computer running real slow

[tilliet]

Hi peoples, I am not sure exactly what the problem is but this computer is running really slow. I have found virtumonde with spybot S&D and it keeps coming back. I also suspect that this computer has viruses. Any help would be greatly appreciated.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Ash at 19:34:01.62 on Thu 07/30/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1527.906 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090730-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Ares Lite\Ares.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ash\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://enterpriselogin.disney.com/forms/signin.fcc?TYPE=33554433&REALMOID=06-000328b7-578c-104f-9668-83011c3c0000&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=$SM$%2f2NaOvkhLxBh12FWP%2fiikeGfkRWbLKHlB2r%2bFm3aONHiWbM8CJvs0v0v8zdelkHI&TARGET=$SM$HTTPS%3a%2f%2fenterpriseportal%2edisney%2ecom%2fsite%2fwdw%2findex%2ejsp%3fDEPTaxonomyNode-b9a939a7a9c3e616c53f1776faac01ca%3d570
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://safesearch.cyberdefender.com/smallsearch.html
uDefault_Page_URL = hxxp://www.dell4me.com/myway
mDefault_Page_URL = hxxp://www.dell4me.com/myway
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page =
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: N/A: {4d25f926-b9fe-4682-bf72-8ab8210d6d75} - c:\program files\mywaysa\srchasde\deSrcAs.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: {2452463e-91e1-4f00-a8dc-af387a96aaf5} - c:\windows\system32\hgGywUnK.dll
BHO: {29733919-0310-46a3-9401-4eb9a2617ad9} - c:\windows\system32\geBuRjhE.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: {98431966-CECA-433E-BF32-CD4BC63B2C49} - No File
BHO: MyIdentityDefender: {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - c:\documents and settings\ash\local settings\application data\cyberdefender\cdmyidd.dll
BHO: {A6C54318-5AC7-477D-B0A7-49AF5189300C} - No File
BHO: Viewpoint Toolbar BHO: {a7327c09-b521-4edb-8509-7d2660c9ec98} - c:\program files\viewpoint\viewpoint toolbar\3.9.0\ViewBarBHO.dll
BHO: {d13a3701-ad77-4f97-acab-a008dd662e69} - c:\windows\system32\cbXnkKAP.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: MyIdentityDefender: {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - c:\documents and settings\ash\local settings\application data\cyberdefender\cdmyidd.dll
TB: Viewpoint Toolbar: {f8ad5aa5-d966-4667-9daf-2561d68b2012} - c:\program files\common files\viewpoint\toolbar runtime\3.9.0\IEViewBar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ares lite] "c:\program files\ares lite\Ares.exe" -h
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [lxcrmon.exe] "c:\program files\lexmark 2400 series\lxcrmon.exe"
mRun: [EzPrint] "c:\program files\lexmark 2400 series\ezprint.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LXCRCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCRtime.dll,_RunDLLEntry@16
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/betapit/PCPitStop.CAB
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
Notify: urqpNGYp - urqpNGYp.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\cbXnkKAP

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-8-22 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-8-22 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-8-22 138680]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-1-23 24652]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-8-22 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-8-22 352920]

=============== Created Last 30 ================

2009-07-13 23:47 <DIR> --d----- c:\program files\iPod
2009-07-13 23:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-13 23:47 <DIR> --d----- c:\program files\iTunes
2009-07-13 23:37 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-07-13 23:27 <DIR> --d----- c:\program files\Bonjour

==================== Find3M ====================

2009-07-18 12:05 3,069,440 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-18 12:05 1,509,888 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-06-26 12:50 666,624 a------- c:\windows\system32\wininet.dll
2009-06-26 12:50 666,624 -------- c:\windows\system32\dllcache\wininet.dll
2009-06-26 12:50 620,032 -------- c:\windows\system32\dllcache\urlmon.dll
2009-06-26 12:50 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-26 12:50 81,920 -------- c:\windows\system32\dllcache\ieencode.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-05 11:42 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 15:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2006-09-14 23:57 36,848 ac------ c:\docume~1\ash\applic~1\GDIPFONTCACHEV1.DAT
2007-10-28 18:46 411,310 ac-sh--- c:\windows\system32\ijllm.bak1
2007-10-28 18:54 409,915 ac-sh--- c:\windows\system32\ijllm.bak2

============= FINISH: 19:35:00.46 ===============

[forhockey]

Hi tilliet,

Sorry for the delay in looking into your log, as we are extremely busy in this section of the forums. If you still require assistance and are not seeking help elsewhere, then please carry out my instructions.

Please subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Add Subscription.

