Infected with Trojans, Pop ups, and Viruses

[woody5]

Thanks for helping.

A while back Antivirus 2008 tried to install but I semi-stopped it mid process. Currently, there are a few random pop-ups, and the spy bot program is constantly popping up asking me if I want to deny or allow changes made to my system. Sometimes it does not even give me the option to deny.

I continually have run malware and spybot but everytime the programs reinstall themselves or avoid detection.

I have attached two files, just tell me what else i need to do.



DDS (Ver_09-02-01.01) - NTFSx86
Run by HP_Administrator at 19:47:38.27 on Fri 03/13/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1280 [GMT -5:00]

FW: Norton Internet Worm Protection *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.netflix.com/MemberHome
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {1906908c-f869-4af0-ab50-a5ac68a13efa} - c:\windows\system32\yoyikofu.dll
BHO: {4D34AC66-2F23-4D7D-8571-F9C8A8506412} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: {7d5706d2-843b-42cb-803e-cff7a9d23989} - No File
BHO: {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - No File
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: {03ca55ff-1fc4-9d88-9b74-832d38e9150f}: {f0519e83-d238-47b9-88d9-4cf1ff55ac30} - c:\windows\system32\qcmypl.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [hefiyivego] Rundll32.exe "c:\windows\system32\rifoseyo.dll",s
mRun: [c47ddc06] rundll32.exe "c:\windows\system32\tuhezolo.dll",b
mRun: [CPMc74eef9a] Rundll32.exe "c:\windows\system32\ruginefo.dll",a
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: trymedia.com
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162605016015
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163077941421
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: xkydsi.dll hjmsff.dll dgkpah.dll hyzbzf.dll qstjlt.dll vcakbd.dll c:\windows\system32\fuwonelu.dll hgqdfq.dll jybzcj.dll c:\windows\system32\mihobibi.dll npogto.dll ovgswk.dll ircdtp.dll rrfmel.dll epzknw.dll qcmypl.dll c:\windows\system32\ruginefo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\ruginefo.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\ruginefo.dll
LSA: Notification Packages = scecli c:\windows\system32\fuwonelu.dll

============= SERVICES / DRIVERS ===============

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-9-1 1251720]
S3 W8100PCI;D-Link AirPlus G Wireless Driver;c:\windows\system32\drivers\MRV8K51.sys [2008-6-1 297984]

=============== Created Last 30 ================

2009-03-13 16:09 1,912,193 ---sh--- c:\windows\system32\olozehut.ini
2009-03-13 16:09 122,880 a--sh--- c:\windows\system32\qcmypl.dll
2009-03-13 04:09 122,880 a--sh--- c:\windows\system32\epzknw.dll
2009-03-13 04:09 1,807,293 ---sh--- c:\windows\system32\ulajatiz.ini
2009-03-12 22:01 87,608 a------- c:\docume~1\hp_adm~1\applic~1\inst.exe
2009-03-12 22:01 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-03-12 22:01 47,360 a------- c:\docume~1\hp_adm~1\applic~1\pcouffin.sys
2009-03-12 22:00 <DIR> --d----- c:\program files\DVDFab 5
2009-03-12 16:09 1,807,280 ---sh--- c:\windows\system32\eyuvesez.ini
2009-03-12 16:09 122,880 a--sh--- c:\windows\system32\cqwfpk.dll
2009-03-12 04:09 123,392 a--sh--- c:\windows\system32\mhtaos.dll
2009-03-12 04:08 1,807,293 ---sh--- c:\windows\system32\omihimay.ini
2009-03-11 16:08 1,807,293 ---sh--- c:\windows\system32\ekimibes.ini
2009-03-11 16:08 123,392 a--sh--- c:\windows\system32\lghqii.dll
2009-03-11 04:08 123,392 a--sh--- c:\windows\system32\lgzinh.dll
2009-03-11 04:08 1,807,293 ---sh--- c:\windows\system32\ipatomam.ini
2009-03-10 16:08 1,807,289 ---sh--- c:\windows\system32\uferesay.ini
2009-03-10 16:08 123,392 a--sh--- c:\windows\system32\rrfmel.dll
2009-03-10 04:07 123,392 a--sh--- c:\windows\system32\ircdtp.dll
2009-03-09 11:03 123,392 a--sh--- c:\windows\system32\ovgswk.dll
2009-03-09 11:03 2,713 ---sh--- c:\windows\system32\neyuvena.dll
2009-03-08 23:01 123,392 a--sh--- c:\windows\system32\npogto.dll
2009-03-07 23:01 123,392 a--sh--- c:\windows\system32\jybzcj.dll

