Vundo and other trojans

[hlpmeplz156]

My pc was running soo slow so I downloaded AVG and it found tons of trojans on my PC!! I have tried to uninstall unecessary programs and clean up my pc as much as possible but AVG is still finding viruses.

Here is the DDS report:


DDS (Version 1.1.0) - NTFSx86
Run by valerie at 15:47:09.03 on Sat 12/27/2008
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_10

============== Pseudo HJT Report ===============

uStart Page = hxxp://att.yahoo.com/
uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = hxxp://www.emachines.com/
uURLSearchHooks: Yahoo! ¤u¨ã¦C: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
BHO: NoExplorer - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: {1DBDB0A7-9892-4E97-8972-CE58DB5CE5A2} - No File
BHO: {354f4271-c2e8-4cd6-a6dc-8110c231616e} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {549B5CA7-4A86-11D7-A4DF-000874180BB3} - No File
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Yahoo! ¤u¨ã¦C: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
TB: {1DBDB0A6-9892-4E97-8972-CE58DB5CE5A2} - No File
TB: {74CC49F7-EB32-4A08-B204-948962A6E3DB} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [VTTimer] VTTimer.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [CHotkey] zHotkey.exe
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil9f.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {6224f700-cba3-4071-b251-47cb894244cd} - c:\program files\icq\ICQ.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
AppInit_DLLs: c:\windows\system32\foyuroke.dll,c:\windows\system32\pogagodi.dll,c:\windows\system32\liseruka.dll,c:\windows\system32\zavisomu.dll,avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - No File
STS: {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - No File
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll
LSA: Notification Packages = scecli c:\windows\system32\pogagodi.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\valerie\applic~1\mozilla\firefox\profiles\ueegmspf.default\
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\yahoo!\shared\npYState.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2008-12-27 14:35 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-27 14:35 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-27 14:35 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-27 14:35 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-27 14:13 138,496 -c------ c:\windows\system32\dllcache\afd.sys
2008-12-27 14:13 333,824 -c------ c:\windows\system32\dllcache\srv.sys
2008-12-27 14:12 1,846,400 -c------ c:\windows\system32\dllcache\win32k.sys
2008-12-27 14:12 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-27 14:11 2,189,184 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-27 14:11 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-27 14:11 2,066,048 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-27 14:11 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2008-12-27 14:11 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2008-12-27 14:11 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2008-12-27 14:11 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2008-12-27 14:01 12,160 ac------ c:\windows\system32\dllcache\mouhid.sys
2008-12-27 14:01 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2008-12-27 14:01 21,504 ac------ c:\windows\system32\dllcache\hidserv.dll
2008-12-27 14:01 21,504 a------- c:\windows\system32\hidserv.dll
2008-12-27 14:01 14,592 ac------ c:\windows\system32\dllcache\kbdhid.sys
2008-12-27 14:01 14,592 a------- c:\windows\system32\drivers\kbdhid.sys
2008-12-27 14:00 10,368 ac------ c:\windows\system32\dllcache\hidusb.sys
2008-12-27 14:00 10,368 a------- c:\windows\system32\drivers\hidusb.sys
2008-12-27 14:00 32,128 ac------ c:\windows\system32\dllcache\usbccgp.sys
2008-12-27 14:00 32,128 a------- c:\windows\system32\drivers\usbccgp.sys
2008-12-20 00:08 <DIR> --d----- c:\windows\system32\scripting
2008-12-20 00:08 <DIR> --d----- c:\windows\l2schemas
2008-12-20 00:08 <DIR> --d----- c:\windows\system32\en
2008-12-20 00:00 <DIR> --d----- c:\windows\network diagnostic
2008-12-19 23:58 1,393 a------- c:\windows\imsins.BAK
2008-12-14 20:05 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-12-14 19:14 <DIR> --dsh--- C:\found.000
2008-12-14 18:55 <DIR> --d----- c:\program files\CCleaner
2008-12-14 15:26 <DIR> --d-h--- C:\$AVG8.VAULT$
2008-12-14 15:10 10,520 a------- c:\windows\system32\avgrsstx.dll
2008-12-14 15:10 76,040 a------- c:\windows\system32\drivers\avgtdix.sys
2008-12-14 15:09 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2008-12-14 15:09 <DIR> --d----- c:\windows\system32\drivers\Avg
2008-12-14 15:09 <DIR> --d----- c:\program files\AVG
2008-12-14 15:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2008-12-04 07:54 1,430,058 ---sh--- c:\windows\system32\oririkip.ini
2008-12-02 19:12 1,357,717 ---sh--- c:\windows\system32\amipuwuz.ini
2008-12-02 06:38 1,340,850 ---sh--- c:\windows\system32\etetimol.ini
2008-12-01 14:21 1,327,344 ---sh--- c:\windows\system32\itedukol.ini
2008-12-01 14:20 30 ---sh--- c:\windows\system32\meruyuva.dll
2008-11-30 21:52 1,296,222 ---sh--- c:\windows\system32\irawuwus.ini
2008-11-29 14:16 1,296,222 ---sh--- c:\windows\system32\elorinih.ini
2008-11-28 14:44 1,296,222 ---sh--- c:\windows\system32\ayifebub.ini
2008-11-28 11:00 1,632,016 ---sh--- c:\windows\system32\udukesup.ini
2008-11-27 19:04 1,590,546 ---sh--- c:\windows\system32\uzejaguf.ini

==================== Find3M ====================

2008-12-20 00:13 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-24 16:37 410,976 a------- c:\windows\system32\deploytk.dll
2008-11-24 15:06 42,812 a---h--- c:\windows\system32\mlfcache.dat
2008-10-23 04:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 12:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-03 02:15 247,326 a------- c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll

============= FINISH: 15:48:12.62 ===============

[tetonbob]

Hello, and Welcome to TSF.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

1. Download ComboFix from one of these locations:
   
   Link 1
   Link 2
   Link 3
   
   * IMPORTANT !!! Place combofix.exe on your Desktop
   
2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
   
3. Using Internet Explorer, Download ResetTeaTimer.bat by right-clicking on the link, and choosing Save As. Save it to your desktop, or somewhere you can find it easily.
   Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.
   
