A LOT of Trojans Popping up on my symantec!

[no cxn]

A few days ago, I was browsing the web and started getting pop-up ads. I have never had pop ups before. Shortly thereafter, my symantec started detecting trojan viruses, the latest two being Trojan.Malscript!html and Trojan.Fakeavalert. Both were located in the Temporary Internet Files/Content.IE5 folder. I had a similar issue with trojans in the past and my debit card # wound up getting charged $500 before I caught and canceled. Please help!


DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 18:59:10.62 on Mon 04/13/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894.566 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://att.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5056
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5d2a4cd2-cde2-4bb2-8826-956d630d0f4e} - c:\windows\system32\hekomuno.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [Motive SmartBridge] c:\progra~1\sbcsel~1\smartb~1\MotiveSB.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [344b23c3] rundll32.exe "c:\windows\system32\tareniva.dll",b
mRun: [zoyonidasu] Rundll32.exe "c:\windows\system32\sumovena.dll",s
mRun: [CPM3778105f] Rundll32.exe "c:\windows\system32\zedomoje.dll",a
dRun: [Power2GoExpress] NA
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\at&tse~1.lnk - c:\program files\sbc self support tool\bin\matcli.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sbcsel~1.lnk - c:\program files\sbc self support tool\bin\matcli.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: c:\windows\system32\talefake.dll c:\windows\system32\zedomoje.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\zedomoje.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\zedomoje.dll
LSA: Notification Packages = scecli c:\windows\system32\talefake.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\3baeesrj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - plugin: c:\program files\mozilla firefox\plugins\npCID.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-8-26 334984]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-8-26 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-10-4 185968]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-10-4 177776]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-11-15 1756912]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-8-19 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-27 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090410.003\naveng.sys [2009-4-10 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090410.003\navex15.sys [2009-4-10 876144]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-10-4 83568]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-11-15 169200]

=============== Created Last 30 ================

2009-04-10 20:28 1,403,901 ---sh--- c:\windows\system32\avinerat.ini
2009-04-10 11:30 <DIR> --ds---- c:\documents and settings\owner\UserData
2009-04-10 08:28 1,403,673 ---sh--- c:\windows\system32\iyevepeg.ini

==================== Find3M ====================

2009-04-13 08:28 109,568 a--sh--- c:\windows\system32\puwohuwu.dll
2009-04-13 08:28 63,488 a--sh--- c:\windows\system32\dosozodu.exe
2009-04-12 20:28 107,520 a--sh--- c:\windows\system32\zedomoje.dll
2009-04-12 20:28 62,976 a--sh--- c:\windows\system32\vuzofafu.exe
2009-04-12 08:28 109,568 a--sh--- c:\windows\system32\mifijuhu.dll
2009-04-12 08:28 64,000 a--sh--- c:\windows\system32\yunuvofu.exe
2009-04-11 20:28 109,568 a--sh--- c:\windows\system32\dejezibi.dll
2009-04-11 20:28 62,976 a--sh--- c:\windows\system32\tibiyoni.exe
2009-04-11 08:28 109,056 a--sh--- c:\windows\system32\lihovoke.dll
2009-04-11 08:28 62,464 a--sh--- c:\windows\system32\lalilave.exe
2009-04-10 20:28 71,168 a--sh--- c:\windows\system32\dugeyene.dll
2009-04-10 20:28 100,864 a--sh--- c:\windows\system32\tareniva.dll
2009-04-10 20:28 109,568 a--sh--- c:\windows\system32\pipiwuhi.dll
2009-04-10 20:28 61,952 a--sh--- c:\windows\system32\nuvebode.exe
2009-04-10 08:28 63,488 a--sh--- c:\windows\system32\vadasiza.exe
2009-04-10 08:28 109,056 a--sh--- c:\windows\system32\tarahasi.dll
2009-04-10 08:28 101,888 -------- c:\windows\system32\gepeveyi.dll
2009-02-20 04:36 1,033,216 a------- c:\windows\explorer.exe
2009-02-09 05:19 1,846,272 a------- c:\windows\system32\win32k.sys
2006-09-11 17:07 0 a------- c:\docume~1\owner\applic~1\wklnhst.dat
2009-01-10 20:28 71,168 a--sh--- c:\windows\system32\hekomuno.dll
2009-01-10 20:28 71,168 a--sh--- c:\windows\system32\sumovena.dll
2009-01-10 20:28 71,168 a--sh--- c:\windows\system32\talefake.dll

============= FINISH: 19:00:44.97 ===============

[tetonbob]

Hello again.