==================== Find3M ====================

2009-03-13 16:09 81,408 a--sh--- c:\windows\system32\tuhezolo.dll
2009-03-13 16:09 122,880 a--sh--- c:\windows\system32\kofipulo.dll
2009-03-13 16:09 86,016 a--sh--- c:\windows\system32\ruginefo.dll
2009-03-13 04:09 86,016 a--sh--- c:\windows\system32\ziwediya.dll
2009-03-13 04:09 122,880 a--sh--- c:\windows\system32\hefihiru.dll
2009-03-13 04:09 80,896 -------- c:\windows\system32\zitajalu.dll
2009-03-12 16:09 86,016 a--sh--- c:\windows\system32\vejidoza.dll
2009-03-12 16:09 122,880 a--sh--- c:\windows\system32\vehefutu.dll
2009-03-12 16:09 80,896 -------- c:\windows\system32\zesevuye.dll
2009-03-12 04:09 123,392 a--sh--- c:\windows\system32\detovina.dll
2009-03-12 04:08 86,016 a--sh--- c:\windows\system32\vobovuna.dll
2009-03-11 16:08 80,896 -------- c:\windows\system32\sebimike.dll
2009-03-11 16:08 123,392 a--sh--- c:\windows\system32\vibohaji.dll
2009-03-11 16:08 86,016 a--sh--- c:\windows\system32\zeladugu.dll
2009-03-11 04:08 86,016 a--sh--- c:\windows\system32\pulagawi.dll
2009-03-11 04:08 123,392 a--sh--- c:\windows\system32\tuburavi.dll
2009-03-11 04:08 80,896 -------- c:\windows\system32\mamotapi.dll
2009-03-10 16:08 80,896 -------- c:\windows\system32\yaserefu.dll
2009-03-10 16:08 123,392 a--sh--- c:\windows\system32\tegawula.dll
2009-03-10 16:08 86,016 a--sh--- c:\windows\system32\zuyukibe.dll
2009-03-10 04:07 123,392 a--sh--- c:\windows\system32\wonupago.dll
2009-03-09 11:03 123,392 a--sh--- c:\windows\system32\huginoke.dll
2009-03-08 23:01 123,392 a--sh--- c:\windows\system32\pedisasa.dll
2009-03-07 23:01 86,016 a--sh--- c:\windows\system32\hiyokovu.dll
2009-03-07 23:01 123,392 a--sh--- c:\windows\system32\tarovepe.dll
2009-02-11 11:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 11:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-08-05 09:11 54,168 a------- c:\docume~1\hp_adm~1\applic~1\GDIPFONTCACHEV1.DAT
2006-11-25 16:57 22 ac-sh--- c:\windows\sminst\HPCD.sys
0000-00-00 00:00 49,152 a--sh--- c:\windows\system32\fuwonelu.dll

============= FINISH: 19:48:33.15 ===============

[tetonbob]

Hello, and Welcome to TSF.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

1. Download ComboFix from one of these locations:
   
   Link 1
   Link 2
   Link 3
   
   * IMPORTANT !!! Place combofix.exe on your Desktop
   
2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
   
3. Double click on combofix.exe & follow the prompts.
   
4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
   
   Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
   
   
   
   
   
   The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
   
   With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
   
   Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
   
   ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
   
   Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
   
   The Recovery Console was successfully installed.
   
   
   
   Click on Yes, to continue scanning for malware.
   
5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
   
6. When finished, it shall produce a log for you. Post that log in your next reply
   
   Note:
   Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
   
   ---------------------------------------------------------------------------------------------
   
7. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.
   
   ---------------------------------------------------------------------------------------------

[woody5]

I ran combofix. Whenever the computer restarted a pop up showed that it could not load c:/WINDOWS .....dll file. I could not write it down fast enough so it doesn't help much.

Spybot asked me to confirm deleting some system changes which i allowed. The log is attached below.