   S& D Spybot's Tea Timer
   
   While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent our tools from fixing certain things.
   Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your logs are clean.
   • Open Spybot Search & Destroy.
   • In the Mode menu click "Advanced mode" if not already selected.
   • Choose "Yes" at the Warning prompt.
   • Expand the "Tools" menu.
   • Click "Resident".
   • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
   • In the File menu click "Exit" to exit Spybot Search & Destroy.
   • See this link for a tutorial
   
   
   
4. Double click on combofix.exe & follow the prompts.
   
5. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
   
   Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
   
   
   
   
   
   The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
   
   With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
   
   Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
   
   ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
   
   Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
   
   The Recovery Console was successfully installed.
   
   
   
   Click on Yes, to continue scanning for malware.
   
6. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
   
7. When finished, it shall produce a log for you. Post that log in your next reply
   
   Note:
   Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
   
   ---------------------------------------------------------------------------------------------
   
8. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.
   
   

[hlpmeplz156]

Here is the log

ComboFix 08-12-30.01 - valerie 2008-12-30 19:01:45.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.178 [GMT -8:00]
Running from: c:\documents and settings\valerie\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\roman\Application Data\SpamBlocker
c:\documents and settings\roman\Application Data\SpamBlockerUtility_Icons
c:\documents and settings\roman\Application Data\SpamBlockerUtility_Icons\Registryrepair.ico
c:\documents and settings\roman\Application Data\SpamBlockerUtility_Icons\Software_Online_8.ico
c:\documents and settings\roman\Application Data\SpamBlockerUtility_Icons\wallpapere1.ico
c:\documents and settings\valerie\Application Data\SpamBlockerUtility_Icons
c:\documents and settings\valerie\Application Data\SpamBlockerUtility_Icons\Registryrepair.ico
c:\documents and settings\valerie\Application Data\SpamBlockerUtility_Icons\Software_Online_8.ico
c:\documents and settings\valerie\Application Data\SpamBlockerUtility_Icons\wallpapere1.ico
C:\mimic.log
c:\recycler\ADAPT_Installer.exe
c:\windows\system32\1miEBsMo.exe.a_a
c:\windows\system32\j6S5bO4u.exe.a_a
c:\windows\system32\meruyuva.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-31 )))))))))))))))))))))))))))))))
.