You've returned fairly quickly after a disinfection....you must review the internet habits of all who access this and other machines you use.

From our pre-posting sticky:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

Quote:

It is not our intent to repeatedly remove malware from the same member's machines. The intent of this free service performed by volunteers is to help remove malware from your machine, educate you on how it may have happened, and how to prevent that from happening again. To this end, we provide links to articles and tools which should make your visit to the Virus/Trojan/Spyware Help section of TSF a one time event. Please do enjoy the rest of Tech Support Forum as many times as you like!

You'll need to take more care on the internet, and ensure everyone using the machine is doing the same.

You also abandoned your previous topic. I would expect you to complete this topic, and stick with me until I give the all clear.

==================================

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

1. Download ComboFix from one of these locations:
   
   Link 1
   Link 2
   Link 3
   
   * IMPORTANT !!! Place combofix.exe on your Desktop
   
2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
   
3. Double click on combofix.exe & follow the prompts.
   
4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
   
   Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
   
   
   
   
   
   The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
   
   With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
   
   Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
   
   ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
   
   Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
   
   The Recovery Console was successfully installed.
   
   
   
   Click on Yes, to continue scanning for malware.
   
5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
   
6. When finished, it shall produce a log for you. Post that log in your next reply
   
   Note:
   Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
   
   ---------------------------------------------------------------------------------------------
   
7. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.
   
   ---------------------------------------------------------------------------------------------

[no cxn]

I can appreciate your policy for re-offenders such as myself, I apologize for abandoning the previous thread and thank you for your consideration on this issue. The log:

ComboFix 09-04-15.08 - Owner 04/15/2009 19:20.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894.378 [GMT -5:00]
Running from: c:\documents and settings\Owner\My Documents\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point
.
ADS - explorer.exe: deleted 576 bytes in 2 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\avinerat.ini
c:\windows\system32\dejezibi.dll
c:\windows\system32\dugeyene.dll
c:\windows\system32\ezukotef.ini
c:\windows\system32\iyevepeg.ini
c:\windows\system32\lihovoke.dll
c:\windows\system32\mawaboga.dll
c:\windows\system32\pipiwuhi.dll
c:\windows\system32\sijuwuji.dll

.
((((((((((((((((((((((((( Files Created from 2009-03-16 to 2009-04-16 )))))))))))))))))))))))))))))))
.

