usj0ej9n\rhc3usj0ej9n.exe
MSConfigStartUp-SpywareQuake - c:\program files\SpywareQuake.com\Spyware-Quake.exe
MSConfigStartUp-SVCHOST - c:\windows\system32\drivers\svchost.exe
MSConfigStartUp-tbon - c:\program files\TBONBin\tbon.exe
MSConfigStartUp-zango - c:\program files\zango\zango.exe
MSConfigStartUp-msiexec - msiconf.exe


.
------- Supplementary Scan -------
.
mLocal Page = about:blank
mStart Page = about:blank
mSearch Bar =
uInternet Connection Wizard,ShellNext = hxxp://toolbar.morpheus.com/ready.html?toolbar=Installed
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe -
FireFox -: Profile - c:\documents and settings\Masta\Application Data\Mozilla\Firefox\Profiles\r1pbz51b.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - google.com
FF -: plugin - c:\documents and settings\Masta\Local Settings\Application Data\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npitunes.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npmozax.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 21:36:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\windows\system32\Ati2evxx.dll
c:\program files\AlienGUIse\fastload.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-06 21:41:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-07 03:41:00

Pre-Run: 1,798,524,928 bytes free
Post-Run: 1,887,408,128 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

306



thanks again for all the help, I can now navigate to the pages online that were blocked and exe files are opening again!

[sUBs]

Open NOTEPAD and copy/paste the text in the quotebox below into it:

Code:

Folder::
C:\program files\AV2010
File::
C:\windows\system32\IEDefender.dll
C:\windows\system32\wingamma.exe
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000

Save this as "CFScript"





Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.


---------------


Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Vista users right click on the Internet Explorer shortcut, and choose Run As Administrator.

**Note**

To optimize scanning time and produce a more sensible report for review:

• Close any open programs
• Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

• Click Run at the Security prompt.
• The program will then begin downloading and installing and will also update the database.
• Please be patient as this can take several minutes.
• Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
• Click the Save Report As... button.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------


In your next post, please include fresh logs from:

1. Online scan
2. ComboFix's log

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

[jrice257]

done. the log:


ComboFix 08-12-06.04 - Masta 2008-12-06 22:03:31.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.709 [GMT -6:00]
Running from: c:\documents and settings\Masta\Desktop\ComboFix2.exe
Command switches used :: c:\documents and settings\Masta\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\IEDefender.dll
c:\windows\system32\wingamma.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\AV2010
c:\program files\AV2010\AV2010.exe
c:\program files\AV2010\svchost.exe
c:\windows\system32\IEDefender.dll
c:\windows\system32\wingamma.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-06 21:56 . 2008-12-06 21:56 <DIR> d-------- c:\program files\SoulseekNS
2008-12-06 20:51 . 2008-12-06 20:52 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-06 20:51 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-06 20:51 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-06 20:08 . 2008-12-06 16:21 3,060,566 --a------ c:\documents and settings\Masta\ComboFix.exe
2008-12-06 17:23 . 2008-12-06 17:23 <DIR> d-------- c:\documents and settings\newuse
2008-12-06 16:41 . 2008-12-06 16:41 1,297 --a------ c:\program files\WinXP_EXE_Fix.reg
2008-12-05 01:52 . 2008-12-05 01:52 <DIR> d-------- c:\program files\Panda Security
2008-12-04 17:37 . 2008-12-04 17:37 <DIR> d-------- c:\documents and settings\Masta\Application Data\Malwarebytes
2008-12-04 17:37 . 2008-12-04 17:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-30 20:00 . 2008-11-30 20:00 95 --a------ c:\windows\wininit.ini
2008-11-30 19:13 . 2008-11-30 19:13 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-11-30 19:13 . 2008-11-30 19:13 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-30 19:13 . 2008-11-30 19:13 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-30 19:12 . 2008-11-30 19:13 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 07:35 --------- d-----w c:\program files\Warcraft III
2008-12-06 02:32 --------- d-----w c:\program files\Diablo II
2008-12-05 08:07 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-05 08:06 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-05 02:35 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-03 23:51 --------- d-----w c:\documents and settings\Masta\Application Data\uTorrent
2008-11-18 21:16 --------- d-----w c:\program files\PokerStars.NET
2008-11-16 20:29 --------- d-----w c:\program files\Lavasoft
2008-11-06 11:24 --------- d-----w c:\documents and settings\Masta\Application Data\Folding@home-x86
2008-11-06 11:22 --------- d-----w c:\program files\Folding@home
2008-11-05 08:43 --------- d-----w c:\program files\mIRC
2008-11-04 02:45 --------- d-----w c:\program files\7-Zip
1996-09-18 19:07 7,564,336 -c--a-w c:\documents and settings\Jeff\L2DEMO.EXE
1996-09-17 16:02 15 -c--a-w c:\documents and settings\Jeff\INSTALL.BAT
2001-08-23 12:00 94,784 -csh--w c:\windows\twain.dll
2004-08-04 05:56 50,688 --sh--w c:\windows\twain_32.dll
2007-05-29 01:08 10,646 --sha-w c:\windows\system32\KGyGaAvL.sys
2004-08-04 05:56 1,028,096 --sh--w c:\windows\system32\mfc42.dll
2004-08-04 05:56 54,784 --sh--w c:\windows\system32\msvcirt.dll
2004-08-04 05:56 413,696 --sh--w c:\windows\system32\msvcp60.dll
2004-08-04 05:56 343,040 --sh--w c:\windows\system32\msvcrt.dll
2004-08-04 05:56 553,472 --sh--w c:\windows\system32\oleaut32.dll
2004-08-04 05:56 83,456 --sh--w c:\windows\system32\olepro32.dll
2004-08-04 05:56 11,776 --sh--w c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 21:34 24576 c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.WMV3"= c:\progra~1\COMBIN~1\Filters\wmv9vcm.dll
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\ff_vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Masta^Start Menu^Programs^Startup^Alienware Dock.lnk]
path=c:\documents and settings\Masta\Start Menu\Programs\Startup\Alienware Dock.lnk
backup=c:\windows\pss\Alienware Dock.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2008-12-05 01:38 6731312 c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2005-08-05 14:08 67160 c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a--c--- 2006-01-02 16:41 45056 c:\program files\ATI Technologies\ATI.ACE\CLI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a--c--- 2004-03-03 11:00 335872 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a--c--- 2006-09-13 09:12 139264 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CXMon]
--a------ 2001-08-09 16:06 45056 c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-18 08:42 133104 c:\documents and settings\Masta\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2006-11-21 19:09 842584 c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-07-10 08:18 270648 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
--a--c--- 2001-11-29 00:00 28672 c:\program files\Creative\SBLive\Program\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 10:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 04:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2006-01-12 14:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-05-16 13:01 13529088 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-16 13:01 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 09:56 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-11-24 14:31 1410296 c:\program files\Valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2005-11-10 12:03 36975 c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2006-10-13 10:16 185784 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-05-16 13:01 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
--a------ 2002-07-02 16:56 24576 c:\windows\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IDriverT"=3 (0x3)
"ewido security suite guard"=2 (0x2)
"ewido security suite control"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)
"ose"=3 (0x3)
"Autodesk Licensing Service"=3 (0x3)
"NBService"=3 (0x3)
"AVG Anti-Spyware Guard"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"dmadmin"=3 (0x3)
"iPod Service"=3 (0x3)
"NVSvc"=2 (0x2)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Diablo II\\Diablo II.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 ewido security suite driver;ewido security suite driver;\??\c:\program files\ewido anti-malware\guard.sys [2005-12-30 3072]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\SETUP.EXE
.
Contents of the 'Scheduled Tasks' folder

2008-12-07 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Masta\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-18 08:42]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Windows Gamma Display - c:\windows\system32\wingamma.exe


.
------- Supplementary Scan -------
.
mLocal Page = about:blank
mStart Page = about:blank
mSearch Bar =
uInternet Connection Wizard,ShellNext = hxxp://toolbar.morpheus.com/ready.html?toolbar=Installed
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe -
FireFox -: Profile - c:\documents and settings\Masta\Application Data\Mozilla\Firefox\Profiles\r1pbz51b.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - google.com
FF -: plugin - c:\documents and settings\Masta\Local Settings\Application Data\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npitunes.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npmozax.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 22:09:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\windows\system32\Ati2evxx.dll
c:\program files\AlienGUIse\fastload.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-06 22:13:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-07 04:13:17
ComboFix2.txt 2008-12-07 03:41:05