2008-12-27 16:05 . 2008-12-27 16:06 250 --a------ c:\windows\gmer.ini
2008-12-27 14:35 . 2008-12-27 14:35 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-27 14:35 . 2008-12-27 14:35 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-27 14:35 . 2008-12-27 14:35 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-27 14:35 . 2008-12-27 14:35 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-27 14:13 . 2008-09-08 02:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-12-27 14:13 . 2008-08-14 02:04 138,496 -----c--- c:\windows\system32\dllcache\afd.sys
2008-12-27 14:12 . 2008-08-14 02:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-27 14:12 . 2008-09-15 04:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-12-27 14:11 . 2008-08-14 02:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-27 14:11 . 2008-08-14 01:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-27 14:11 . 2008-08-14 01:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-27 14:11 . 2008-04-11 11:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2008-12-27 14:11 . 2008-10-15 08:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-12-27 14:11 . 2008-06-13 03:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-12-27 14:11 . 2008-05-08 06:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2008-12-27 14:01 . 2008-04-13 16:11 21,504 --a------ c:\windows\system32\hidserv.dll
2008-12-27 14:01 . 2008-04-13 16:11 21,504 --a--c--- c:\windows\system32\dllcache\hidserv.dll
2008-12-27 14:01 . 2008-04-13 10:39 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2008-12-27 14:01 . 2008-04-13 10:39 14,592 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2008-12-27 14:01 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2008-12-27 14:01 . 2001-08-17 13:48 12,160 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2008-12-27 14:00 . 2008-04-13 10:45 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-12-27 14:00 . 2008-04-13 10:45 32,128 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2008-12-27 14:00 . 2008-04-13 10:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2008-12-27 14:00 . 2008-04-13 10:45 10,368 --a--c--- c:\windows\system32\dllcache\hidusb.sys
2008-12-23 22:09 . 2003-11-20 03:04 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2008-12-23 22:09 . 2003-11-20 03:35 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2008-12-23 22:09 . 2003-11-20 03:22 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InterTrust
2008-12-23 22:09 . 2008-12-23 22:09 <DIR> d-------- c:\documents and settings\Administrator
2008-12-20 00:08 . 2008-12-20 00:08 <DIR> d-------- c:\windows\system32\scripting
2008-12-20 00:08 . 2008-12-20 00:08 <DIR> d-------- c:\windows\system32\en
2008-12-20 00:08 . 2008-12-20 00:08 <DIR> d-------- c:\windows\l2schemas
2008-12-19 23:58 . 2008-12-27 14:23 1,393 --a------ c:\windows\imsins.BAK
2008-12-14 20:05 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-14 19:14 . 2008-12-14 19:14 <DIR> d--hs---- C:\found.000
2008-12-14 18:55 . 2008-12-14 18:55 <DIR> d-------- c:\program files\CCleaner
2008-12-14 15:26 . 2008-12-27 15:12 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-14 15:10 . 2008-12-14 15:10 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-14 15:10 . 2008-12-14 15:10 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-14 15:09 . 2008-12-27 14:05 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-14 15:09 . 2008-12-14 15:09 <DIR> d-------- c:\program files\AVG
2008-12-14 15:09 . 2008-12-14 15:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-14 15:09 . 2008-12-14 15:09 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-04 07:54 . 2008-12-04 07:54 1,430,058 ---hs---- c:\windows\system32\oririkip.ini
2008-12-02 19:12 . 2008-12-02 19:12 1,357,717 ---hs---- c:\windows\system32\amipuwuz.ini
2008-12-02 06:38 . 2008-12-03 08:02 1,340,850 ---hs---- c:\windows\system32\etetimol.ini
2008-12-01 14:21 . 2008-12-01 14:21 1,327,344 ---hs---- c:\windows\system32\itedukol.ini
2008-11-30 21:52 . 2008-11-30 21:52 1,296,222 ---hs---- c:\windows\system32\irawuwus.ini
2008-11-29 14:16 . 2008-11-29 14:16 1,296,222 ---hs---- c:\windows\system32\elorinih.ini
2008-11-28 14:44 . 2008-11-28 14:44 1,296,222 ---hs---- c:\windows\system32\ayifebub.ini
2008-11-28 11:00 . 2008-11-28 11:01 1,632,016 ---hs---- c:\windows\system32\udukesup.ini
2008-11-27 19:04 . 2008-11-27 19:04 1,590,546 ---hs---- c:\windows\system32\uzejaguf.ini
2008-11-26 11:35 . 2008-11-26 17:15 1,739,935 ---hs---- c:\windows\system32\ofayupub.ini
2008-11-25 22:30 . 2008-11-25 22:30 1,739,917 ---hs---- c:\windows\system32\orepogig.ini
2008-11-25 10:30 . 2008-11-25 13:15 1,739,926 ---hs---- c:\windows\system32\okariroz.ini
2008-11-24 16:38 . 2008-11-24 16:37 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-24 16:15 . 2008-11-24 16:30 <DIR> d-------- c:\documents and settings\judy\.SunDownloadManager
2008-11-24 15:06 . 2008-11-24 15:06 42,812 --ah----- c:\windows\system32\mlfcache.dat
2008-11-20 08:11 . 2008-11-20 08:11 <DIR> d-------- C:\ProgramData
2008-11-20 08:11 . 2008-12-14 19:34 <DIR> d-------- c:\program files\Angle Interactive
2008-11-16 09:23 . 2008-11-16 09:23 <DIR> d-------- c:\documents and settings\judy\Application Data\TuneUp Software
2008-11-13 22:54 . 2008-11-13 22:54 <DIR> d-------- c:\documents and settings\judy\Application Data\Viewpoint
2008-11-13 09:19 . 2008-11-25 10:30 1,739,917 ---hs---- c:\windows\system32\alisesag.ini
2008-11-12 06:29 . 2008-11-13 06:33 1,583,282 ---hs---- c:\windows\system32\ekajowuf.ini
2008-11-11 12:29 . 2008-11-11 13:24 1,589,650 ---hs---- c:\windows\system32\elehogif.ini
2008-11-10 18:40 . 2008-11-10 18:55 1,585,824 ---hs---- c:\windows\system32\aferoven.ini
2008-11-10 06:42 . 2008-11-10 06:45 1,581,253 ---hs---- c:\windows\system32\ufazites.ini
2008-11-09 16:06 . 2008-11-09 22:45 1,931,404 ---hs---- c:\windows\system32\ipigunuf.ini
2008-11-09 00:56 . 2008-11-09 02:13 1,931,395 ---hs---- c:\windows\system32\itefajav.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-31 02:19 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-27 22:41 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-27 22:22 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-27 22:12 --------- d-----w c:\program files\SpywareGuard
2008-12-24 14:42 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-12-15 00:13 --------- d-----w c:\documents and settings\valerie\Application Data\Key Folder
2008-12-14 23:57 --------- d-----w c:\documents and settings\roman\Application Data\Key Folder
2008-12-14 23:48 --------- d-----w c:\documents and settings\judy\Application Data\Key Folder
2008-11-28 23:23 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-25 00:37 --------- d-----w c:\program files\Java
2008-11-24 23:01 --------- d-----w c:\documents and settings\judy\Application Data\Apple Computer
2008-11-16 17:23 --------- d-----w c:\documents and settings\valerie\Application Data\LimeWire
2008-10-28 22:55 --------- d-----w c:\program files\QuickTime
2008-10-28 06:10 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-10-28 06:10 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-10-28 06:10 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-10-28 03:33 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-10-28 03:33 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 233472]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-14 1261336]
"VTTimer"="VTTimer.exe" [2003-08-20 c:\windows\system32\VTTimer.exe]
"CHotkey"="zHotkey.exe" [2003-06-03 c:\windows\zHotkey.exe]

c:\documents and settings\valerie\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-08-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2006-10-03 54776]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-04-27 13:17 50736 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 16:43 4670704 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SBService"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"="c:\program files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\WLLoginProxy.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 5.0\\PhotoshopElementsFileAgent.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jqs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-14 97928]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-12-14 76040]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2003-11-20 14336]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-14 875288]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-14 231704]
.
Contents of the 'Scheduled Tasks' folder

2008-09-20 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2006\SystemOptimizer.exe [2005-09-21 21:35]

2008-11-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-20 c:\windows\Tasks\At1.job
- c:\windows\system32\j6S5bO4u.exe []

