Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 03-11-2009, 01:21 PM   #1 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 7
OS: xp


IEXPLORE.EXE starting randomly, causing pop-ups and slowing computer

original post:

http://www.techsupportforum.com/secu...-problems.html

This initially happened a few days ago. While using Firefox, IEXPLORE.EXE will appear in the task manager, accompanied by random pop-ups. More and more it's becoming continual pop-ups, and by the time I kill IEXPLORE.EXE in the task manager there are around 15-20 IE windows and still more starting up. I've tried Spybot and Ad-Aware but neither worked. I've spent the last few days Googling, trying to fix the problem myself, but it's just completely over my head. The pop-ups only happen when I'm currently using the internet, but the computer has just been slow all the time since it started. I'm using Windows XP with SP2.

My DDS.txt log:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Rachelle at 10:46:08.20 on Wed 03/11/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.598 [GMT -7:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Rachelle\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar =
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {40166b78-65cc-4dba-9413-d7d81bdf91c6} - c:\windows\system32\yawikofe.dll
BHO: {043d3fc8-6b21-bfd8-70f4-429155c8fcac}: {cacf8c55-1924-4f07-8dfb-12b68cf3d340} - c:\windows\system32\ujibhb.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [UnHackMe Monitor] c:\program files\unhackme\hackmon.exe
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [logopegeba] Rundll32.exe "c:\windows\system32\valalafo.dll",s
mRun: [d4a7fd90] rundll32.exe "c:\windows\system32\govegomu.dll",b
mRun: [CPMd794ce0c] Rundll32.exe "c:\windows\system32\bulopazo.dll",a
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: c:\windows\system32\biravoja.dll c:\windows\system32\higawaka.dll ujibhb.dll c:\windows\system32\bulopazo.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\bulopazo.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\bulopazo.dll
LSA: Notification Packages = scecli c:\windows\system32\higawaka.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rachelle\applic~1\mozilla\firefox\profiles\uz685f81.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.myspace.com/
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\rachelle\application data\mozilla\firefox\profiles\uz685f81.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-9 64160]
R1 PREVXTdi;PREVX TDI filter;c:\windows\system32\drivers\pxtdi.sys [2009-3-10 19200]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-10-3 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090206.007\naveng.sys [2009-2-6 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090206.007\navex15.sys [2009-2-6 876112]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-3-10 34760]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 951632]
S3 PREVXEmulator;PREVX Emulator driver;c:\windows\system32\drivers\PxEmu.sys [2009-3-10 101120]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
S4 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]

=============== Created Last 30 ================

2009-03-11 10:39 1,807,280 ---sh--- c:\windows\system32\umogevog.ini
2009-03-11 10:27 123,392 a--sh--- c:\windows\system32\ujibhb.dll
2009-03-10 21:37 1,807,280 ---sh--- c:\windows\system32\iyemahes.ini
2009-03-10 21:37 123,392 a------- c:\windows\system32\KKBBFP.DLL.del
2009-03-10 18:02 123 a------- c:\windows\rootkitno.ini
2009-03-10 15:36 <DIR> --d----- C:\RootkitNO
2009-03-10 15:05 2 a--shrot c:\windows\winstart.bat
2009-03-10 15:05 34,760 a------- c:\windows\system32\drivers\Partizan.sys
2009-03-10 15:05 32,480 a------- c:\windows\system32\Partizan.exe
2009-03-10 15:05 12,752 a------- c:\windows\system32\drivers\UnHackMeDrv.sys
2009-03-10 15:05 <DIR> --d----- c:\program files\UnHackMe
2009-03-10 14:55 <DIR> --d----- c:\docume~1\rachelle\applic~1\Prevx
2009-03-10 14:54 <DIR> --d----- c:\program files\Prevx1
2009-03-10 14:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Prevx
2009-03-10 14:53 77,312 a------- c:\windows\ua2.dll
2009-03-10 09:38 1,807,302 ---sh--- c:\windows\system32\amumewod.ini
2009-03-10 09:37 123,392 a------- c:\windows\system32\UDJNUW.DLL.del
2009-03-09 22:46 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-09 22:01 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-03-09 21:59 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-09 21:58 <DIR> --d----- c:\program files\Lavasoft
2009-03-09 21:49 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-09 21:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-09 21:36 123,392 a--sh--- c:\windows\system32\wznbku.dll
2009-03-09 06:15 123,392 a--sh--- c:\windows\system32\yszqrt.dll
2009-03-08 18:14 121 ---sh--- c:\windows\system32\atogijib.ini
2009-03-08 18:14 123,392 a--sh--- c:\windows\system32\btxdyj.dll
2009-03-07 18:07 123,392 a--sh--- c:\windows\system32\hrdthq.dll
2009-02-12 19:00 <DIR> --d----- c:\documents and settings\rachelle\Updates
2009-02-12 18:11 1,438 a----r-- c:\windows\system32\dlcc.loc
2009-02-12 18:10 <DIR> --d----- c:\program files\Dell Photo AIO Printer 924
2009-02-11 21:53 <DIR> --d----- c:\windows\pss
2009-02-11 21:35 <DIR> --d----- c:\program files\Trend Micro

==================== Find3M ====================

2009-03-11 10:27 80,896 a--sh--- c:\windows\system32\govegomu.dll
2009-03-11 10:27 86,016 a--sh--- c:\windows\system32\bulopazo.dll
2009-03-11 10:27 123,392 a--sh--- c:\windows\system32\mejiyuwo.dll
2009-03-10 21:37 123,392 a--sh--- c:\windows\system32\dobohero.dll
2009-03-10 09:37 123,392 a--sh--- c:\windows\system32\kiramega.dll
2009-03-09 06:15 81,408 a--sh--- c:\windows\system32\puzokaya.dll
2009-03-09 06:14 123,392 a--sh--- c:\windows\system32\raromozo.dll
2009-03-09 06:14 86,016 a--sh--- c:\windows\system32\lesetate.dll
2009-03-08 18:14 123,392 a--sh--- c:\windows\system32\jifojuse.dll
2009-03-08 18:14 86,016 a--sh--- c:\windows\system32\norupeze.dll
2009-03-08 18:14 80,896 a--sh--- c:\windows\system32\bijigota.dll
2009-03-07 18:07 123,392 a--sh--- c:\windows\system32\minasuvo.dll
2009-03-07 18:07 86,016 a--sh--- c:\windows\system32\gazeyuha.dll
2009-02-03 13:10 348,160 a------- c:\windows\system32\msvcr71.dll
2008-12-12 10:27 3,067,392 -------- c:\windows\system32\dllcache\mshtml.dll
2006-09-17 14:37 43,432 a------- c:\docume~1\rachelle\applic~1\GDIPFONTCACHEV1.DAT
2006-08-29 13:50 88 ---shr-- c:\windows\system32\941EA98A51.sys
0000-00-00 00:00 49,152 a--sh--- c:\windows\system32\higawaka.dll
2006-08-29 16:39 3,766 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 10:46:52.12 ===============


My attach.txt from DDS and ark.txt from GMER are attached. Any help would be very appreciated.
Attached Files
File Type: zip attach.zip (6.6 KB, 2 views)
Ironroger is offline  
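The DDS log above carries the classic signs of a user-mode DLL infection: random eight-letter DLLs in system32 with the system+hidden attributes, Run values that hand those DLLs to rundll32 with a one-letter export, an AppInit_DLLs list, and a non-default LSA notification package. The following Python is an added triage example written for this page; it is not part of DDS, ComboFix or any tool named in the thread. It parses the two line shapes DDS emits (pseudo-HJT entries and file listings) and applies those four heuristics. The sample lines are constructed from the shape of the log above; the heuristic names are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines modelled on the DDS log in this thread.
SAMPLE_LOG = r"""mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [logopegeba] Rundll32.exe "c:\windows\system32\valalafo.dll",s
mRun: [d4a7fd90] rundll32.exe "c:\windows\system32\govegomu.dll",b
AppInit_DLLs: c:\windows\system32\biravoja.dll c:\windows\system32\higawaka.dll ujibhb.dll c:\windows\system32\bulopazo.dll
LSA: Notification Packages = scecli c:\windows\system32\higawaka.dll
2009-03-11 10:27 123,392 a--sh--- c:\windows\system32\ujibhb.dll
2009-03-11 10:27 86,016 a--sh--- c:\windows\system32\bulopazo.dll
2009-03-10 15:05 34,760 a------- c:\windows\system32\drivers\Partizan.sys
2009-02-03 13:10 348,160 a------- c:\windows\system32\msvcr71.dll
2006-08-29 16:39 3,766 a--sh--- c:\windows\system32\KGyGaAvL.sys
"""


@dataclass(frozen=True)
class Finding:
    rule: str   # which heuristic fired (names are this example's own)
    path: str   # file or entry the heuristic points at
    note: str   # why it was flagged


# uRun/mRun line that hands a DLL to rundll32 with a one- or two-letter export.
RUNDLL_RE = re.compile(
    r'^[um]Run:\s+\[(?P<name>[^\]]+)\]\s+rundll32\.exe\s+"(?P<dll>[^"]+)",(?P<export>\w{1,2})\s*$',
    re.IGNORECASE,
)
# DDS file listing: date time size flags path; size may be <DIR>, flags are 8 chars.
FILE_RE = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+(?P<size><DIR>|[\d,]+)\s+'
    r'(?P<flags>\S{8})\s+(?P<path>.+?)\s*$'
)
SYSTEM32 = re.compile(r'^c:\\windows\\system32\\', re.IGNORECASE)


def parse_file_entry(line):
    """Split one DDS file line into its fields; 's' sits at flag index 3, 'h' at index 4."""
    m = FILE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["system"] = entry["flags"][3] == "s"
    entry["hidden"] = entry["flags"][4] == "h"
    return entry


def scan_line(line):
    findings = []
    m = RUNDLL_RE.match(line)
    if m and SYSTEM32.match(m.group("dll")):
        findings.append(Finding("rundll32-run", m.group("dll"),
                                f"Run value '{m.group('name')}' loads a system32 DLL via "
                                f"rundll32 export '{m.group('export')}'"))
    if line.startswith("AppInit_DLLs:"):
        # Split only on the first colon: the DLL paths themselves contain 'c:'.
        for dll in line.split(":", 1)[1].split():
            findings.append(Finding("appinit-dll", dll,
                                    "loaded into every process that maps user32.dll"))
    if line.startswith("LSA: Notification Packages"):
        for pkg in line.split("=", 1)[1].split():
            if pkg.lower() != "scecli":   # scecli is the Windows default
                findings.append(Finding("lsa-notification-package", pkg,
                                        "non-default package loaded by lsass.exe"))
    entry = parse_file_entry(line)
    # Scoped to .dll on purpose: benign licensing files (e.g. the 2006 .sys above)
    # also carry system+hidden, so the attribute alone is not enough.
    if (entry and entry["system"] and entry["hidden"]
            and entry["path"].lower().endswith(".dll") and SYSTEM32.match(entry["path"])):
        findings.append(Finding("hidden-system-dll", entry["path"],
                                f"system+hidden DLL in system32, created {entry['date']}"))
    return findings


def scan_text(text):
    out = []
    for line in text.splitlines():
        out.extend(scan_line(line.strip()))
    return out


def summarize(findings):
    """Count findings per heuristic."""
    return Counter(f.rule for f in findings)


if __name__ == "__main__":
    results = scan_text(SAMPLE_LOG)
    for f in results:
        print(f"[{f.rule}] {f.path}: {f.note}")
    print(dict(summarize(results)))
```

Running it on the constructed sample yields nine findings: two rundll32 Run values, four AppInit DLLs, one LSA package and two hidden DLLs; the legitimately system+hidden `.sys` file and the UnHackMe driver are not flagged. The heuristics are deliberately narrow, so the output is a shortlist for a human to check against the rest of the log, not a verdict.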

Old 03-12-2009, 12:19 PM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,580
OS: 2000 Pro; XP Pro; XP Home


Re: IEXPLORE.EXE starting randomly, causing pop-ups and slowing computer

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 03-12-2009, 04:05 PM   #3 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 7
OS: xp


Re: IEXPLORE.EXE starting randomly, causing pop-ups and slowing computer

I ran combofix, and so far I haven't had any more pop-up issues. I've attached combofix.txt

ComboFix 09-03-10.03 - Rachelle 2009-03-12 14:46:00.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.556 [GMT -7:00]
Running from: c:\documents and settings\Rachelle\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Rachelle\LOCALS~1\Temp\tmp1.tmp
c:\docume~1\Rachelle\LOCALS~1\Temp\tmp2.tmp
c:\windows\system32\alqhcz.dll
c:\windows\system32\amumewod.ini
c:\windows\system32\atogijib.ini
c:\windows\system32\bijigota.dll
c:\windows\system32\btxdyj.dll
c:\windows\system32\bulopazo.dll
c:\windows\system32\dajufiwe.dll
c:\windows\system32\dobohero.dll
c:\windows\system32\ehejogep.ini
c:\windows\system32\gazeyuha.dll
c:\windows\system32\govegomu.dll
c:\windows\system32\higawaka.dll
c:\windows\system32\hikkyd.dll
c:\windows\system32\hrdthq.dll
c:\windows\system32\iyavefas.ini
c:\windows\system32\iyemahes.ini
c:\windows\system32\jifojuse.dll
c:\windows\system32\kiramega.dll
c:\windows\system32\kivigoru.dll
c:\windows\system32\kutirata.dll
c:\windows\system32\lesetate.dll
c:\windows\system32\mejiyuwo.dll
c:\windows\system32\minasuvo.dll
c:\windows\system32\norupeze.dll
c:\windows\system32\pegojehe.dll
c:\windows\system32\puzokaya.dll
c:\windows\system32\raromozo.dll
c:\windows\system32\safevayi.dll
c:\windows\system32\ujibhb.dll
c:\windows\system32\umogevog.ini
c:\windows\system32\wznbku.dll
c:\windows\system32\yszqrt.dll
c:\windows\system32\zusudupe.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-12 to 2009-03-12 )))))))))))))))))))))))))))))))
.

2009-03-12 14:52 . 2009-03-12 14:52 <DIR> d-------- c:\windows\LastGood
2009-03-10 21:37 . 2009-03-10 21:37 123,392 --a------ c:\windows\system32\KKBBFP.DLL.del
2009-03-10 18:02 . 2009-03-10 18:02 123 --a------ c:\windows\rootkitno.ini
2009-03-10 15:36 . 2009-03-11 00:56 <DIR> d-------- C:\RootkitNO
2009-03-10 15:05 . 2009-03-10 15:06 <DIR> d-------- c:\program files\UnHackMe
2009-03-10 15:05 . 2009-03-10 15:05 34,760 --a------ c:\windows\system32\drivers\Partizan.sys
2009-03-10 15:05 . 2009-03-10 15:05 32,480 --a------ c:\windows\system32\Partizan.exe
2009-03-10 15:05 . 2008-12-22 15:56 12,752 --a------ c:\windows\system32\drivers\UnHackMeDrv.sys
2009-03-10 15:05 . 2009-03-10 15:05 (2) -rahs-ot- c:\windows\winstart.bat
2009-03-10 14:55 . 2009-03-10 14:55 <DIR> d-------- c:\documents and settings\Rachelle\Application Data\Prevx
2009-03-10 14:54 . 2009-03-10 15:12 <DIR> d-------- c:\program files\Prevx1
2009-03-10 14:54 . 2009-03-11 01:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Prevx
2009-03-10 14:53 . 2009-03-10 14:53 77,312 --a------ c:\windows\ua2.dll
2009-03-10 09:37 . 2009-03-10 09:37 123,392 --a------ c:\windows\system32\UDJNUW.DLL.del
2009-03-09 22:46 . 2009-03-09 22:00 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-03-09 22:01 . 2009-03-09 22:00 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-03-09 21:59 . 2009-03-09 21:59 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-09 21:58 . 2009-03-09 21:58 <DIR> d-------- c:\program files\Lavasoft
2009-03-09 21:58 . 2009-03-09 22:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-09 21:49 . 2009-03-09 21:49 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-09 21:49 . 2009-03-09 22:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-01 21:21 . 2009-03-01 21:22 <DIR> d-------- c:\program files\QuickTime
2009-03-01 21:20 . 2009-03-01 21:20 <DIR> d-------- c:\program files\Apple Software Update
2009-03-01 21:20 . 2009-03-01 21:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-02-12 19:00 . 2009-02-12 19:00 <DIR> d-------- c:\documents and settings\Rachelle\Updates
2009-02-12 18:11 . 2005-12-09 13:31 1,438 -ra------ c:\windows\system32\dlcc.loc
2009-02-12 18:10 . 2009-02-12 18:22 <DIR> d-------- c:\program files\Dell Photo AIO Printer 924

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-12 05:46 --------- d-----w c:\program files\Dl_cats
2009-03-12 00:54 --------- d-----w c:\program files\World of Warcraft
2009-03-03 23:53 --------- d-----w c:\documents and settings\Rachelle\Application Data\AdobeUM
2009-02-20 00:03 --------- d-----w c:\documents and settings\Rachelle\Application Data\Move Networks
2009-02-13 01:56 --------- d-----w c:\documents and settings\All Users\Application Data\GTek
2009-02-13 01:55 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-02-13 01:54 --------- d-----w c:\program files\Dell
2009-02-13 01:49 --------- d-----w c:\program files\MUSICMATCH
2009-02-13 01:47 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-13 01:43 --------- d-----w c:\program files\Jasc Software Inc
2009-02-13 01:43 --------- d-----w c:\documents and settings\Rachelle\Application Data\Jasc Software Inc
2009-02-13 01:34 --------- d-----w c:\program files\EphPod
2009-02-13 01:27 --------- d-----w c:\program files\Common Files\AOL
2009-02-13 01:27 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-02-12 04:37 --------- d-----w c:\program files\Google
2009-02-12 04:37 --------- d-----w c:\program files\BAE
2009-02-12 04:35 --------- d-----w c:\program files\Trend Micro
2009-02-10 18:06 --------- d-----w c:\program files\Symantec AntiVirus
2009-02-03 20:11 --------- d-----w c:\program files\Common Files\xing shared
2009-02-03 20:10 --------- d-----w c:\program files\Common Files\Real
2009-01-28 04:33 --------- d-----w c:\documents and settings\Rachelle\Application Data\XnView
2006-09-17 21:37 43,432 ----a-w c:\documents and settings\Rachelle\Application Data\GDIPFONTCACHEV1.DAT
2006-08-29 20:50 88 --sh--r c:\windows\system32\941EA98A51.sys
2006-08-29 23:39 3,766 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnHackMe Monitor"="c:\program files\UnHackMe\hackmon.exe" [2008-12-22 231648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-09-14 73728]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan\0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]
--a------ 2008-08-13 18:32 206064 c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Dell Support Center\\bin\\sprtsvc.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\SPBBC\\SPBBCSvc.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Symantec AntiVirus\\DefWatch.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\WLKEEPER.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-09 64160]
R1 PREVXTdi;PREVX TDI filter;c:\windows\system32\drivers\pxtdi.sys [2009-03-10 19200]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-10-03 99376]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-03-10 34760]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951632]
S3 PREVXEmulator;PREVX Emulator driver;c:\windows\system32\drivers\PxEmu.sys [2009-03-10 101120]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-09-27 116464]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{96f9ccf8-ba2b-11db-82d1-00038a000015}]
\Shell\AutoRun\command - E:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 22:00]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0cccfe38-5309-4b41-bf86-45ab779a69d2} - c:\windows\system32\alqhcz.dll
BHO-{40166b78-65cc-4dba-9413-d7d81bdf91c6} - c:\windows\system32\yawikofe.dll
HKLM-Run-logopegeba - c:\windows\system32\valalafo.dll


.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Rachelle\Application Data\Mozilla\Firefox\Profiles\uz685f81.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.myspace.com/
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\Rachelle\Application Data\Mozilla\Firefox\Profiles\uz685f81.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-12 15:00:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
.
**************************************************************************
.
Completion time: 2009-03-12 15:03:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-12 22:03:08

Pre-Run: 59,188,166,656 bytes free
Post-Run: 60,055,117,824 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

215 --- E O F --- 2009-02-25 19:50:50
Attached Files
File Type: txt ComboFix.txt (12.9 KB, 1 views)
Ironroger is offline  
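The "Reg Loading Points" section of the ComboFix log above is a REGEDIT4-style dump, which makes it easy to audit mechanically. The following Python is an added example written for this page (not ComboFix's own code and not posted in the thread): it parses that block into keys and values and flags three things a reviewer looks at first: Security Center notifications switched off, an AV product's Security Center monitoring switched off, and an AutoRun command attached to a drive under mountpoints2. The sample block is constructed from entries in the log above; the rule names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the "Reg Loading Points" section of the ComboFix log above.
REG_SAMPLE = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnHackMe Monitor"="c:\program files\UnHackMe\hackmon.exe" [2008-12-22 231648]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{96f9ccf8-ba2b-11db-82d1-00038a000015}]
\Shell\AutoRun\command - E:\setupSNK.exe
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
# ComboFix prints mountpoint handlers as a bare "\Shell\AutoRun\command - <cmd>" line.
AUTORUN_RE = re.compile(r'^\\Shell\\AutoRun\\command\s+-\s+(?P<cmd>.+)$', re.IGNORECASE)
AUTORUN_NAME = "AutoRun\\command"


def parse_reg_block(text):
    """Return {key: [(name, data), ...]} preserving the order keys appear in the dump."""
    entries = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            entries.setdefault(key, [])
            continue
        if key is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            entries[key].append((m.group("name"), m.group("data")))
            continue
        m = AUTORUN_RE.match(line)
        if m:
            entries[key].append((AUTORUN_NAME, m.group("cmd")))
    return entries


def dword(data):
    """Decode 'dword:XXXXXXXX'; None for string or binary data."""
    m = re.match(r'dword:([0-9a-fA-F]{8})$', data.strip())
    return int(m.group(1), 16) if m else None


@dataclass(frozen=True)
class RegFinding:
    rule: str
    key: str
    name: str
    data: str


# XP SP2 Security Center values that silence its warnings when set to 1.
NOTIFY_VALUES = {"updatesdisablenotify", "antivirusdisablenotify", "firewalldisablenotify"}


def audit(entries):
    findings = []
    for key, values in entries.items():
        k = key.lower()
        for name, data in values:
            if "\\security center" in k and name.lower() in NOTIFY_VALUES and dword(data) == 1:
                findings.append(RegFinding("security-center-notify-off", key, name, data))
            # Caveat: AV suites frequently set DisableMonitoring on their own subkey when
            # they report status to Security Center themselves, so corroborate with the
            # installed product before treating this as tampering.
            if "\\security center\\monitoring" in k and name.lower() == "disablemonitoring" \
                    and dword(data) == 1:
                findings.append(RegFinding("security-center-monitoring-off", key, name, data))
            if "\\mountpoints2" in k and name == AUTORUN_NAME:
                findings.append(RegFinding("mountpoint-autorun", key, name, data))
    return findings


if __name__ == "__main__":
    for f in audit(parse_reg_block(REG_SAMPLE)):
        print(f"[{f.rule}] {f.key}\n    {f.name} = {f.data}")
```

On the constructed sample the audit returns three findings in dump order: the Security Center update-notification switch, the Symantec monitoring switch, and the AutoRun command for the removable drive. The Run value is parsed but not flagged, since a plain executable path under Run is only interesting in combination with the file-level evidence from the DDS log.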
Old 03-12-2009, 04:57 PM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,580
OS: 2000 Pro; XP Pro; XP Home


Re: IEXPLORE.EXE starting randomly, causing pop-ups and slowing computer

Good work...next steps....

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 12. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Perform an online scan with Panda ActiveScan
  • Click on Scan Your PC Now
  • A "pop up" window will appear, or a new tab will open.
  • Click on Register
  • Choose the option you like most, but we recommend the Free Registration.
  • Click on Register
  • Enter your e-mail address, and create a password.
  • Select "I do not want to receive any type of information". (unless you want to receive such information)
  • Click on Send
  • Confirm registration, and continue by entering your user name and password, then click on Enter
  • Select Full Scan, then Click on Scan Now
  • Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  • If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
  • Please ignore the offer to buy the program. Click on Export To
  • Export the log and save it to your desktop.
  • Please attach the contents of that log to your reply.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 03-12-2009, 08:41 PM   #5 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 7
OS: xp


Re: IEXPLORE.EXE starting randomly, causing pop-ups and slowing computer

I used the Activescan thing, and it said I had 14 infections I could only fix with the paid version and 1 for the free version. I only disinfected the one free one, and I've attached the log.
Attached Files
File Type: txt ActiveScan.txt (6.6 KB, 1 views)
Ironroger is offline  
Old 03-12-2009, 08:48 PM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,580
OS: 2000 Pro; XP Pro; XP Home


Re: IEXPLORE.EXE starting randomly, causing pop-ups and slowing computer

Most of the items found by Panda are cookies. They get installed on your computer every time you visit any webpage. Now, some cookies are good cookies that get installed for ease of use for the next time you visit the same page, but some cookies are spyware used for tracking users' surfing habits.

Most of those cookies are third party cookies that can be blocked:

In Firefox go to Tools > Options > Privacy > Cookies

Click Exceptions, identify the site you want to block, and click on Block.

In IE go to Tools > Internet Options > Privacy and click on Advanced in the Privacy tab

Now put a check next to "Override automatic cookie handling"

Set first party cookies to Accept and third party cookies to Block

Also put a check to "Always allow session cookies" OK your way out.

This won't prevent all bad cookies from being installed, but will reduce the amount.

Also there is another program you can use.

Spywareblaster Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restricts the actions of potentially unwanted sites in Internet Explorer.

You can read more about cookies at the Cookie Concept

You can tidy up with this tool:

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

---------------------------------------------------------------------------------------------

The other items found are in System Restore points, and will be addressed by uninstalling ComboFix as instructed below.

If there are no other issues....

Your logs appear clean. You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u



This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.
  • Winpatrol

    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

  • Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP/Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting, and this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles.
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
tetonbob is offline  
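As an added illustration of how the HOSTS-file approach in the post above works (example code written for this thread, not the MVPS project's own list or its mvps.bat): it parses hosts-file text the way the resolver reads it, shows that a blackholed name ends up at 127.0.0.1 or 0.0.0.0 while an unlisted name falls through to DNS, flags any entry that points somewhere other than the local machine (a pure blocking list should contain none), and emulates the rename-to-HOSTS.MVP-then-copy step inside a throwaway directory. The host names and the 203.0.113.5 address are constructed sample values, not entries from the real file.

```python
import ipaddress
import os
import shutil
import tempfile

# Constructed sample in the style of a blocking HOSTS file. It is NOT the real
# MVPS list: the names are made up and 203.0.113.5 is a documentation address.
SAMPLE_HOSTS = """\
# blocking list (constructed sample)
127.0.0.1       localhost
127.0.0.1       ads.example          # ad server: the lookup ends at this machine
127.0.0.1       tracker.example
0.0.0.0         banners.example      # some lists use 0.0.0.0 instead of loopback
203.0.113.5     update.example       # NOT a blackhole entry: sends traffic elsewhere
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping blank lines, comments and junk."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                            # first field is not an address
        for name in parts[1:]:                  # one line may list several names
            entries.append((parts[0], name.lower()))
    return entries


def is_blackhole(ip):
    """True for the addresses a blocking list should use: loopback or 0.0.0.0."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def resolve(hostname, entries):
    """Mimic the resolver: first matching HOSTS entry wins; None means ask DNS."""
    hostname = hostname.lower()
    for ip, name in entries:
        if name == hostname:
            return ip
    return None


def audit(entries):
    """Split the file into blackholed names and entries pointing anywhere else.
    The second group is what an administrator should review by hand."""
    blocked = sorted({name for ip, name in entries
                      if is_blackhole(ip) and name != "localhost"})
    elsewhere = [(ip, name) for ip, name in entries if not is_blackhole(ip)]
    return blocked, elsewhere


def install_hosts(new_hosts_path, hosts_path, backup_suffix=".MVP"):
    """What the post says mvps.bat does: rename the existing HOSTS file to
    HOSTS.MVP, then copy the new file into its place. Returns the backup path."""
    backup = None
    if os.path.exists(hosts_path):
        backup = hosts_path + backup_suffix
        os.replace(hosts_path, backup)
    shutil.copyfile(new_hosts_path, hosts_path)
    return backup


def demo_install():
    """Run install_hosts() in a temp directory (never the real
    %SystemRoot%\\System32\\drivers\\etc) and report whether the new file is in
    place and the old one survived as the .MVP backup."""
    with tempfile.TemporaryDirectory() as tmp:
        hosts = os.path.join(tmp, "hosts")
        new_file = os.path.join(tmp, "HOSTS_new")
        with open(hosts, "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(new_file, "w") as f:
            f.write(SAMPLE_HOSTS)
        backup = install_hosts(new_file, hosts)
        with open(hosts) as f:
            installed = f.read()
        with open(backup) as f:
            preserved = f.read()
    return installed == SAMPLE_HOSTS, preserved == "127.0.0.1 localhost\n"


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    for host in ("ads.example", "www.example"):
        print(host, "->", resolve(host, entries) or "(not in HOSTS, DNS is asked)")
    blocked, elsewhere = audit(entries)
    print("blackholed:", blocked)
    print("review these:", elsewhere)
    print("install demo:", demo_install())
```

The audit step is the part worth keeping around after the install: because Windows consults HOSTS before DNS, any entry that maps a name to an address other than loopback or 0.0.0.0 silently changes where that name goes, so a file that is supposed to be a pure blocking list should come back with an empty second list.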
Old 03-18-2009, 08:53 AM   #7 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,580
OS: 2000 Pro; XP Pro; XP Home


Re: IEXPLORE.EXE starting randomly, causing pop-ups and slowing computer

Since this issue appears to be resolved, this topic will now be archived. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help
tetonbob is offline  