Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 12-27-2008, 11:13 AM   #1 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 7
OS: Windows XP


Downloaded virus from YouTube?

Hi,

I'm having trouble with malware. I believe it originated when I was surfing YouTube. I tried to watch a video, and I got a message saying I needed to download Flash. I already had Flash installed, but since I got the message directly from the site, I assumed it was safe.

Since then I've had various problems. Firefox stopped launching. I was not able to run Ad-Aware, Spybot S-D or the Windows Malicious Software Removal Tool.

I ran the Windows online malware scanner, and it found and fixed several problems. One problem it initially said it was unable to fix. The message follows:

documents and settings\christina\local files\temporary internet files\content.ie5\6tcfapsx\style[1]
Trojan:win32/vundo.gen!AK

After I asked it to fix the problem again it acted like it had done so and I got a green, all-clear message.

Now Firefox and the anti-malware programs run, but I've still got weird stuff happening. I get phony virus scan pop-ups, and Internet Explorer starts unbidden. (I use Firefox exclusively.)

On bootup I get error messages saying:
"error loading c:\windows\system32\pamewoje.dll" plus two other errors saying the same thing but with different file names: tafiwizo.dll and muvapevi.dll.

When Spybot is running, I keep getting warnings that a registry change has occurred. Even though I deny the change, the same message recurs repeatedly.

The system is a Dell Dimension E521, AMD Athlon 64 X2 Dual Core Processor 3600+, 1.9 GHz, 448 MB RAM, Windows XP Pro SP3.

Here's the DDS log:


DDS (Version 1.1.0) - NTFSx86
Run by Mike at 12:10:45.70 on Sat 12/27/2008
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.82 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Mike\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4070501
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=4070501
mDefault_Page_URL = hxxp://www.dell.com
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: {6d1aae8c-5422-423e-b1d0-ed6bfa1ae4f6} - c:\windows\system32\dosetiwi.dll
BHO: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\program files\bae\BAE.dll
TB: {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - c:\program files\canon\easy-webprint\Toolband.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [VoipCheapCom] "c:\program files\voipcheapcom\VoipCheapCom.exe" -nosplash -minimized
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [zenafolapi] Rundll32.exe "c:\windows\system32\pamewoje.dll",s
mRun: [ac369294] rundll32.exe "c:\windows\system32\muvapevi.dll",b
mRun: [CPMaf05a108] Rundll32.exe "c:\windows\system32\tafiwizo.dll",a
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~4\office12\GR99D3~1.DLL
AppInit_DLLs: c:\windows\system32\nuwuzeku.dll,c:\windows\system32\kegewowu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nuwuzeku.dll
STS: {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nuwuzeku.dll
SEH: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL
LSA: Notification Packages = scecli c:\windows\system32\kegewowu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mike\applic~1\mozilla\firefox\profiles\bf8i9fy8.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - plugin: c:\program files\mozilla firefox\plugins\npsnapfish.dll

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-5-6 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-5-6 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-5-6 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-5-6 10760]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-7-7 611664]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2007-5-6 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2007-5-6 49664]
R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2007-5-6 406528]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2007-5-6 4960]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys [2008-4-16 280344]

=============== Created Last 30 ================

2008-12-20 21:01 120 ---sh--- c:\windows\system32\asoyuzoy.ini
2008-12-20 11:50 250 a------- c:\windows\gmer.ini
2008-12-20 11:10 <DIR> --d-h--- c:\windows\PIF
2008-12-20 09:03 1,603,485 ---sh--- c:\windows\system32\ayuyifoy.ini
2008-12-18 22:22 269 a------- c:\windows\wininit.ini
2008-12-18 22:14 1,605,628 a--sh--- c:\windows\system32\epajugur.ini
2008-12-13 13:01 <DIR> --d----- c:\program files\iPod
2008-12-13 13:01 <DIR> --d----- c:\program files\iTunes
2008-12-13 13:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-04 23:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero
2008-12-03 23:44 <DIR> --d----- c:\program files\Amazon

==================== Find3M ====================

2008-12-20 21:01 83,052 a--sh--- c:\windows\system32\yozuyosa.dll
2008-12-20 09:01 83,159 a--sh--- c:\windows\system32\yofiyuya.dll
2008-12-18 22:14 97,880 a--sh--- c:\windows\system32\masutora.dll
2008-12-18 22:14 85,106 a--sh--- c:\windows\system32\rugujape.dll
2008-11-25 07:43 18,816 a------- c:\windows\system32\drivers\dvd43llh.sys
2008-11-07 14:23 32,000 a------- c:\windows\system32\drivers\usbaapl.sys
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-15 20:00 666,112 a------- c:\windows\system32\wininet.dll
2008-10-15 20:00 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2008-10-15 20:00 666,112 -------- c:\windows\system32\dllcache\wininet.dll
2008-10-15 20:00 619,520 -------- c:\windows\system32\dllcache\urlmon.dll
2008-10-15 20:00 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2008-10-15 11:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-03 05:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-10-03 05:02 247,326 a------- c:\windows\system32\dllcache\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-05-03 07:21 168 ---shr-- c:\windows\system32\156A00215D.sys
2008-05-03 07:21 5,018 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 12:10:59.32 ===============


Other logs are attached.

Thanks for your help.
Regards,
Mike
Attached Files
File Type: zip Attach.zip (3.8 KB, 1 views)
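The DDS report above is what the helper reads to spot the infection: three Run keys that start rundll32 on eight-letter DLLs, an AppInit_DLLs value, an SSODL entry and an LSA Notification Packages entry all pointing into system32, plus hidden+system files with the same naming pattern. The script below is an added example (not DDS, ComboFix or the forum's own tooling) that applies those same checks mechanically to a constructed subset of Mike's log lines. The "eight lowercase letters" rule and the allowlist of one default LSA package are heuristics chosen for this thread, not signatures.

```python
import re

# Constructed sample: a subset of the DDS "Pseudo HJT Report" and Find3M lines
# posted above. The script only reads text; it touches nothing on disk.
SAMPLE_LOG = r"""
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [zenafolapi] Rundll32.exe "c:\windows\system32\pamewoje.dll",s
mRun: [ac369294] rundll32.exe "c:\windows\system32\muvapevi.dll",b
mRun: [CPMaf05a108] Rundll32.exe "c:\windows\system32\tafiwizo.dll",a
BHO: {6d1aae8c-5422-423e-b1d0-ed6bfa1ae4f6} - c:\windows\system32\dosetiwi.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
AppInit_DLLs: c:\windows\system32\nuwuzeku.dll,c:\windows\system32\kegewowu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nuwuzeku.dll
LSA: Notification Packages = scecli c:\windows\system32\kegewowu.dll
2008-12-20 21:01 83,052 a--sh--- c:\windows\system32\yozuyosa.dll
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
"""

# A drive-letter path ending in .dll/.exe/.sys; stops at quotes, commas and brackets
# so the two AppInit_DLLs entries and rundll32's ",entrypoint" suffix split cleanly.
PATH_RE = re.compile(r'[a-z]:\\[^",\[\]]*?\.(?:dll|exe|sys)', re.IGNORECASE)
# Eight lowercase letters plus .dll: the naming pattern of every malicious file in
# this thread (pamewoje, muvapevi, tafiwizo, ...). A heuristic, not a signature.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.dll$")
# DDS attribute field with both the System and Hidden bits set, e.g. "a--sh---".
HIDDEN_SYSTEM_RE = re.compile(r"\s[\w-]{3}sh[\w-]{3}\s")
SYSTEM32 = "\\windows\\system32\\"


def classify_line(line):
    """Return (key, path, reasons) findings for one DDS log line; [] if nothing is odd."""
    findings = []
    key = line.split(":", 1)[0].strip()
    for path in PATH_RE.findall(line):
        name = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if key == "AppInit_DLLs":
            reasons.append("AppInit_DLLs: injected into every process that loads user32.dll")
        if key == "LSA" and name != "scecli.dll":
            reasons.append("non-default LSA notification package, loaded into lsass.exe at boot")
        if "rundll32" in line.lower() and RANDOM_NAME_RE.match(name):
            reasons.append("Run key starts rundll32 on a DLL with a random-looking name")
        if RANDOM_NAME_RE.match(name) and SYSTEM32 in path.lower():
            reasons.append("random 8-letter DLL name in system32")
        if HIDDEN_SYSTEM_RE.search(line) and RANDOM_NAME_RE.match(name):
            reasons.append("hidden+system attributes on a random-named DLL")
        if reasons:
            findings.append((key, path, reasons))
    return findings


def scan(log_text):
    """Run classify_line over every non-empty line and collect the findings."""
    out = []
    for line in log_text.splitlines():
        if line.strip():
            out.extend(classify_line(line))
    return out


def suspicious_names(log_text):
    """Sorted, de-duplicated file names flagged anywhere in the log."""
    return sorted({path.rsplit("\\", 1)[-1].lower() for _, path, _ in scan(log_text)})


if __name__ == "__main__":
    for key, path, reasons in scan(SAMPLE_LOG):
        print(f"{key:14} {path}")
        for reason in reasons:
            print(f"{'':14}   - {reason}")
```

Run against the sample it flags seven distinct DLLs, two of them twice (nuwuzeku.dll as AppInit and SSODL, kegewowu.dll as AppInit and LSA package), and leaves NvCpl.dll, ssv.dll, WPDShServiceObj.dll and gdi32.dll alone. The LSA and AppInit checks are the ones worth keeping even when the naming heuristic stops matching: both load points run a DLL in every process or in lsass.exe, so anything non-default there needs a reason.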

Old 12-27-2008, 11:42 AM   #2 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,017
OS: WinXP and Vista


Re: Downloaded virus from YouTube?

Hello Mike,

It will require more than one round to properly clean your system. Please stay with me until given the 'all clear' even if symptoms seemingly abate.


We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 12-27-2008, 03:32 PM   #3 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 7
OS: Windows XP


Re: Downloaded virus from YouTube?

Thanks for getting back to me so fast. Here's the ComboFix log. I also attached it in a zipped file, because you didn't specify a format.

ComboFix 08-12-26.03 - Mike 2008-12-27 16:48:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.183 [GMT -5:00]
Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mike\Desktop\ComboFix.exe
AV: AVG 7.5.552 *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\asoyuzoy.ini
c:\windows\system32\ayuyifoy.ini
c:\windows\system32\dosetiwi.dll
c:\windows\system32\epajugur.ini
c:\windows\system32\masutora.dll
c:\windows\system32\rugujape.dll
c:\windows\system32\yofiyuya.dll
c:\windows\system32\yozuyosa.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-27 to 2008-12-27 )))))))))))))))))))))))))))))))
.

2008-12-20 21:53 . 2008-12-20 21:57 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-12-20 19:38 . 2008-12-20 20:18 <DIR> d-------- c:\documents and settings\Administrator\Application Data\AVG7
2008-12-20 11:50 . 2008-12-27 12:29 250 --a------ c:\windows\gmer.ini
2008-12-20 11:10 . 2008-12-20 11:10 <DIR> d--h----- c:\windows\PIF
2008-12-18 22:22 . 2008-12-18 22:22 269 --a------ c:\windows\wininit.ini
2008-12-13 13:01 . 2008-12-13 13:01 <DIR> d-------- c:\program files\iTunes
2008-12-13 13:01 . 2008-12-13 13:01 <DIR> d-------- c:\program files\iPod
2008-12-13 13:01 . 2008-12-13 13:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-13 13:00 . 2008-12-13 13:00 <DIR> d-------- c:\program files\QuickTime
2008-12-04 23:05 . 2008-12-04 23:06 <DIR> d-------- c:\program files\Common Files\Ahead
2008-12-04 23:05 . 2008-12-04 23:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nero
2008-12-04 09:58 . 2008-12-04 09:58 <DIR> d-------- c:\documents and settings\Christina\Application Data\Recordpad
2008-12-03 23:44 . 2008-12-03 23:44 <DIR> d-------- c:\program files\Amazon
2008-12-03 23:44 . 2008-12-03 23:44 <DIR> d-------- c:\documents and settings\Mike\Application Data\Amazon
2008-12-03 22:50 . 2008-12-03 22:50 <DIR> d-------- c:\documents and settings\Mike\Application Data\Recordpad

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 00:40 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2008-12-19 02:34 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-19 02:11 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-18 02:24 --------- d-----w c:\documents and settings\Christina\Application Data\AVG7
2008-12-13 18:29 --------- d-----w c:\program files\NCH Swift Sound
2008-12-13 17:59 --------- d-----w c:\program files\Common Files\Apple
2008-12-07 22:48 --------- d-----w c:\documents and settings\Mike\Application Data\OpenOffice.org2
2008-12-04 14:58 --------- d-----w c:\documents and settings\Christina\Application Data\NCH Swift Sound
2008-12-04 04:10 --------- d-----w c:\documents and settings\Mike\Application Data\NCH Swift Sound
2008-12-04 04:10 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Swift Sound
2008-11-26 01:32 --------- d-----w c:\documents and settings\Mike\Application Data\VoipCheapCom
2008-11-25 12:43 18,816 ----a-w c:\windows\system32\drivers\dvd43llh.sys
2008-11-25 12:43 --------- d-----w c:\program files\dvd43
2008-11-25 01:29 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-20 03:00 --------- d-----w c:\program files\Mozilla Thunderbird
2008-11-07 19:23 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-05-03 12:21 168 --sh--r c:\windows\system32\156A00215D.sys
2008-05-03 12:21 5,018 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-16 590848]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-23 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2008-11-17 827904]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"nwiz"="nwiz.exe" [2006-08-23 c:\windows\system32\nwiz.exe]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-10-25 219136]

c:\documents and settings\Christina\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - c:\program files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2008-04-16 1425424]
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2008-10-02 546288]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\windows\system32\kegewowu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Cisco Systems\\VPN Client\\cvpnd.exe"=


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
- - - - ORPHANS REMOVED - - - -

BHO-{6d1aae8c-5422-423e-b1d0-ed6bfa1ae4f6} - c:\windows\system32\dosetiwi.dll
HKCU-Run-VoipCheapCom - c:\program files\VoipCheapCom\VoipCheapCom.exe
HKLM-Run-zenafolapi - c:\windows\system32\pamewoje.dll
HKLM-Run-ac369294 - c:\windows\system32\muvapevi.dll
HKLM-Run-CPMaf05a108 - c:\windows\system32\tafiwizo.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4070501
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
FF - ProfilePath - c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\bf8i9fy8.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsnapfish.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-27 17:00:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

c:\windows\explorer.exe [344] 0x8469BB10

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgemc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\spool\drivers\w32x86\3\WrtProc.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-12-27 17:08:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-27 22:07:56

Pre-Run: 43,805,442,048 bytes free
Post-Run: 44,164,579,328 bytes free

164 --- E O F --- 2008-12-12 12:20:30
Attached Files
File Type: zip ComboFix.zip (3.4 KB, 0 views)
Old 12-27-2008, 03:50 PM   #4 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,017
OS: WinXP and Vista


Re: Downloaded virus from YouTube?

You're welcome.

Please copy this page to Notepad and save it to your desktop for reference, as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open Notepad and copy/paste the text in the code box below into it:

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe





Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt


--------------------------------------------------------------------

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

---------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
Update on system behavior
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
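The CFScript in the post above rewrites the LSA Notification Packages value so that only the stock scecli package remains, dropping the kegewowu.dll entry that ComboFix's first report showed being loaded into lsass.exe at every boot. ComboFix prints its registry section in REGEDIT4 format (the header visible in the log above), where a hex(7) REG_MULTI_SZ is a run of single-byte ANSI strings, each NUL-terminated, with one extra NUL closing the list; that is why "scecli" becomes 73,63,65,63,6c,69,00,00 rather than the UTF-16LE pairs a Version 5.00 .reg file would carry. The helpers below are an added example, not ComboFix's own code; LSA_KEY, DEFAULT_PACKAGES and the function names are assumptions chosen for this illustration.

```python
# Hypothetical helpers (added example, not ComboFix's own code) for the REGEDIT4-style
# hex(7) REG_MULTI_SZ value used in the CFScript above.
LSA_KEY = r"[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]"
DEFAULT_PACKAGES = ("scecli",)   # the only notification package a stock XP install registers


def encode_multi_sz(entries):
    """['scecli'] -> '73,63,65,63,6c,69,00,00' (REGEDIT4 hex(7) byte list, ANSI strings)."""
    raw = b"".join(e.encode("ascii") + b"\x00" for e in entries) + b"\x00"
    return ",".join(f"{b:02x}" for b in raw)


def decode_multi_sz(hex_text):
    """Inverse of encode_multi_sz: '73,63,...' -> ['scecli', ...]."""
    raw = bytes(int(h, 16) for h in hex_text.split(","))
    return [chunk.decode("ascii") for chunk in raw.split(b"\x00") if chunk]


def unexpected_packages(entries, allowlist=DEFAULT_PACKAGES):
    """Entries outside the allowlist: each one is a DLL lsass.exe loads at boot."""
    return [e for e in entries if e.lower() not in allowlist]


def build_cfscript(entries):
    """Render the Registry:: block that resets Notification Packages to `entries`."""
    return (
        "Registry::\n"
        f"{LSA_KEY}\n"
        f'"Notification Packages"=hex(7):{encode_multi_sz(entries)}\n'
    )


if __name__ == "__main__":
    # Constructed "before" value mirroring the ComboFix report earlier in this thread.
    infected = ["scecli", r"c:\windows\system32\kegewowu.dll"]
    print("non-default packages:", unexpected_packages(infected))
    print(build_cfscript(DEFAULT_PACKAGES))
```

Decoding the value before writing it is the useful habit here: unexpected_packages() on the decoded list tells you exactly which DLL the key would hand to lsass.exe, and build_cfscript() then produces the same three lines the helper posted, so the bytes in a fix can be checked rather than copied on trust.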
Old 12-27-2008, 11:49 PM   #5 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 7
OS: Windows XP


Re: Downloaded virus from YouTube?

OK, here is the ComboFix log:

ComboFix 08-12-26.03 - Mike 2008-12-27 18:35:21.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.154 [GMT -5:00]
Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mike\Desktop\CFScript.txt
AV: AVG 7.5.552 *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-27 to 2008-12-27 )))))))))))))))))))))))))))))))
.

2008-12-20 21:53 . 2008-12-20 21:57 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-12-20 19:38 . 2008-12-20 20:18 <DIR> d-------- c:\documents and settings\Administrator\Application Data\AVG7
2008-12-20 11:50 . 2008-12-27 12:29 250 --a------ c:\windows\gmer.ini
2008-12-20 11:10 . 2008-12-20 11:10 <DIR> d--h----- c:\windows\PIF
2008-12-18 22:22 . 2008-12-18 22:22 269 --a------ c:\windows\wininit.ini
2008-12-13 13:01 . 2008-12-13 13:01 <DIR> d-------- c:\program files\iTunes
2008-12-13 13:01 . 2008-12-13 13:01 <DIR> d-------- c:\program files\iPod
2008-12-13 13:01 . 2008-12-13 13:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-13 13:00 . 2008-12-13 13:00 <DIR> d-------- c:\program files\QuickTime
2008-12-04 23:05 . 2008-12-04 23:06 <DIR> d-------- c:\program files\Common Files\Ahead
2008-12-04 23:05 . 2008-12-04 23:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nero
2008-12-04 09:58 . 2008-12-04 09:58 <DIR> d-------- c:\documents and settings\Christina\Application Data\Recordpad
2008-12-03 23:44 . 2008-12-03 23:44 <DIR> d-------- c:\program files\Amazon
2008-12-03 23:44 . 2008-12-03 23:44 <DIR> d-------- c:\documents and settings\Mike\Application Data\Amazon
2008-12-03 22:50 . 2008-12-03 22:50 <DIR> d-------- c:\documents and settings\Mike\Application Data\Recordpad

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 00:40 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2008-12-19 02:34 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-19 02:11 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-18 02:24 --------- d-----w c:\documents and settings\Christina\Application Data\AVG7
2008-12-13 18:29 --------- d-----w c:\program files\NCH Swift Sound
2008-12-13 17:59 --------- d-----w c:\program files\Common Files\Apple
2008-12-12 17:01 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-07 22:48 --------- d-----w c:\documents and settings\Mike\Application Data\OpenOffice.org2
2008-12-04 14:58 --------- d-----w c:\documents and settings\Christina\Application Data\NCH Swift Sound
2008-12-04 04:10 --------- d-----w c:\documents and settings\Mike\Application Data\NCH Swift Sound
2008-12-04 04:10 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Swift Sound
2008-11-26 01:32 --------- d-----w c:\documents and settings\Mike\Application Data\VoipCheapCom
2008-11-25 12:43 18,816 ----a-w c:\windows\system32\drivers\dvd43llh.sys
2008-11-25 12:43 --------- d-----w c:\program files\dvd43
2008-11-25 01:29 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-20 03:00 --------- d-----w c:\program files\Mozilla Thunderbird
2008-11-07 19:23 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 01:00 666,112 ----a-w c:\windows\system32\wininet.dll
2008-10-16 01:00 666,112 ------w c:\windows\system32\dllcache\wininet.dll
2008-10-16 01:00 619,520 ------w c:\windows\system32\dllcache\urlmon.dll
2008-10-16 01:00 1,499,136 ------w c:\windows\system32\dllcache\shdocvw.dll
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\dllcache\strmdll.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-05-03 12:21 168 --sh--r c:\windows\system32\156A00215D.sys
2008-05-03 12:21 5,018 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-12-27_17.07.19.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-16 01:00:11 3,067,904 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-12 17:01:00 3,067,904 ----a-w c:\windows\system32\mshtml.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"VoipCheapCom"="c:\program files\VoipCheapCom\VoipCheapCom.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-16 590848]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"zenafolapi"="c:\windows\system32\pamewoje.dll" [BU]
"ac369294"="c:\windows\system32\muvapevi.dll" [BU]
"CPMaf05a108"="c:\windows\system32\tafiwizo.dll" [BU]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-10-25 219136]

c:\documents and settings\Christina\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - c:\program files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2008-04-16 1425424]
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2008-10-02 546288]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"DMXLauncher"=c:\program files\Dell\Media Experience\DMXLauncher.exe
"dvd43"=c:\program files\dvd43\dvd43_tray.exe
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /install
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"SigmatelSysTrayApp"=stsystra.exe
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Cisco Systems\\VPN Client\\cvpnd.exe"=


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
- - - - ORPHANS REMOVED - - - -

BHO-{6d1aae8c-5422-423e-b1d0-ed6bfa1ae4f6} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4070501
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
FF - ProfilePath - c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\bf8i9fy8.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsnapfish.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-27 18:39:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-27 18:41:35
ComboFix-quarantined-files.txt 2008-12-27 23:40:28
ComboFix2.txt 2008-12-27 22:08:26

Pre-Run: 44,216,729,600 bytes free
Post-Run: 44,201,598,976 bytes free

168 --- E O F --- 2008-12-27 22:40:41


Here are the Kaspersky results:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, December 28, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, December 27, 2008 2328
Records in database: 1522053
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 87546
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 01:59:03


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\dosetiwi.dll.vir Infected: Trojan.Win32.Monder.aedd 1
C:\WINDOWS\system32\kegewowu.dll Infected: Trojan.Win32.Monder.aedd 1

The selected area was scanned.

The system seems to be somewhat improved. I'm no longer getting unbidden IE pop-ups nor requests for registry changes from Spybot.

On bootup, I am still getting the error messages: "error loading c:\windows\system32\pamewoge.dll" and the same message with the filenames "tafiwizo.dll" and "muvapevi.dll."

It's running a little slow, but probably no slower than before the problem started.
scoop113 is offline  
Old 12-28-2008, 12:06 AM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,017
OS: WinXP and Vista


Re: Downloaded virus from YouTube?

No worries, we'll take care of that now.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Quote:

File::
C:\WINDOWS\system32\kegewowu.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zenafolapi"=-
"ac369294"=-
"CPMaf05a108"=-

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe





Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt. Please post that for further review.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
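The CFScript above deletes the three HKLM Run values that the log prints with a [BU] marker instead of a date and size. As an added example (not from the thread, from ComboFix, or from the helper), this Python script parses a constructed excerpt of that Reg Loading Points block, flags Run values that point at an unstamped system32 DLL, and renders the matching Registry:: section in the CFScript form shown in the post; the heuristic and the regular expressions are my own assumptions, not ComboFix's rules.

```python
import re

# Constructed excerpt in the shape of the thread's "Reg Loading Points" block
# (same entries as the log above; [BU] appears where ComboFix printed no
# [date size] stamp for the target file).
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"VoipCheapCom"="c:\program files\VoipCheapCom\VoipCheapCom.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-16 590848]
"zenafolapi"="c:\windows\system32\pamewoje.dll" [BU]
"ac369294"="c:\windows\system32\muvapevi.dll" [BU]
"CPMaf05a108"="c:\windows\system32\tafiwizo.dll" [BU]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
"""

KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"(?:\s+\[(?P<stamp>[^\]]+)\])?$')
# A bare DLL under system32 as a Run target. ComboFix strips the rundll32
# prefix, so the legitimate NvCpl.dll shows up the same way; the stamp decides.
SYSTEM32_DLL_RE = re.compile(r'^c:\\windows\\system32\\[^\\]+\.dll$', re.IGNORECASE)


def parse_run_entries(text):
    """Return a list of {key, name, path, stamp} dicts for every quoted
    name=path line under a [HKEY_...] header. stamp is None when absent."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            entries.append({"key": key, "name": m.group("name"),
                            "path": m.group("path"), "stamp": m.group("stamp")})
    return entries


def suspicious_entries(entries):
    """Heuristic taken from this thread (an assumption, not a ComboFix rule):
    a Run value pointing at a system32 DLL that carries [BU] instead of a
    date/size stamp. VoipCheapCom is also [BU] but is an .exe under
    Program Files, so it is not flagged."""
    return [e for e in entries
            if e["stamp"] == "BU" and SYSTEM32_DLL_RE.match(e["path"])]


def cfscript_registry_section(flagged):
    """Render the Registry:: section in the form the helper's CFScript uses:
    the key header followed by "name"=- lines, which delete those values."""
    by_key = {}
    for e in flagged:
        by_key.setdefault(e["key"], []).append(e["name"])
    lines = ["Registry::"]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    flagged = suspicious_entries(parse_run_entries(SAMPLE_LOG))
    for e in flagged:
        print(f'{e["name"]:<14} -> {e["path"]}')
    print(cfscript_registry_section(flagged))
```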
Old 12-28-2008, 12:06 PM   #7 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 7
OS: Windows XP


Re: Downloaded virus from YouTube?

After running ComboFix this time I got several requests for registry changes. They were requests for deletions and they included the names of the troublesome files, so I allowed the changes. I hope I didn't mess things up.

Here's the latest ComboFix log:

ComboFix 08-12-28.01 - Mike 2008-12-28 13:52:55.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.169 [GMT -5:00]
Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mike\Desktop\CFScript.txt
AV: AVG 7.5.552 *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\kegewowu.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\kegewowu.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-28 )))))))))))))))))))))))))))))))
.

2008-12-20 21:53 . 2008-12-20 21:57 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-12-20 19:38 . 2008-12-20 20:18 <DIR> d-------- c:\documents and settings\Administrator\Application Data\AVG7
2008-12-20 11:50 . 2008-12-27 12:29 250 --a------ c:\windows\gmer.ini
2008-12-20 11:10 . 2008-12-20 11:10 <DIR> d--h----- c:\windows\PIF
2008-12-18 22:22 . 2008-12-18 22:22 269 --a------ c:\windows\wininit.ini
2008-12-13 13:01 . 2008-12-13 13:01 <DIR> d-------- c:\program files\iTunes
2008-12-13 13:01 . 2008-12-13 13:01 <DIR> d-------- c:\program files\iPod
2008-12-13 13:01 . 2008-12-13 13:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-13 13:00 . 2008-12-13 13:00 <DIR> d-------- c:\program files\QuickTime
2008-12-04 23:05 . 2008-12-04 23:06 <DIR> d-------- c:\program files\Common Files\Ahead
2008-12-04 23:05 . 2008-12-04 23:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nero
2008-12-04 09:58 . 2008-12-04 09:58 <DIR> d-------- c:\documents and settings\Christina\Application Data\Recordpad
2008-12-03 23:44 . 2008-12-03 23:44 <DIR> d-------- c:\program files\Amazon
2008-12-03 23:44 . 2008-12-03 23:44 <DIR> d-------- c:\documents and settings\Mike\Application Data\Amazon
2008-12-03 22:50 . 2008-12-03 22:50 <DIR> d-------- c:\documents and settings\Mike\Application Data\Recordpad

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 00:40 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2008-12-19 02:34 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-19 02:11 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-18 02:24 --------- d-----w c:\documents and settings\Christina\Application Data\AVG7
2008-12-13 18:29 --------- d-----w c:\program files\NCH Swift Sound
2008-12-13 17:59 --------- d-----w c:\program files\Common Files\Apple
2008-12-12 17:01 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-07 22:48 --------- d-----w c:\documents and settings\Mike\Application Data\OpenOffice.org2
2008-12-04 14:58 --------- d-----w c:\documents and settings\Christina\Application Data\NCH Swift Sound
2008-12-04 04:10 --------- d-----w c:\documents and settings\Mike\Application Data\NCH Swift Sound
2008-12-04 04:10 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Swift Sound
2008-11-26 01:32 --------- d-----w c:\documents and settings\Mike\Application Data\VoipCheapCom
2008-11-25 12:43 18,816 ----a-w c:\windows\system32\drivers\dvd43llh.sys
2008-11-25 12:43 --------- d-----w c:\program files\dvd43
2008-11-25 01:29 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-20 03:00 --------- d-----w c:\program files\Mozilla Thunderbird
2008-11-07 19:23 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 01:00 666,112 ----a-w c:\windows\system32\wininet.dll
2008-10-16 01:00 666,112 ------w c:\windows\system32\dllcache\wininet.dll
2008-10-16 01:00 619,520 ------w c:\windows\system32\dllcache\urlmon.dll
2008-10-16 01:00 1,499,136 ------w c:\windows\system32\dllcache\shdocvw.dll
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\dllcache\strmdll.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-05-03 12:21 168 --sh--r c:\windows\system32\156A00215D.sys
2008-05-03 12:21 5,018 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-12-27_17.07.19.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-16 01:00:11 3,067,904 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-12 17:01:00 3,067,904 ----a-w c:\windows\system32\mshtml.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"VoipCheapCom"="c:\program files\VoipCheapCom\VoipCheapCom.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-16 590848]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-10-25 219136]

c:\documents and settings\Christina\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - c:\program files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2008-04-16 1425424]
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2008-10-02 546288]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"DMXLauncher"=c:\program files\Dell\Media Experience\DMXLauncher.exe
"dvd43"=c:\program files\dvd43\dvd43_tray.exe
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /install
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"SigmatelSysTrayApp"=stsystra.exe
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Cisco Systems\\VPN Client\\cvpnd.exe"=


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
- - - - ORPHANS REMOVED - - - -

BHO-{6d1aae8c-5422-423e-b1d0-ed6bfa1ae4f6} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4070501
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
FF - ProfilePath - c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\bf8i9fy8.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsnapfish.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-28 13:56:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-28 13:58:31
ComboFix-quarantined-files.txt 2008-12-28 18:57:20
ComboFix2.txt 2008-12-27 23:41:36
ComboFix3.txt 2008-12-27 22:08:26

Pre-Run: 44,133,367,808 bytes free
Post-Run: 44,171,501,568 bytes free

172 --- E O F --- 2008-12-27 22:40:41
scoop113 is offline  
Old 12-28-2008, 01:14 PM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,017
OS: WinXP and Vista


Re: Downloaded virus from YouTube?

Quote:
After running ComboFix this time I got several requests for registry changes. They were requests for deletions and they included the names of the troublesome files, so I allowed the changes. I hope I didn't mess things up.
You did exactly what needed to be done with those alerts. Good work.

Your logs are clean, and you should no longer be receiving any boot up errors. If there aren't any more problems, please continue with these final instructions and helpful links:

Open notepad and copy/paste the entire text in the quote box below: (don't forget to copy and paste REGEDIT4)

Quote:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSCONFIG.EXE]
@="C:\\WINDOWS\\pchealth\\helpctr\\Binaries\\MSCONFIG.EXE"
Save the file as "msconfig.reg". Make sure to save it with the quotes. Choose to "Save type as - All Files"
It should look like this:

Double click on the msconfig.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.


===============================


The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------


To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.


Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?
Think Prevention


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.
Ried is offline  
Old 12-28-2008, 01:52 PM   #9 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 7
OS: Windows XP


Re: Downloaded virus from YouTube?

Seems to be working pretty well. No problems on bootup. Web surfing is quite fast.

Thanks so much for your time and trouble. A donation to the site is on the way.
scoop113 is offline  
Old 12-28-2008, 02:06 PM   #10 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,017
OS: WinXP and Vista


Re: Downloaded virus from YouTube?

You're welcome, scoop113. I'm sure the owner of this site appreciates the donation--thank you.

Take care and surf safely.
Ried is offline  
 


Copyright 2001 - 2009, Tech Support Forum