2008-12-20 c:\windows\Tasks\At10.job
- c:\windows\system32\j6S5bO4u.exe []

2008-12-20 c:\windows\Tasks\At11.job
- c:\windows\system32\j6S5bO4u.exe []

2008-12-03 c:\windows\Tasks\At12.job
- c:\windows\system32\j6S5bO4u.exe []

2008-12-03 c:\windows\Tasks\At13.job
- c:\windows\system32\j6S5bO4u.exe []

2008-11-26 c:\windows\Tasks\At14.job
- c:\windows\system32\j6S5bO4u.exe []

2008-12-27 c:\windows\Tasks\At15.job
- c:\windows\system32\j6S5bO4u.exe []

2008-12-27 c:\windows\Tasks\At16.job
- c:\windows\system32\j6S5bO4u.exe []

2008-12-28 c:\windows\Tasks\At17.job
- c:\windows\system32\j6S5bO4u.exe []

2008-12-28 c:\windows\Tasks\At18.job
- c:\windows\system32\j6S5bO4u.exe []

2008-12-15 c:\windows\Tasks\At19.job
- c:\windows\system32\j6S5bO4u.exe []

2008-12-20 c:\windows\Tasks\At2.job
- c:\windows\system32\j6S5bO4u.exe []

2008-11-30 c:\windows\Tasks\At20.job
- c:\windows\system32\j6S5bO4u.exe []

2008-12-15 c:\windows\Tasks\At21.job
- c:\windows\system32\j6S5bO4u.exe []

2008-12-03 c:\windows\Tasks\At22.job
- c:\windows\system32\j6S5bO4u.exe []

2008-12-20 c:\windows\Tasks\At23.job
- c:\windows\system32\j6S5bO4u.exe []

2008-12-20 c:\windows\Tasks\At24.job
- c:\windows\system32\j6S5bO4u.exe []

2008-12-20 c:\windows\Tasks\At25.job
- c:\windows\system32\1miEBsMo.exe []

2008-12-20 c:\windows\Tasks\At26.job
- c:\windows\system32\1miEBsMo.exe []

2008-12-20 c:\windows\Tasks\At27.job
- c:\windows\system32\1miEBsMo.exe []

2008-12-20 c:\windows\Tasks\At28.job
- c:\windows\system32\1miEBsMo.exe []

2008-12-20 c:\windows\Tasks\At29.job
- c:\windows\system32\1miEBsMo.exe []

2008-12-20 c:\windows\Tasks\At3.job
- c:\windows\system32\j6S5bO4u.exe []

2008-12-20 c:\windows\Tasks\At30.job
- c:\windows\system32\1miEBsMo.exe []

2008-12-20 c:\windows\Tasks\At31.job
- c:\windows\system32\1miEBsMo.exe []

2008-12-24 c:\windows\Tasks\At32.job
- c:\windows\system32\1miEBsMo.exe []

2008-12-20 c:\windows\Tasks\At33.job
- c:\windows\system32\1miEBsMo.exe []

2008-12-20 c:\windows\Tasks\At34.job
- c:\windows\system32\1miEBsMo.exe []

2008-12-20 c:\windows\Tasks\At35.job
- c:\windows\system32\1miEBsMo.exe []

2008-12-03 c:\windows\Tasks\At36.job
- c:\windows\system32\1miEBsMo.exe []

2008-12-04 c:\windows\Tasks\At37.job
- c:\windows\system32\1miEBsMo.exe []

2008-11-27 c:\windows\Tasks\At38.job
- c:\windows\system32\1miEBsMo.exe []

2008-12-27 c:\windows\Tasks\At39.job
- c:\windows\system32\1miEBsMo.exe []

2008-12-20 c:\windows\Tasks\At4.job
- c:\windows\system32\j6S5bO4u.exe []

2008-12-27 c:\windows\Tasks\At40.job
- c:\windows\system32\1miEBsMo.exe []

2008-12-28 c:\windows\Tasks\At41.job
- c:\windows\system32\1miEBsMo.exe []

2008-12-28 c:\windows\Tasks\At42.job
- c:\windows\system32\1miEBsMo.exe []

2008-12-15 c:\windows\Tasks\At43.job
- c:\windows\system32\1miEBsMo.exe []

2008-12-01 c:\windows\Tasks\At44.job
- c:\windows\system32\1miEBsMo.exe []

2008-12-15 c:\windows\Tasks\At45.job
- c:\windows\system32\1miEBsMo.exe []

2008-12-03 c:\windows\Tasks\At46.job
- c:\windows\system32\1miEBsMo.exe []

2008-12-20 c:\windows\Tasks\At47.job
- c:\windows\system32\1miEBsMo.exe []

2008-12-20 c:\windows\Tasks\At48.job
- c:\windows\system32\1miEBsMo.exe []

2008-12-20 c:\windows\Tasks\At5.job
- c:\windows\system32\j6S5bO4u.exe []

2008-11-26 c:\windows\Tasks\At51.job
- c:\program files\norton pc checkup\pc_checkup.exe [2008-06-29 13:50]

2008-11-26 c:\windows\Tasks\At52.job
- c:\program files\norton pc checkup\pc_checkup.exe [2008-06-29 13:50]

2008-12-20 c:\windows\Tasks\At6.job
- c:\windows\system32\j6S5bO4u.exe []

2008-12-20 c:\windows\Tasks\At7.job
- c:\windows\system32\j6S5bO4u.exe []

2008-12-24 c:\windows\Tasks\At8.job
- c:\windows\system32\j6S5bO4u.exe []