2009-04-14 00:18 . 2009-04-14 00:18 -------- d-s---w c:\documents and settings\LocalService\UserData
2009-04-10 16:30 . 2009-04-10 16:30 -------- d-s---w c:\documents and settings\Owner\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-16 00:25 . 2006-09-01 18:14 -------- d-----w c:\program files\Symantec AntiVirus
2009-04-15 23:42 . 2009-01-15 23:42 108032 --sha-w c:\windows\system32\woyobizi.dll
2009-04-15 23:42 . 2009-01-15 23:42 108032 --sha-w c:\windows\system32\woyobizi.dll
2009-04-15 23:42 . 2009-01-15 23:42 100352 --sha-w c:\windows\system32\fetokuze.dll
2009-04-15 23:42 . 2009-01-15 23:42 100352 --sha-w c:\windows\system32\fetokuze.dll
2009-04-14 13:29 . 2009-01-14 13:29 70144 --sha-w c:\windows\system32\lirutoga.dll
2009-04-14 13:29 . 2009-01-14 13:29 70144 --sha-w c:\windows\system32\lirutoga.dll
2009-04-14 01:29 . 2009-01-14 01:29 63488 --sha-w c:\windows\system32\ligamosa.exe
2009-04-14 01:29 . 2009-01-14 01:29 63488 --sha-w c:\windows\system32\ligamosa.exe
2009-04-14 01:29 . 2009-01-14 01:29 107008 --sha-w c:\windows\system32\vahuyayu.dll
2009-04-14 01:29 . 2009-01-14 01:29 107008 --sha-w c:\windows\system32\vahuyayu.dll
2009-04-13 13:28 . 2009-01-13 13:28 109568 --sha-w c:\windows\system32\puwohuwu.dll
2009-04-13 13:28 . 2009-01-13 13:28 109568 --sha-w c:\windows\system32\puwohuwu.dll
2009-04-13 13:28 . 2009-01-13 13:28 63488 --sha-w c:\windows\system32\dosozodu.exe
2009-04-13 13:28 . 2009-01-13 13:28 63488 --sha-w c:\windows\system32\dosozodu.exe
2009-04-13 01:28 . 2009-01-13 01:28 62976 --sha-w c:\windows\system32\vuzofafu.exe
2009-04-13 01:28 . 2009-01-13 01:28 62976 --sha-w c:\windows\system32\vuzofafu.exe
2009-04-13 01:28 . 2009-01-13 01:28 107520 --sha-w c:\windows\system32\zedomoje.dll
2009-04-13 01:28 . 2009-01-13 01:28 107520 --sha-w c:\windows\system32\zedomoje.dll
2009-04-12 13:28 . 2009-01-12 13:28 64000 --sha-w c:\windows\system32\yunuvofu.exe
2009-04-12 13:28 . 2009-01-12 13:28 64000 --sha-w c:\windows\system32\yunuvofu.exe
2009-04-12 13:28 . 2009-01-12 13:28 109568 --sha-w c:\windows\system32\mifijuhu.dll
2009-04-12 13:28 . 2009-01-12 13:28 109568 --sha-w c:\windows\system32\mifijuhu.dll
2009-04-12 01:28 . 2009-01-12 01:28 62976 --sha-w c:\windows\system32\tibiyoni.exe
2009-04-12 01:28 . 2009-01-12 01:28 62976 --sha-w c:\windows\system32\tibiyoni.exe
2009-04-11 13:28 . 2009-01-11 13:28 62464 --sha-w c:\windows\system32\lalilave.exe
2009-04-11 13:28 . 2009-01-11 13:28 62464 --sha-w c:\windows\system32\lalilave.exe
2009-04-11 01:28 . 2009-01-11 01:28 100864 --sha-w c:\windows\system32\tareniva.dll
2009-04-11 01:28 . 2009-01-11 01:28 100864 --sha-w c:\windows\system32\tareniva.dll
2009-04-10 13:28 . 2009-01-10 13:28 63488 --sha-w c:\windows\system32\vadasiza.exe
2009-04-10 13:28 . 2009-01-10 13:28 63488 --sha-w c:\windows\system32\vadasiza.exe
2009-04-10 13:28 . 2009-01-10 13:28 109056 --sha-w c:\windows\system32\tarahasi.dll
2009-04-10 13:28 . 2009-01-10 13:28 109056 --sha-w c:\windows\system32\tarahasi.dll
2009-04-10 13:28 . 2009-01-10 13:28 101888 ------w c:\windows\system32\gepeveyi.dll
2009-03-21 04:59 . 2009-03-21 04:59 182 ----a-w C:\drwtsn32.log
2009-02-20 09:36 . 2005-01-09 23:48 1033216 ----a-w c:\windows\explorer.exe
2009-02-15 00:57 . 2009-02-15 00:56 -------- d-----w c:\program files\iTunes
2009-02-15 00:57 . 2009-02-15 00:56 -------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-15 00:57 . 2009-02-15 00:57 -------- d-----w c:\program files\iPod
2009-02-15 00:57 . 2009-02-15 00:54 -------- d-----w c:\program files\Common Files\Apple
2009-02-15 00:56 . 2009-02-15 00:56 -------- d-----w c:\program files\Bonjour
2009-02-15 00:56 . 2009-02-15 00:55 -------- d-----w c:\program files\QuickTime
2009-02-15 00:54 . 2009-02-15 00:54 -------- d-----w c:\program files\Apple Software Update
2009-02-15 00:54 . 2009-02-15 00:54 -------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-02-09 10:19 . 2008-10-24 23:42 1846272 ----a-w c:\windows\system32\win32k.sys
2008-12-12 15:24 . 2005-01-10 01:26 33968 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-09-11 22:07 . 2006-09-11 22:07 0 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2005-01-10 01:26 . 2006-08-30 02:01 13104 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5d2a4cd2-cde2-4bb2-8826-956d630d0f4e}]
2009-01-14 13:29 70144 --sha-w c:\windows\system32\tamuyali.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-31 68856]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-10-24 4662776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-11-15 85744]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-06-03 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-14 136600]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-08-27 139264]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"zoyonidasu"="c:\windows\system32\kesibahi.dll" [2009-01-14 70144]
"344b23c3"="c:\windows\system32\fetokuze.dll" [2009-04-15 100352]
"CPM3778105f"="c:\windows\system32\woyobizi.dll" [2009-04-15 108032]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2005-09-26 90112]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-09-18 1519616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2008-3-25 217088]
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2006-2-7 2168360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
SBC Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2008-3-25 217088]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\woyobizi.dll" [2009-04-15 108032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\woyobizi.dll [2009-04-15 108032]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\woyobizi.dll,c:\windows\system32\jazukimo.dll
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\windows\system32\jazukimo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccEvtMgr.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\WINDOWS\\system32\\lsass.exe"=

