Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads (resolved spyware and popup issues)
#1 - 03-28-2009, 08:59 PM - bosslady
Registered User; Join Date: Mar 2009; Posts: 9; OS: Windows XP Service Pack 3

Please read my hijackthis file

I need help; I have never posted on one of these sites. My computer keeps crashing after a while. I use Mozilla Firefox, but lately IE comes on by itself and has been trying to get me to download Registry Defender. Hope someone can help. Here's the file.


Logfile of HijackThis v1.99.1
Scan saved at 10:00:14 PM, on 3/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\program files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\program files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PCtools\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: {1897e9c4-2076-75a8-7264-22498596b554} - {455b6958-9422-4627-8a57-67024c9e7981} - C:\WINDOWS\system32\cfczdw.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {94c97c02-56f0-4e0a-b416-53383e8b110e} - C:\WINDOWS\system32\biduyayo.dll
O2 - BHO: ooVoo Toolbar - {A057A204-BACC-4D26-8087-36EE87E26986} - C:\PROGRA~1\OOVOOT~1\OOVOOT~1.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ooVoo Toolbar - {A057A204-BACC-4D26-8087-36EE87E26986} - C:\PROGRA~1\OOVOOT~1\OOVOOT~1.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Blorupalirikiji] rundll32.exe "C:\WINDOWS\Etigis.dll",e
O4 - HKLM\..\Run: [Jmeyo] rundll32.exe "C:\WINDOWS\omutejef.dll",e
O4 - HKLM\..\Run: [zinowuvovu] Rundll32.exe "C:\WINDOWS\system32\sizotasi.dll",s
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [780037ae] rundll32.exe "C:\WINDOWS\system32\kerivabe.dll",b
O4 - HKLM\..\Run: [CPM7b330432] Rundll32.exe "c:\windows\system32\rusovudu.dll",a
O4 - HKLM\..\RunOnce: [PhotoshopAlbumUninstallRebootRequired] cmd /c del "C:\WINDOWS\system32\drivers\PFCNeedUnInstallBoot.tmp"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Performance Center] C:\program files\Ascentive\Performance Center\ApcMain.exe -m
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [oovoo.exe] C:\program files\ooVoo\oovoo.exe /minimized
O4 - HKCU\..\Run: [nidle] "C:\Documents and Settings\Owner\Application Data\nidle\nidle.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1225845454252
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex.com/client/v_myw...ex/ieatgpc.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\luduyufe.dll c:\windows\system32\nemilove.dll cfczdw.dll c:\windows\system32\rusovudu.dll c:\windows\system32\vevapada.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O20 - Winlogon Notify: __c00258BA - C:\WINDOWS\system32\__c00258BA.dat
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\rusovudu.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NNServ - Unknown owner - C:\Program Files\NewDotNet\nnrun.exe" "C:\Program Files\NewDotNet\nncore.dll" ServiceStart (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
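An added example, my own code rather than anything posted in this thread or part of HijackThis, that triages a HijackThis 1.99 log for the persistence patterns visible in the post above: Run entries where rundll32 calls a DLL by a one-letter export, DLLs pushed into every process through AppInit_DLLs, a Winlogon notification package that is a .dat rather than a .dll, a ShellServiceObjectDelayLoad handler literally named SSODL, nameless BHOs living in system32, and a service whose binary is gone. The sample lines are copied from the log above; the consonant/vowel name heuristic and the rule set are my assumptions, not HijackThis output.

```python
"""Triage a HijackThis 1.99 log for Vundo/Virtumonde-style persistence.

Added example for this thread; not part of the original post and not
HijackThis code. SAMPLE_LOG is a subset of lines copied from the log
above; the rules and the name heuristic below are my own assumptions."""
import re

SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {1897e9c4-2076-75a8-7264-22498596b554} - {455b6958-9422-4627-8a57-67024c9e7981} - C:\WINDOWS\system32\cfczdw.dll
O2 - BHO: (no name) - {94c97c02-56f0-4e0a-b416-53383e8b110e} - C:\WINDOWS\system32\biduyayo.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Blorupalirikiji] rundll32.exe "C:\WINDOWS\Etigis.dll",e
O4 - HKLM\..\Run: [780037ae] rundll32.exe "C:\WINDOWS\system32\kerivabe.dll",b
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O20 - AppInit_DLLs: C:\WINDOWS\system32\luduyufe.dll c:\windows\system32\nemilove.dll cfczdw.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: __c00258BA - C:\WINDOWS\system32\__c00258BA.dat
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\rusovudu.dll
O23 - Service: NNServ - Unknown owner - C:\Program Files\NewDotNet\nnrun.exe" "C:\Program Files\NewDotNet\nncore.dll" ServiceStart (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# rundll32 <dll>,<export>: the DLL may be quoted, the export follows the comma
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*(\S+)', re.IGNORECASE)
VOWELS = set("aeiou")


def machine_generated(name):
    """Weak signal (assumption): the dropper in this log names files with
    6-8 lowercase letters that either alternate consonant/vowel
    (biduyayo, kerivabe) or contain no vowel at all (cfczdw)."""
    if not re.fullmatch(r"[a-z]{6,8}", name):
        return False
    shape = "".join("v" if ch in VOWELS else "c" for ch in name)
    return shape in ("cvcvcvcv", "vcvcvcvc", "cvcvcv", "vcvcvc") or "v" not in shape


def file_stem(path):
    """'C:\\WINDOWS\\system32\\cfczdw.dll' -> 'cfczdw'."""
    name = path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def in_system32(path):
    return "\\system32\\" in path.lower()


def triage(log_text):
    """Return (section, target, reason) for every entry worth a closer look."""
    findings = []
    for line in log_text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        parts = [p.strip() for p in body.split(" - ")]
        if section == "O2" and len(parts) >= 3:
            name, path = parts[0][len("BHO:"):].strip(), parts[-1]
            if (name == "(no name)" or name.startswith("{")) and in_system32(path):
                findings.append((section, path, "nameless BHO loaded from system32"))
        elif section == "O4":
            rd = RUNDLL_RE.search(body)
            # NvCpl.dll,NvStartup is normal; Etigis.dll,e is the dropper's style
            if rd and len(rd.group(2)) == 1:
                findings.append((section, rd.group(1), "rundll32 calls a one-letter export"))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            for dll in body[len("AppInit_DLLs:"):].split():
                findings.append((section, dll, "injected into every process via AppInit_DLLs"))
        elif section == "O20" and body.startswith("Winlogon Notify:"):
            path = parts[-1]
            if not path.lower().endswith(".dll") or machine_generated(file_stem(path)):
                findings.append((section, path, "Winlogon notification package with odd name or extension"))
        elif section == "O21" and body.startswith("SSODL:"):
            name, path = parts[0][len("SSODL:"):].strip(), parts[-1]
            if name.lower() == "ssodl" or (in_system32(path) and machine_generated(file_stem(path))):
                findings.append((section, path, "ShellServiceObjectDelayLoad handler with generic or generated name"))
        elif section == "O23" and "(file missing)" in body:
            findings.append((section, parts[0][len("Service:"):].strip(), "service binary is missing"))
    return findings


if __name__ == "__main__":
    for section, target, reason in triage(SAMPLE_LOG):
        print(f"{section:4} {reason:60} {target}")
```

The name heuristic is deliberately only a tie-breaker: the decisive rules are about where and how something loads (AppInit_DLLs, a Winlogon notify package that is not a DLL, a single-letter rundll32 entry point), because a dropper can change its naming scheme far more easily than it can stop using those load points.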

#2 - 03-28-2009, 10:22 PM - Ried
Assistant Manager, TSF Academy; Moderator/Analyst Security Team; Join Date: Jan 2005; Location: Ohio; Posts: 26,882; OS: WinXP and Vista

Re: Please read my hijackthis file

Hello bosslady and welcome,

HijackThis is no longer the preferred initial scanning tool in this forum.

We want all our members to perform the steps outlined in our pre-posting process, found here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

After running through all the steps, you shall have a proper set of logs. Please post them in your next reply.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.


**Please note this section of the forum is very busy, so be sure to familiarize yourself with the Bumping Rules also found in our sticky topic mentioned above. One of our Analysts will review your log as soon as possible.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
#3 - 03-30-2009, 07:19 AM - bosslady
Registered User; Join Date: Mar 2009; Posts: 9; OS: Windows XP Service Pack 3

Re: Please read my hijackthis file

My system shut down twice while performing the GMER scan. When it came back on it said "System recovered from serious error." I also got a "Rundll error loading C:/windows/system32/sizotasi.dll", another one for "C:/windows/etigis.dll", and also one for "C:/windows/system32/mawijeho.dll".

I keep getting windows with ads trying to get me to download "Registry Defender", "Malware Removal Programs", "Shield Deluxe 2009" and "Finally FastPc".

Firefox also will shut down at times and says "your system has encountered a problem and has to close". Just now I also got an Image Studio application message which reads "it has encountered a problem and needs to close".

Here's the info you requested, I hope you can help me. Thanks!


DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 919.35 on Sun 03/29/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.504.74 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\rundll32.exe
C:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\program files\interMute\SpamSubtract\SpamSubtract.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\program files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://srch-qus9.hpwis.com/
uDefault_Search_URL = hxxp://srch-qus9.hpwis.com/
uSearch Bar = hxxp://srch-qus9.hpwis.com/
mSearch Bar = hxxp://srch-qus9.hpwis.com/
uInternet Settings,ProxyOverride = localhost;*.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: {1897e9c4-2076-75a8-7264-22498596b554}: {455b6958-9422-4627-8a57-67024c9e7981} - c:\windows\system32\cfczdw.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {94c97c02-56f0-4e0a-b416-53383e8b110e} - c:\windows\system32\biduyayo.dll
BHO: ooVoo Toolbar: {a057a204-bacc-4d26-8087-36ee87e26986} - c:\progra~1\oovoot~1\OOVOOT~1.DLL
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: ooVoo Toolbar: {a057a204-bacc-4d26-8087-36ee87e26986} - c:\progra~1\oovoot~1\OOVOOT~1.DLL
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [Performance Center] c:\program files\ascentive\performance center\ApcMain.exe -m
uRun: [WebCamRT.exe]
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [oovoo.exe] c:\program files\oovoo\oovoo.exe /minimized
uRun: [nidle] "c:\documents and settings\owner\application data\nidle\nidle.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [StorageGuard] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver3\LVCOMS.EXE
mRun: [LogitechGalleryRepair] c:\program files\logitech\imagestudio\ISStart.exe
mRun: [LogitechImageStudioTray] c:\program files\logitech\imagestudio\LogiTray.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [Blorupalirikiji] rundll32.exe "c:\windows\Etigis.dll",e
mRun: [Jmeyo] rundll32.exe "c:\windows\omutejef.dll",e
mRun: [zinowuvovu] Rundll32.exe "c:\windows\system32\sizotasi.dll",s
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [780037ae] rundll32.exe "c:\windows\system32\mawijeho.dll",b
mRun: [CPM7b330432] Rundll32.exe "c:\windows\system32\fabarupa.dll",a
dRun: [A00F2A4A2CF.exe] c:\windows\temp\_A00F2A4A2CF.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\spamsu~1.lnk - c:\program files\intermute\spamsubtract\SpamSubtract.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
LSP: SpSubLSP.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1225845454252
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://mwmus.webex.com/client/v_mywebex-mwm/mywebex/ieatgpc.cab
Notify: igfxcui - igfxsrvc.dll
Notify: OPXPGina - c:\program files\softex\omnipass\opxpgina.dll
Notify: __c00258BA - c:\windows\system32\__c00258BA.dat
AppInit_DLLs: c:\windows\system32\luduyufe.dll c:\windows\system32\nemilove.dll cfczdw.dll c:\windows\system32\fabarupa.dll c:\windows\system32\vevapada.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fabarupa.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\fabarupa.dll
LSA: Notification Packages = scecli c:\windows\system32\luduyufe.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-27 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
S2 NNServ;NNServ;"c:\program files\newdotnet\nnrun.exe" "c:\program files\newdotnet\nncore.dll" servicestart --> c:\program files\newdotnet\nnrun.exe [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-22 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-22 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-6-18 23680]

=============== Created Last 30 ================

2009-03-28 22:46 3,290,247 ---sh--- c:\windows\system32\ohejiwam.ini
2009-03-28 10:46 3,290,247 ---sh--- c:\windows\system32\ebavirek.ini
2009-03-28 04:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-03-27 23:35 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-27 23:20 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-03-27 23:17 <DIR> --d----- c:\program files\Lavasoft
2009-03-27 22:50 3,290,234 ---sh--- c:\windows\system32\ujilevoh.ini
2009-03-27 20:48 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-27 19:06 3,290,243 ---sh--- c:\windows\system32\ebukihuv.ini
2009-03-27 00:28 3,290,383 ---sh--- c:\windows\system32\iyonojat.ini
2009-03-26 17:05 27,136 a------- c:\windows\system32\1000.exe
2009-03-26 16:50 27,136 a------- c:\windows\system32\998.exe
2009-03-26 12:50 27,648 a------- c:\windows\system32\__c00258BA.dat
2009-03-26 12:50 36,352 a------- c:\windows\system32\gldx.exe
2009-03-26 10:44 3,291,173 ---sh--- c:\windows\system32\itutukif.ini
2009-03-26 10:44 124,928 a--sh--- c:\windows\system32\cfczdw.dll
2009-03-25 22:45 3,291,095 ---sh--- c:\windows\system32\okokijib.ini
2009-03-25 22:44 124,928 a--sh--- c:\windows\system32\mpoqhk.dll
2009-03-25 10:02 3,290,183 ---sh--- c:\windows\system32\enewonoy.ini
2009-03-24 23:09 133,120 a------- c:\windows\omutejef.dll
2009-03-24 22:45 <DIR> --d----- c:\docume~1\owner\applic~1\nidle
2009-03-24 22:43 124,928 a--sh--- c:\windows\system32\nrcbas.dll
2009-03-24 22:38 59,801 a------- c:\windows\system32\prunnet.exe
2009-03-24 21:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ALM
2009-03-24 21:23 <DIR> --d----- c:\program files\Bonjour
2009-03-24 21:02 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-03-23 21:47 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motport_01005.Wdf
2009-03-21 20:14 <DIR> --d----- c:\docume~1\owner\applic~1\ooVoo Details
2009-03-21 20:14 <DIR> --d----- c:\program files\oovooToolbar
2009-03-21 20:14 <DIR> --d----- c:\docume~1\owner\applic~1\oovooToolbar
2009-03-21 20:14 <DIR> --d----- c:\program files\ooVoo
2009-03-13 21:35 6,144 ac-sh--- c:\windows\system32\Thumbs.db

==================== Find3M ====================

2009-03-28 22:46 84,992 a--sh--- c:\windows\system32\fabarupa.dll
2009-03-28 22:46 79,872 a--sh--- c:\windows\system32\mawijeho.dll
2009-03-28 22:46 61,440 a--sh--- c:\windows\system32\vijobaje.exe
2009-03-28 10:45 84,992 a--sh--- c:\windows\system32\vevapada.dll
2009-03-28 10:45 61,440 a--sh--- c:\windows\system32\zadasola.exe
2009-03-27 22:45 84,992 a--sh--- c:\windows\system32\rahitelo.dll
2009-03-27 22:45 61,440 a--sh--- c:\windows\system32\birizori.exe
2009-03-27 10:45 84,992 a--sh--- c:\windows\system32\pavijifu.dll
2009-03-27 10:45 79,872 a--sh--- c:\windows\system32\vuhikube.dll
2009-03-27 10:45 61,440 a--sh--- c:\windows\system32\jorevuku.exe
2009-03-26 22:44 84,992 a--sh--- c:\windows\system32\rusovudu.dll
2009-03-26 22:44 79,872 a--sh--- c:\windows\system32\tajonoyi.dll
2009-03-26 22:44 61,440 a--sh--- c:\windows\system32\yidefemo.exe
2009-03-26 10:44 84,992 a--sh--- c:\windows\system32\lobejuno.dll
2009-03-26 10:44 124,928 a--sh--- c:\windows\system32\logowazu.dll
2009-03-26 10:44 79,872 a--sh--- c:\windows\system32\fikututi.dll
2009-03-25 22:44 124,928 a--sh--- c:\windows\system32\nilekiza.dll
2009-03-25 22:44 84,992 a--sh--- c:\windows\system32\wofetoha.dll
2009-03-25 10:44 84,992 a--sh--- c:\windows\system32\newakoja.dll
2009-03-24 22:43 124,928 a--sh--- c:\windows\system32\wanoraza.dll
2009-02-17 01:16 0 ac--h--- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-02-17 01:14 0 ac--h--- c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2009-02-17 01:14 0 ac--h--- c:\windows\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2009-02-16 23:57 0 ac--h--- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-02-16 23:57 0 ac--h--- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-01-22 21:02 8,464 ac------ c:\windows\system32\sporder.dll
2005-06-15 21:57 0 ac--h--- c:\documents and settings\owner\hpothb07.dat
2005-04-18 13:20 164 ac--h--- c:\documents and settings\all users\hpothb07.dat

============= FINISH: 9:08:51.84 ===============
Attached file: ark.zip (5.9 KB)
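The "Created Last 30" and "Find3M" sections of the DDS log above carry more signal than any single file name: hidden+system files land in system32 in batches at roughly 10:45 and 22:45 each day, in a handful of fixed sizes, under a different name every time. The following is an added example, my own code and not something from the thread or from DDS, that parses those listing lines and pulls out the drop batches, the re-drop interval and the size classes. The listing is a subset copied from the post; the ten-minute batching window and the reading of the attribute column (the 's' and 'h' characters as system and hidden) are my assumptions.

```python
"""Timeline and size clustering over a DDS "Created Last 30"/"Find3M" listing.

Added example for this thread; not part of the post and not DDS code.
SAMPLE_LISTING is a subset of lines copied from the DDS log above. The
10-minute batching window and reading the attribute column as
a=archive, c=compressed, d=directory, s=system, h=hidden are my assumptions."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SAMPLE_LISTING = r"""
2009-03-28 22:46 3,290,247 ---sh--- c:\windows\system32\ohejiwam.ini
2009-03-28 22:46 84,992 a--sh--- c:\windows\system32\fabarupa.dll
2009-03-28 22:46 79,872 a--sh--- c:\windows\system32\mawijeho.dll
2009-03-28 22:46 61,440 a--sh--- c:\windows\system32\vijobaje.exe
2009-03-28 10:46 3,290,247 ---sh--- c:\windows\system32\ebavirek.ini
2009-03-28 10:45 84,992 a--sh--- c:\windows\system32\vevapada.dll
2009-03-28 10:45 61,440 a--sh--- c:\windows\system32\zadasola.exe
2009-03-27 23:35 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-27 22:50 3,290,234 ---sh--- c:\windows\system32\ujilevoh.ini
2009-03-27 22:45 84,992 a--sh--- c:\windows\system32\rahitelo.dll
2009-03-27 22:45 61,440 a--sh--- c:\windows\system32\birizori.exe
2009-03-27 10:45 84,992 a--sh--- c:\windows\system32\pavijifu.dll
2009-03-27 10:45 79,872 a--sh--- c:\windows\system32\vuhikube.dll
2009-03-27 10:45 61,440 a--sh--- c:\windows\system32\jorevuku.exe
2009-03-26 22:44 84,992 a--sh--- c:\windows\system32\rusovudu.dll
2009-03-26 22:44 79,872 a--sh--- c:\windows\system32\tajonoyi.dll
2009-03-26 22:44 61,440 a--sh--- c:\windows\system32\yidefemo.exe
2009-03-26 12:50 27,648 a------- c:\windows\system32\__c00258BA.dat
2009-03-26 10:44 124,928 a--sh--- c:\windows\system32\cfczdw.dll
2009-03-25 22:44 124,928 a--sh--- c:\windows\system32\mpoqhk.dll
2009-03-24 22:43 124,928 a--sh--- c:\windows\system32\nrcbas.dll
2009-03-13 21:35 6,144 ac-sh--- c:\windows\system32\Thumbs.db
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-03-27 23:17 <DIR> --d----- c:\program files\Lavasoft
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S{8})\s+(.+)$")


def parse_listing(text):
    """One dict per line: timestamp, size in bytes (None for <DIR>), attribute flags, path."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        date, time, size, attrs, path = m.groups()
        entries.append({
            "when": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M"),
            "size": None if size == "<DIR>" else int(size.replace(",", "")),
            "attrs": attrs,
            "path": path,
            "name": path.rsplit("\\", 1)[-1],
        })
    return entries


def suspicious(entry):
    """Regular file in system32 carrying both the system and hidden flags.
    Very little legitimate software creates files that way, so this is the
    population worth clustering (Thumbs.db shows up too: review, don't trust)."""
    return (entry["size"] is not None
            and "s" in entry["attrs"] and "h" in entry["attrs"]
            and "\\system32\\" in entry["path"].lower())


def drop_batches(entries, window=timedelta(minutes=10)):
    """Group suspicious files whose creation times lie within `window` of each other."""
    batches = []
    for e in sorted((e for e in entries if suspicious(e)), key=lambda e: e["when"]):
        if batches and e["when"] - batches[-1]["last"] <= window:
            batches[-1]["files"].append(e["name"])
            batches[-1]["last"] = e["when"]
        else:
            batches.append({"start": e["when"], "last": e["when"], "files": [e["name"]]})
    return batches


def dominant_period_hours(batches):
    """Most common gap, in whole hours, between consecutive batch starts."""
    gaps = Counter(round((b["start"] - a["start"]).total_seconds() / 3600)
                   for a, b in zip(batches, batches[1:]))
    return gaps.most_common(1)[0][0] if gaps else None


def size_classes(entries):
    """Sizes shared by two or more suspicious files: same binary, new name each drop."""
    by_size = defaultdict(list)
    for e in entries:
        if suspicious(e):
            by_size[e["size"]].append(e["name"])
    return {size: names for size, names in by_size.items() if len(names) > 1}


if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LISTING)
    batches = drop_batches(entries)
    for b in batches:
        print(b["start"].strftime("%Y-%m-%d %H:%M"), ", ".join(b["files"]))
    print("re-drop interval: about", dominant_period_hours(batches), "hours")
    for size, names in sorted(size_classes(entries).items()):
        print(f"{size:>9} bytes: {', '.join(names)}")
```

On this listing the batches fall twelve hours apart and the 124,928 / 84,992 / 79,872 / 61,440 byte classes each recur under fresh names, which is why deleting whichever DLL is named in today's Run key does not clear the machine: the component that re-drops them on its schedule is what has to go, and that is what the multi-round cleanup in the next reply is aimed at.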
#4 - 03-30-2009, 10:09 PM - Ried
Assistant Manager, TSF Academy; Moderator/Analyst Security Team; Join Date: Jan 2005; Location: Ohio; Posts: 26,882; OS: WinXP and Vista

Re: Please read my hijackthis file

Thank you, bosslady.

It will require more than one round to properly clean your system. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


***************************************************

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT- Rename ComboFix.exe to boss.exe and Save it to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on boss.exe & follow the prompts.

  • As part of its process, ComboFix (boss.exe) will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply. (it will be named ComboFix.txt, not boss.txt)
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
#5 - 04-01-2009, 12:33 AM - bosslady
Registered User; Join Date: Mar 2009; Posts: 9; OS: Windows XP Service Pack 3

Re: Please read my hijackthis file

Here's the requested ComboFix text:

ComboFix 09-03-31.01 - Owner 2009-03-31 20:44:21.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.504.270 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\boss.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\urlredir.cfg
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\Mozilla Firefox\plugins\npclntax.dll
c:\program files\Need2Find
c:\program files\Need2Find\bar\History\search
c:\program files\security toolbar
c:\program files\security toolbar\Uninstall.bat
c:\windows\Downloaded Program Files\MyWebEx
c:\windows\Downloaded Program Files\MyWebEx\419\atarm.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atas32.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atasanot.exe
c:\windows\Downloaded Program Files\MyWebEx\419\atasctrl.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atasnt40.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atcarmcl.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atdl2006.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atjpeg60.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atkbctl.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atlchat.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atmemmgr.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atnetext.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atpack.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atres.dll
c:\windows\Downloaded Program Files\MyWebEx\419\attp.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atwbxui6.dll
c:\windows\Downloaded Program Files\MyWebEx\419\h264dec.dll
c:\windows\Downloaded Program Files\MyWebEx\419\h264enc.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mmssl32.dll
c:\windows\Downloaded Program Files\MyWebEx\419\msess.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mticket.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mutiltpd.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mvc.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mwm.ini
c:\windows\Downloaded Program Files\MyWebEx\419\mwmcliun.exe
c:\windows\Downloaded Program Files\MyWebEx\419\mwmproxy.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mwmres.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mwmupd.exe
c:\windows\Downloaded Program Files\MyWebEx\419\raurl.dll
c:\windows\Downloaded Program Files\MyWebEx\419\uilibres.dll
c:\windows\Downloaded Program Files\MyWebEx\419\wbxcrypt.dll
c:\windows\Downloaded Program Files\MyWebEx\419\webexmgr.dll
c:\windows\Fonts\acrsecB.fon
c:\windows\Fonts\acrsecI.fon
c:\windows\omutejef.dll
c:\windows\smdat32m.sys
c:\windows\system32\__c00258BA.dat
c:\windows\system32\1000.exe
c:\windows\system32\998.exe
c:\windows\system32\cfczdw.dll
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekadcbsgpji.sys
c:\windows\system32\ebavirek.ini
c:\windows\system32\ebukihuv.ini
c:\windows\system32\emanijag.ini
c:\windows\system32\enewonoy.ini
c:\windows\system32\iAlmcoin.dll
c:\windows\system32\itutukif.ini
c:\windows\system32\ivavidom.ini
c:\windows\system32\iyonojat.ini
c:\windows\system32\kawowuzu.dll
c:\windows\system32\logowazu.dll
c:\windows\system32\luduyufe.dll
c:\windows\system32\mpoqhk.dll
c:\windows\system32\nilekiza.dll
c:\windows\system32\nrcbas.dll
c:\windows\system32\ohejiwam.ini
c:\windows\system32\ohejuven.ini
c:\windows\system32\okokijib.ini
c:\windows\system32\prunnet.exe
c:\windows\system32\senekaakolmuec.dat
c:\windows\system32\senekaayoovkss.dll
c:\windows\system32\senekahasfnqql.dll
c:\windows\system32\senekaieeoabka.dat
c:\windows\system32\senekalywiwoui.dll
c:\windows\system32\uheganaj.ini
c:\windows\system32\ujilevoh.ini
c:\windows\system32\ulapejuz.ini
c:\windows\system32\wanoraza.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA
-------\Legacy_NNSERV
-------\Service_NNServ


((((((((((((((((((((((((( Files Created from 2009-03-01 to 2009-04-01 )))))))))))))))))))))))))))))))
.

2009-03-31 21:18 . 2009-03-31 21:22 1,403,211 ---hs---- c:\windows\system32\emanijag.ini
2009-03-31 20:20 . 2009-03-31 20:20 <DIR> d-------- C:\32788R22FWJFW
2009-03-30 09:04 . 2009-03-30 09:04 97,792 --a------ c:\windows\system32\krbclick1.exe
2009-03-29 08:07 . 2009-03-29 08:48 <DIR> d-------- c:\documents and settings\216\Application Data\OOVOOTOOLBAR
2009-03-28 21:22 . 2009-03-28 21:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Suite
2009-03-28 04:57 . 2009-03-28 04:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2009-03-27 23:35 . 2009-03-09 15:06 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-03-27 23:20 . 2009-03-09 15:06 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-03-27 23:17 . 2009-03-27 23:17 <DIR> d-------- c:\program files\Lavasoft
2009-03-27 23:17 . 2009-03-27 23:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-27 20:48 . 2009-03-27 23:18 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-26 12:50 . 2009-03-26 12:50 36,352 --a------ c:\windows\system32\gldx.exe
2009-03-24 22:45 . 2009-03-24 22:57 <DIR> d-------- c:\documents and settings\Owner\Application Data\nidle
2009-03-24 21:27 . 2009-03-24 21:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\ALM
2009-03-24 21:23 . 2009-03-24 21:23 <DIR> d-------- c:\program files\Bonjour
2009-03-24 21:02 . 2009-03-24 21:02 <DIR> d-------- c:\program files\common files\Macrovision Shared
2009-03-23 21:47 . 2009-03-23 21:47 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_motport_01005.Wdf
2009-03-21 20:14 . 2009-03-21 20:14 <DIR> d-------- c:\program files\oovooToolbar
2009-03-21 20:14 . 2009-03-21 20:14 <DIR> d-------- c:\program files\ooVoo
2009-03-21 20:14 . 2009-03-27 20:31 <DIR> d-------- c:\documents and settings\Owner\Application Data\oovooToolbar
2009-03-21 20:14 . 2009-03-21 20:14 <DIR> d-------- c:\documents and settings\Owner\Application Data\ooVoo Details
2009-03-13 21:35 . 2009-03-13 21:35 6,144 --ahsc--- c:\windows\system32\Thumbs.db

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-31 14:47 84,992 --sha-w c:\windows\system32\binuvete.dll
2009-03-31 14:47 79,872 --sha-w c:\windows\system32\gajiname.dll
2009-03-31 14:47 61,440 --sha-w c:\windows\system32\lulekosa.exe
2009-03-31 02:47 84,992 --sha-w c:\windows\system32\gahiboru.dll
2009-03-31 02:47 79,872 ------w c:\windows\system32\nevujeho.dll
2009-03-31 02:47 61,440 --sha-w c:\windows\system32\lavuzemo.exe
2009-03-30 14:46 84,992 --sha-w c:\windows\system32\zomumuzo.dll
2009-03-30 14:46 61,440 --sha-w c:\windows\system32\vekujusi.exe
2009-03-30 02:53 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2009-03-30 02:46 84,992 --sha-w c:\windows\system32\visugahu.dll
2009-03-30 02:46 61,440 --sha-w c:\windows\system32\pohitelo.exe
2009-03-29 14:46 84,992 --sha-w c:\windows\system32\bozaride.dll
2009-03-29 14:46 79,872 --sha-w c:\windows\system32\janagehu.dll
2009-03-29 14:46 61,440 --sha-w c:\windows\system32\hezozaba.exe
2009-03-29 02:46 84,992 --sha-w c:\windows\system32\fabarupa.dll
2009-03-29 02:46 61,440 --sha-w c:\windows\system32\vijobaje.exe
2009-03-29 01:42 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-28 14:45 84,992 --sha-w c:\windows\system32\vevapada.dll
2009-03-28 14:45 61,440 --sha-w c:\windows\system32\zadasola.exe
2009-03-28 02:45 84,992 --sha-w c:\windows\system32\rahitelo.dll
2009-03-28 02:45 61,440 --sha-w c:\windows\system32\birizori.exe
2009-03-28 00:04 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-28 00:00 --------- d-----w c:\program files\Symantec
2009-03-27 23:33 --------- d-----w c:\program files\Common Files\Adobe
2009-03-27 14:45 84,992 --sha-w c:\windows\system32\pavijifu.dll
2009-03-27 14:45 79,872 --sha-w c:\windows\system32\vuhikube.dll
2009-03-27 14:45 61,440 --sha-w c:\windows\system32\jorevuku.exe
2009-03-27 02:44 84,992 --sha-w c:\windows\system32\rusovudu.dll
2009-03-27 02:44 79,872 --sha-w c:\windows\system32\tajonoyi.dll
2009-03-27 02:44 61,440 --sha-w c:\windows\system32\yidefemo.exe
2009-03-26 14:44 84,992 --sha-w c:\windows\system32\lobejuno.dll
2009-03-26 14:44 79,872 --sha-w c:\windows\system32\fikututi.dll
2009-03-26 02:44 84,992 --sha-w c:\windows\system32\wofetoha.dll
2009-03-25 14:44 84,992 --sha-w c:\windows\system32\newakoja.dll
2009-03-21 00:21 --------- d-----w c:\documents and settings\Owner\Application Data\AdobeUM
2009-03-11 08:02 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-17 05:24 --------- d-----w c:\program files\Microsoft ActiveSync
2009-02-17 05:16 0 -c-ha-w c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-02-17 05:14 0 -c-ha-w c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2009-02-17 05:14 0 -c-ha-w c:\windows\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2009-02-17 03:57 0 -c-ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-02-17 03:57 0 -c-ha-w c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-02-16 04:09 --------- d-----w c:\program files\Common Files\Xara
2009-02-10 00:13 --------- d-----w c:\program files\PC Connectivity Solution
2009-02-10 00:04 --------- d-----w c:\documents and settings\All Users\Application Data\Installations
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 04:06 --------- d-----w c:\documents and settings\Owner\Application Data\GoodSync
2009-02-09 03:59 --------- d-----w c:\program files\Siber Systems
2009-02-01 07:02 --------- d-----w c:\program files\PokerStars
2009-01-23 01:02 8,464 -c--a-w c:\windows\system32\sporder.dll
2005-06-16 01:57 645 -c-ha-w c:\documents and settings\Guest\hpothb07.dat
2005-06-16 01:57 0 -c-ha-w c:\documents and settings\Owner\hpothb07.dat
2005-04-18 17:20 164 -c-ha-w c:\documents and settings\All Users\hpothb07.dat
2008-11-30 23:32 27,976 -c--a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-11-30 23:32 126,360 -c--a-w c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-11-30 23:32 46,408 -c--a-w c:\program files\mozilla firefox\plugins\atmccli.dll
2008-11-30 23:32 98,712 -c--a-w c:\program files\mozilla firefox\plugins\ieatgpc.dll
2008-11-30 18:18 56 --sh--r c:\windows\system32\77CFD94C88.sys
1601-01-01 00:12 47,616 --sha-w c:\windows\system32\biduyayo.dll
1601-01-01 00:12 79,872 --sha-w c:\windows\system32\rafupoka.dll
2008-11-26 08:15 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008110320081110\index.dat
2008-11-26 08:15 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008112620081127\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{94c97c02-56f0-4e0a-b416-53383e8b110e}]
47616 --ahs---- c:\windows\system32\biduyayo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-8087-36EE87E26986}]
2008-12-11 12:15 1912280 --a------ c:\progra~1\OOVOOT~1\OOVOOT~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-8087-36EE87E26986}"= "c:\progra~1\OOVOOT~1\OOVOOT~1.DLL" [2008-12-11 1912280]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-8087-36ee87e26986}]
[HKEY_CLASSES_ROOT\oovooToolbar.OOVOOTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{A057A204-BACC-4D26-8087-36EE87E26986}"= "c:\progra~1\OOVOOT~1\OOVOOT~1.DLL" [2008-12-11 1912280]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-8087-36ee87e26986}]
[HKEY_CLASSES_ROOT\oovooToolbar.OOVOOTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"oovoo.exe"="c:\program files\ooVoo\oovoo.exe" [2009-02-25 14657328]
"NVIEW"="nview.dll" [2003-05-03 c:\windows\system32\nview.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-08-20 118784]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-05-03 4640768]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-08-20 155648]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]
"LogitechGalleryRepair"="c:\program files\Logitech\ImageStudio\ISStart.exe" [2002-12-10 155648]
"LogitechImageStudioTray"="c:\program files\Logitech\ImageStudio\LogiTray.exe" [2002-12-10 61440]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"780037ae"="c:\windows\system32\gajiname.dll" [2009-03-31 79872]
"CPM7b330432"="c:\windows\system32\binuvete.dll" [2009-03-31 84992]
"nwiz"="nwiz.exe" [2003-05-03 c:\windows\system32\nwiz.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]

c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-07 27136]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-07 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\binuvete.dll" [2009-03-31 84992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\binuvete.dll [2009-03-31 84992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
2003-02-21 06:50 40960 c:\program files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\binuvete.dll
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP53"= SP5X_32.DLL
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL
"VIDC.SP59"= SP5X_32.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\windows\system32\luduyufe.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\program files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=
"c:\\program files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\program files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\program files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\program files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\wjview.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\program files\\ooVoo\\ooVoo.exe"=
"c:\\program files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\explorer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2008-08-22 18688]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2008-08-22 8320]
R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2007-06-18 23680]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]


--- Other Services/Drivers In Memory ---

*Deregistered* - ALG
*Deregistered* - AudioSrv
*Deregistered* - BITS
*Deregistered* - Bonjour Service
*Deregistered* - Browser
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - helpsvc
*Deregistered* - HTTPFilter
*Deregistered* - ImapiService
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - Lavasoft Ad-Aware Service
*Deregistered* - Lbd
*Deregistered* - LmHosts
*Deregistered* - mnmdd
*Deregistered* - Mouclass
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - nv_agp
*Deregistered* - NVSvc
*Deregistered* - omniserv
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - Pml Driver HPZ12
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - SISAGP
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - upnphost
*Deregistered* - usnjsvc
*Deregistered* - VgaSave
*Deregistered* - viaagp1
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - WMPNetworkSvc
*Deregistered* - WS2IFSL
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WudfPf
*Deregistered* - WudfSvc
*Deregistered* - WZCSVC
.
Contents of the 'Scheduled Tasks' folder

2009-03-31 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 15:06]

2009-03-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

2009-03-27 c:\windows\Tasks\Disable Compaq Connections.job
- c:\progra~1\COMPAQ~1\1940576\Program\TOGGLE~1.EXE [2003-07-24 06:03]

2009-03-30 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2008-04-13 20:12]

2005-07-22 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1112669313.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 00:52]

2009-03-30 c:\windows\Tasks\Spybot - Search & Destroy.job
- c:\progra~1\SPYBOT~1\SpybotSD.exe [2008-07-30 14:45]

2009-03-30 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-07 19:04]
.
- - - - ORPHANS REMOVED - - - -

BHO-{455b6958-9422-4627-8a57-67024c9e7981} - c:\windows\system32\cfczdw.dll
HKCU-Run-Performance Center - c:\program files\Ascentive\Performance Center\ApcMain.exe
HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
HKCU-Run-nidle - c:\documents and settings\Owner\Application Data\nidle\nidle.exe
HKCU-Run-WebCamRT.exe - (no file)
HKLM-Run-Blorupalirikiji - c:\windows\Etigis.dll
HKLM-Run-zinowuvovu - c:\windows\system32\sizotasi.dll
HKU-Default-Run-A00F2A4A2CF.exe - c:\windows\TEMP\_A00F2A4A2CF.exe
HKU-Default-Run-InetChk - c:\windows\TEMP\ms1238418260.exe
Notify-__c00258BA - c:\windows\system32\__c00258BA.dat
SafeBoot-Wdf01000.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://srch-qus9.hpwis.com/
mSearch Bar = hxxp://srch-qus9.hpwis.com/
uInternet Settings,ProxyOverride = localhost;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
LSP: SpSubLSP.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-31 21:17:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\emanijag.ini 1403220 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(528)
c:\program files\Softex\OmniPass\opxpgina.dll

- - - - - - - > 'lsass.exe'(584)
c:\windows\system32\SpSubLSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Softex\OmniPass\omniServ.exe
c:\windows\system32\HPZipm12.exe
c:\program files\windows media player\wmpnetwk.exe
c:\program files\Softex\OmniPass\OPXPApp.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\interMute\SpamSubtract\SpamSubtract.exe
c:\windows\system32\rundll32.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqste08.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\Windows Live\Messenger\usnsvc.exe
c:\program files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
.
**************************************************************************
.
Completion time: 2009-03-31 21:41:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-01 01:40:57

Pre-Run: 35,190,030,336 bytes free
Post-Run: 34,579,509,248 bytes free

462 --- E O F --- 2009-03-21 08:03:40
bosslady is offline  
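The Find3M Report in the log above shows the pattern a malware analyst keys on: every twelve hours a fresh set of hidden, system-attributed files of exactly 84,992, 79,872 and 61,440 bytes appears in system32 under a new eight-letter name. The following script is an added example, not part of this thread or of ComboFix; it parses Find3M rows (the sample rows are copied from the log above, with a directory row and two legitimate files added for contrast) and flags rows by three heuristics: hidden+system attributes on a DLL/EXE in system32, a consonant/vowel alternating eight-letter stem like binuvete or gajiname, and the zero FILETIME date 1601-01-01. Reading the attribute letters as s = system and h = hidden is my assumption about ComboFix's column, and the name heuristic is mine, tuned to the family in this log.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied from the Find3M Report in the ComboFix log
# above, plus a directory row and two legitimate system files for contrast.
SAMPLE_LOG = r"""
2009-03-31 14:47 84,992 --sha-w c:\windows\system32\binuvete.dll
2009-03-31 14:47 79,872 --sha-w c:\windows\system32\gajiname.dll
2009-03-31 14:47 61,440 --sha-w c:\windows\system32\lulekosa.exe
2009-03-31 02:47 84,992 --sha-w c:\windows\system32\gahiboru.dll
2009-03-31 02:47 79,872 ------w c:\windows\system32\nevujeho.dll
2009-03-31 02:47 61,440 --sha-w c:\windows\system32\lavuzemo.exe
2009-03-30 14:46 84,992 --sha-w c:\windows\system32\zomumuzo.dll
2009-03-30 14:46 61,440 --sha-w c:\windows\system32\vekujusi.exe
2009-03-30 02:53 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-01-23 01:02 8,464 -c--a-w c:\windows\system32\sporder.dll
1601-01-01 00:12 47,616 --sha-w c:\windows\system32\biduyayo.dll
"""

# date time size attrs path; directories show a run of dashes instead of a size
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|-+)\s+(?P<attrs>[A-Za-z-]{7})\s+(?P<path>.+?)\s*$"
)
VOWELS = set("aeiou")


def parse_find3m(text):
    """Parse Find3M rows into dicts; directory rows get size None."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        size = m["size"]
        records.append({
            "date": m["date"],
            "time": m["time"],
            "size": None if size.startswith("-") else int(size.replace(",", "")),
            "attrs": m["attrs"],
            "path": m["path"],
            "name": m["path"].rsplit("\\", 1)[-1].lower(),
        })
    return records


def looks_generated(name):
    """Heuristic (mine): an 8-letter stem alternating consonant/vowel, e.g. binuvete.dll."""
    stem, _, ext = name.partition(".")
    if ext not in ("dll", "exe") or len(stem) != 8 or not stem.isalpha():
        return False
    return all((c in VOWELS) == (i % 2 == 1) for i, c in enumerate(stem))


def flag_suspicious(records):
    """Return (record, reasons) pairs for rows that deserve a closer look."""
    flagged = []
    for r in records:
        reasons = []
        in_system32 = "\\system32\\" in r["path"].lower()
        is_pe = r["name"].endswith((".dll", ".exe"))
        # assumption: 's' = system and 'h' = hidden in ComboFix's attribute column
        if in_system32 and is_pe and "h" in r["attrs"] and "s" in r["attrs"]:
            reasons.append("hidden+system PE in system32")
        if looks_generated(r["name"]):
            reasons.append("generated-looking name")
        if r["date"] == "1601-01-01":
            reasons.append("zero FILETIME timestamp")
        if reasons:
            flagged.append((r, reasons))
    return flagged


def size_clusters(flagged):
    """Group flagged files by byte size: identical sizes under rotating names point to one dropper."""
    clusters = defaultdict(list)
    for r, _ in flagged:
        if r["size"] is not None:
            clusters[r["size"]].append(r["name"])
    return dict(clusters)


if __name__ == "__main__":
    hits = flag_suspicious(parse_find3m(SAMPLE_LOG))
    for r, reasons in hits:
        print(f"{r['date']} {r['time']} {r['name']:14} {', '.join(reasons)}")
    for size, names in size_clusters(hits).items():
        print(f"{size:>8} bytes: {names}")
```

The size clusters are the useful output: three copies of the 84,992-byte DLL and three of the 61,440-byte EXE under different names are one component being re-dropped, which is why the CFScript in the next reply lists every name rather than trusting a single deletion.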
Old 04-02-2009, 04:34 AM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,882
OS: WinXP and Vista


Re: Please read my hijackthis file

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->Control Panel->Add or Remove Programs)

ooVoo
ooVoo Toolbar


Ignore any prompts to reboot.

--------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Quote:


Collect::
c:\windows\system32\gajiname.dll
c:\windows\system32\biduyayo.dll
c:\windows\system32\luduyufe.dll
c:\windows\system32\lulekosa.exe

File::
c:\windows\system32\binuvete.dll
c:\windows\system32\emanijag.ini
c:\windows\system32\gldx.exe
c:\windows\system32\gahiboru.dll
c:\windows\system32\nevujeho.dll
c:\windows\system32\lavuzemo.exe
c:\windows\system32\zomumuzo.dll
c:\windows\system32\vekujusi.exe
c:\windows\system32\visugahu.dll
c:\windows\system32\pohitelo.exe
c:\windows\system32\bozaride.dll
c:\windows\system32\janagehu.dll
c:\windows\system32\hezozaba.exe
c:\windows\system32\fabarupa.dll
c:\windows\system32\vijobaje.exe
c:\windows\system32\vevapada.dll
c:\windows\system32\zadasola.exe
c:\windows\system32\rahitelo.dll
c:\windows\system32\birizori.exe
c:\windows\system32\pavijifu.dll
c:\windows\system32\vuhikube.dll
c:\windows\system32\jorevuku.exe
c:\windows\system32\rusovudu.dll
c:\windows\system32\tajonoyi.dll
c:\windows\system32\yidefemo.exe
c:\windows\system32\lobejuno.dll
c:\windows\system32\fikututi.dll
c:\windows\system32\wofetoha.dll
c:\windows\system32\newakoja.dll
c:\Program Files\mozilla firefox\plugins\atgpcdec.dll
c:\Program Files\mozilla firefox\plugins\atgpcext.dll
c:\Program Files\mozilla firefox\plugins\atmccli.dll
c:\Program Files\mozilla firefox\plugins\ieatgpc.dll
c:\windows\system32\rafupoka.dll

Folder::
c:\documents and settings\Owner\Application Data\nidle

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\explorer.exe"=-
"c:\\program files\\ooVoo\\ooVoo.exe"=-

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe





Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
---------------------------------------------------------------------

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

---------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
Update on system behavior
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
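The least obvious line in the CFScript above is `"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00`. The ComboFix log in post #5 showed that LSA value as `scecli c:\windows\system32\luduyufe.dll`: a DLL listed there is loaded by LSASS and notified of every password change, so an unexpected entry is both persistence and a credential-capture point. The hex(7) literal is just `scecli\0\0` in the one-byte-per-character REGEDIT4 encoding, i.e. the value with only the Windows default left. The following script is an added example, not ComboFix's or the forum's code; it decodes and encodes hex(7) REG_MULTI_SZ literals, splits ComboFix's rendering of the value, and rebuilds the Registry:: fix. The DEFAULT_PACKAGES tuple is my assumption of the XP default (scecli only); a domain controller carries more entries and the list would have to be extended before trusting the cleanup.

```python
# Constructed sample: the LSA value exactly as ComboFix rendered it in the
# "Reg Loading Points" section of the log in post #5.
LOG_LINE = r"Notification Packages REG_MULTI_SZ scecli c:\windows\system32\luduyufe.dll"
LSA_KEY = r"[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]"
# Assumption: Windows XP ships with only scecli here. Domain controllers add
# more, so an administrator extends this before relying on clean_packages().
DEFAULT_PACKAGES = ("scecli",)


def decode_hex7(literal):
    """Decode a REGEDIT4-style hex(7) literal (one byte per character,
    NUL-separated, double-NUL terminated) into a list of strings."""
    if not literal.startswith("hex(7):"):
        raise ValueError("not a hex(7) REG_MULTI_SZ literal")
    # .reg files wrap long values with a trailing backslash; join those lines
    body = literal[len("hex(7):"):].replace("\\\n", "")
    raw = bytes(int(tok, 16) for tok in body.split(",") if tok.strip())
    if not raw.endswith(b"\x00\x00"):
        raise ValueError("REG_MULTI_SZ must end with a double NUL")
    payload = raw[:-2]
    return [s.decode("ascii") for s in payload.split(b"\x00")] if payload else []


def encode_hex7(strings):
    """Inverse of decode_hex7: list of strings -> 'hex(7):..' literal."""
    raw = b"\x00".join(s.encode("ascii") for s in strings) + b"\x00\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def parse_log_multi_sz(line):
    """Split ComboFix's 'Name REG_MULTI_SZ a b c' rendering into (name, entries).
    Entries are space separated in that rendering, so a path containing
    spaces would have to be confirmed in the registry itself."""
    name, sep, rest = line.partition(" REG_MULTI_SZ ")
    if not sep:
        raise ValueError("not a REG_MULTI_SZ log line")
    return name, rest.split()


def clean_packages(entries, allowed=DEFAULT_PACKAGES):
    """Keep only the expected notification packages; return (kept, removed)."""
    allowed_lc = {a.lower() for a in allowed}
    kept = [e for e in entries if e.lower() in allowed_lc]
    removed = [e for e in entries if e.lower() not in allowed_lc]
    return kept, removed


def cfscript_registry_fix(kept):
    """Render the Registry:: lines that write `kept` back as the value."""
    return f"{LSA_KEY}\n\"Notification Packages\"={encode_hex7(kept)}"


if __name__ == "__main__":
    name, entries = parse_log_multi_sz(LOG_LINE)
    kept, removed = clean_packages(entries)
    print(f"{name}: keeping {kept}, removing {removed}")
    print(cfscript_registry_fix(kept))
    print("decoded back:", decode_hex7(encode_hex7(kept)))
```

Run it and the second printed block is byte-for-byte the two Registry:: lines from the script above, which is the check worth doing before dropping a CFScript onto ComboFix: decode any hex(7) value you are about to write and confirm it contains exactly the entries you intend, since a missing trailing `00,00` or a stray byte silently produces a different value.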
Old 04-08-2009, 03:19 AM   #7 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 9
OS: windowsXP service pack 3


Re: Please read my hijackthis file

C:\ComboFix.txt
Kaspersky results
Update on system behavior


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, April 8, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, April 08, 2009 00:54:34
Records in database: 2021752
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 178435
Threat name: 18
Infected objects: 36
Suspicious objects: 0
Duration of the scan: 06:31:37


File name / Threat name / Threats count
C:\PCtools\hijackthis\backups\backup-20060718-190055-392.dll Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.s 1
C:\PCtools\hijackthis\backups\backup-20060718-190055-603.dll Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\program files\filesubmit\swanfamilywa.exe\NNWDAC638.EXE Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\nidle\nidle.exe1p9.vir Infected: Trojan-Downloader.Win32.Agent.bnve 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\binuvete.dll.vir Infected: Trojan-Spy.Win32.Agent.akct 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\birizori.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.vnjh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gldx.exe.vir Infected: Trojan.Win32.Agent.bxcu 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hezozaba.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.vnjh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\jorevuku.exe.vir Infected: Trojan.Win32.AntiAV.aug 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\lavuzemo.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.vnjh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pohitelo.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.vnjh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\prunnet.exe.vir Infected: Trojan.Win32.Agent.bwvn 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\senekahasfnqql.dll.vir Infected: Trojan.Win32.Tdss.sbq 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\senekalywiwoui.dll.vir Infected: Trojan.Win32.Tdss.sbm 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vekujusi.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.vnjh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vijobaje.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.vnjh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\yidefemo.exe.vir Infected: Trojan.Win32.AntiAV.aug 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\zadasola.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.vnjh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\___c00258BA_.dat.zip Infected: Trojan.Win32.Agent2.gnv 1
C:\Qoobox\Quarantine\[4]-Submit_2009-04-02@22.10.zip Infected: Trojan-Downloader.Win32.FraudLoad.vnjh 1
C:\WINDOWS\system32\ConTest.dll Infected: not-a-virus:FraudTool.Win32.Ascentive.b 1
C:\WINDOWS\system32\gufosaku.exe Infected: Trojan-Downloader.Win32.FraudLoad.vnjh 1
C:\WINDOWS\system32\krbclick1.exe Infected: Backdoor.Win32.Rbot.kpe 1
E:\!Submit\NDNuninstall5_48.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
E:\!Submit\NDNuninstall5_64.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
E:\!Submit\NDNuninstall6_10.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
E:\!Submit\NDNuninstall6_22.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
E:\!Submit\NDNuninstall6_30.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.g 1
E:\!Submit\NDNuninstall6_38.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
E:\!Submit\newdotnet6_38.dll Infected: not-a-virus:AdWare.Win32.NewDotNet 1
E:\!Submit\uninstall6_38.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
E:\Documents and Settings\Guest\.jpi_cache\jar\1.0\ar3.jar-7dbaf4a8-268c2097.zip Infected: Trojan.Java.ClassLoader.k 1
E:\RECYCLER\NPROTECT\00001883.EXE Infected: not-a-virus:AdWare.Win32.NewDotNet 1
E:\WINDOWS\system32\FM20.exe Infected: Trojan.Win32.Dialer.ce 1
E:\WINDOWS\system32\rk.bin Infected: not-a-virus:Server-Proxy.Win32.MarketScore.k 1
E:\WINDOWS\system32\rk.exe Infected: not-a-virus:Server-Proxy.Win32.MarketScore.k 1

The selected area was scanned.
04-08-2009, 06:17 AM   #8
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,882
OS: WinXP and Vista


Re: Please read my hijackthis file

I do not see the ComboFix.txt. It's important that I see that--please post it.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
04-08-2009, 07:13 AM   #9
Registered User
 
Join Date: Mar 2009
Posts: 9
OS: windowsXP service pack 3


Re: Please read my hijackthis file

ComboFix 09-03-31.01 - Owner 2009-04-07 20:04:43.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.504.168 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

FILE ::
c:\program files\mozilla firefox\plugins\atgpcdec.dll
c:\program files\mozilla firefox\plugins\atgpcext.dll
c:\program files\mozilla firefox\plugins\atmccli.dll
c:\program files\mozilla firefox\plugins\ieatgpc.dll
c:\windows\system32\binuvete.dll
c:\windows\system32\birizori.exe
c:\windows\system32\bozaride.dll
c:\windows\system32\emanijag.ini
c:\windows\system32\fabarupa.dll
c:\windows\system32\fikututi.dll
c:\windows\system32\gahiboru.dll
c:\windows\system32\gldx.exe
c:\windows\system32\hezozaba.exe
c:\windows\system32\janagehu.dll
c:\windows\system32\jorevuku.exe
c:\windows\system32\lavuzemo.exe
c:\windows\system32\lobejuno.dll
c:\windows\system32\nevujeho.dll
c:\windows\system32\newakoja.dll
c:\windows\system32\pavijifu.dll
c:\windows\system32\pohitelo.exe
c:\windows\system32\rafupoka.dll
c:\windows\system32\rahitelo.dll
c:\windows\system32\rusovudu.dll
c:\windows\system32\tajonoyi.dll
c:\windows\system32\vekujusi.exe
c:\windows\system32\vevapada.dll
c:\windows\system32\vijobaje.exe
c:\windows\system32\visugahu.dll
c:\windows\system32\vuhikube.dll
c:\windows\system32\wofetoha.dll
c:\windows\system32\yidefemo.exe
c:\windows\system32\zadasola.exe
c:\windows\system32\zomumuzo.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Owner\Application Data\nidle
c:\documents and settings\Owner\Application Data\nidle\nidle.exe1p9
c:\program files\mozilla firefox\plugins\atgpcdec.dll
c:\program files\mozilla firefox\plugins\atgpcext.dll
c:\program files\mozilla firefox\plugins\atmccli.dll
c:\program files\mozilla firefox\plugins\ieatgpc.dll
c:\windows\system32\biduyayo.dll
c:\windows\system32\binuvete.dll
c:\windows\system32\birizori.exe
c:\windows\system32\bozaride.dll
c:\windows\system32\ekarafin.ini
c:\windows\system32\emanijag.ini
c:\windows\system32\etapujen.ini
c:\windows\system32\fabarupa.dll
c:\windows\system32\fikututi.dll
c:\windows\system32\gahiboru.dll
c:\windows\system32\gldx.exe
c:\windows\system32\hezozaba.exe
c:\windows\system32\janagehu.dll
c:\windows\system32\jorevuku.exe
c:\windows\system32\kugiboha.dll
c:\windows\system32\lavuzemo.exe
c:\windows\system32\linefaku.dll
c:\windows\system32\lobejuno.dll
c:\windows\system32\lulekosa.exe
c:\windows\system32\moriwami.dll
c:\windows\system32\nejupate.dll
c:\windows\system32\nevujeho.dll
c:\windows\system32\newakoja.dll
c:\windows\system32\nifarake.dll
c:\windows\system32\pavijifu.dll
c:\windows\system32\pefoginu.dll
c:\windows\system32\pohitelo.exe
c:\windows\system32\rafupoka.dll
c:\windows\system32\rahitelo.dll
c:\windows\system32\reperizu.dll
c:\windows\system32\rusovudu.dll
c:\windows\system32\tajonoyi.dll
c:\windows\system32\uhuzubiz.ini
c:\windows\system32\ukafenil.ini
c:\windows\system32\vekujusi.exe
c:\windows\system32\vevapada.dll
c:\windows\system32\vijobaje.exe
c:\windows\system32\visugahu.dll
c:\windows\system32\vuhikube.dll
c:\windows\system32\wofetoha.dll
c:\windows\system32\yidefemo.exe
c:\windows\system32\zadasola.exe
c:\windows\system32\zibuzuhu.dll
c:\windows\system32\zomumuzo.dll

.
((((((((((((((((((((((((( Files Created from 2009-03-07 to 2009-04-07 )))))))))))))))))))))))))))))))
.

2009-04-07 19:34 . 2009-04-07 19:34 389,120 --a------ c:\windows\system32\CF13347.exe
2009-03-30 09:04 . 2009-03-30 09:04 97,792 --a------ c:\windows\system32\krbclick1.exe
2009-03-29 08:07 . 2009-03-29 08:48 <DIR> d-------- c:\documents and settings\216\Application Data\OOVOOTOOLBAR
2009-03-28 21:22 . 2009-03-28 21:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Suite
2009-03-28 04:57 . 2009-03-28 04:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2009-03-27 23:35 . 2009-03-09 15:06 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-03-27 23:20 . 2009-03-09 15:06 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-03-27 23:17 . 2009-03-27 23:17 <DIR> d-------- c:\program files\Lavasoft
2009-03-27 23:17 . 2009-03-27 23:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-27 20:48 . 2009-03-27 23:18 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-24 21:27 . 2009-03-24 21:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\ALM
2009-03-24 21:23 . 2009-03-24 21:23 <DIR> d-------- c:\program files\Bonjour
2009-03-24 21:02 . 2009-03-24 21:02 <DIR> d-------- c:\program files\common files\Macrovision Shared
2009-03-23 21:47 . 2009-03-23 21:47 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_motport_01005.Wdf
2009-03-21 20:14 . 2009-04-02 22:01 <DIR> d-------- c:\program files\oovooToolbar
2009-03-21 20:14 . 2009-03-21 20:14 <DIR> d-------- c:\documents and settings\Owner\Application Data\ooVoo Details
2009-03-13 21:35 . 2009-03-13 21:35 6,144 --ahsc--- c:\windows\system32\Thumbs.db

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-03 02:01 --------- d--h--w c:\program files\InstallShield Installation Information
2009-04-01 02:47 61,440 --sha-w c:\windows\system32\gufosaku.exe
2009-03-30 02:53 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2009-03-28 00:04 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-28 00:00 --------- d-----w c:\program files\Symantec
2009-03-27 23:33 --------- d-----w c:\program files\Common Files\Adobe
2009-03-21 00:21 --------- d-----w c:\documents and settings\Owner\Application Data\AdobeUM
2009-03-11 08:02 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-17 05:24 --------- d-----w c:\program files\Microsoft ActiveSync
2009-02-17 05:16 0 -c-ha-w c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-02-17 05:14 0 -c-ha-w c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2009-02-17 05:14 0 -c-ha-w c:\windows\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2009-02-17 03:57 0 -c-ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-02-17 03:57 0 -c-ha-w c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-02-16 04:09 --------- d-----w c:\program files\Common Files\Xara
2009-02-10 00:13 --------- d-----w c:\program files\PC Connectivity Solution
2009-02-10 00:04 --------- d-----w c:\documents and settings\All Users\Application Data\Installations
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 04:06 --------- d-----w c:\documents and settings\Owner\Application Data\GoodSync
2009-02-09 03:59 --------- d-----w c:\program files\Siber Systems
2009-01-23 01:02 8,464 -c--a-w c:\windows\system32\sporder.dll
2005-06-16 01:57 645 -c-ha-w c:\documents and settings\Guest\hpothb07.dat
2005-06-16 01:57 0 -c-ha-w c:\documents and settings\Owner\hpothb07.dat
2005-04-18 17:20 164 -c-ha-w c:\documents and settings\All Users\hpothb07.dat
2008-11-30 18:18 56 --sh--r c:\windows\system32\77CFD94C88.sys
2008-11-26 08:15 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008110320081110\index.dat
2008-11-26 08:15 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008112620081127\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-31_21.30.30.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-03 18:57:32 1,660,928 ----a-w c:\windows\Downloaded Program Files\genipublisher.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"NVIEW"="nview.dll" [2003-05-03 c:\windows\system32\nview.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-08-20 118784]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-05-03 4640768]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-08-20 155648]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]
"LogitechGalleryRepair"="c:\program files\Logitech\ImageStudio\ISStart.exe" [2002-12-10 155648]
"LogitechImageStudioTray"="c:\program files\Logitech\ImageStudio\LogiTray.exe" [2002-12-10 61440]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"zinowuvovu"="c:\windows\system32\sizotasi.dll" [BU]
"nwiz"="nwiz.exe" [2003-05-03 c:\windows\system32\nwiz.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]

c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-07 27136]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-07 27136]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - c:\program files\interMute\SpamSubtract\SpamSubtract.exe [2003-07-26 552960]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
2003-02-21 06:50 40960 c:\program files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP53"= SP5X_32.DLL
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL
"VIDC.SP59"= SP5X_32.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\program files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=
"c:\\program files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\program files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\program files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\program files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\wjview.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\program files\\Bonjour\\mDNSResponder.exe"=
"c:\\HP\\KBD\\kbd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-27 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-08-22 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-08-22 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-06-18 23680]
.
Contents of the 'Scheduled Tasks' folder

2009-04-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 15:06]

2009-04-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

2009-04-04 c:\windows\Tasks\Disable Compaq Connections.job
- c:\progra~1\COMPAQ~1\1940576\Program\TOGGLE~1.EXE [2003-07-24 06:03]

2009-03-30 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2008-04-13 20:12]

2005-07-22 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1112669313.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 00:52]

2009-04-04 c:\windows\Tasks\Spybot - Search & Destroy.job
- c:\progra~1\SPYBOT~1\SpybotSD.exe [2008-07-30 14:45]

2009-04-06 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-07 19:04]
.
- - - - ORPHANS REMOVED - - - -

BHO-{94c97c02-56f0-4e0a-b416-53383e8b110e} - c:\windows\system32\biduyayo.dll
WebBrowser-{A057A204-BACC-4D26-8087-36EE87E26986} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://srch-qus9.hpwis.com/
mSearch Bar = hxxp://srch-qus9.hpwis.com/
uInternet Settings,ProxyOverride = localhost;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
LSP: SpSubLSP.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Geni Publisher - hxxp://www.geni.com/plugins/genipublisher.CAB
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-07 20:10:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(532)
c:\program files\Softex\OmniPass\opxpgina.dll

- - - - - - - > 'lsass.exe'(588)
c:\windows\system32\SpSubLSP.dll
.
Completion time: 2009-04-07 20:15:53
ComboFix-quarantined-files.txt 2009-04-08 00:14:33
ComboFix2.txt 2009-04-01 01:41:22

Pre-Run: 34,820,448,256 bytes free
Post-Run: 34,822,615,040 bytes free

283 --- E O F --- 2009-03-21 08:03:40



Windows aren't popping up all the time now trying to get me to download all the spyware and malware problems. It's still a bit slow though and still freezes up sometimes. Thanks for your help. I'll be waiting to hear from you. Thanks!
04-08-2009, 08:49 PM   #10
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,882
OS: WinXP and Vista


Re: Please read my hijackthis file

We still have a bit more to do.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:


http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/361065-please-read-my-hijackthis-file-post2069120.html#post2069120

Collect::
C:\WINDOWS\system32\gufosaku.exe

File::
C:\PCtools\hijackthis\backups\backup-20060718-190055-392.dll
C:\PCtools\hijackthis\backups\backup-20060718-190055-603.dll
C:\program files\filesubmit
C:\WINDOWS\system32\ConTest.dll
C:\WINDOWS\system32\krbclick1.exe
E:\WINDOWS\system32\FM20.exe
E:\WINDOWS\system32\rk.bin
E:\WINDOWS\system32\rk.exe
c:\windows\system32\krbclick1.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zinowuvovu"=-

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe





Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
---------------------------------------------------------------------

Post the C:\ComboFix.txt and another update on system behavior.
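The CFScript posted above is a small config format: `Name::` section headers, one path per line, and a regedit-style `Registry::` block. As an added example (not code from the thread or from ComboFix), here is a Python reviewer that parses those sections, drops case-only duplicate paths, and checks each `"name"=-` deletion against the Reg Loading Points block ComboFix printed in its own log, so the helper can confirm the entry is really there before the script runs. The sample script and log excerpt are constructed from the ones posted in this thread; `=-` is standard regedit value-deletion syntax.

```python
"""Review a ComboFix CFScript before it is run: parse its sections,
deduplicate the File:: list, and cross-check each Registry:: deletion
against the Run-key entries ComboFix listed in its own log.
Added example, not ComboFix's code; section names and the regedit
'"name"=-' deletion syntax are taken from the script posted above."""
import re
from collections import defaultdict

# Constructed sample: the script posted above, trimmed to a few entries.
CFSCRIPT = r"""
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/361065-please-read-my-hijackthis-file-post2069120.html#post2069120

Collect::
C:\WINDOWS\system32\gufosaku.exe

File::
C:\PCtools\hijackthis\backups\backup-20060718-190055-392.dll
C:\WINDOWS\system32\ConTest.dll
C:\WINDOWS\system32\krbclick1.exe
c:\windows\system32\krbclick1.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zinowuvovu"=-
"""

# Constructed excerpt of the "Reg Loading Points" block from the ComboFix log.
COMBOFIX_REG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"zinowuvovu"="c:\windows\system32\sizotasi.dll" [BU]
"""

SECTION_RE = re.compile(r"^(\w+)::$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_cfscript(text):
    """Split a CFScript into {section: [lines]}; text before the first
    'Name::' header (here the thread URL) is kept under 'preamble'."""
    sections = defaultdict(list)
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        sections[current].append(line)
    return dict(sections)


def unique_paths(paths):
    """Windows paths are case-insensitive, so drop case-only duplicates
    (the posted script lists krbclick1.exe twice) while keeping order."""
    seen, out = set(), []
    for p in paths:
        if p.lower() not in seen:
            seen.add(p.lower())
            out.append(p)
    return out


def parse_regedit_block(lines):
    """Parse regedit-style lines into {key: {name: data}}. A data field of
    '-' is regedit's syntax for deleting the value; ComboFix's log appends
    '[date size]' or '[BU]' after the data, which is kept verbatim."""
    entries = defaultdict(dict)
    key = None
    for line in lines:
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if vm and key:
            entries[key][vm.group(1)] = vm.group(2).strip()
    return dict(entries)


def registry_deletions(script_sections):
    """Return [(key, value_name)] for every '"name"=-' line in Registry::."""
    reg = parse_regedit_block(script_sections.get("Registry", []))
    return [(k, n) for k, vals in reg.items() for n, d in vals.items() if d == "-"]


def check_deletions_against_log(script_sections, log_text):
    """For each value the script deletes, look it up in the ComboFix
    'Reg Loading Points' dump (keys compared case-insensitively) and return
    the data the log showed, or None if the entry was never listed."""
    log = {k.lower(): v for k, v in parse_regedit_block(log_text.splitlines()).items()}
    return {(key, name): log.get(key.lower(), {}).get(name)
            for key, name in registry_deletions(script_sections)}


def review(script_text, log_text):
    """Summarise what the script will collect, delete and remove."""
    s = parse_cfscript(script_text)
    return {
        "collect": unique_paths(s.get("Collect", [])),
        "delete_files": unique_paths(s.get("File", [])),
        "registry": check_deletions_against_log(s, log_text),
    }


if __name__ == "__main__":
    for action, detail in review(CFSCRIPT, COMBOFIX_REG).items():
        print(action, detail)
```

A deletion that comes back as None is worth a second look before running the script, since the entry was not among the loading points ComboFix reported.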
04-09-2009, 11:08 PM   #11
Registered User
 
Join Date: Mar 2009
Posts: 9
OS: windowsXP service pack 3


Re: Please read my hijackthis file

Ok, I think I made a mistake. I followed the instructions, but after I got the log created by ComboFix, I copied it, but before I pasted it, I realized that I had deleted the ComboFix.txt. I copied the last one I had sent you and pasted it into a new notepad. Then, since I didn't have the log anymore, I went ahead and started from the beginning of your last post. I dragged the CFScript into ComboFix.exe but it wouldn't work; it gave me an error box that reads: PING.EXE - BAD IMAGE The application DLL C:/windows/system32.spsublsp.dll is not a valid window image.

Sorry! What do I do now? Hope you can still help.
04-09-2009, 11:25 PM   #12
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,882
OS: WinXP and Vista


Re: Please read my hijackthis file

Just try running ComboFix.exe by double clicking it. Do not drag and drop the script. Post the resultant ComboFix.txt
04-10-2009, 01:00 AM   #13
Registered User
 
Join Date: Mar 2009
Posts: 9
OS: windowsXP service pack 3


Re: Please read my hijackthis file

ComboFix 09-04-04.01 - Owner 2009-04-10 2:05:59.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.504.78 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-03-10 to 2009-04-10 )))))))))))))))))))))))))))))))
.

2009-04-07 20:23 . 2009-04-07 20:23 410,984 --a------ c:\windows\system32\deploytk.dll
2009-04-07 20:23 . 2009-04-07 20:23 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-29 08:07 . 2009-03-29 08:48 <DIR> d-------- c:\documents and settings\216\Application Data\OOVOOTOOLBAR
2009-03-28 21:22 . 2009-03-28 21:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Suite
2009-03-28 04:57 . 2009-03-28 04:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2009-03-27 23:35 . 2009-03-09 15:06 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-03-27 23:20 . 2009-03-09 15:06 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-03-27 23:17 . 2009-03-27 23:17 <DIR> d-------- c:\program files\Lavasoft
2009-03-27 23:17 . 2009-03-27 23:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-27 20:48 . 2009-03-27 23:18 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-24 21:27 . 2009-03-24 21:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\ALM
2009-03-24 21:23 . 2009-03-24 21:23 <DIR> d-------- c:\program files\Bonjour
2009-03-24 21:02 . 2009-03-24 21:02 <DIR> d-------- c:\program files\common files\Macrovision Shared
2009-03-23 21:47 . 2009-03-23 21:47 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_motport_01005.Wdf
2009-03-21 20:14 . 2009-04-02 22:01 <DIR> d-------- c:\program files\oovooToolbar
2009-03-21 20:14 . 2009-03-21 20:14 <DIR> d-------- c:\documents and settings\Owner\Application Data\ooVoo Details
2009-03-13 21:35 . 2009-03-13 21:35 6,144 --ahsc--- c:\windows\system32\Thumbs.db

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-08 00:22 --------- d-----w c:\program files\Java
2009-04-03 02:01 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-30 02:53 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2009-03-28 00:04 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-28 00:00 --------- d-----w c:\program files\Symantec
2009-03-27 23:33 --------- d-----w c:\program files\Common Files\Adobe
2009-03-21 00:21 --------- d-----w c:\documents and settings\Owner\Application Data\AdobeUM
2009-03-11 08:02 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-17 05:24 --------- d-----w c:\program files\Microsoft ActiveSync
2009-02-17 05:16 0 -c-ha-w c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-02-17 05:14 0 -c-ha-w c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2009-02-17 05:14 0 -c-ha-w c:\windows\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2009-02-17 03:57 0 -c-ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-02-17 03:57 0 -c-ha-w c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-02-16 04:09 --------- d-----w c:\program files\Common Files\Xara
2009-02-10 00:13 --------- d-----w c:\program files\PC Connectivity Solution
2009-02-10 00:04 --------- d-----w c:\documents and settings\All Users\Application Data\Installations
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-01-23 01:02 8,464 -c--a-w c:\windows\system32\sporder.dll
2005-06-16 01:57 645 -c-ha-w c:\documents and settings\Guest\hpothb07.dat
2005-06-16 01:57 0 -c-ha-w c:\documents and settings\Owner\hpothb07.dat
2005-04-18 17:20 164 -c-ha-w c:\documents and settings\All Users\hpothb07.dat
2008-11-30 18:18 56 --sh--r c:\windows\system32\77CFD94C88.sys
2008-11-26 08:15 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008110320081110\index.dat
2008-11-26 08:15 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008112620081127\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-31_21.30.30.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-03 18:57:32 1,660,928 ----a-w c:\windows\Downloaded Program Files\genipublisher.dll
- 2003-02-20 21:42:34 24,677 -c----w c:\windows\system32\java.exe
+ 2009-04-08 00:23:12 144,792 ----a-w c:\windows\system32\java.exe
- 2003-02-20 21:42:34 28,775 -c----w c:\windows\system32\javaw.exe
+ 2009-04-08 00:23:12 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2009-04-08 00:23:12 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2009-04-10 03:35:30 16,384 ----atw c:\windows\temp\Perflib_Perfdata_764.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"NVIEW"="nview.dll" [2003-05-03 c:\windows\system32\nview.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-08-20 118784]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-05-03 4640768]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-08-20 155648]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]
"LogitechGalleryRepair"="c:\program files\Logitech\ImageStudio\ISStart.exe" [2002-12-10 155648]
"LogitechImageStudioTray"="c:\program files\Logitech\ImageStudio\LogiTray.exe" [2002-12-10 61440]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-07 148888]
"nwiz"="nwiz.exe" [2003-05-03 c:\windows\system32\nwiz.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]

c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-07 27136]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-07 27136]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - c:\program files\interMute\SpamSubtract\SpamSubtract.exe [2003-07-26 552960]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
2003-02-21 06:50 40960 c:\program files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP53"= SP5X_32.DLL
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL
"VIDC.SP59"= SP5X_32.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\program files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=
"c:\\program files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\program files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\program files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\program files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\wjview.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\program files\\Bonjour\\mDNSResponder.exe"=
"c:\\HP\\KBD\\kbd.exe"=
"c:\\program files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-27 64160]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-08-22 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-08-22 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-06-18 23680]
.
Contents of the 'Scheduled Tasks' folder

2009-04-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 15:06]

2009-04-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

2009-04-04 c:\windows\Tasks\Disable Compaq Connections.job
- c:\progra~1\COMPAQ~1\1940576\Program\TOGGLE~1.EXE [2003-07-24 06:03]

2009-03-30 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2008-04-13 20:12]

2005-07-22 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1112669313.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 00:52]

2009-04-04 c:\windows\Tasks\Spybot - Search & Destroy.job
- c:\progra~1\SPYBOT~1\SpybotSD.exe [2008-07-30 14:45]

2009-04-06 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-07 19:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://srch-qus9.hpwis.com/
mSearch Bar = hxxp://srch-qus9.hpwis.com/
uInternet Settings,ProxyOverride = localhost;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
LSP: SpSubLSP.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Geni Publisher - hxxp://www.geni.com/plugins/genipublisher.CAB
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-10 02:11:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(524)
c:\program files\Softex\OmniPass\opxpgina.dll

- - - - - - - > 'lsass.exe'(580)
c:\windows\system32\SpSubLSP.dll
.
Completion time: 2009-04-10 2:16:49
ComboFix-quarantined-files.txt 2009-04-10 06:15:27
ComboFix2.txt 2009-04-10 04:09:33
ComboFix3.txt 2009-04-10 03:17:46
ComboFix4.txt 2009-04-08 00:15:55
ComboFix5.txt 2009-04-10 06:05:19

Pre-Run: 34,750,570,496 bytes free
Post-Run: 34,737,704,960 bytes free

198 --- E O F --- 2009-03-21 08:03:40
bosslady is offline  
Old 04-10-2009, 09:28 PM   #14 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,882
OS: WinXP and Vista


Re: Please read my hijackthis file

Click Start>Run and copy/paste the following bolded text into the Run box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt

A report should pop open for you. Please post the contents in your next reply.

Also, how is the system behaving?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 04-13-2009, 10:29 PM   #15 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 9
OS: windowsXP service pack 3


Re: Please read my hijackthis file

It's gotten a lot better. Thank you. Are there any more steps I'll need to take at this point? Here's the requested report.



0000-00-00 00:00:00 A------- 47,616 C:\Qoobox\Quarantine\C\WINDOWS\system32\biduyayo.dll.vir
0000-00-00 00:00:00 A------- 47,616 C:\Qoobox\Quarantine\C\WINDOWS\system32\luduyufe.dll.vir
0000-00-00 00:00:00 A------- 61,440 C:\Qoobox\Quarantine\C\WINDOWS\system32\birizori.exe.vir
0000-00-00 00:00:00 A------- 61,440 C:\Qoobox\Quarantine\C\WINDOWS\system32\hezozaba.exe.vir
0000-00-00 00:00:00 A------- 61,440 C:\Qoobox\Quarantine\C\WINDOWS\system32\jorevuku.exe.vir
0000-00-00 00:00:00 A------- 61,440 C:\Qoobox\Quarantine\C\WINDOWS\system32\lavuzemo.exe.vir
0000-00-00 00:00:00 A------- 61,440 C:\Qoobox\Quarantine\C\WINDOWS\system32\lulekosa.exe.vir
0000-00-00 00:00:00 A------- 61,440 C:\Qoobox\Quarantine\C\WINDOWS\system32\pohitelo.exe.vir
0000-00-00 00:00:00 A------- 61,440 C:\Qoobox\Quarantine\C\WINDOWS\system32\vekujusi.exe.vir
0000-00-00 00:00:00 A------- 61,440 C:\Qoobox\Quarantine\C\WINDOWS\system32\vijobaje.exe.vir
0000-00-00 00:00:00 A------- 61,440 C:\Qoobox\Quarantine\C\WINDOWS\system32\yidefemo.exe.vir
0000-00-00 00:00:00 A------- 61,440 C:\Qoobox\Quarantine\C\WINDOWS\system32\zadasola.exe.vir
0000-00-00 00:00:00 A------- 79,872 C:\Qoobox\Quarantine\C\WINDOWS\system32\fikututi.dll.vir
0000-00-00 00:00:00 A------- 79,872 C:\Qoobox\Quarantine\C\WINDOWS\system32\janagehu.dll.vir
0000-00-00 00:00:00 A------- 79,872 C:\Qoobox\Quarantine\C\WINDOWS\system32\nevujeho.dll.vir
0000-00-00 00:00:00 A------- 79,872 C:\Qoobox\Quarantine\C\WINDOWS\system32\rafupoka.dll.vir
0000-00-00 00:00:00 A------- 79,872 C:\Qoobox\Quarantine\C\WINDOWS\system32\tajonoyi.dll.vir
0000-00-00 00:00:00 A------- 79,872 C:\Qoobox\Quarantine\C\WINDOWS\system32\vuhikube.dll.vir
0000-00-00 00:00:00 A------- 84,992 C:\Qoobox\Quarantine\C\WINDOWS\system32\binuvete.dll.vir
0000-00-00 00:00:00 A------- 84,992 C:\Qoobox\Quarantine\C\WINDOWS\system32\bozaride.dll.vir
0000-00-00 00:00:00 A------- 84,992 C:\Qoobox\Quarantine\C\WINDOWS\system32\fabarupa.dll.vir
0000-00-00 00:00:00 A------- 84,992 C:\Qoobox\Quarantine\C\WINDOWS\system32\gahiboru.dll.vir
0000-00-00 00:00:00 A------- 84,992 C:\Qoobox\Quarantine\C\WINDOWS\system32\lobejuno.dll.vir
0000-00-00 00:00:00 A------- 84,992 C:\Qoobox\Quarantine\C\WINDOWS\system32\newakoja.dll.vir
0000-00-00 00:00:00 A------- 84,992 C:\Qoobox\Quarantine\C\WINDOWS\system32\pavijifu.dll.vir
0000-00-00 00:00:00 A------- 84,992 C:\Qoobox\Quarantine\C\WINDOWS\system32\rahitelo.dll.vir
0000-00-00 00:00:00 A------- 84,992 C:\Qoobox\Quarantine\C\WINDOWS\system32\rusovudu.dll.vir
0000-00-00 00:00:00 A------- 84,992 C:\Qoobox\Quarantine\C\WINDOWS\system32\vevapada.dll.vir
0000-00-00 00:00:00 A------- 84,992 C:\Qoobox\Quarantine\C\WINDOWS\system32\visugahu.dll.vir
0000-00-00 00:00:00 A------- 84,992 C:\Qoobox\Quarantine\C\WINDOWS\system32\wofetoha.dll.vir
0000-00-00 00:00:00 A------- 84,992 C:\Qoobox\Quarantine\C\WINDOWS\system32\zomumuzo.dll.vir
0000-00-00 00:00:00 A------- 124,928 C:\Qoobox\Quarantine\C\WINDOWS\system32\kawowuzu.dll.vir
0000-00-00 00:00:00 A------- 124,928 C:\Qoobox\Quarantine\C\WINDOWS\system32\logowazu.dll.vir
0000-00-00 00:00:00 A------- 124,928 C:\Qoobox\Quarantine\C\WINDOWS\system32\nilekiza.dll.vir
0000-00-00 00:00:00 A------- 124,928 C:\Qoobox\Quarantine\C\WINDOWS\system32\wanoraza.dll.vir
2005-05-14 14:55:50 AC------ 262,144 C:\Qoobox\Quarantine\C\PCtools\hijackthis\backups\backup-20060718-190055-392.dll.vir
2005-05-14 14:55:54 AC------ 57,344 C:\Qoobox\Quarantine\C\PCtools\hijackthis\backups\backup-20060718-190055-603.dll.vir
2005-06-06 01:01:40 AC------ 10 C:\Qoobox\Quarantine\C\WINDOWS\smdat32m.sys.vir
2005-06-06 16:54:05 AC------ 1,024 C:\Qoobox\Quarantine\C\program files\Need2Find\bar\History\search.vir
2005-06-19 23:34:16 AC------ 905 C:\Qoobox\Quarantine\C\WINDOWS\Fonts\acrsecI.fon.vir
2005-06-19 23:34:16 AC------ 1,761 C:\Qoobox\Quarantine\C\WINDOWS\Fonts\acrsecB.fon.vir
2006-07-07 02:47:39 AC------ 324 C:\Qoobox\Quarantine\C\program files\Security Toolbar\Uninstall.bat.vir
2007-01-30 23:33:04 AC------ 41,472 C:\Qoobox\Quarantine\C\program files\Mozilla Firefox\plugins\npclntax.dll.vir
2008-01-29 23:33:10 AC------ 209 C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\urlredir.cfg.vir
2008-11-04 20:28:43 AC------ 0 C:\Qoobox\Quarantine\C\WINDOWS\system32\iAlmcoin.dll.vir
2008-11-07 17:51:56 AC------ 208,896 C:\Qoobox\Quarantine\C\WINDOWS\system32\ConTest.dll.vir
2008-11-27 22:57:17 AC------ 65,536 C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\wbxcrypt.dll.vir
2008-11-27 22:57:17 AC------ 119,879 C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\atdl2006.dll.vir
2008-11-27 22:57:18 AC------ 65,536 C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\atnetext.dll.vir
2008-11-27 22:57:18 AC------ 135,168 C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\attp.dll.vir
2008-11-27 22:57:19 AC------ 270,336 C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\atarm.dll.vir
2008-11-27 22:57:20 AC------ 5,702 C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\atkbctl.dll.vir
2008-11-27 22:57:20 AC------ 24,576 C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\atmemmgr.dll.vir
2008-11-27 22:57:20 AC------ 49,152 C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\atcarmcl.dll.vir
2008-11-27 22:57:21 AC------ 110,592 C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\uilibres.dll.vir
2008-11-27 22:57:21 AC------ 339,968 C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\atlchat.dll.vir
2008-11-27 22:57:22 AC------ 77,383 C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\atasnt40.dll.vir
2008-11-27 22:57:23 AC------ 23,106 C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\atpack.dll.vir
2008-11-27 22:57:23 AC------ 81,408 C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\atjpeg60.dll.vir
2008-11-27 22:57:24 AC------ 17,296 C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\atasanot.exe.vir
2008-11-27 22:57:24 AC------ 105,541 C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\atas32.dll.vir
2008-11-27 22:57:25 AC------ 391,751 C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\atasctrl.dll.vir
2008-11-27 22:57:26 AC------ 36,864 C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\raurl.dll.vir
2008-11-27 22:57:27 AC------ 1,564,672 C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmres.dll.vir
2008-11-27 22:57:28 AC------ 516,096 C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\webexmgr.dll.vir
2008-11-27 22:57:29 AC------ 315,392 C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\atwbxui6.dll.vir
2008-11-27 22:57:29 AC------ 2,195,456 C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\atres.dll.vir
2008-11-27 22:57:30 AC------ 152,904 C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmupd.exe.vir
2008-11-27 22:57:31 AC------ 111,944 C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmcliun.exe.vir
2008-11-27 22:57:32 AC------ 81,920 C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmproxy.dll.vir
2008-11-27 22:57:32 AC------ 184,320 C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\msess.dll.vir
2008-11-27 22:57:33 AC------ 507,904 C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\mmssl32.dll.vir
2008-11-27 22:57:34 AC------ 77,824 C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\mticket.dll.vir
2008-11-27 22:57:34 AC------ 581,632 C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\mutiltpd.dll.vir
2008-11-27 22:57:35 AC------ 221,254 C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\h264enc.dll.vir
2008-11-27 22:57:36 AC------ 294,989 C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\h264dec.dll.vir
2008-11-27 22:57:36 AC------ 364,544 C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\mvc.dll.vir
2008-11-27 22:57:51 AC------ 106 C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\mwm.ini.vir
2008-11-30 19:32:46 AC------ 27,976 C:\Qoobox\Quarantine\C\program files\Mozilla Firefox\plugins\atgpcdec.dll.vir
2008-11-30 19:32:46 AC------ 126,360 C:\Qoobox\Quarantine\C\program files\Mozilla Firefox\plugins\atgpcext.dll.vir
2008-11-30 19:32:55 AC------ 98,712 C:\Qoobox\Quarantine\C\program files\Mozilla Firefox\plugins\ieatgpc.dll.vir
2008-11-30 19:32:57 AC------ 46,408 C:\Qoobox\Quarantine\C\program files\Mozilla Firefox\plugins\atmccli.dll.vir
2008-12-31 22:47:17 A------- 61,440 C:\Qoobox\Quarantine\C\WINDOWS\system32\gufosaku.exe.vir
2008-12-31 22:47:17 A------- 79,872 C:\Qoobox\Quarantine\C\WINDOWS\system32\linefaku.dll.vir
2008-12-31 22:47:17 A------- 84,992 C:\Qoobox\Quarantine\C\WINDOWS\system32\kugiboha.dll.vir
2009-01-01 10:47:36 A------- 79,872 C:\Qoobox\Quarantine\C\WINDOWS\system32\zibuzuhu.dll.vir
2009-01-01 10:47:36 A------- 84,992 C:\Qoobox\Quarantine\C\WINDOWS\system32\reperizu.dll.vir
2009-01-01 22:47:47 A------- 79,872 C:\Qoobox\Quarantine\C\WINDOWS\system32\nifarake.dll.vir
2009-01-01 22:47:47 A------- 84,992 C:\Qoobox\Quarantine\C\WINDOWS\system32\moriwami.dll.vir
2009-01-02 10:47:59 A------- 79,872 C:\Qoobox\Quarantine\C\WINDOWS\system32\nejupate.dll.vir
2009-01-02 10:47:59 A------- 84,992 C:\Qoobox\Quarantine\C\WINDOWS\system32\pefoginu.dll.vir
2009-03-24 22:38:24 A------- 59,801 C:\Qoobox\Quarantine\C\WINDOWS\system32\prunnet.exe.vir
2009-03-24 22:42:38 A------- 75,264 C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\senekadcbsgpji.sys.vir
2009-03-24 22:42:42 A------- 56,832 C:\Qoobox\Quarantine\C\WINDOWS\system32\senekaayoovkss.dll.vir
2009-03-24 22:42:45 A------- 18,432 C:\Qoobox\Quarantine\C\WINDOWS\system32\senekahasfnqql.dll.vir
2009-03-24 22:42:45 A------- 56,854 C:\Qoobox\Quarantine\C\WINDOWS\system32\senekaakolmuec.dat.vir
2009-03-24 22:43:54 A------- 124,928 C:\Qoobox\Quarantine\C\WINDOWS\system32\nrcbas.dll.vir
2009-03-24 22:45:03 A------- 56,832 C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\nidle\nidle.exe1p9.vir
2009-03-24 22:45:19 A------- 4,095 C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Local Settings\Temporary Internet Files\fbk.sts.vir
2009-03-24 22:47:53 A------- 43 C:\Qoobox\Quarantine\C\WINDOWS\system32\senekaieeoabka.dat.vir
2009-03-24 23:09:57 A------- 133,120 C:\Qoobox\Quarantine\C\WINDOWS\omutejef.dll.vir
2009-03-25 10:02:03 A------- 3,290,183 C:\Qoobox\Quarantine\C\WINDOWS\system32\enewonoy.ini.vir
2009-03-25 22:44:25 A------- 124,928 C:\Qoobox\Quarantine\C\WINDOWS\system32\mpoqhk.dll.vir
2009-03-25 22:45:11 A------- 3,291,095 C:\Qoobox\Quarantine\C\WINDOWS\system32\okokijib.ini.vir
2009-03-26 10:44:28 A------- 124,928 C:\Qoobox\Quarantine\C\WINDOWS\system32\cfczdw.dll.vir
2009-03-26 10:44:33 A------- 3,291,173 C:\Qoobox\Quarantine\C\WINDOWS\system32\itutukif.ini.vir
2009-03-26 12:50:29 A------- 36,352 C:\Qoobox\Quarantine\C\WINDOWS\system32\gldx.exe.vir
2009-03-26 12:50:30 A------- 27,648 C:\Qoobox\Quarantine\C\WINDOWS\system32\__c00258BA.dat.vir
2009-03-26 16:50:31 A------- 27,136 C:\Qoobox\Quarantine\C\WINDOWS\system32\998.exe.vir
2009-03-26 17:05:32 A------- 27,136 C:\Qoobox\Quarantine\C\WINDOWS\system32\1000.exe.vir
2009-03-27 00:28:26 A------- 3,290,383 C:\Qoobox\Quarantine\C\WINDOWS\system32\iyonojat.ini.vir
2009-03-27 1931 A------- 3,290,243 C:\Qoobox\Quarantine\C\WINDOWS\system32\ebukihuv.ini.vir
2009-03-27 22:47:17 A------- 75,264 C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\seneka.sys.vir
2009-03-27 22:50:19 A------- 3,290,234 C:\Qoobox\Quarantine\C\WINDOWS\system32\ujilevoh.ini.vir
2009-03-28 08:08:25 A------- 18,944 C:\Qoobox\Quarantine\C\WINDOWS\system32\senekalywiwoui.dll.vir
2009-03-28 10:46:00 A------- 3,290,247 C:\Qoobox\Quarantine\C\WINDOWS\system32\ebavirek.ini.vir
2009-03-28 22:46:11 A------- 3,290,247 C:\Qoobox\Quarantine\C\WINDOWS\system32\ohejiwam.ini.vir
2009-03-29 10:46:23 A------- 3,290,247 C:\Qoobox\Quarantine\C\WINDOWS\system32\uheganaj.ini.vir
2009-03-29 22:47:41 A------- 122 C:\Qoobox\Quarantine\C\WINDOWS\system32\ivavidom.ini.vir
2009-03-30 09:04:18 A------- 97,792 C:\Qoobox\Quarantine\C\WINDOWS\system32\krbclick1.exe.vir
2009-03-30 10:46:42 A------- 3,293,768 C:\Qoobox\Quarantine\C\WINDOWS\system32\ulapejuz.ini.vir
2009-03-30 22:47:21 A------- 2,510,293 C:\Qoobox\Quarantine\C\WINDOWS\system32\ohejuven.ini.vir
2009-03-31 20:20:49 A------- 949 C:\Qoobox\Quarantine\catchme.log
2009-03-31 20:23:54 A------- 920 C:\Qoobox\Quarantine\Registry_backups\Service_SENEKA.reg.dat
2009-03-31 20:47:24 A------- 23,370 C:\Qoobox\Quarantine\C\WINDOWS\system32\___c00258BA_.dat.zip
2009-03-31 20:49:39 A------- 7,486 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-03-31 20:50:22 A------- 790 C:\Qoobox\Quarantine\Registry_backups\Legacy_NNSERV.reg.dat
2009-03-31 20:50:22 A------- 3,322 C:\Qoobox\Quarantine\Registry_backups\Service_NNServ.reg.dat
2009-03-31 21:18:47 A------- 1,403,233 C:\Qoobox\Quarantine\C\WINDOWS\system32\emanijag.ini.vir
2009-03-31 21:30:39 A------- 416 C:\Qoobox\Quarantine\Registry_backups\BHO-{455b6958-9422-4627-8a57-67024c9e7981}.reg.dat
2009-03-31 21:30:56 A------- 99 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-WebCamRT.exe.reg.dat
2009-03-31 21:30:56 A------- 168 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Performance Center.reg.dat
2009-03-31 21:30:56 A------- 181 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Uniblue RegistryBooster 2009.reg.dat
2009-03-31 21:30:56 A------- 235 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-nidle.reg.dat
2009-03-31 21:31:00 A------- 144 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Blorupalirikiji.reg.dat
2009-03-31 21:31:00 A------- 151 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-zinowuvovu.reg.dat
2009-03-31 21:31:10 A------- 135 C:\Qoobox\Quarantine\Registry_backups\HKU-Default-Run-InetChk.reg.dat
2009-03-31 21:31:10 A------- 138 C:\Qoobox\Quarantine\Registry_backups\HKU-Default-Run-A00F2A4A2CF.exe.reg.dat
2009-03-31 21:31:49 A------- 554 C:\Qoobox\Quarantine\Registry_backups\Notify-__c00258BA.reg.dat
2009-03-31 21:31:58 A------- 558 C:\Qoobox\Quarantine\Registry_backups\SafeBoot-Wdf01000.sys.reg.dat
2009-03-31 22:47:31 A------- 1,403,233 C:\Qoobox\Quarantine\C\WINDOWS\system32\ukafenil.ini.vir
2009-04-01 10:47:37 A------- 1,425,753 C:\Qoobox\Quarantine\C\WINDOWS\system32\uhuzubiz.ini.vir
2009-04-01 22:47:48 A------- 1,425,753 C:\Qoobox\Quarantine\C\WINDOWS\system32\ekarafin.ini.vir
2009-04-02 10:48:00 A------- 1,425,753 C:\Qoobox\Quarantine\C\WINDOWS\system32\etapujen.ini.vir
2009-04-02 22:11:14 A------- 72,678 C:\Qoobox\Quarantine\[4]-Submit_2009-04-02@22.10.zip
2009-04-07 20:04:35 A------- 28,361 C:\Qoobox\Quarantine\[4]-Submit_2009-04-07@20.04.zip
2009-04-07 20:11:58 A------- 374 C:\Qoobox\Quarantine\Registry_backups\BHO-{94c97c02-56f0-4e0a-b416-53383e8b110e}.reg.dat
2009-04-07 20:12:00 A------- 171 C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{A057A204-BACC-4D26-8087-36EE87E26986}.reg.dat
2009-04-09 23:07:31 A------- 64,458 C:\Qoobox\Quarantine\[4]-Submit_2009-04-09@23.07.zip
2009-04-09 23:13:20 A------- 11,776 C:\Qoobox\Quarantine\E\WINDOWS\system32\FM20.exe.vir
2009-04-09 23:13:20 A------- 864,256 C:\Qoobox\Quarantine\E\WINDOWS\system32\rk.bin.vir
2009-04-09 23:13:21 A------- 864,256 C:\Qoobox\Quarantine\E\WINDOWS\system32\rk.exe.vir
2009-04-09 23:57:50 A------- 39,123 C:\Qoobox\Quarantine\[4]-Submit_2009-04-09@23.57.zip
bosslady is offline  
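The quarantine report above is a flat list, which makes it hard to see at a glance which directories were hit and which files were copies of the same payload under different random names (note the many 61,440-, 79,872- and 84,992-byte files in system32 with eight-letter names). As an added example, not part of this thread or of ComboFix itself, here is a small Python parser for that report format that maps each quarantined file back to its original location, counts hits per directory, and groups files of identical size. The sample input is constructed from a few rows of the report; the helper names are the author's own.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: rows copied in the format of the ComboFix quarantine report
# (timestamp, attribute flags, size with thousands separators, quarantine path).
SAMPLE_REPORT = r"""
0000-00-00 00:00:00 A------- 84,992 C:\Qoobox\Quarantine\C\WINDOWS\system32\binuvete.dll.vir
0000-00-00 00:00:00 A------- 84,992 C:\Qoobox\Quarantine\C\WINDOWS\system32\bozaride.dll.vir
0000-00-00 00:00:00 A------- 61,440 C:\Qoobox\Quarantine\C\WINDOWS\system32\birizori.exe.vir
2009-03-24 22:42:38 A------- 75,264 C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\senekadcbsgpji.sys.vir
2009-03-31 20:23:54 A------- 920 C:\Qoobox\Quarantine\Registry_backups\Service_SENEKA.reg.dat
2009-04-09 23:13:20 A------- 864,256 C:\Qoobox\Quarantine\E\WINDOWS\system32\rk.bin.vir
"""

QUARANTINE_ROOT = "C:\\Qoobox\\Quarantine\\"
# timestamp (two tokens), 8-char attribute field, size, then the rest of the line as the path
LINE_RE = re.compile(r"^(\S+ \S+) (\S{8}) ([\d,]+) (.+?)\s*$")


class Entry(NamedTuple):
    timestamp: str
    attrs: str
    size: int
    quarantine_path: str
    original_path: Optional[str]  # None for ComboFix's own artefacts (registry backups, zips)


def original_path(qpath: str) -> Optional[str]:
    """Map a quarantine path back to where the file lived on disk.

    ComboFix stores X:\\dir\\file as C:\\Qoobox\\Quarantine\\X\\dir\\file.vir, so the first
    component after the quarantine root is the original drive letter.
    """
    if not qpath.startswith(QUARANTINE_ROOT) or not qpath.endswith(".vir"):
        return None
    rel = qpath[len(QUARANTINE_ROOT):-len(".vir")]
    drive, sep, rest = rel.partition("\\")
    if len(drive) != 1 or not sep:
        return None
    return f"{drive}:\\{rest}"


def parse_report(text: str) -> List[Entry]:
    """Parse report rows; blank lines and anything not matching the row format are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, attrs, size, qpath = m.groups()
        entries.append(Entry(ts, attrs, int(size.replace(",", "")), qpath, original_path(qpath)))
    return entries


def by_directory(entries: List[Entry]) -> Dict[str, int]:
    """Count quarantined files per original directory (registry backups etc. excluded)."""
    counts: Dict[str, int] = defaultdict(int)
    for e in entries:
        if e.original_path:
            counts[e.original_path.rsplit("\\", 1)[0]] += 1
    return dict(counts)


def size_clusters(entries: List[Entry], min_count: int = 2) -> Dict[int, List[str]]:
    """Group quarantined files by exact byte size.

    Several differently named files of identical size are a common sign of one
    dropper writing the same payload under generated names, which is worth
    confirming by hashing the quarantined copies.
    """
    groups: Dict[int, List[str]] = defaultdict(list)
    for e in entries:
        if e.original_path:
            groups[e.size].append(e.original_path.rsplit("\\", 1)[1])
    return {size: names for size, names in groups.items() if len(names) >= min_count}


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    for directory, n in sorted(by_directory(rows).items()):
        print(f"{n:3d}  {directory}")
    for size, names in size_clusters(rows).items():
        print(f"{size} bytes x{len(names)}: {', '.join(names)}")
```

Run against the full report text saved from C:\Qoobox\ComboFix-quarantined-files.txt, the per-directory counts show where the infection wrote most of its files, and the size clusters point at which quarantined copies to hash and compare first.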
Old 04-14-2009, 03:24 PM   #16 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,882
OS: WinXP and Vista


Re: Please read my hijackthis file

Thanks, I wanted to confirm the deletions I gave you in my last script.

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------

In the event you wish to contribute to the ongoing development of ComboFix, donations can be made via PayPal.



To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.


Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?
Think Prevention


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 04-15-2009, 03:43 PM   #17 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 9
OS: windowsXP service pack 3


Re: Please read my hijackthis file

I just want to thank you so much. My computer is running so much better. You're the best!!!!

Consider this thread resolved.
bosslady is offline  
Old 04-16-2009, 12:33 AM   #18 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,882
OS: WinXP and Vista


Re: Please read my hijackthis file

Glad to hear that, and you're quite welcome.

Take care and surf safely.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Copyright 2001 - 2009, Tech Support Forum