2008-12-20 c:\windows\Tasks\At9.job
- c:\windows\system32\j6S5bO4u.exe []

2008-12-31 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE []
.
- - - - ORPHANS REMOVED - - - -

BHO-{1DBDB0A7-9892-4E97-8972-CE58DB5CE5A2} - (no file)
BHO-{354f4271-c2e8-4cd6-a6dc-8110c231616e} - (no file)
Toolbar-{1DBDB0A6-9892-4E97-8972-CE58DB5CE5A2} - (no file)
WebBrowser-{1DBDB0A6-9892-4E97-8972-CE58DB5CE5A2} - (no file)
HKU-Default-RunOnce-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\FlashUtil9f.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = hxxp://www.emachines.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\valerie\Application Data\Mozilla\Firefox\Profiles\ueegmspf.default\
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 19:19:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*a*u*s*a*u*f*g*a*b*e*n*â*¬  r*e*f*e*r*a*t*e*.*d*e*]
@Owner=S-1-5-21-2307804327-1828861041-4101734922-1005
"*"=dword:00000004

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*a*u*s*a*u*f*g*a*b*e*n*â*¬  r*e*f*e*r*a*t*e*.*d*e*]
@Security="Inherited"
"*"=dword:00000004

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*a*u*s*a*u*f*g*a*b*e*n*â*¬  r*e*f*e*r*a*t*e*.*d*e*]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-2307804327-1828861041-4101734922-1005
@Allowed: (Full) (S-1-5-19)
@Allowed: (Full) (S-1-5-19)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
"*"=dword:00000004

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\m*e*i*n*e*-*g*r*u*Ã*x
k*a*r*t*e*n*.*d*e*]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-2307804327-1828861041-4101734922-1005
@Allowed: (Full) (S-1-5-19)
@Allowed: (Full) (S-1-5-19)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\m*e*i*n*e*-*g*r*u*Ã*x
k*a*r*t*e*n*.*d*e*\{undo}]
@Security="Inherited"
"*"=dword:00000004

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\m*e*i*n*e*-*g*r*u*Ã*x
k*a*r*t*e*n*.*d*e*\{undo}www]
@Security="Inherited"
"*"=dword:00000004

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*a*u*s*a*u*f*g*a*b*e*n*â*¬  r*e*f*e*r*a*t*e*.*d*e*]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-2307804327-1828861041-4101734922-1005
@Allowed: (Full) (S-1-5-20)
@Allowed: (Full) (S-1-5-20)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
"*"=dword:00000004

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\m*e*i*n*e*-*g*r*u*Ã*x
k*a*r*t*e*n*.*d*e*]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-2307804327-1828861041-4101734922-1005
@Allowed: (Full) (S-1-5-20)
@Allowed: (Full) (S-1-5-20)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\m*e*i*n*e*-*g*r*u*Ã*x
k*a*r*t*e*n*.*d*e*\{undo}]
@Security="Inherited"
"*"=dword:00000004

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\m*e*i*n*e*-*g*r*u*Ã*x
k*a*r*t*e*n*.*d*e*\{undo}www]
@Security="Inherited"
"*"=dword:00000004

[HKEY_USERS\S-1-5-21-2307804327-1828861041-4101734922-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*a*u*s*a*u*f*g*a*b*e*n*â*¬  r*e*f*e*r*a*t*e*.*d*e*]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-2307804327-1828861041-4101734922-1005
@Allowed: (Full) (S-1-5-21-2307804327-1828861041-4101734922-1005)
@Allowed: (Full) (S-1-5-21-2307804327-1828861041-4101734922-1005)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
"*"=dword:00000004

[HKEY_USERS\S-1-5-21-2307804327-1828861041-4101734922-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*a*u*s*a*u*f*g*a*b*e*n*â*¬  r*e*f*e*r*a*t*e*.*d*e*]
@Security="Inherited"
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\software\BigFix\BigFix\DelayStart]
@Security=(SE_DACL_PRESENT SE_SACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL @SACL)
@Owner=S-1-5-21-2307804327-1828861041-4101734922-1003
@Denied: (Full) (Guests)
@Allowed: (Full) (S-1-5-21-2307804327-1828861041-4101734922-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Read) (S-1-2-0)
@SACL=
"BFastDelayType"=""
"BFastStart"=""
"AttentionType"="BalloonAlert"
"BalloonTitle"="Want to keep your copy of Windows XP up to date?"
"BalloonText"="Click here to learn about eMachines Proactive Support."
"BalloonBitmapFile"="c:\\Windows\\emachines_32.bmp"
"StartupDelayType"="xponline"

[HKEY_LOCAL_MACHINE\software\BigFix\BigFix\DelayStart\State]
@Security=(SE_DACL_PRESENT SE_SACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL @SACL)
@Owner=S-1-5-21-2307804327-1828861041-4101734922-1003
@Denied: (Full) (Guests)
@Allowed: (Full) (S-1-5-21-2307804327-1828861041-4101734922-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (S-1-2-0)
@SACL=
"BFastDelayComplete"=dword:00000001
"BFastRun"=dword:00000001
"StartupDelayComplete"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*a*u*s*a*u*f*g*a*b*e*n*â*¬  r*e*f*e*r*a*t*e*.*d*e*]
@Owner=S-1-5-21-2307804327-1828861041-4101734922-1005
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*a*u*s*a*u*f*g*a*b*e*n*â*¬  r*e*f*e*r*a*t*e*.*d*e*]
@Security="Inherited"
"*"=dword:00000004
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\wanmpsvc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-12-30 19:23:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-31 03:23:43

Pre-Run: 102,177,771,520 bytes free
Post-Run: 103,305,146,368 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