R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-11-15 169200]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-27 101936]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55ab965b-980d-11da-921b-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f94ae581-9805-11da-b621-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2009-04-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5056
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3baeesrj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCID.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-15 19:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(752)
c:\windows\system32\jazukimo.dll

- - - - - - - > 'explorer.exe'(2856)
c:\progra~1\SBCSEL~1\SMARTB~1\SBHook.dll
c:\windows\system32\fetokuze.dll
c:\windows\system32\tamuyali.dll
c:\windows\system32\kesibahi.dll
c:\windows\system32\woyobizi.dll
c:\windows\system32\jazukimo.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2009-04-16 19:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-16 00:28
ComboFix2.txt 2008-11-03 18:26

Pre-Run: 32,978,399,232 bytes free
Post-Run: 33,040,031,744 bytes free

220 --- E O F --- 2009-03-15 08:01

[tetonbob]

Ok, thanks for understanding...let's clean up the rest of this mess.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
   
2. Open notepad and copy/paste the text in the quotebox below into it:
   
   
   Code:

   http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/366449-lot-trojans-popping-up-my-symantec.html#post2083485
   
   Registry::
   [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
   "AppInit_DLLs"=-
   "LoadAppInit_DLLs"=-
   [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
   "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00 
   Collect::
   c:\windows\system32\woyobizi.dll
   c:\windows\system32\fetokuze.dll
   c:\windows\system32\lirutoga.dll
   c:\windows\system32\ligamosa.exe
   c:\windows\system32\vahuyayu.dll
   c:\windows\system32\puwohuwu.dll
   c:\windows\system32\dosozodu.exe
   c:\windows\system32\vuzofafu.exe
   c:\windows\system32\zedomoje.dll
   c:\windows\system32\yunuvofu.exe
   c:\windows\system32\mifijuhu.dll
   c:\windows\system32\tibiyoni.exe
   c:\windows\system32\lalilave.exe
   c:\windows\system32\tareniva.dll
   c:\windows\system32\vadasiza.exe
   c:\windows\system32\tarahasi.dll
   c:\windows\system32\gepeveyi.dll
   c:\windows\system32\fetokuze.dll
   c:\windows\system32\tamuyali.dll
   c:\windows\system32\kesibahi.dll
   c:\windows\system32\woyobizi.dll
   c:\windows\system32\jazukimo.dll
   
   
   File::

   Save this as CFScript.txt
   
   
   
   
   Referring to the picture above, drag CFScript.txt into ComboFix.exe
   
   
   
3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
   
4. When finished, it shall produce a log for you. Post that log in your next reply
   
   Note:
   Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
   
   When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed.. With the above script, ComboFix will capture a file to submit for analysis.
   
   Ensure you are connected to the internet and click OK. Follow the prompts.
   
5. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
   
   ---------------------------------------------------------------------------------------------
   

[no cxn]

Here is the latest log... fyi, it's been about 5 minutes and it appears that the pop-ups have stopped:

ComboFix 09-04-15.08 - Owner 04/15/2009 21:27.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894.351 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dosozodu.exe
c:\windows\system32\ezukotef.ini
c:\windows\system32\fetokuze.dll
c:\windows\system32\gepeveyi.dll
c:\windows\system32\jazukimo.dll
c:\windows\system32\kesibahi.dll
c:\windows\system32\lalilave.exe
c:\windows\system32\ligamosa.exe
c:\windows\system32\lirutoga.dll
c:\windows\system32\mifijuhu.dll
c:\windows\system32\puwohuwu.dll
c:\windows\system32\tamuyali.dll
c:\windows\system32\tarahasi.dll
c:\windows\system32\tareniva.dll
c:\windows\system32\tibiyoni.exe
c:\windows\system32\vadasiza.exe
c:\windows\system32\vahuyayu.dll
c:\windows\system32\vuzofafu.exe
c:\windows\system32\woyobizi.dll
c:\windows\system32\yunuvofu.exe
c:\windows\system32\zedomoje.dll

.
((((((((((((((((((((((((( Files Created from 2009-03-16 to 2009-04-16 )))))))))))))))))))))))))))))))
.