ComboFix 09-03-13.02 - HP_Administrator 2009-03-14 9:19:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1412 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\HP_Administrator\Application Data\inst.exe
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\cqwfpk.dll
c:\windows\system32\detovina.dll
c:\windows\system32\dubolaho.dll
c:\windows\system32\eaahpj.dll
c:\windows\system32\ekimibes.ini
c:\windows\system32\ekuwolit.ini
c:\windows\system32\epzknw.dll
c:\windows\system32\eyuvesez.ini
c:\windows\system32\fiyefeje.dll
c:\windows\system32\fuwonelu.dll
c:\windows\system32\hefihiru.dll
c:\windows\system32\hiyokovu.dll
c:\windows\system32\huginoke.dll
c:\windows\system32\ipatomam.ini
c:\windows\system32\ircdtp.dll
c:\windows\system32\jybzcj.dll
c:\windows\system32\kofipulo.dll
c:\windows\system32\lghqii.dll
c:\windows\system32\lgzinh.dll
c:\windows\system32\mamotapi.dll
c:\windows\system32\mhtaos.dll
c:\windows\system32\npogto.dll
c:\windows\system32\olozehut.ini
c:\windows\system32\omihimay.ini
c:\windows\system32\ovgswk.dll
c:\windows\system32\pedisasa.dll
c:\windows\system32\pulagawi.dll
c:\windows\system32\qcmypl.dll
c:\windows\system32\rrfmel.dll
c:\windows\system32\ruginefo.dll
c:\windows\system32\sebimike.dll
c:\windows\system32\tarovepe.dll
c:\windows\system32\tegawula.dll
c:\windows\system32\tilowuke.dll
c:\windows\system32\tuburavi.dll
c:\windows\system32\tuhezolo.dll
c:\windows\system32\uferesay.ini
c:\windows\system32\ulajatiz.ini
c:\windows\system32\vehefutu.dll
c:\windows\system32\vejidoza.dll
c:\windows\system32\vibohaji.dll
c:\windows\system32\vobovuna.dll
c:\windows\system32\wonupago.dll
c:\windows\system32\x64
c:\windows\system32\yaserefu.dll
c:\windows\system32\zeladugu.dll
c:\windows\system32\zesevuye.dll
c:\windows\system32\zitajalu.dll
c:\windows\system32\ziwediya.dll
c:\windows\system32\zuyukibe.dll
c:\windows\wiaserviv.log
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://82.98.235.205
.
((((((((((((((((((((((((( Files Created from 2009-02-14 to 2009-03-14 )))))))))))))))))))))))))))))))
.

2009-03-12 22:01 . 2009-03-12 22:01 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Vso
2009-03-12 22:01 . 2009-03-12 22:01 47,360 --a------ c:\windows\system32\drivers\pcouffin.sys
2009-03-12 22:01 . 2009-03-12 22:01 47,360 --a------ c:\documents and settings\HP_Administrator\Application Data\pcouffin.sys
2009-03-12 22:00 . 2009-03-12 22:00 <DIR> d-------- c:\program files\DVDFab 5
2009-03-09 11:03 . 2009-03-09 11:03 2,713 ---hs---- c:\windows\system32\neyuvena.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-13 18:49 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Move Networks
2009-03-08 16:28 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-08 16:28 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-07 23:51 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-11 16:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 16:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-08-05 14:11 54,168 ----a-w c:\documents and settings\HP_Administrator\Application Data\GDIPFONTCACHEV1.DAT
2006-11-25 21:57 22 -csha-w c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-06-23 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-06-23 81920]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-05-23 98304]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"ftutil2"="ftutil2.dll" [2004-06-07 c:\windows\system32\ftutil2.dll]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 c:\windows\RTHDCPL.EXE]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-09-01 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-09-01 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-09-01 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

S3 W8100PCI;D-Link AirPlus G Wireless Driver;c:\windows\system32\drivers\MRV8K51.sys [2008-06-01 297984]
.
- - - - ORPHANS REMOVED - - - -

BHO-{1906908c-f869-4af0-ab50-a5ac68a13efa} - c:\windows\system32\yoyikofu.dll
BHO-{4D34AC66-2F23-4D7D-8571-F9C8A8506412} - (no file)
BHO-{5d1fe950-65fd-4ffd-91b3-19c59013ea7e} - c:\windows\system32\eaahpj.dll
BHO-{7d5706d2-843b-42cb-803e-cff7a9d23989} - (no file)
BHO-{f0519e83-d238-47b9-88d9-4cf1ff55ac30} - (no file)
HKLM-Run-PCDrProfiler - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.netflix.com/MemberHome
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: trymedia.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-14 09:22:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\ELService.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-03-14 9:25:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-14 14:25:19

Pre-Run: 69,376,921,600 bytes free
Post-Run: 70,172,098,560 bytes free

177 --- E O F --- 2009-03-07 08:01:51

[tetonbob]

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.