439 --- E O F --- 2008-12-27 22:24:47

[tetonbob]

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
   
2. Open notepad and copy/paste the text in the quotebox below into it:
   
   
   Quote:

   File::
   c:\windows\Tasks\At1.job
   c:\windows\Tasks\At10.job
   c:\windows\Tasks\At11.job
   c:\windows\Tasks\At12.job
   c:\windows\Tasks\At13.job
   C:\windows\Tasks\At14.job
   c:\windows\Tasks\At15.job
   c:\windows\Tasks\At16.job
   c:\windows\Tasks\At17.job
   c:\windows\Tasks\At18.job
   c:\windows\Tasks\At19.job
   c:\windows\Tasks\At2.job
   c:\windows\Tasks\At20.job
   c:\windows\Tasks\At21.job
   c:\windows\Tasks\At22.job
   c:\windows\Tasks\At23.job
   c:\windows\Tasks\At24.job
   c:\windows\Tasks\At25.job
   c:\windows\Tasks\At26.job
   c:\windows\Tasks\At27.job
   c:\windows\Tasks\At28.job
   c:\windows\Tasks\At29.job
   c:\windows\Tasks\At3.job
   c:\windows\Tasks\At30.job
   c:\windows\Tasks\At31.job
   c:\windows\Tasks\At32.job
   c:\windows\Tasks\At33.job
   c:\windows\Tasks\At34.job
   c:\windows\Tasks\At35.job
   c:\windows\Tasks\At36.job
   c:\windows\Tasks\At37.job
   c:\windows\Tasks\At38.job
   c:\windows\Tasks\At39.job
   c:\windows\Tasks\At4.job
   c:\windows\Tasks\At40.job
   c:\windows\Tasks\At41.job
   c:\windows\Tasks\At42.job
   c:\windows\Tasks\At43.job
   c:\windows\Tasks\At44.job
   c:\windows\Tasks\At45.job
   c:\windows\Tasks\At46.job
   c:\windows\Tasks\At47.job
   c:\windows\Tasks\At48.job
   c:\windows\Tasks\At5.job
   c:\windows\Tasks\At6.job
   c:\windows\Tasks\At7.job
   c:\windows\Tasks\At8.job
   c:\windows\Tasks\At9.job
   c:\windows\system32\oririkip.ini
   c:\windows\system32\amipuwuz.ini
   c:\windows\system32\etetimol.ini
   c:\windows\system32\itedukol.ini
   c:\windows\system32\irawuwus.ini
   c:\windows\system32\elorinih.ini
   c:\windows\system32\ayifebub.ini
   c:\windows\system32\udukesup.ini
   c:\windows\system32\uzejaguf.ini
   c:\windows\system32\ofayupub.ini
   c:\windows\system32\orepogig.ini
   c:\windows\system32\okariroz.ini
   c:\windows\system32\alisesag.ini
   c:\windows\system32\ekajowuf.ini
   c:\windows\system32\elehogif.ini
   c:\windows\system32\aferoven.ini
   c:\windows\system32\ufazites.ini
   c:\windows\system32\ipigunuf.ini
   c:\windows\system32\itefajav.ini
   
   

   Save this as CFScript.txt
   
   
   
   
   Referring to the picture above, drag CFScript.txt into ComboFix.exe
   
   
   
3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
   
4. When finished, it shall produce a log for you. Post that log in your next reply
   
   Note:
   Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
   
   ---------------------------------------------------------------------------------------------
   
5. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.
   
   
6. Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
   • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
   • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 11. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
   • Click the "Download" button to the right.
   • Select the Windows platform from the dropdown menu.
   • Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh.
   • Click on the link to download Windows Offline Installation and save the file to your desktop.
   • Close any programs you may have running - especially your web browser.
   • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
   • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
   • Click the Remove or Change/Remove button.
   • Repeat as many times as necessary to remove each Java versions.
   • Reboot your computer once all Java components are removed.
   • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
   • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
     • On the General tab, under Temporary Internet Files, click the Settings button.
     • Next, click on the Delete Files button
     • There are two options in the window to clear the cache - Leave BOTH Checked
       • Applications and Applets
         Trace and Log Files
     • Click OK on Delete Temporary Files Window
       Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
     • Click OK to leave the Temporary Files Window
     • Click OK to leave the Java Control Panel.
   
   ---------------------------------------------------------------------------------------------
   
7. Please perform this online scan to help look for remnants
   
   Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner
   
   **Note**
   
   To optimize scanning time and produce a more sensible report for review:
   • Close any open programs
   • Turn off the real time scanner of any existing antivirus program while performing the online scan.
   
   Click Accept, when prompted to download and install the program files and database of malware definitions.
   • Click Run at the Security prompt.
   • The program will then begin downloading and installing and will also update the database.
   • Please be patient as this can take several minutes.
   • Once the update is complete, click on Settings. Uncheck Mail databases.
   • Next, click on My Computer under the green Scan bar to the left to start the scan.
   • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
   • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
   • Click View scan report at the bottom.
   • Click the Save Report As... button.
   • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
   
   ---------------------------------------------------------------------------------------------
   
   Post logs from ComboFix, and Kaspersky. How is the machine behaving?
   