2009-04-14 00:18 . 2009-04-14 00:18 -------- d-s---w c:\documents and settings\LocalService\UserData
2009-04-10 16:30 . 2009-04-10 16:30 -------- d-s---w c:\documents and settings\Owner\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-16 02:29 . 2006-09-01 18:14 -------- d-----w c:\program files\Symantec AntiVirus
2009-03-21 04:59 . 2009-03-21 04:59 182 ----a-w C:\drwtsn32.log
2009-02-20 09:36 . 2005-01-09 23:48 1033216 ----a-w c:\windows\explorer.exe
2009-02-09 10:19 . 2008-10-24 23:42 1846272 ----a-w c:\windows\system32\win32k.sys
2008-12-12 15:24 . 2005-01-10 01:26 33968 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-09-11 22:07 . 2006-09-11 22:07 0 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2005-01-10 01:26 . 2006-08-30 02:01 13104 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-04-16_00.25.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-16 02:30 . 2009-04-16 02:30 16384 c:\windows\temp\Perflib_Perfdata_7d4.dat
+ 2009-04-16 02:28 . 2005-10-21 01:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-04-16 00:22 . 2005-10-21 01:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-31 68856]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-10-24 4662776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-11-15 85744]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-06-03 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-14 136600]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-08-27 139264]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2005-09-26 90112]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-09-18 1519616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2008-3-25 217088]
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2006-2-7 2168360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
SBC Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2008-3-25 217088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccEvtMgr.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-11-15 169200]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-27 101936]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55ab965b-980d-11da-921b-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f94ae581-9805-11da-b621-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2009-04-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{5d2a4cd2-cde2-4bb2-8826-956d630d0f4e} - c:\windows\system32\tamuyali.dll
HKLM-Run-zoyonidasu - c:\windows\system32\kesibahi.dll
HKLM-Run-344b23c3 - c:\windows\system32\fetokuze.dll
HKLM-Run-CPM3778105f - c:\windows\system32\woyobizi.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5056
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3baeesrj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCID.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-15 21:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3212)
c:\progra~1\SBCSEL~1\SMARTB~1\SBHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\rundll32.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\SoftwareDistribution\Download\788a709ca6976915e46d02310f43b6dc\update\update.exe
.
**************************************************************************
.
Completion time: 2009-04-16 21:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-16 02:34
ComboFix2.txt 2009-04-16 00:28
ComboFix3.txt 2008-11-03 18:26

Pre-Run: 32,943,579,136 bytes free
Post-Run: 32,886,886,400 bytes free

182 --- E O F --- 2009-03-15 08:01

[tetonbob]

Please go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\ComboFix-quarantined-files.txt

Post the contents of the logfile which will open.

[no cxn]

Here is the log:

2009-04-16 02:34:14 . 2009-04-16 02:34:14 149 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-344b23c3.reg.dat
2009-04-16 02:34:14 . 2009-04-16 02:34:14 152 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CPM3778105f.reg.dat
2009-04-16 02:34:14 . 2009-04-16 02:34:14 151 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-zoyonidasu.reg.dat
2009-04-16 02:34:12 . 2009-04-16 02:34:12 374 ----a-w C:\Qoobox\Quarantine\Registry_backups\BHO-{5d2a4cd2-cde2-4bb2-8826-956d630d0f4e}.reg.dat
2009-04-16 02:27:14 . 2009-04-16 02:27:14 1,568,043 ----a-w C:\Qoobox\Quarantine\[4]-Submit_2009-04-16@21.26.zip
2009-04-16 00:27:57 . 2009-04-16 00:50:38 1,409,212 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ezukotef.ini.vir
2009-04-11 01:28:16 . 2009-04-15 01:52:15 1,408,899 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\avinerat.ini.vir
2009-04-10 13:28:17 . 2009-04-10 20:30:27 1,403,673 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\iyevepeg.ini.vir
2009-01-15 23:42:40 . 2009-04-16 02:26:22 100,352 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\fetokuze.dll.vir
2009-01-15 23:42:40 . 2009-04-16 02:27:10 108,032 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\woyobizi.dll.vir
2009-01-15 01:29:24 . 2009-04-15 01:29:25 109,056 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\mawaboga.dll.vir
2009-01-14 13:29:45 . 2009-04-16 02:26:28 70,144 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\jazukimo.dll.vir
2009-01-14 13:29:45 . 2009-04-16 02:26:31 70,144 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\kesibahi.dll.vir
2009-01-14 13:29:45 . 2009-04-16 02:26:44 70,144 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\tamuyali.dll.vir
2009-01-14 13:29:12 . 2009-04-16 02:26:37 70,144 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\lirutoga.dll.vir
2009-01-14 13:29:12 . 2009-04-14 13:29:14 109,056 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\sijuwuji.dll.vir
2009-01-14 01:29:06 . 2009-04-16 02:27:04 107,008 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\vahuyayu.dll.vir
2009-01-14 01:29:06 . 2009-04-16 02:26:35 63,488 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ligamosa.exe.vir
2009-01-13 13:28:52 . 2009-04-16 02:26:19 63,488 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\dosozodu.exe.vir
2009-01-13 13:28:52 . 2009-04-16 02:26:41 109,568 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\puwohuwu.dll.vir
2009-01-13 01:28:47 . 2009-04-16 02:27:08 62,976 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\vuzofafu.exe.vir
2009-01-13 01:28:47 . 2009-04-16 02:27:14 107,520 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\zedomoje.dll.vir
2009-01-12 13:28:37 . 2009-04-16 02:26:38 109,568 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\mifijuhu.dll.vir
2009-01-12 13:28:37 . 2009-04-16 02:27:13 64,000 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\yunuvofu.exe.vir
2009-01-12 01:28:30 . 2009-04-12 01:28:32 109,568 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\dejezibi.dll.vir
2009-01-12 01:28:30 . 2009-04-16 02:26:55 62,976 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\tibiyoni.exe.vir
2009-01-11 13:28:22 . 2009-04-11 13:28:23 109,056 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\lihovoke.dll.vir
2009-01-11 13:28:22 . 2009-04-16 02:26:33 62,464 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\lalilave.exe.vir
2009-01-11 01:28:14 . 2009-04-11 01:28:15 100,864 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\tareniva.dll.vir
2009-01-11 01:28:12 . 2009-04-11 01:28:44 71,168 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\dugeyene.dll.vir
2009-01-11 01:28:12 . 2009-04-11 01:28:14 109,568 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\pipiwuhi.dll.vir
2009-01-10 13:28:06 . 2009-04-16 02:26:59 63,488 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\vadasiza.exe.vir
2009-01-10 13:28:04 . 2009-04-16 02:26:48 109,056 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\tarahasi.dll.vir
2009-01-10 13:28:04 . 2009-04-10 13:28:06 101,888 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\gepeveyi.dll.vir
2008-11-03 18:26:28 . 2008-11-03 18:26:28 626 ----a-w C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-VSOCheckTask.reg.dat
2008-11-03 18:26:28 . 2008-11-03 18:26:28 604 ----a-w C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-VirusScan Online.reg.dat
2008-11-03 18:26:28 . 2008-11-03 18:26:28 592 ----a-w C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-OASClnt.reg.dat
2008-11-03 18:26:28 . 2008-11-03 18:26:28 596 ----a-w C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-MSKAGENTEXE.reg.dat
2008-11-03 18:26:28 . 2008-11-03 18:26:28 590 ----a-w C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-MPFExe.reg.dat
2008-11-03 18:26:28 . 2008-11-03 18:26:28 598 ----a-w C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-MCUpdateExe.reg.dat
2008-11-03 18:26:28 . 2008-11-03 18:26:28 592 ----a-w C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-MCAgentExe.reg.dat