Using Windows Explorer, or Windows Search, locate and delete the following file:

c:\windows\system32\neyuvena.dll

---------------------------------------------------------------------------------------------

These indicate some settings have been changed

These are "Change the way Security Center Alerts Me" in Control Panel > Security Center.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

This means they are turned off. If that's your choice, that's fine, otherwise tick the boxes to turn the notifications back on.

Ensure TeaTimer allows the changes.

============================

Please go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply.

[woody5]

Got It!

Adobe Flash Player ActiveX
Adobe Reader 7.0.5
AOL Instant Messenger
AutoUpdate
BufferChm
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
cp_PosterPrintConfig
cp_UpdateProjectsConfig
CueTour
Customer Experience Enhancement
Data Fax SoftModem with SmartCP
Destinations
DeviceManagementQFolder
DISCover
DivX
DivX Web Player
DVD Shrink 3.2
DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5.2.3.2
Easy Internet Sign-up
Empire Earth II
Enhanced Multimedia Keyboard Solution
FullDPAppQFolder
GemMaster Mystic
High Definition Audio Driver Package - KB888111
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 10 (KB910393)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB893357)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB912024)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
HP Boot Optimizer
HP DigitalMedia Archive
HP DVD Play 2.1
HP Imaging Device Functions 7.0
HP Photosmart for Media Center PC
HP Photosmart Premier Software 6.5
HP Software Update
HP Web Helper
HPPhotoSmartExpress
HpSdpAppCoreApp
InstantShareDevices
Intel(R) Graphics Media Accelerator Driver
Intel(R) Matrix Storage Manager
Intel(R) PRO Network Connections Drivers
Intel(R) Quick Resume Technology Drivers
Intel® Viiv™ Software
iPod for Windows 2005-02-22
iTunes
J2SE Runtime Environment 5.0 Update 6
LightScribe 1.4.105.1
LiveUpdate 3.0 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Macromedia Flash Player 8
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Age of Empires II
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Standard for Students and Teachers
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
Move Networks Media Player for Internet Explorer
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 5.0
Netflix Movie Viewer
OptionalContentQFolder
Otto
PC-Doctor 5 for Windows
PhotoGallery
QuickTime
RandMap
RealPlayer
Realtek High Definition Audio Driver
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
SkinsHP1
SlideShow
SlideShowMusic
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sonic_PrimoSDK
Spybot - Search & Destroy
Symantec KB-DocID:2003093015493306
Unload
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update Rollup 2 for Windows XP Media Center Edition 2005
Updates from HP (remove only)
Viewpoint Media Player
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892050
Windows XP Hotfix - KB893066
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3
Yahoo! Toolbar
Yahoo! Toolbar for Internet Explorer

[tetonbob]

Hi woody5 -

What is your current AntiVirus solution? I see a few references to Norton, but it doesn't seem to be fully installed. Is Norton installed and functioning correctly?

[woody5]

I currently do not have antivirus. I was going to get a Pc antivirus tools for free from downloads. com when we were done. And try to download an outgoing firewall.

NEW PROBLEM!!!

a pop up window appeared myFTP.exe - BAD IMAGE
c:/windows/system32/mcenspc.dll is not a valid window image

Also antivirus 2009 has installed on my computer. Constant pop ups arrive now about being protected and the classic shield looking thing is in the task bar. Also i cannot visit other websites because "i need to purchase antivirus 2009 to protect me."

[tetonbob]

Please do not surf as normal until this is resolved.

Double click on ComboFix.exe to run it once again. Post the log when it's done.

Please use the instructions on this page to completely uninstall your Norton Products.

I'd recommend installing this free AntiVirus next

Install this FREE AntiVirus program, update it, and run a full system scan.

Avira AntiVir Personal

Here is a tutorial on it's setup and use:

http://www.techsupportforum.com/cont...ticles/64.html

When the scan is complete, click on the Report button. A log file will open. Please post that in your next reply.

Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

---------------------------------------------------------------------------------------------

[woody5]

The link you sent me for Avira will not work. Says the webpage cannot be found.
I unistialled Norton .. i think.


Here is the ComboFix Report:



ComboFix 09-03-13.02 - HP_Administrator 2009-03-14 18:07:58.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1638 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\syssvc.exe

.
((((((((((((((((((((((((( Files Created from 2009-02-14 to 2009-03-14 )))))))))))))))))))))))))))))))
.

2009-03-14 18:03 . 2009-03-14 18:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-12 22:01 . 2009-03-12 22:01 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Vso
2009-03-12 22:01 . 2009-03-12 22:01 47,360 --a------ c:\windows\system32\drivers\pcouffin.sys
2009-03-12 22:01 . 2009-03-12 22:01 47,360 --a------ c:\documents and settings\HP_Administrator\Application Data\pcouffin.sys
2009-03-12 22:00 . 2009-03-12 22:00 <DIR> d-------- c:\program files\DVDFab 5

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-14 23:04 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-13 18:49 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Move Networks
2009-03-08 16:28 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-08 16:28 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-07 23:51 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-11 16:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 16:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-08-05 14:11 54,168 ----a-w c:\documents and settings\HP_Administrator\Application Data\GDIPFONTCACHEV1.DAT
2006-11-25 21:57 22 -csha-w c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-03-14_ 9.24.31.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-09 21:00:00 19,456 ----a-w c:\windows\msagent\intl\agt0401.dll
+ 2004-08-09 21:00:00 19,456 ----a-w c:\windows\msagent\intl\agt040d.dll
+ 2004-08-09 21:00:00 10,752 ----a-w c:\windows\system32\c_iscii.dll
- 2004-08-10 04:00:00 19,456 -c--a-w c:\windows\system32\dllcache\agt0401.dll
+ 2004-08-09 21:00:00 19,456 ----a-w c:\windows\system32\dllcache\agt0401.dll
- 2004-08-10 04:00:00 19,456 -c--a-w c:\windows\system32\dllcache\agt040d.dll
+ 2004-08-09 21:00:00 19,456 ----a-w c:\windows\system32\dllcache\agt040d.dll
- 2004-08-10 04:00:00 10,752 -c----w c:\windows\system32\dllcache\c_iscii.dll
+ 2004-08-09 21:00:00 10,752 ----a-w c:\windows\system32\dllcache\c_iscii.dll
- 2004-08-10 04:00:00 6,144 -c----w c:\windows\system32\dllcache\ftlx041e.dll
+ 2004-08-09 21:00:00 6,144 ----a-w c:\windows\system32\dllcache\ftlx041e.dll
- 2004-08-10 11:00:00 5,632 -c----w c:\windows\system32\dllcache\kbda1.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\dllcache\kbda1.dll
- 2004-08-10 11:00:00 5,632 -c----w c:\windows\system32\dllcache\kbda2.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\dllcache\kbda2.dll
- 2004-08-10 11:00:00 5,632 -c----w c:\windows\system32\dllcache\kbda3.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\dllcache\kbda3.dll
- 2004-08-10 11:00:00 5,120 -c----w c:\windows\system32\dllcache\kbdarme.dll
+ 2004-08-09 21:00:00 5,120 ----a-w c:\windows\system32\dllcache\kbdarme.dll
- 2004-08-10 11:00:00 5,120 -c----w c:\windows\system32\dllcache\kbdarmw.dll
+ 2004-08-09 21:00:00 5,120 ----a-w c:\windows\system32\dllcache\kbdarmw.dll
- 2004-08-10 11:00:00 5,632 -c----w c:\windows\system32\dllcache\kbddiv1.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\dllcache\kbddiv1.dll
- 2004-08-10 11:00:00 5,632 -c----w c:\windows\system32\dllcache\kbddiv2.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\dllcache\kbddiv2.dll
- 2004-08-10 11:00:00 5,632 -c----w c:\windows\system32\dllcache\kbdfa.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\dllcache\kbdfa.dll
- 2004-08-10 11:00:00 5,120 -c----w c:\windows\system32\dllcache\kbdgeo.dll
+ 2004-08-09 21:00:00 5,120 ----a-w c:\windows\system32\dllcache\kbdgeo.dll
- 2004-08-10 11:00:00 5,632 -c----w c:\windows\system32\dllcache\kbdheb.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\dllcache\kbdheb.dll
- 2004-08-10 04:00:00 6,144 ----a-w c:\windows\system32\dllcache\kbdinbe1.dll
+ 2004-08-09 21:00:00 6,144 ----a-w c:\windows\system32\dllcache\kbdinbe1.dll
- 2004-08-10 04:00:00 6,656 ----a-w c:\windows\system32\dllcache\kbdinben.dll
+ 2004-08-09 21:00:00 6,656 ----a-w c:\windows\system32\dllcache\kbdinben.dll
- 2004-08-10 11:00:00 5,632 -c----w c:\windows\system32\dllcache\kbdindev.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\dllcache\kbdindev.dll
- 2004-08-10 11:00:00 5,632 -c----w c:\windows\system32\dllcache\kbdinguj.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\dllcache\kbdinguj.dll
- 2004-08-10 11:00:00 5,632 -c----w c:\windows\system32\dllcache\kbdinhin.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\dllcache\kbdinhin.dll
- 2004-08-10 11:00:00 5,632 -c----w c:\windows\system32\dllcache\kbdinkan.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\dllcache\kbdinkan.dll
- 2004-08-10 04:00:00 6,656 ----a-w c:\windows\system32\dllcache\kbdinmal.dll