   ---------------------------------------------------------------------------------------------

[hlpmeplz156]

The machine is not as slow as before and it seems to be acting normal again. No strange processes anymore and I used to get pop ups from AVG that said it had found another trojan but Im not getting those anymore. Here are the logs

ComboFix 08-12-30.01 - valerie 2008-12-30 21:57:15.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.186 [GMT -8:00]
Running from: c:\documents and settings\valerie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\valerie\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\aferoven.ini
c:\windows\system32\alisesag.ini
c:\windows\system32\amipuwuz.ini
c:\windows\system32\ayifebub.ini
c:\windows\system32\ekajowuf.ini
c:\windows\system32\elehogif.ini
c:\windows\system32\elorinih.ini
c:\windows\system32\etetimol.ini
c:\windows\system32\ipigunuf.ini
c:\windows\system32\irawuwus.ini
c:\windows\system32\itedukol.ini
c:\windows\system32\itefajav.ini
c:\windows\system32\ofayupub.ini
c:\windows\system32\okariroz.ini
c:\windows\system32\orepogig.ini
c:\windows\system32\oririkip.ini
c:\windows\system32\udukesup.ini
c:\windows\system32\ufazites.ini
c:\windows\system32\uzejaguf.ini
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\aferoven.ini
c:\windows\system32\alisesag.ini
c:\windows\system32\amipuwuz.ini
c:\windows\system32\ayifebub.ini
c:\windows\system32\ekajowuf.ini
c:\windows\system32\elehogif.ini
c:\windows\system32\elorinih.ini
c:\windows\system32\etetimol.ini
c:\windows\system32\ipigunuf.ini
c:\windows\system32\irawuwus.ini
c:\windows\system32\itedukol.ini
c:\windows\system32\itefajav.ini
c:\windows\system32\ofayupub.ini
c:\windows\system32\okariroz.ini
c:\windows\system32\orepogig.ini
c:\windows\system32\oririkip.ini
c:\windows\system32\udukesup.ini
c:\windows\system32\ufazites.ini
c:\windows\system32\uzejaguf.ini
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-31 )))))))))))))))))))))))))))))))
.

2008-12-27 16:05 . 2008-12-27 16:06 250 --a------ c:\windows\gmer.ini
2008-12-27 14:35 . 2008-12-27 14:35 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-27 14:35 . 2008-12-27 14:35 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-27 14:35 . 2008-12-27 14:35 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-27 14:35 . 2008-12-27 14:35 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-27 14:13 . 2008-09-08 02:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-12-27 14:13 . 2008-08-14 02:04 138,496 -----c--- c:\windows\system32\dllcache\afd.sys
2008-12-27 14:12 . 2008-08-14 02:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-27 14:12 . 2008-09-15 04:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-12-27 14:11 . 2008-08-14 02:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-27 14:11 . 2008-08-14 01:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-27 14:11 . 2008-08-14 01:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-27 14:11 . 2008-04-11 11:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2008-12-27 14:11 . 2008-10-15 08:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-12-27 14:11 . 2008-06-13 03:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-12-27 14:11 . 2008-05-08 06:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2008-12-27 14:01 . 2008-04-13 16:11 21,504 --a------ c:\windows\system32\hidserv.dll
2008-12-27 14:01 . 2008-04-13 16:11 21,504 --a--c--- c:\windows\system32\dllcache\hidserv.dll
2008-12-27 14:01 . 2008-04-13 10:39 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2008-12-27 14:01 . 2008-04-13 10:39 14,592 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2008-12-27 14:01 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2008-12-27 14:01 . 2001-08-17 13:48 12,160 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2008-12-27 14:00 . 2008-04-13 10:45 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-12-27 14:00 . 2008-04-13 10:45 32,128 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2008-12-27 14:00 . 2008-04-13 10:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2008-12-27 14:00 . 2008-04-13 10:45 10,368 --a--c--- c:\windows\system32\dllcache\hidusb.sys
2008-12-23 22:09 . 2003-11-20 03:04 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2008-12-23 22:09 . 2003-11-20 03:35 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2008-12-23 22:09 . 2003-11-20 03:22 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InterTrust
2008-12-23 22:09 . 2008-12-23 22:09 <DIR> d-------- c:\documents and settings\Administrator
2008-12-20 00:08 . 2008-12-20 00:08 <DIR> d-------- c:\windows\system32\scripting
2008-12-20 00:08 . 2008-12-20 00:08 <DIR> d-------- c:\windows\system32\en
2008-12-20 00:08 . 2008-12-20 00:08 <DIR> d-------- c:\windows\l2schemas
2008-12-19 23:58 . 2008-12-27 14:23 1,393 --a------ c:\windows\imsins.BAK
2008-12-14 20:05 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-14 19:14 . 2008-12-14 19:14 <DIR> d--hs---- C:\found.000
2008-12-14 18:55 . 2008-12-14 18:55 <DIR> d-------- c:\program files\CCleaner
2008-12-14 15:26 . 2008-12-27 15:12 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-14 15:10 . 2008-12-14 15:10 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-14 15:10 . 2008-12-14 15:10 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-14 15:09 . 2008-12-27 14:05 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-14 15:09 . 2008-12-14 15:09 <DIR> d-------- c:\program files\AVG
2008-12-14 15:09 . 2008-12-14 15:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-14 15:09 . 2008-12-14 15:09 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-24 16:38 . 2008-11-24 16:37 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-24 16:15 . 2008-11-24 16:30 <DIR> d-------- c:\documents and settings\judy\.SunDownloadManager
2008-11-24 15:06 . 2008-11-24 15:06 42,812 --ah----- c:\windows\system32\mlfcache.dat
2008-11-20 08:11 . 2008-11-20 08:11 <DIR> d-------- C:\ProgramData
2008-11-20 08:11 . 2008-12-14 19:34 <DIR> d-------- c:\program files\Angle Interactive
2008-11-16 09:23 . 2008-11-16 09:23 <DIR> d-------- c:\documents and settings\judy\Application Data\TuneUp Software
2008-11-13 22:54 . 2008-11-13 22:54 <DIR> d-------- c:\documents and settings\judy\Application Data\Viewpoint