2008-11-03 18:26:28 . 2008-11-03 18:26:28 664 ----a-w C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-HostManager.reg.dat
2008-11-03 18:26:28 . 2008-11-03 18:26:28 668 ----a-w C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-AOL Spyware Protection.reg.dat
2008-11-03 18:26:27 . 2008-11-03 18:26:27 270 ----a-w C:\Qoobox\Quarantine\Registry_backups\Notify-dimsntfy.reg.dat
2008-11-03 18:26:27 . 2008-11-03 18:26:27 472 ----a-w C:\Qoobox\Quarantine\Registry_backups\Notify-Csrss.reg.dat
2008-11-03 18:19:36 . 2009-04-16 02:28:29 5,865 ----a-w C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2008-11-03 18:16:31 . 2009-04-16 02:25:02 232 ----a-w C:\Qoobox\Quarantine\catchme.log
2008-08-02 23:54:09 . 2008-08-02 23:54:12 53 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML.vir
2005-01-09 23:49:02 . 2004-08-10 19:00:00 2,897,920 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_003502_.tmp.dll.vir
2005-01-09 23:48:33 . 2006-08-17 12:28:27 132,096 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_003442_.tmp.dll.vir
2005-01-09 23:48:33 . 2004-08-10 19:00:00 146,432 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_003443_.tmp.dll.vir
2005-01-09 23:48:33 . 2004-08-10 19:00:00 101,888 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_003444_.tmp.dll.vir
2005-01-09 23:48:33 . 2008-09-15 11:57:41 1,846,016 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_003445_.tmp.dll.vir
2005-01-09 23:48:29 . 2004-12-07 19:32:34 96,768 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_003452_.tmp.dll.vir
2005-01-09 23:48:25 . 2004-08-10 19:00:00 22,040 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_003453_.tmp.dll.vir
2005-01-09 23:48:25 . 2004-08-10 19:00:00 50,688 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_003454_.tmp.dll.vir
2005-01-09 23:48:24 . 2004-08-10 19:00:00 983,552 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_003455_.tmp.dll.vir
2005-01-09 23:48:24 . 2004-08-10 19:00:00 108,032 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_003457_.tmp.dll.vir
2005-01-09 23:48:24 . 2007-04-25 14:21:15 144,896 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_003458_.tmp.dll.vir
2005-01-09 23:48:24 . 2004-08-10 19:00:00 415,744 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_003461_.tmp.dll.vir
2005-01-09 23:48:24 . 2004-08-10 19:00:00 64,000 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_003462_.tmp.dll.vir
2005-01-09 23:48:22 . 2004-08-10 19:00:00 58,880 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_003464_.tmp.dll.vir
2005-01-09 23:48:22 . 2004-08-10 19:00:00 61,440 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_003465_.tmp.dll.vir
2005-01-09 23:48:22 . 2004-08-10 19:00:00 657,920 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_003466_.tmp.dll.vir
2005-01-09 23:48:22 . 2004-08-10 19:00:00 236,544 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_003468_.tmp.dll.vir
2005-01-09 23:48:20 . 2005-07-26 04:39:49 37,888 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_003471_.tmp.dll.vir
2005-01-09 23:48:20 . 2007-12-04 18:38:13 550,912 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_003472_.tmp.dll.vir
2005-01-09 23:48:17 . 2004-08-10 19:00:00 8,192 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_003476_.tmp.dll.vir
2005-01-09 23:48:17 . 2004-08-10 19:00:00 708,096 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_003477_.tmp.dll.vir
2005-01-09 23:48:11 . 2004-08-10 19:00:00 129,536 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_003479_.tmp.dll.vir
2005-01-09 23:48:06 . 2007-11-07 09:26:56 721,920 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_003482_.tmp.dll.vir
2005-01-09 23:48:06 . 2004-08-10 19:00:00 341,504 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_003484_.tmp.dll.vir
2005-01-09 23:48:06 . 2004-08-10 19:00:00 249,270 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_003485_.tmp.dll.vir
2005-01-09 23:48:06 . 2004-08-10 19:00:00 13,824 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_003486_.tmp.dll.vir
2005-01-09 23:48:06 . 2007-04-16 15:52:53 984,576 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_003487_.tmp.dll.vir
2005-01-09 23:48:05 . 2004-08-10 19:00:00 144,384 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_003488_.tmp.dll.vir
2005-01-09 23:47:53 . 2006-05-19 12:59:41 111,616 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_003491_.tmp.dll.vir
2005-01-09 23:47:52 . 2004-08-10 19:00:00 135,168 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_003492_.tmp.dll.vir
2005-01-09 23:47:52 . 2004-08-10 19:00:00 32,768 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_003493_.tmp.dll.vir
2005-01-09 23:47:51 . 2004-08-10 19:00:00 276,992 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_003494_.tmp.dll.vir
2005-01-09 23:47:51 . 2006-08-25 15:45:58 617,472 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_003495_.tmp.dll.vir
2005-01-09 23:47:49 . 2004-08-10 19:00:00 616,960 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_003500_.tmp.dll.vir