+ 2004-08-09 21:00:00 6,656 ----a-w c:\windows\system32\dllcache\kbdinmal.dll
- 2004-08-10 11:00:00 5,632 -c----w c:\windows\system32\dllcache\kbdinmar.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\dllcache\kbdinmar.dll
- 2004-08-10 11:00:00 6,144 -c----w c:\windows\system32\dllcache\kbdinpun.dll
+ 2004-08-09 21:00:00 6,144 ----a-w c:\windows\system32\dllcache\kbdinpun.dll
- 2004-08-10 11:00:00 5,632 -c----w c:\windows\system32\dllcache\kbdintam.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\dllcache\kbdintam.dll
- 2004-08-10 11:00:00 5,632 -c----w c:\windows\system32\dllcache\kbdintel.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\dllcache\kbdintel.dll
- 2004-08-10 11:00:00 5,632 -c----w c:\windows\system32\dllcache\kbdsyr1.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\dllcache\kbdsyr1.dll
- 2004-08-10 11:00:00 5,632 -c----w c:\windows\system32\dllcache\kbdsyr2.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\dllcache\kbdsyr2.dll
- 2004-08-10 11:00:00 5,632 -c----w c:\windows\system32\dllcache\kbdth0.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\dllcache\kbdth0.dll
- 2004-08-10 11:00:00 5,632 -c----w c:\windows\system32\dllcache\kbdth1.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\dllcache\kbdth1.dll
- 2004-08-10 11:00:00 6,144 -c----w c:\windows\system32\dllcache\kbdth2.dll
+ 2004-08-09 21:00:00 6,144 ----a-w c:\windows\system32\dllcache\kbdth2.dll
- 2004-08-10 11:00:00 6,144 -c----w c:\windows\system32\dllcache\kbdth3.dll
+ 2004-08-09 21:00:00 6,144 ----a-w c:\windows\system32\dllcache\kbdth3.dll
- 2004-08-10 11:00:00 5,632 -c----w c:\windows\system32\dllcache\kbdurdu.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\dllcache\kbdurdu.dll
- 2004-08-10 04:00:00 5,632 -c----w c:\windows\system32\dllcache\kbdusa.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\dllcache\kbdusa.dll
- 2004-08-10 11:00:00 5,632 -c----w c:\windows\system32\dllcache\kbdvntc.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\dllcache\kbdvntc.dll
- 2004-08-10 04:00:00 185,344 -c----w c:\windows\system32\dllcache\thawbrkr.dll
+ 2004-08-09 21:00:00 185,344 ----a-w c:\windows\system32\dllcache\thawbrkr.dll
- 2008-12-03 02:54:07 204,120 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-14 23:05:40 263,824 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2004-08-09 21:00:00 6,144 ----a-w c:\windows\system32\ftlx041e.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\kbda1.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\kbda2.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\kbda3.dll
+ 2004-08-09 21:00:00 5,120 ----a-w c:\windows\system32\kbdarme.dll
+ 2004-08-09 21:00:00 5,120 ----a-w c:\windows\system32\kbdarmw.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\kbddiv1.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\kbddiv2.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\kbdfa.dll
+ 2004-08-09 21:00:00 5,120 ----a-w c:\windows\system32\kbdgeo.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\kbdheb.dll
- 2004-08-10 04:00:00 6,144 -c--a-w c:\windows\system32\kbdinbe1.dll
+ 2004-08-09 21:00:00 6,144 ----a-w c:\windows\system32\kbdinbe1.dll
- 2004-08-10 04:00:00 6,656 -c--a-w c:\windows\system32\kbdinben.dll
+ 2004-08-09 21:00:00 6,656 ----a-w c:\windows\system32\kbdinben.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\kbdindev.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\kbdinguj.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\kbdinhin.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\kbdinkan.dll
- 2004-08-10 04:00:00 6,656 -c--a-w c:\windows\system32\kbdinmal.dll
+ 2004-08-09 21:00:00 6,656 ----a-w c:\windows\system32\kbdinmal.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\kbdinmar.dll
+ 2004-08-09 21:00:00 6,144 ----a-w c:\windows\system32\kbdinpun.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\kbdintam.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\kbdintel.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\kbdsyr1.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\kbdsyr2.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\kbdth0.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\kbdth1.dll
+ 2004-08-09 21:00:00 6,144 ----a-w c:\windows\system32\kbdth2.dll
+ 2004-08-09 21:00:00 6,144 ----a-w c:\windows\system32\kbdth3.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\kbdurdu.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\kbdusa.dll
+ 2004-08-09 21:00:00 5,632 ----a-w c:\windows\system32\kbdvntc.dll
+ 2004-08-09 21:00:00 185,344 ----a-w c:\windows\system32\Thawbrkr.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-06-23 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-06-23 81920]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-05-23 98304]
"ftutil2"="ftutil2.dll" [2004-06-07 c:\windows\system32\ftutil2.dll]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 c:\windows\RTHDCPL.EXE]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-09-01 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-09-01 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-09-01 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

