#1 - 03-29-2009, 10:54 AM
alicia1234 (Registered User; Join Date: Mar 2009; Location: Boston MA; Posts: 14; OS: Windows XP Pro SP3)

Persistent registry key can't be deleted - suspect malware

Hi. I am fairly knowledgeable in matters of malware detection and removal, and am quite religious about keeping my computer safe, but I've found myself "caught"!

My problem is that I have an entry in my registry in HKLM\Software\Microsoft\Windows\CurrentVersion\Run that I cannot delete:
name: Fqucovidogosi
type: REG_SZ
data: rundll32.exe "C:\WINDOWS\ eraliwol.dll" .e

I delete it and it keeps coming back. I want to know how to get rid of it. I don't know what it is but I'm sure it's not good, and I don't want it hanging around like a time bomb!

Read on for what I've done so far.

I have:

Windows XP Pro SP3, totally up-to-date
AVG Anti-virus, free edition, vsn 8.5.285 with virus db 270.11.31/2028 (March 28th 3:16am)
SpyBot Search & Destroy 1.6.0
SpywareBlaster vsn 4.1
AdAware 2008 Free edition, vsn 7.1.0.12

My data is backed up regularly using the Carbonite backup service.

On March 26th, AVG popped up a Trojan alert. Unfortunately, I didn't write anything down at the time. I just let AVG heal it, and it appeared that it had. The virus vault (C:\$AVG8.VAULT$) has an entry for March 26th.

However, I noticed two days ago that when I restart my computer, I get a message that "Mwiqagox.dll" couldn't be started.

Note that my PC does seem to be running ok.

I ran regedit and searched for Mwiqagox.dll and found it here:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run:
name: Hsejunojagigete
type: REG_SZ
data: rundll32.exe "C:\WINDOWS\Mwiqagox.dll" .e

Also noticed right next to it:
name: Fqucovidogosi
type: REG_SZ
data: rundll32.exe "C:\WINDOWS\adigegobeyeyo.dll" .e

I Googled both Mwiqagox and adigegobeyeyo but could find nothing.

I looked in my processes and services lists and found nothing suspicious.

I deleted both entries. However, the Fqucovidogosi one keeps coming back; I don't even need to reboot. I delete it, then look in the registry a few seconds later and it's back.

I cannot delete the file adigegobeyeyo.dll from the C:\WINDOWS directory; I get an "access is denied" error.

I ran a complete system scan with AVG (1,038,585 objects; 4 hours 37 minutes). Other than tracking cookies, it also found "Trojan horse Downloader.Generic8.ACOU" in these three files:

c:\Documents and Settings\SHEA\Local Settings\Temp\tmp321B.tmp.exe
c:\Documents and Settings\SHEA\Local Settings\Temp\tmp702D.tmp.exe
c:\Documents and Settings\SHEA\Local Settings\Temp\tmpB699.tmp.exe

When AVG finished, it said it found, removed and healed 3 infections; they were moved to the virus vault. There are now 6 entries for today in the virus vault.

I checked the registry again:

Fqucovidogosi is still there; deleted it, closed the registry, opened it again – it's back.
Rebooted; it's still there.

Ran Spybot scan: no threats were found

Ran AdAware SmartScan: no critical objects; 17 Privacy Objects (Tracking cookies); removed all

Still can't delete adigegobeyeyo.dll, but I renamed it to adigegobeyeyo-BAD.dll. After renaming it, I rebooted. Error from RUNDLL that the specified module adigegobeyeyo.dll could not be found – during boot, before the desktop icons appeared. Then again after the desktop icons appeared.
Opened regedit; deleted again. This time it took.
Deleted the file adigegobeyeyo-BAD.dll

Looked in registry again. Now Fqucovidogosi is back, but now the data has "eraliwol.dll" instead of "adigegobeyeyo.dll".

Can't delete it; access denied. Googled it – not found.

Ran AVG full scan again. No threats found.

I ran DDS and GMER as instructed here:
NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help
and I've posted the results as instructed.

===================================================
DDS.txt
=============================
DDS (Ver_09-03-16.01) - NTFSx86
Run by SHEA at 8:16:40.14 on Sun 03/29/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1288 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\basfipm.exe
svchost.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\CFusionMX7\runtime\bin\jrunsvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\CFusionMX7\runtime\bin\jrun.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Documents and Settings\SHEA\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.1.615.5858\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [SM1BG] c:\windows\SM1BG.EXE
mRun: [EPSON Stylus Photo RX500] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB002" /M "Stylus Photo RX500"
mRun: [Epson RX500 on Print Server] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2K1.EXE /P27 "Epson RX500 on Print Server" /O16 "IP_192.168.0.190" /M "Stylus Photo RX500"
mRun: [Auto EPSON Stylus Photo R300 Series on PAZZO2] c:\windows\system32\spool\drivers\w32x86\3\e_s4i2f1.exe /p45 "auto epson stylus photo r300 series on pazzo2" /o19 "\\pazzo2\Epson R300" /M "Stylus Photo R300"
mRun: [Auto EPSON Stylus Photo R300 Series on WOODIE] c:\windows\system32\spool\drivers\w32x86\3\e_s4i2f1.exe /p45 "auto epson stylus photo r300 series on woodie" /o23 "\\woodie\EpsonPhotoR300" /M "Stylus Photo R300"
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Auto EPSON Stylus Photo RX500 on WOODIE] c:\windows\system32\spool\drivers\w32x86\3\e_s4i2k1.exe /p39 "auto epson stylus photo rx500 on woodie" /o17 "\\woodie\Printer4" /M "Stylus Photo RX500"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [\\WOODIE\EPSON Stylus Photo R300 Series] c:\windows\system32\spool\drivers\w32x86\3\e_s4i2f1.exe /p39 "\\woodie\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [Fqucovidogosi] rundll32.exe "c:\windows\eraliwol.dll",e
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: netlibrary.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - hxxps://myvpn.ford.com/sametime/MSJavX86.exe,DanaInfo=.ainBfsqrhjIpz3qNr43,CT=java+
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} - hxxps://myvpn.ford.com/dana-cached/setup/NeoterisSetup.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {A25BE7A9-3102-46B4-BAAE-462471B60ACB} - hxxps://myvpn.ford.com/sametime/javaconnect/InstallSTConnAgent.cab,DanaInfo=.ainBfsqrhjIpz3qNr43,CT=java+
DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FE28FA1A-E046-42DC-9DE7-605DC53A1B61} - hxxps://www.patientgateway.org/ptgw/ptcomp3f.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\progra~1\eudora\EuShlExt.dll
LSA: Notification Packages = scecli dplosr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\shea\applic~1\mozilla\firefox\profiles\qb69oycl.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {033973F7-05A1-499B-8E03-8898D4CC57ED} - c:\documents and settings\shea\local settings\application data\{033973F7-05A1-499B-8E03-8898D4CC57ED}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-29 325640]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-7-29 27656]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-7-29 108552]
R1 Cinemsup;Cinemsup;c:\windows\system32\drivers\cinemsup.sys [2003-12-19 6656]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-30 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-30 298264]
R2 ColdFusion MX 7 Application Server;ColdFusion MX 7 Application Server;c:\cfusionmx7\runtime\bin\jrunsvc.exe [2006-8-18 61440]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-11-6 24652]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2005-8-18 80384]
S3 ColdFusion MX 7 ODBC Agent;ColdFusion MX 7 ODBC Agent;c:\cfusionmx7\db\slserver54\bin\swagent.exe "coldfusion mx 7 odbc agent" --> c:\cfusionmx7\db\slserver54\bin\swagent.exe ColdFusion MX 7 ODBC Agent [?]
S3 ColdFusion MX 7 ODBC Server;ColdFusion MX 7 ODBC Server;c:\cfusionmx7\db\slserver54\bin\swstrtr.exe "coldfusion mx 7 odbc server" --> c:\cfusionmx7\db\slserver54\bin\swstrtr.exe ColdFusion MX 7 ODBC Server [?]
S3 ColdFusion MX 7 Search Server;ColdFusion MX 7 Search Server;c:\cfusionmx7\verity\k2\_nti40\bin\k2admin.exe [2006-8-18 2711312]
S3 palmmdm;Palm Modem;c:\windows\system32\drivers\palmmdm.sys [2006-1-30 9728]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [2008-6-12 58240]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-8-15 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-8-15 369688]

=============== Created Last 30 ================

2009-03-03 20:32 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-03 20:32 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-28 11:24 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat

==================== Find3M ====================

2009-03-27 09:43 110,592 a------- c:\windows\system32\imm32.dll
2009-03-27 09:01 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-20 10:02 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-03-20 10:02 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-25 15:09 60,528 a---h--- c:\windows\system32\mlfcache.dat
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-01-16 22:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2003-08-27 14:19 36,963 -------- c:\program files\common files\SM1updtr.dll
2008-08-30 15:39 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008083020080831\index.dat

============= FINISH: 8:17:22.95 ===============
Attached file: Attach.zip (4.1 KB)

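Added example (not part of the thread, and not code from DDS, ComboFix or any tool named above): a small Python triage script that reads the "Pseudo HJT Report" lines of a DDS log and the "Reg Loading Points" lines of a ComboFix log and flags the two persistence mechanisms visible in this thread: a Run-key value that makes rundll32 load a DLL sitting directly in C:\WINDOWS (eraliwol.dll, adigegobeyeyo.dll, Mwiqagox.dll), and an LSA "Notification Packages" entry beyond the XP default scecli (dplosr.dll), which LSASS loads at boot. The sample lines are copied from the logs in this thread; the severities, the default-package list and the "executable in the Windows root" review rule are assumptions made for the example, not something the logs themselves state.

```python
"""Triage autostart entries in DDS / ComboFix logs for rundll32 and LSA persistence.

Heuristics (assumptions for this example, modelled on the thread):
  * HIGH   a Run-key value that makes rundll32 load a DLL that sits directly in the
           Windows directory rather than under System32; a one-letter export name
           (",e") is recorded as an extra signal.
  * HIGH   an LSA "Notification Packages" entry beyond the XP default "scecli":
           every DLL listed there is loaded into lsass.exe at boot.
  * REVIEW an .exe started directly from the Windows directory (often OEM residue
           such as SM1BG.EXE, but worth a second look).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# DDS "Pseudo HJT Report":  mRun: [Name] command line   /   LSA: Notification Packages = ...
DDS_RUN = re.compile(r"^[umd]Run:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$", re.I)
DDS_LSA = re.compile(r"^LSA:\s+Notification Packages\s*=\s*(?P<pk>.+)$", re.I)
# ComboFix "Reg Loading Points":  "Name"="target" [date size]   /   Notification Packages REG_MULTI_SZ ...
CF_RUN = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[')
CF_LSA = re.compile(r"^Notification Packages\s+REG_MULTI_SZ\s+(?P<pk>.+)$", re.I)
# rundll32[.exe] <dll>[,<export>], with or without quotes around the DLL path
RUNDLL = re.compile(r'\brundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?(?:\s*,\s*(?P<export>[^\s,]*))?', re.I)
# A file living directly in the Windows directory (no sub-directory component)
WINDOWS_ROOT_FILE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.(dll|exe|cpl)$", re.I)

DEFAULT_LSA_PACKAGES = {"scecli"}  # assumed XP default for this example


@dataclass
class Finding:
    severity: str  # "HIGH" or "REVIEW"
    reason: str
    line: str


def windows_root_ext(path: str) -> Optional[str]:
    """Lower-cased extension if `path` sits directly in the Windows directory, else None."""
    m = WINDOWS_ROOT_FILE.match(path.strip().strip('"'))
    return m.group(1).lower() if m else None


def first_token(cmd: str) -> str:
    """The program part of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def check_packages(pk_field: str, line: str, out: List[Finding]) -> None:
    """Report any LSA notification package that is not in the default set."""
    extra = [p for p in pk_field.split()
             if re.sub(r"\.dll$", "", p.lower()) not in DEFAULT_LSA_PACKAGES]
    if extra:
        out.append(Finding("HIGH", "non-default LSA notification package(s): " + ", ".join(extra), line))


def check_target(target: str, via_rundll32: bool, export: str, line: str, out: List[Finding]) -> None:
    """Report a loaded DLL / started EXE that lives directly in the Windows directory."""
    ext = windows_root_ext(target)
    reasons = []
    if ext == "dll":
        reasons.append(("rundll32 loads" if via_rundll32 else "Run key loads")
                       + " a DLL from the Windows root directory")
    if via_rundll32 and len(export) == 1:
        reasons.append("single-character export name %r" % export)
    if reasons:
        out.append(Finding("HIGH" if ext == "dll" else "REVIEW", "; ".join(reasons), line))
    elif ext == "exe":
        out.append(Finding("REVIEW", "executable started directly from the Windows directory", line))


def triage(lines) -> List[Finding]:
    """Run the rules over DDS and/or ComboFix log lines; findings keep input order."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = DDS_LSA.match(line) or CF_LSA.match(line)
        if m:
            check_packages(m.group("pk"), line, findings)
            continue
        m = DDS_RUN.match(line)
        if m:
            r = RUNDLL.search(m.group("cmd"))
            if r:
                check_target(r.group("dll"), True, r.group("export") or "", line, findings)
            else:
                check_target(first_token(m.group("cmd")), False, "", line, findings)
            continue
        m = CF_RUN.match(line)
        if m:  # ComboFix already resolves a rundll32 value to the DLL it loads
            check_target(m.group("target"), False, "", line, findings)
    return findings


# Constructed sample input: lines copied from the DDS and ComboFix logs in this thread
SAMPLE_DDS = r"""
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [SM1BG] c:\windows\SM1BG.EXE
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Fqucovidogosi] rundll32.exe "c:\windows\eraliwol.dll",e
LSA: Notification Packages = scecli dplosr.dll
""".strip().splitlines()

SAMPLE_COMBOFIX = r"""
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-20 1932568]
"Fqucovidogosi"="c:\windows\eraliwol.dll" [2008-04-13 154112]
Notification Packages REG_MULTI_SZ scecli dplosr.dll
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_DDS + SAMPLE_COMBOFIX):
        print(f"{f.severity:<6} {f.reason}\n       {f.line}")
```

On the sample above it reports SM1BG.EXE for review and flags the Fqucovidogosi value and the dplosr.dll package as HIGH in both log formats, while the legitimate rundll32 use (bthprops.cpl,,BluetoothAuthenticationAgent) and the AVG, QuickTime and DLA entries produce nothing. The rules are deliberately narrow; a real triage pass would also check Winlogon Notify entries and AppInit_DLLs, which this example does not.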

#2 - 03-29-2009, 03:22 PM
Angelfire777 (Moderator/Analyst, Security Team; Rangemaster, TSF Academy; Join Date: Oct 2006; Posts: 4,581; OS: Vista)

Re: Persistent registry key can't be deleted - suspect malware

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
#3 - 03-29-2009, 04:10 PM
alicia1234 (Registered User; Join Date: Mar 2009; Location: Boston MA; Posts: 14; OS: Windows XP Pro SP3)

Re: Persistent registry key can't be deleted - suspect malware

I disabled Windows Firewall and AVG (that's all that applies). Then I ran ComboFix. The blue window popped up; nothing in it. Then a popup saying "Parasites found: the following files were trying to attach to ComboFix: c:\WINDOWS\system32\msrvvl.dll".

I clicked OK (I'm sending this from another computer).

Then got a popup that said CF9543.exe: The application failed to start because msrvvl.dll was not found. I clicked ok.

The same error about msrvvl.dll popped up over and over - with different names in the title bar. I gave up counting after a hundred.

The blue ComboFix window said it was preparing to run; then the blue box went blank and my computer let out a few very loud beeps. Then the blue box said it was downloading from Microsoft, and it appeared to be downloading the recovery center.
The blue ComboFix window said it was attempting to create a restore point.

Then I got more errors about msrvvl.dll not being found.

Kept clicking ok until they stopped.

Blue window indicates 100% at the end of a row of #####.

Then the messages started up again. Clicked ok until they stopped.

Finally got a window that said the recovery console had been successfully installed. Click Yes to continue scanning for malware or No to exit.

WHAT SHOULD I DO? Is this normal behavior?

#4 - 03-29-2009, 04:38 PM
Angelfire777 (Moderator/Analyst, Security Team; Rangemaster, TSF Academy; Join Date: Oct 2006; Posts: 4,581; OS: Vista)


Click Yes.
#5 - 03-29-2009, 05:25 PM
alicia1234 (Registered User; Join Date: Mar 2009; Location: Boston MA; Posts: 14; OS: Windows XP Pro SP3)

Re: Persistent registry key can't be deleted - suspect malware

OK. I clicked Yes. Got a gazillion more msgs about the msrvvl.dll file; just kept clicking OK. ComboFix went through 50 stages, then said it had to reboot. It rebooted my PC, then came back up and said it was preparing the log. Here's the log:

====================================================================
ComboFix 09-03-29.02 - SHEA 2009-03-29 19:03:41.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1215 [GMT -4:00]
Running from: c:\documents and settings\SHEA\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.
The following files were disabled during the run:
c:\windows\system32\msrvvl.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\Cache
c:\windows\system32\drivers\fad.sys
c:\windows\system32\mdm.exe

Infected copy of c:\windows\system32\imm32.dll was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\imm32.dll


.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-29 )))))))))))))))))))))))))))))))
.

2009-03-03 20:32 . 2009-03-03 20:32 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-03 20:32 . 2009-03-03 20:32 73,728 --a------ c:\windows\system32\javacpl.cpl

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-29 21:49 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-29 21:48 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-28 21:28 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-28 21:26 --------- d-----w c:\program files\SpywareBlaster
2009-03-27 13:01 108,552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-03-25 18:19 --------- d-----w c:\program files\Quicken
2009-03-22 21:00 --------- d-----w c:\documents and settings\SHEA\Application Data\FileZilla
2009-03-20 14:02 325,640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-03-20 14:02 --------- d-----w c:\documents and settings\All Users\Application Data\Avg8
2009-03-20 12:03 --------- d-----w c:\documents and settings\SHEA\Application Data\Move Networks
2009-03-19 14:58 --------- d-----w c:\documents and settings\SHEA\Application Data\MySQL
2009-03-14 11:11 --------- d-----w c:\program files\Microsoft Silverlight
2009-03-13 22:06 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-04 00:32 --------- d-----w c:\program files\Java
2009-02-28 15:45 --------- d-----w c:\program files\TechSmith
2009-02-11 19:04 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-07 00:28 --------- d-----w c:\documents and settings\SHEA\Application Data\Download Manager
2009-01-29 13:44 --------- d-----w c:\program files\Eudora
2003-08-27 18:19 36,963 ------w c:\program files\Common Files\SM1updtr.dll
2008-08-30 19:39 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008083020080831\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Blue]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-01-09 16:13 583312 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2009-01-09 16:13 583312 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Blue]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-01-09 16:13 583312 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Red]
@="{01CCCC8C-1D50-4b13-B96D-4B922DD3128B}"
[HKEY_CLASSES_ROOT\CLSID\{01CCCC8C-1D50-4b13-B96D-4B922DD3128B}]
2009-01-09 16:13 583312 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2009-01-09 16:13 583312 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"EPSON Stylus Photo RX500"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE" [2003-06-02 99840]
"Epson RX500 on Print Server"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE" [2003-06-02 99840]
"Auto EPSON Stylus Photo R300 Series on PAZZO2"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"Auto EPSON Stylus Photo R300 Series on WOODIE"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-20 1932568]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"Auto EPSON Stylus Photo RX500 on WOODIE"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE" [2003-06-02 99840]
"\\WOODIE\EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-03 148888]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-01-09 669840]
"Fqucovidogosi"="c:\windows\eraliwol.dll" [2008-04-13 154112]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 c:\windows\KHALMNPR.Exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\progra~1\Eudora\EuShlExt.dll" [2006-08-17 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-11-15 11:10 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-20 10:02 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli dplosr.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-01-11 19:54 623992 c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-07-06 21:00 344064 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Carbonite Backup]
-ra------ 2009-01-09 16:13 669840 c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
--------- 2004-12-02 18:23 102400 c:\program files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-04-26 09:04 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPWRTOOLBOX]
--a------ 2005-06-15 01:33 344064 c:\program files\Hewlett-Packard\hp deskjet 460 series\Toolbox\HPWRTBX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2004-06-03 04:50 204800 c:\program files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 14:10 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 20:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]
--a------ 2005-10-07 16:42 139264 c:\program files\Multimedia Card Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2004-01-07 02:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 20:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
--a------ 2007-09-21 04:10 55824 c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PhotoshopElementsDeviceConnect"=2 (0x2)
"AdobeActiveFileMonitor"=2 (0x2)
"WLANKEEPER"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp deskjet 460 series\\Toolbox\\HPWRTBX.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Alicia\\Tech Stuff\\LinkSys\\APSetup.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks Basic\\QBDBMgrN.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-07-29 325640]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-07-29 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-30 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-30 298264]
R2 ColdFusion MX 7 Application Server;ColdFusion MX 7 Application Server;c:\cfusionmx7\runtime\bin\jrunsvc.exe [2006-08-18 61440]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-11-06 24652]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2005-08-18 80384]
S3 ColdFusion MX 7 ODBC Agent;ColdFusion MX 7 ODBC Agent;c:\cfusionmx7\db\slserver54\bin\swagent.exe "ColdFusion MX 7 ODBC Agent" --> c:\cfusionmx7\db\slserver54\bin\swagent.exe ColdFusion MX 7 ODBC Agent [?]
S3 ColdFusion MX 7 ODBC Server;ColdFusion MX 7 ODBC Server;c:\cfusionmx7\db\slserver54\bin\swstrtr.exe "ColdFusion MX 7 ODBC Server" --> c:\cfusionmx7\db\slserver54\bin\swstrtr.exe ColdFusion MX 7 ODBC Server [?]
S3 ColdFusion MX 7 Search Server;ColdFusion MX 7 Search Server;c:\cfusionmx7\verity\k2\_nti40\bin\k2admin.exe [2006-08-18 2711312]
S3 palmmdm;Palm Modem;c:\windows\system32\drivers\palmmdm.sys [2006-01-30 9728]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [2008-06-12 58240]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2008-08-15 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-07-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-08-15 369688]
.
Contents of the 'Scheduled Tasks' folder

2009-03-29 c:\windows\Tasks\User_Feed_Synchronization-{C16A562F-06D1-4E4F-A4B9-3EC17839353C}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 12:58]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Bluetooth Connection Assistant - LBTWIZ.EXE
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: netlibrary.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {A25BE7A9-3102-46B4-BAAE-462471B60ACB} - hxxps://myvpn.ford.com/sametime/javaconnect/InstallSTConnAgent.cab,DanaInfo=.ainBfsqrhjIpz3qNr43,CT=java+
DPF: {FE28FA1A-E046-42DC-9DE7-605DC53A1B61} - hxxps://www.patientgateway.org/ptgw/ptcomp3f.cab
FF - ProfilePath - c:\documents and settings\SHEA\Application Data\Mozilla\Firefox\Profiles\qb69oycl.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-29 19:14:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(472)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(528)
c:\windows\dplosr.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Logitech\Bluetooth\LBTServ.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\BAsfIpM.exe
c:\program files\Carbonite\Carbonite Backup\CarboniteService.exe
c:\cfusionmx7\runtime\bin\jrun.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\rundll32.exe
c:\program files\Logitech\SetPoint\LBTWiz.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-29 19:20:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-29 23:20:38

Pre-Run: 38,700,216,320 bytes free
Post-Run: 38,554,198,016 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

260 --- E O F --- 2009-03-17 19:20:09
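An added triage example, not part of alicia1234's post and not ComboFix code. Two details in the log above deserve attention before any cleanup script is written: lsass.exe has c:\windows\dplosr.dll loaded (a module sitting loose in the Windows root rather than in system32, inside the one process that holds the machine's credentials), and the standard-profile firewall policy shows EnableFirewall=0. The Python below parses the "DLLs Loaded Under Running Processes" and firewall-policy sections of a ComboFix log and flags exactly those conditions. The sample input is constructed from excerpts of the log above; the location rules (lsass.exe should load only from system32, nothing legitimate lives loose in c:\windows) are my assumptions, not ComboFix's own logic.

```python
"""Triage helper for ComboFix-style logs: flag DLLs loaded into winlogon.exe
or lsass.exe from unusual locations, and a disabled Windows Firewall profile.
Added example; the location rules below are assumptions, not ComboFix logic."""
import re
from typing import Dict, List, Tuple

# Constructed sample: excerpts copied from the ComboFix log posted above.
SAMPLE_LOG = """\
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(472)
c:\\windows\\system32\\Ati2evxx.dll
c:\\program files\\common files\\logitech\\bluetooth\\LBTWlgn.dll
c:\\program files\\common files\\logitech\\bluetooth\\LBTServ.dll

- - - - - - - > 'lsass.exe'(528)
c:\\windows\\dplosr.dll
.
------------------------ Other Running Processes ------------------------
.
c:\\windows\\system32\\rundll32.exe
"""

PROC_HEADER = re.compile(r"^(?:- )+> '(?P<proc>[^']+)'\((?P<pid>\d+)\)")
BANNER = re.compile(r"^-{5,}")                 # '------ Section ------' lines
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')

SYSTEM32 = "c:\\windows\\system32\\"
WINDIR = "c:\\windows\\"

Finding = Tuple[str, str, str]   # (subject, path, reason)


def parse_loaded_dlls(log: str) -> Dict[str, List[str]]:
    """{process name: [dll paths]} from 'DLLs Loaded Under Running Processes'."""
    loaded: Dict[str, List[str]] = {}
    current = None
    in_section = False
    for raw in log.splitlines():
        line = raw.strip()
        if "DLLs Loaded Under Running Processes" in line:
            in_section = True
            continue
        if not in_section:
            continue
        if BANNER.match(line):          # the next section banner ends this one
            break
        m = PROC_HEADER.match(line)
        if m:
            current = m.group("proc").lower()
            loaded.setdefault(current, [])
        elif current and line.lower().endswith(".dll"):
            loaded[current].append(line.lower())
    return loaded


def firewall_disabled(log: str) -> bool:
    """True if a firewall profile block has EnableFirewall set to 0."""
    return any(FIREWALL_OFF.match(l.strip()) for l in log.splitlines())


def triage(log: str) -> List[Finding]:
    """Apply the location rules to every DLL listed under a system process."""
    findings: List[Finding] = []
    for proc, dlls in parse_loaded_dlls(log).items():
        for dll in dlls:
            parent = dll.rsplit("\\", 1)[0] + "\\"
            if proc == "lsass.exe" and not dll.startswith(SYSTEM32):
                # Assumption: on a clean XP box lsass.exe loads only from system32.
                # A foreign module here usually arrives via the Lsa Notification,
                # Authentication or Security Packages values; check those next.
                findings.append((proc, dll, "DLL outside system32 inside lsass.exe"))
            elif parent == WINDIR:
                # Assumption: legitimate modules live in system32 or a vendor
                # directory, not loose in c:\windows.
                findings.append((proc, dll, "DLL dropped directly in the Windows root"))
    if firewall_disabled(log):
        findings.append(("firewall", "standardprofile",
                         "EnableFirewall=0, Windows Firewall is off"))
    return findings


if __name__ == "__main__":
    for subject, path, reason in triage(SAMPLE_LOG):
        print(f"{subject:12} {path:45} {reason}")
```

Run it as a script to print the findings for the embedded sample, or import it and call triage() on a saved log. A hit inside lsass.exe points at the LSA loading points under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (Notification Packages, Authentication Packages, Security Packages) as the next thing to inspect, since those values are how a DLL gets into that process at boot.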
Old 03-29-2009, 11:49 PM   #6 (permalink)
Angelfire777
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,581
OS: Vista

Re: Persistent registry key can't be deleted - suspect malware

Hi,

*I see you have Viewpoint installed...
Viewpoint-related software is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we knew in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player


*Open notepad.
Copy and paste the text inside the code box below to notepad
Code:
File::
c:\windows\system32\msrvvl.dll
c:\windows\eraliwol.dll
c:\windows\dplosr.dll
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Fqucovidogosi"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
  • Save and Name it as "CFScript"
  • Drag and drop CFScript.txt to your copy of combofix.

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.


*Your Java is out of date.

Java(TM) 6 Update 10 can be updated from the Java control panel

Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts.


*Next, it's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


On your next reply, please include a
  • kaspersky scan log
  • combofix log
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
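An added explanation and example, not part of Angelfire777's post and not ComboFix code. The Registry:: block above does two things: "Fqucovidogosi"=- deletes the Run value (a trailing - is .reg syntax for "remove this value"), and the second stanza rewrites HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages. That value is a REG_MULTI_SZ list of DLLs that lsass.exe loads at boot so they can be told about password changes; a DLL registered there runs inside lsass on every boot and is handed the plaintext of each new password, which makes it a persistence and credential-theft location, not just another startup entry. hex(7) is the .reg encoding of REG_MULTI_SZ, and in the REGEDIT4 format that ComboFix prints the bytes are 8-bit, so 73,63,65,63,6c,69,00,00 is "scecli" followed by the NUL that ends the string and the NUL that ends the list: the Windows XP default. The first log in this thread showed c:\windows\dplosr.dll loaded in lsass.exe; the post does not say so, but resetting this value is consistent with that DLL having been registered as a notification package. The Python below decodes and encodes hex(7) values so the reset line can be verified byte for byte, and checks a decoded list against the default. The "rogue" entry used in the tampered sample is constructed, not something seen on this machine.

```python
"""REGEDIT4-style hex(7) (REG_MULTI_SZ) encoder/decoder plus a check of the
Lsa\\Notification Packages list against the Windows XP default ("scecli").
Added example, not ComboFix code."""
from typing import List

# Windows XP ships with exactly one notification package: scecli
# (the Security Configuration Engine client). Anything else needs explaining.
DEFAULT_NOTIFICATION_PACKAGES = ["scecli"]


def decode_hex7(value: str, encoding: str = "cp1252") -> List[str]:
    """Turn '73,63,65,63,6c,69,00,00' (optionally prefixed 'hex(7):', and
    optionally continued over lines with a trailing backslash) into ['scecli'].

    REGEDIT4 files store hex(7) as 8-bit ANSI bytes (cp1252 on a US system);
    'Windows Registry Editor Version 5.00' files use UTF-16LE, so pass
    encoding='utf-16-le' for those."""
    v = value.strip()
    if v.lower().startswith("hex(7):"):
        v = v[len("hex(7):"):]
    tokens = [t.strip() for t in v.replace("\\", "").split(",")]
    raw = bytes(int(t, 16) for t in tokens if t)
    strings: List[str] = []
    for part in raw.decode(encoding).split("\x00"):
        if part == "":            # the first empty string is the list terminator
            break
        strings.append(part)
    return strings


def encode_hex7(strings: List[str], encoding: str = "cp1252") -> str:
    """Inverse of decode_hex7: each string NUL-terminated, then a final NUL."""
    raw = ("".join(s + "\x00" for s in strings) + "\x00").encode(encoding)
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def notification_packages_line(packages: List[str]) -> str:
    """Render the .reg/CFScript value line that sets Notification Packages."""
    return '"Notification Packages"=' + encode_hex7(packages)


def unexpected_packages(packages: List[str]) -> List[str]:
    """Entries that are not part of the XP default list (case-insensitive)."""
    known = {p.lower() for p in DEFAULT_NOTIFICATION_PACKAGES}
    return [p for p in packages if p.lower() not in known]


if __name__ == "__main__":
    # The exact value from the CFScript in the post above:
    posted = "hex(7):73,63,65,63,6c,69,00,00"
    pkgs = decode_hex7(posted)
    print("decoded:", pkgs)                                # ['scecli']
    print("round trip:", notification_packages_line(pkgs))
    # Constructed sample of what a tampered list would decode to:
    tampered = decode_hex7(encode_hex7(["scecli", "rogue"]))
    print("unexpected:", unexpected_packages(tampered))    # ['rogue']
```

To check a live XP system, export the key with reg export "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" lsa.reg and feed the Notification Packages line to decode_hex7() with encoding='utf-16-le', since reg.exe writes the Version 5.00 format; anything other than scecli should be either explained by an installed product or treated the way this thread treats dplosr.dll.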
Old 03-30-2009, 05:24 AM   #7 (permalink)
alicia1234 (Registered User, OS: Windows XP Pro SP3)

Re: Persistent registry key can't be deleted - suspect malware

Hi. Thanks. I'm traveling today and can't get to this until tomorrow. Will check back then.
Old 03-30-2009, 10:16 AM   #8 (permalink)
Angelfire777 (Moderator/Analyst, Security Team ; Rangemaster, TSF Academy)

Re: Persistent registry key can't be deleted - suspect malware

Ok. I shall wait for your logs.
Old 03-31-2009, 06:14 AM   #9 (permalink)
alicia1234 (Registered User, OS: Windows XP Pro SP3)

Re: Persistent registry key can't be deleted - suspect malware

I am about to do what you suggested but wanted to first report that, since I ran ComboFix, whenever I reboot my PC, the "My Documents" window now opens every time. I searched for a solution. It's not an issue with the userinit registry key, and it's not in my Startup folder.

Also, after running ComboFix, my default browser was changed from FireFox to IE. I changed it back.

Also: I've noticed over the past several days (probably since I got the notice about the Trojan), that when I Google something and then click on one of the links, sometimes I'm redirected somewhere else (even though the link is legitimate). For example, today when I was looking for a solution to the My Documents window problem, I clicked on a link and was taken to NYTimes online!
Old 03-31-2009, 07:28 AM   #10 (permalink)
alicia1234 (Registered User, OS: Windows XP Pro SP3)

Re: Persistent registry key can't be deleted - suspect malware

I removed "Viewpoint Media Player" (that's the only "Viewpoint" I had).
I ran the ComboFix script and here is the log. (I'm about to do the rest of the stuff now).
==================================================================
ComboFix 09-03-29.02 - SHEA 2009-03-31 9:07:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1274 [GMT -4:00]
Running from: c:\documents and settings\SHEA\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\SHEA\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\dplosr.dll
c:\windows\eraliwol.dll
c:\windows\system32\msrvvl.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\dplosr.dll
c:\windows\eraliwol.dll
c:\windows\system32\msrvvl.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-31 )))))))))))))))))))))))))))))))
.

2009-03-03 20:32 . 2009-03-03 20:32 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-03 20:32 . 2009-03-03 20:32 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-28 11:45 . 2009-02-28 11:45 <DIR> d-------- c:\program files\TechSmith
2009-02-28 11:24 . 2009-01-09 15:19 1,089,593 --------- c:\windows\system32\dllcache\ntprint.cat
2009-02-26 13:29 . 2009-03-03 13:46 <DIR> d-------- C:\Alicia's Websites
2009-02-25 15:09 . 2009-02-25 15:09 60,528 --ah----- c:\windows\system32\mlfcache.dat
2009-02-16 19:29 . 2009-03-04 13:02 <DIR> d-------- C:\Websites for Hire
2009-02-06 16:30 . 2009-02-06 20:28 <DIR> d-------- c:\documents and settings\SHEA\Application Data\Download Manager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-31 13:01 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-03-29 21:49 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-29 21:48 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-28 21:28 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-28 21:26 --------- d-----w c:\program files\SpywareBlaster
2009-03-27 13:01 108,552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-03-25 18:19 --------- d-----w c:\program files\Quicken
2009-03-22 21:00 --------- d-----w c:\documents and settings\SHEA\Application Data\FileZilla
2009-03-20 14:02 325,640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-03-20 14:02 --------- d-----w c:\documents and settings\All Users\Application Data\Avg8
2009-03-20 12:03 --------- d-----w c:\documents and settings\SHEA\Application Data\Move Networks
2009-03-19 14:58 --------- d-----w c:\documents and settings\SHEA\Application Data\MySQL
2009-03-14 11:11 --------- d-----w c:\program files\Microsoft Silverlight
2009-03-13 22:06 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-04 00:32 --------- d-----w c:\program files\Java
2009-02-11 19:04 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-29 13:44 --------- d-----w c:\program files\Eudora
2003-08-27 18:19 36,963 ------w c:\program files\Common Files\SM1updtr.dll
2008-08-30 19:39 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008083020080831\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-29_19.18.31.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-29 23:12:44 229,276 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-03-31 13:15:55 229,270 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-03-31 13:15:28 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_728.dat
+ 2009-03-31 13:15:20 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7a4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Blue]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-01-09 16:13 583312 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2009-01-09 16:13 583312 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Blue]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-01-09 16:13 583312 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Red]
@="{01CCCC8C-1D50-4b13-B96D-4B922DD3128B}"
[HKEY_CLASSES_ROOT\CLSID\{01CCCC8C-1D50-4b13-B96D-4B922DD3128B}]
2009-01-09 16:13 583312 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2009-01-09 16:13 583312 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"EPSON Stylus Photo RX500"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE" [2003-06-02 99840]
"Epson RX500 on Print Server"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE" [2003-06-02 99840]
"Auto EPSON Stylus Photo R300 Series on PAZZO2"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"Auto EPSON Stylus Photo R300 Series on WOODIE"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-20 1932568]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"Auto EPSON Stylus Photo RX500 on WOODIE"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE" [2003-06-02 99840]
"\\WOODIE\EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-03 148888]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-01-09 669840]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 c:\windows\KHALMNPR.Exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\progra~1\Eudora\EuShlExt.dll" [2006-08-17 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-11-15 11:10 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-20 10:02 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-01-11 19:54 623992 c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-07-06 21:00 344064 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Carbonite Backup]
-ra------ 2009-01-09 16:13 669840 c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
--------- 2004-12-02 18:23 102400 c:\program files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-04-26 09:04 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPWRTOOLBOX]
--a------ 2005-06-15 01:33 344064 c:\program files\Hewlett-Packard\hp deskjet 460 series\Toolbox\HPWRTBX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2004-06-03 04:50 204800 c:\program files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 14:10 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 20:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]
--a------ 2005-10-07 16:42 139264 c:\program files\Multimedia Card Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2004-01-07 02:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 20:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
--a------ 2007-09-21 04:10 55824 c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PhotoshopElementsDeviceConnect"=2 (0x2)
"AdobeActiveFileMonitor"=2 (0x2)
"WLANKEEPER"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp deskjet 460 series\\Toolbox\\HPWRTBX.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Alicia\\Tech Stuff\\LinkSys\\APSetup.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks Basic\\QBDBMgrN.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-07-29 325640]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-07-29 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-30 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-30 298264]
R2 ColdFusion MX 7 Application Server;ColdFusion MX 7 Application Server;c:\cfusionmx7\runtime\bin\jrunsvc.exe [2006-08-18 61440]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2005-08-18 80384]
S3 ColdFusion MX 7 ODBC Agent;ColdFusion MX 7 ODBC Agent;c:\cfusionmx7\db\slserver54\bin\swagent.exe "ColdFusion MX 7 ODBC Agent" --> c:\cfusionmx7\db\slserver54\bin\swagent.exe ColdFusion MX 7 ODBC Agent [?]
S3 ColdFusion MX 7 ODBC Server;ColdFusion MX 7 ODBC Server;c:\cfusionmx7\db\slserver54\bin\swstrtr.exe "ColdFusion MX 7 ODBC Server" --> c:\cfusionmx7\db\slserver54\bin\swstrtr.exe ColdFusion MX 7 ODBC Server [?]
S3 ColdFusion MX 7 Search Server;ColdFusion MX 7 Search Server;c:\cfusionmx7\verity\k2\_nti40\bin\k2admin.exe [2006-08-18 2711312]
S3 palmmdm;Palm Modem;c:\windows\system32\drivers\palmmdm.sys [2006-01-30 9728]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [2008-06-12 58240]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2008-08-15 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-07-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-08-15 369688]
.
Contents of the 'Scheduled Tasks' folder

2009-03-31 c:\windows\Tasks\User_Feed_Synchronization-{C16A562F-06D1-4E4F-A4B9-3EC17839353C}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 12:58]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: netlibrary.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {A25BE7A9-3102-46B4-BAAE-462471B60ACB} - hxxps://myvpn.ford.com/sametime/javaconnect/InstallSTConnAgent.cab,DanaInfo=.ainBfsqrhjIpz3qNr43,CT=java+
DPF: {FE28FA1A-E046-42DC-9DE7-605DC53A1B61} - hxxps://www.patientgateway.org/ptgw/ptcomp3f.cab
FF - ProfilePath - c:\documents and settings\SHEA\Application Data\Mozilla\Firefox\Profiles\qb69oycl.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-31 09:16:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(472)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Logitech\Bluetooth\LBTServ.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\BAsfIpM.exe
c:\program files\Carbonite\Carbonite Backup\CarboniteService.exe
c:\cfusionmx7\runtime\bin\jrun.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-03-31 9:23:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-31 13:23:00
ComboFix2.txt 2009-03-29 23:20:56

Pre-Run: 38,477,373,440 bytes free
Post-Run: 38,453,301,248 bytes free

251 --- E O F --- 2009-03-17 19:20:09
Old 03-31-2009, 07:30 AM   #11 (permalink)
alicia1234 (Registered User, OS: Windows XP Pro SP3)

Re: Persistent registry key can't be deleted - suspect malware

I tried to update Java as you said, but when I click on "Update now", it tells me I already have the latest version. (It's set for automatic updates anyways.)
Old 03-31-2009, 11:14 AM   #12 (permalink)
alicia1234 (Registered User, OS: Windows XP Pro SP3)

Re: Persistent registry key can't be deleted - suspect malware

I ran kaspersky as instructed. It did not find any threats, and the "scan report" is empty (blank).
Old 03-31-2009, 11:21 AM   #13 (permalink)
alicia1234 (Registered User, OS: Windows XP Pro SP3)

Re: Persistent registry key can't be deleted - suspect malware

FYI: I looked in the registry at HKLM\Software\Microsoft\Windows\CurrentVersion\Run; the entry for "Fqucovidogosi" is no longer there.
Please tell me what, of all the things I did, got rid of it. Was it ComboFix?
Thanks.
Old 03-31-2009, 04:54 PM   #14 (permalink)
Angelfire777 (Moderator/Analyst, Security Team ; Rangemaster, TSF Academy)

Re: Persistent registry key can't be deleted - suspect malware

Yes it was combofix.


*click start > run > copy and paste:

cmd /c rd /s/q "c:\documents and settings\All Users\Application Data\Viewpoint"

press enter.


Can you check java in control panel > add or remove programs and see which update is currently installed.

Also, I would like to know how it's running.
Old 03-31-2009, 05:23 PM   #15 (permalink)
alicia1234 (Registered User, OS: Windows XP Pro SP3)

Re: Persistent registry key can't be deleted - suspect malware

I ran the "cmd" - a black (DOS) window flashed up and disappeared so quickly I couldn't see what it said. That's all that happened.

Java 6 Update 12

The pc is running fine.
Old 03-31-2009, 09:16 PM   #16 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Persistent registry key can't be deleted - suspect malware

That's normal.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 13.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 13".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java(TM) 6 Update 12
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

*Click start > run > copy and paste:

combofix /u

That will hide your system files, clear your system restore cache and uninstall combofix.

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Read TonyKlein's "How Did I Get Infected In The First Place?"

Please check out miekiemoes' "How to Prevent Malware"

Happy safe surfing!

Note: Please reply to this thread one last time so I can mark it as resolved.
Old 04-01-2009, 05:57 AM   #17 (permalink)
Registered User
Join Date: Mar 2009
Location: Boston MA
Posts: 14
OS: Windows XP Pro SP3


Re: Persistent registry key can't be deleted - suspect malware

Thanks. I am confused about how I got infected since I have AVG AntiVirus and it updates automatically so it's always up-to-date. Also have SpywareBlaster that I update regularly. And Spybot that I update and run scans regularly. Also AdAware. Should I be using something else?
Thanks for your help. Much appreciated.
Old 04-01-2009, 07:35 AM   #18 (permalink)
Registered User
Join Date: Mar 2009
Location: Boston MA
Posts: 14
OS: Windows XP Pro SP3


Re: Persistent registry key can't be deleted - suspect malware

I successfully installed "Java(TM) 6 Update 13", and uninstalled ComboFix. Thank you.

I read through "How did I get infected in the first place?" and just wanted you to know:
1) My IE settings for ActiveX controls were already set as recommended. However, FireFox is my default browser now and has been for a couple of months.
2) I already have SpywareBlaster installed with all protection enabled.
3) I already have Spybot Search & Destroy installed, although I DID NOT have the TeaTimer option. I will set that.
4) I have been using the Windows Firewall. I will look into switching to either Comodo or Online Armor.
5) I already have AVG Anti-virus installed and set for automatic updates.

Thanks again.
Old 04-01-2009, 09:00 AM   #19 (permalink)
Registered User
Join Date: Mar 2009
Location: Boston MA
Posts: 14
OS: Windows XP Pro SP3


Re: Persistent registry key can't be deleted - suspect malware

I installed Free COMODO Internet Security, installing only the firewall and not the antivirus (since I'm using AVG for that). I found it odd that it did not tell me to disable my Windows firewall, since what I read was that you should only run one firewall.
So - should I turn off the Windows firewall?
Thanks. This is my last question, I promise! ;-)
Old 04-01-2009, 10:11 AM   #20 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Persistent registry key can't be deleted - suspect malware

Quote:
Thanks. I am confused about how I got infected since I have AVG AntiVirus and it updates automatically so it's always up-to-date. Also have SpywareBlaster that I update regularly. And Spybot that I update and run scans regularly. Also AdAware. Should I be using something else?
Thing is, no matter how many antivirus scanners you have, there's no way for them to detect every known infection. There are just too many of them.

The best protection one person could have is awareness while surfing, downloading, etc.

Yes, please turn off Windows Firewall. Usually, the 3rd party firewalls disable Windows Firewall automatically.
Copyright 2001 - 2009, Tech Support Forum