[tetonbob]

• Please visit this site:
  
  
  http://www.bleepingcomputer.com/subm....php?channel=4
  
  
• In the Link to topic where this file was requested: area, copy and paste this
  
  
  
  http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/366449-lot-trojans-popping-up-my-symantec.html#post2085500
  
  
  
• In the Browse to the file you want to submit: area, copy and paste this
  
  
  
  C:\Qoobox\Quarantine\[4]-Submit_2009-04-16@21.26.zip
  
  
  
• Then click Send File.
  
• Once it shows:
  

  Quote:

  Your file was successfully submitted. Please let the user helping you know that you have submitted the file.

• Close the site and continue with the steps below.

---------------------------------------------------------------------------------------------

Your Java is out of date.

Java(TM) 6 Update 11 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts.


---------------------------------------------------------------------------------------------

Please perform this online scan to help look for remnants

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:

• Close any open programs
• Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

• Click Run at the Security prompt.
• The program will then begin downloading and installing and will also update the database.
• Please be patient as this can take several minutes.
• Once the update is complete, click on Settings. Uncheck Mail databases.
• Next, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
• Click the Save Report As... button.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------------------------------------

How is the machine behaving now?







---------------------------------------------------------------------------------------------

[no cxn]

By all appearances, the machine is behaving normally. Here is the kaspersky scan report, I did uncheck the mail databases as it said in the instructions, so I'm not sure why it is saying yes:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, April 17, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, April 17, 2009 03:50:12
Records in database: 2052138
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 62528
Threat name: 3
Infected objects: 7
Suspicious objects: 0
Duration of the scan: 07:11:25


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D100000.VBN Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D100002.VBN Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DC00000.VBN Infected: Backdoor.Win32.Agent.acks 1
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\29\775d249d-26c8a956 Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-25df2a8e Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-1181d259-36cc7e21.zip Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-4a8f2732.zip Infected: Exploit.Java.Gimsh.b 1

The selected area was scanned.

[tetonbob]

Some of the items found are in Symantec Quarantine. The items are safe there, as they've been rendered inert. Symantec empties it's quarantine on a schedule. You should also be able to finally remove those items from quarantine manually. See if this helps:

http://www.d.umn.edu/itss/security/nav/quarantine.html

Open NOTEPAD.exe and copy/paste the text in the codebox below into it:

Code:

@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (

"C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\29\775d249d-26c8a956"
"C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-25df2a8e"
"C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-1181d259-36cc7e21.zip"
"C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-4a8f2732.zip"

) do (
del /a/f %%g >nul 2>&1
if exist %%g echo.%%g>>"%temp%\log.txt"
)

if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
del %0

Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:
Double click on fix.bat & allow it to run

Post back to tell me what it says

[no cxn]

It says:

Deleted Successfully!!
Press any key to continue...

[tetonbob]

Just what we want.

Your logs appear clean.You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

• Microsoft Windows Update - http://www.windowsupdate.com
  Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  
  
• SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items
• WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.
  
• McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.
  
• Winpatrol
  
  Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.
  
  You can get a free copy of Winpatrol or use the Plus version for more features.
  
  You can read Winpatrol's FAQ if you run into problems.
  
  
• MVPS HOST FILE
  The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • Download Host.zip to your desktop.
  • From your Desktop right-click (hosts.zip) and select:
    Extract All from the menu.
    
  • Click Next, click Next, select the option:
    "Show Extracted files", click Finish
    
  • This will open the newly created hosts folder on your Desktop.
    
  • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    
  • Once updated you should see another prompt that the task was completed.
• ANTIVIRUS SOFTWARE
  It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.
  
  Do not install more than one AntiVirus program because they will conflict with each other.
  
  
• Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer
  
  
• http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• How did I get infected in the first place?
• PC Safety and Security--What Do I Need?

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

[no cxn]

Thank you for the proactive resources, and for your time in resolving this. Do you guys accept donations towards the costs to keep this site/board running?

[tetonbob]

I'm glad to hear things are much better with the machine, and thank you for your consideration of support.

If you want to donate to the forum, there's a drop down menu near the top of the page, the link is here

http://www.techsupportforum.com/donate.php

Those donations go to the costs of maintaining the board.

[no cxn]

Thank you. I've performed all the actions as directed in your post above (winpatrol/spyblaster/WOT/McAfee SA/MVPS Hosts, etc etc). Thanks again!

[tetonbob]

You're welcome.

Surf Safely, and Think Prevention! The internet's a jungle.

Since this issue is resolved, this topic will be archived.