S3 W8100PCI;D-Link AirPlus G Wireless Driver;c:\windows\system32\drivers\MRV8K51.sys [2008-06-01 297984]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.netflix.com/MemberHome
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: trymedia.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-14 18:09:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-14 18:10:32
ComboFix-quarantined-files.txt 2009-03-14 23:10:30
ComboFix2.txt 2009-03-14 14:25:22

Pre-Run: 69,635,764,224 bytes free
Post-Run: 70,241,681,408 bytes free

212 --- E O F --- 2009-03-14 14:26:36

[tetonbob]

Sorry about that, they must have recently changed that link

http://www.free-av.com/

Edit:

Direct link to the English installer file

http://dlce.antivir.com/down/windows..._winu_en_h.exe

[woody5]

Alright. Avira was installed and ran ... i saved the .txt file if needed. 102 files or something were deleted.

I ran combofix again when Avira was finished and here are the results:

Thanks again.

ComboFix 09-03-13.02 - HP_Administrator 2009-03-14 20:48:33.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1585 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2009-02-15 to 2009-03-15 )))))))))))))))))))))))))))))))
.

2009-03-14 18:54 . 2009-03-14 18:54 <DIR> d-------- c:\program files\Avira
2009-03-14 18:54 . 2009-03-14 18:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-03-14 18:03 . 2009-03-14 18:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-12 22:01 . 2009-03-12 22:01 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Vso
2009-03-12 22:01 . 2009-03-12 22:01 47,360 --a------ c:\windows\system32\drivers\pcouffin.sys
2009-03-12 22:01 . 2009-03-12 22:01 47,360 --a------ c:\documents and settings\HP_Administrator\Application Data\pcouffin.sys
2009-03-12 22:00 . 2009-03-12 22:00 <DIR> d-------- c:\program files\DVDFab 5