Pre-Run: 1,938,612,224 bytes free
Post-Run: 1,918,287,872 bytes free

223

[sUBs]

I'll wait for the results of the Kaspersky scan

[jrice257]

here's the kaspersky scan results:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, December 7, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, December 06, 2008 19:53:45
Records in database: 1440831
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
H:\

Scan statistics:
Files scanned: 89982
Threat name: 14
Infected objects: 21
Suspicious objects: 0
Duration of the scan: 04:28:46


File name / Threat name / Threats count
C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\3YNUK4ZH\stats[1].htm Infected: Trojan-Downloader.VBS.Agent.n 1
C:\Documents and Settings\Masta\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-78060736.zip Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Masta\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-50b7e850.zip Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\Masta\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5286af48-45b91d64.zip Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\Masta\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-54e206d6-11e539a7.zip Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\Masta\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-7f23c09f.zip Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Masta\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-564bac3b.zip Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Masta\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-2a44f9cc.zip Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Masta\Desktop\LWmusic\ants go marching by - greatest hits.wma Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\Documents and Settings\Masta\Desktop\LWmusic\on a neck, on a spit.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 1
C:\Qoobox\Quarantine\C\Program Files\AV2010\svchost.exe.vir Infected: Trojan.Win32.FraudPack.alc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSmact.sys.vir Infected: Backdoor.Win32.TDSS.bkw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\efcYsrRH.dll.vir Infected: Trojan.Win32.Monderb.xil 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pmNgefFv.dll.vir Infected: Trojan.Win32.Monderb.xil 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSScfum.dll.vir Infected: Trojan.Win32.Agent.arvz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSnrsr.dll.vir Infected: Backdoor.Win32.TDSS.asz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSofxh.dll.vir Infected: Backdoor.Win32.TDSS.blh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSriqp.dll.vir Infected: Backdoor.Win32.TDSS.atb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wingamma.exe.vir Infected: Trojan-Downloader.Win32.Delf.puu 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O92N4DQN\AV2010Installer[1].exe Infected: Trojan-Downloader.Win32.Delf.puu 1

The selected area was scanned.

[sUBs]

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Code:

@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (
"C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\3YNUK4ZH\stats[1].htm"
"C:\Documents and Settings\Masta\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-78060736.zip"
"C:\Documents and Settings\Masta\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-50b7e850.zip"
"C:\Documents and Settings\Masta\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5286af48-45b91d64.zip"
"C:\Documents and Settings\Masta\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-54e206d6-11e539a7.zip"
"C:\Documents and Settings\Masta\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-7f23c09f.zip"
"C:\Documents and Settings\Masta\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-564bac3b.zip"
"C:\Documents and Settings\Masta\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-2a44f9cc.zip"
"C:\Documents and Settings\Masta\Desktop\LWmusic\ants go marching by - greatest hits.wma"
"C:\Documents and Settings\Masta\Desktop\LWmusic\on a neck, on a spit.mp3"
"C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O92N4DQN\AV2010Installer[1].exe"
) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
for %%g in (
"%systemdrive%\VundoFix Backups"
%systemdrive%\Deckard
%systemdrive%\Qoobox
) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!
nircmd wait 7000
del %0

Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:
Double click on fix.bat & allow it to run

Post back to tell me what it says. Also update us on the state of the machine

[jrice257]

It said deleted successfully in the command box, then it closed and the file deleted itself. The computer has been running noticably faster and the internet and EXE problems have been resolved.

[sUBs]

Your system is now clean. Kindly follow these simple steps in order to keep your computer clean and secure:

1. Uninstall ComboFix ... do not skip this step
   This process will perform some post cleanup measures.
   Do this by going to to Start > Run & typing in ComboFix /u
   
   
   
2. ANTIVIRUS SOFTWARE
   It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
   
   
   
3. Microsoft Windows Update ? http://www.windowsupdate.com
   Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
   
   
4. SPYWAREBLASTER
   SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.
   
   Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here ? http://www.bleepingcomputer.com/forums/tutorial49.html

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.

• http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  
  
• http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  
  
• http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.