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-31 02:19 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-27 22:41 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-27 22:22 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-27 22:12 --------- d-----w c:\program files\SpywareGuard
2008-12-24 14:42 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-12-15 00:13 --------- d-----w c:\documents and settings\valerie\Application Data\Key Folder
2008-12-14 23:57 --------- d-----w c:\documents and settings\roman\Application Data\Key Folder
2008-12-14 23:48 --------- d-----w c:\documents and settings\judy\Application Data\Key Folder
2008-11-28 23:23 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-25 00:37 --------- d-----w c:\program files\Java
2008-11-24 23:01 --------- d-----w c:\documents and settings\judy\Application Data\Apple Computer
2008-11-16 17:23 --------- d-----w c:\documents and settings\valerie\Application Data\LimeWire
2008-10-28 22:55 --------- d-----w c:\program files\QuickTime
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 22:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 22:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-10-28 06:10 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-10-28 06:10 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-10-28 06:10 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-10-28 03:33 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-10-28 03:33 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-30_19.22.34.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-31 05:10:31 16,384 ----atw c:\windows\temp\Perflib_Perfdata_d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 233472]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-14 1261336]
"VTTimer"="VTTimer.exe" [2003-08-20 c:\windows\system32\VTTimer.exe]
"CHotkey"="zHotkey.exe" [2003-06-03 c:\windows\zHotkey.exe]

c:\documents and settings\valerie\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-08-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2006-10-03 54776]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-04-27 13:17 50736 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 16:43 4670704 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SBService"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"="c:\program files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\WLLoginProxy.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 5.0\\PhotoshopElementsFileAgent.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jqs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-14 97928]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-12-14 76040]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2003-11-20 14336]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-14 875288]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-14 231704]
.
Contents of the 'Scheduled Tasks' folder

2008-09-20 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2006\SystemOptimizer.exe [2005-09-21 21:35]

2008-11-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-26 c:\windows\Tasks\At51.job
- c:\program files\norton pc checkup\pc_checkup.exe [2008-06-29 13:50]

2008-11-26 c:\windows\Tasks\At52.job
- c:\program files\norton pc checkup\pc_checkup.exe [2008-06-29 13:50]

2008-12-31 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = hxxp://www.emachines.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\valerie\Application Data\Mozilla\Firefox\Profiles\ueegmspf.default\
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 22:01:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-30 22:02:46
ComboFix-quarantined-files.txt 2008-12-31 06:02:11
ComboFix2.txt 2008-12-31 03:23:49

Pre-Run: 103,540,903,936 bytes free
Post-Run: 103,500,759,040 bytes free

332 --- E O F --- 2008-12-27 22:24:47



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, December 31, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, December 31, 2008 05:19:59
Records in database: 1536156
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 67458
Threat name: 2
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 02:13:50


File name / Threat name / Threats count
C:\Documents and Settings\valerie\Desktop\HelpmeMAX!!.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\Documents and Settings\valerie\My Documents\LimeWire\Saved\dj coone calabria.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\valerie\My Documents\LimeWire\Saved\Jackson Five - Blame it on the boogie.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\valerie\My Documents\LimeWire\Saved\ol english.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1

The selected area was scanned.

[tetonbob]

Hi again -

Glad to hear the machine is behaving better now.

Do you know what this file is for?

C:\Documents and Settings\valerie\Desktop\HelpmeMAX!!.exe

Also..

From your earlier logs, I don't see that Limewire is installed any longer, and that's a good thing.

Please see this topic for more information:

http://www.techsupportforum.com/secu...e-sharing.html

As you can see from the Kaspersky scan, there are infected mp3 files in this folder:

C:\Documents and Settings\valerie\My Documents\LimeWire\Saved

I would suggest you delete this entire folder:

C:\Documents and Settings\valerie\My Documents\LimeWire

Let me know about the HelpmeMAX!!.exe file, and I'll have what should be final housekeeping and protection instructions for you.

[hlpmeplz156]

Happy New Year!

HelpmeMAX!!.exe is a single click ultravnc program that my cousin made so that if I need help or have a question he can connect to my computer and see what is going on. He is also the one who referred me to go to this forum for help with the viruses. I will go ahead and delete the C:\Documents and Settings\valerie\My Documents\LimeWire folder.

[tetonbob]

Ok, great, we can ignore the HelpMeMax file then, it gets flagged due to potential.

Other than that....

Your logs appear clean.You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

• Microsoft Windows Update - http://www.windowsupdate.com
  Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  
  
• SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items
• McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.
  
• Winpatrol
  
  Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.
  
  You can get a free copy of Winpatrol or use the Plus version for more features.
  
  You can read Winpatrol's FAQ if you run into problems.
  
  
• MVPS HOST FILE
  The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • Download Host.zip to your desktop.
  • From your Desktop right-click (hosts.zip) and select:
    Extract All from the menu.
    
  • Click Next, click Next, select the option:
    "Show Extracted files", click Finish
    
  • This will open the newly created hosts folder on your Desktop.
    
  • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    
  • Once updated you should see another prompt that the task was completed.
• ANTIVIRUS SOFTWARE
  It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.
  
  Do not install more than one AntiVirus program because they will conflict with each other.
  
  
• Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer
  
  
• http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• How did I get infected in the first place?
• PC Safety and Security--What Do I Need?

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

[hlpmeplz156]

Thank you so much for your help. My PC is definitly running much smoother and virus free!

[tetonbob]

Glad to have helped.

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.