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-14 23:04 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-13 18:49 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Move Networks
2009-03-08 16:28 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-08 16:28 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-07 23:51 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-11 16:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 16:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-08-05 14:11 54,168 ----a-w c:\documents and settings\HP_Administrator\Application Data\GDIPFONTCACHEV1.DAT
2006-11-25 21:57 22 -csha-w c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( SnapShot_2009-03-14_18.09.49.90 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-05-09 17:15:51 45,376 ----a-w c:\windows\system32\drivers\avgntdd.sys
+ 2008-01-21 22:11:28 22,336 ----a-w c:\windows\system32\drivers\avgntmgr.sys
+ 2008-10-30 15:21:03 75,072 ----a-w c:\windows\system32\drivers\avipbb.sys
+ 2007-03-01 14:34:22 28,352 ----a-w c:\windows\system32\drivers\ssmdrv.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-06-23 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-06-23 81920]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-05-23 98304]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"ftutil2"="ftutil2.dll" [2004-06-07 c:\windows\system32\ftutil2.dll]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 c:\windows\RTHDCPL.EXE]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-09-01 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-09-01 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-09-01 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

S3 W8100PCI;D-Link AirPlus G Wireless Driver;c:\windows\system32\drivers\MRV8K51.sys [2008-06-01 297984]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ANTIVIRSCHEDULER
*NewlyCreated* - ANTIVIRSERVICE
*NewlyCreated* - AVGIO
*NewlyCreated* - AVGNTFLT
*NewlyCreated* - AVIPBB
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.netflix.com/MemberHome
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: trymedia.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-14 20:50:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-14 20:51:18
ComboFix-quarantined-files.txt 2009-03-15 01:51:16
ComboFix2.txt 2009-03-14 23:10:33
ComboFix3.txt 2009-03-14 14:25:22

Pre-Run: 70,135,472,128 bytes free
Post-Run: 70,151,630,848 bytes free

111 --- E O F --- 2009-03-14 14:26:36

[tetonbob]

Yes, please, I'd like to see the report from Avira. If it's too large to post, just attach it. Also let me know how the machine is currently behaving.

[woody5]

I have attached the Avira report. The machine is currently running fine. I ran an anti-malware and no malicious items were found.

Pop ups have stopped and I no longer see the anti-virus 2009 shield in the task bar, nor does it pop up on IE.

Windows Updates are ready to install on my computer so i am going to do that also.

[tetonbob]

Looks good, those were items in ComboFix quarantine or System Restore points. Still a bit of work to do.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

• Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
• Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 12. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
• Click the "Download" button to the right.
• Select the Windows platform from the dropdown menu.
• Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh.
• Click on the link to download Windows Offline Installation and save the file to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
• Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.

• After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

While we just did a full system scan with Avira, because the system had been unprotected, I'd like you to run an online scan with Kaspersky. One vendor's definitions may find what another's did not.

Please perform this online scan to help look for remnants

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:

• Close any open programs
• Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

• Click Run at the Security prompt.
• The program will then begin downloading and installing and will also update the database.
• Please be patient as this can take several minutes.
• Once the update is complete, click on Settings. Uncheck Mail databases.
• Next, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
• Click the Save Report As... button.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------------------------------------

[woody5]

Sorry its taken me a few days. I cannot uninstall the updated version of Java 2. "It could not correctly acess the uninstall program or it was not installed corectly. Contact someone."

Any ideas?

[tetonbob]

Quote:

I cannot uninstall the updated version of Java 2.

Not sure what you mean here. The updated version is what we want installed. j6u12

Do you mean you can't uninstall this one?

J2SE Runtime Environment 5.0 Update 6

If so, that's ok for now, we'll come back to it.

[woody5]

I have tried to update Java. Delete Java. And have tried to install the link you had me download and get the same error message.

"The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Cotact your support personnel for assistance."

The kapersky scan is running and i will post it later this evening.

Ideas?

[woody5]

Also ... probably related. Windows updates are ready to install. Specifically secrutiy update for Microsoft excell 2002, Word 2002, and updates for microsoft silverlight.

When i try to update and install these its a no go and cannot be successfully completed.

[tetonbob]

MS solution for that issue

http://support.microsoft.com/kb/315353

http://support.microsoft.com/kb/315346

If still no joy...

Let's try dial-a-fix

http://wiki.djlizard.net/Dial-a-fix

• Download/save the program and extract to it's own folder.
  
• In the MSI area, tick Fix Windows Installer.
  
• Click on the Go button.
  
• Exit, and try an install routine again.
  

[woody5]

JAVA is unistalled, the correct one was reinstalled and the cache and temp. internet files were deleted.

Karpersky ran (before Java was unistalled) and here is the report.