--------------------------------------------------------------

Please re-run DDS and post the resulting logs

Thanks

[tilliet]

thanks so much for your help. Here is the DDS report again.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Ash at 17:02:38.35 on Sat 08/08/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1527.998 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090808-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ares Lite\Ares.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ash\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://enterpriselogin.disney.com/forms/signin.fcc?TYPE=33554433&REALMOID=06-000328b7-578c-104f-9668-83011c3c0000&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=$SM$%2f2NaOvkhLxBh12FWP%2fiikeGfkRWbLKHlB2r%2bFm3aONHiWbM8CJvs0v0v8zdelkHI&TARGET=$SM$HTTPS%3a%2f%2fenterpriseportal%2edisney%2ecom%2fsite%2fwdw%2findex%2ejsp%3fDEPTaxonomyNode-b9a939a7a9c3e616c53f1776faac01ca%3d570
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://safesearch.cyberdefender.com/smallsearch.html
uDefault_Page_URL = hxxp://www.dell4me.com/myway
mDefault_Page_URL = hxxp://www.dell4me.com/myway
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page =
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: N/A: {4d25f926-b9fe-4682-bf72-8ab8210d6d75} - c:\program files\mywaysa\srchasde\deSrcAs.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: {2452463e-91e1-4f00-a8dc-af387a96aaf5} - c:\windows\system32\hgGywUnK.dll
BHO: {29733919-0310-46a3-9401-4eb9a2617ad9} - c:\windows\system32\geBuRjhE.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: {98431966-CECA-433E-BF32-CD4BC63B2C49} - No File
BHO: MyIdentityDefender: {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - c:\documents and settings\ash\local settings\application data\cyberdefender\cdmyidd.dll
BHO: {A6C54318-5AC7-477D-B0A7-49AF5189300C} - No File
BHO: {d13a3701-ad77-4f97-acab-a008dd662e69} - c:\windows\system32\cbXnkKAP.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: MyIdentityDefender: {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - c:\documents and settings\ash\local settings\application data\cyberdefender\cdmyidd.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ares lite] "c:\program files\ares lite\Ares.exe" -h
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [lxcrmon.exe] "c:\program files\lexmark 2400 series\lxcrmon.exe"
mRun: [EzPrint] "c:\program files\lexmark 2400 series\ezprint.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LXCRCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCRtime.dll,_RunDLLEntry@16
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/betapit/PCPitStop.CAB
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
Notify: urqpNGYp - urqpNGYp.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\cbXnkKAP

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-8-22 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-8-22 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-8-22 138680]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-1-23 24652]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-8-22 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-8-22 352920]

=============== Created Last 30 ================

2009-07-13 23:47 <DIR> --d----- c:\program files\iPod
2009-07-13 23:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-13 23:47 <DIR> --d----- c:\program files\iTunes
2009-07-13 23:37 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-07-13 23:27 <DIR> --d----- c:\program files\Bonjour

==================== Find3M ====================

2009-07-18 12:05 3,069,440 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-18 12:05 1,509,888 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-06-26 12:50 666,624 a------- c:\windows\system32\wininet.dll
2009-06-26 12:50 666,624 -------- c:\windows\system32\dllcache\wininet.dll
2009-06-26 12:50 620,032 -------- c:\windows\system32\dllcache\urlmon.dll
2009-06-26 12:50 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-26 12:50 81,920 -------- c:\windows\system32\dllcache\ieencode.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 15:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2006-09-14 23:57 36,848 ac------ c:\docume~1\ash\applic~1\GDIPFONTCACHEV1.DAT
2007-10-28 18:46 411,310 ac-sh--- c:\windows\system32\ijllm.bak1
2007-10-28 18:54 409,915 ac-sh--- c:\windows\system32\ijllm.bak2

============= FINISH: 17:03:14.95 ===============

[forhockey]

tilliet,

Before beginning the proposed fix, read this post completely. Any questions should be kindly asked before proceeding. Ensure that there are no open browsers when carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

--------------------------------------------------------------

Disable S& D Spybot's Tea Timer

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

• Open Spybot Search & Destroy.
• In the Mode menu click "Advanced mode" if not already selected.
• Choose "Yes" at the Warning prompt.
• Expand the "Tools" menu.
• Click "Resident".
• Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
• In the File menu click "Exit" to exit Spybot Search & Destroy.

Also see this step-by-step tutorial: http://www.malwarehelp.org/how-to-en...-teatimer.html


--------------------------------------------------------------------

1. Download Combofix from any of the links below. You must rename it before saving it.
   
   * IMPORTANT !!! Place combo-fix.exe on your Desktop
   
   Link 1
   Link 2
   
   
   
   
   
   
   --------------------------------------------------------------------
   
2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
   
   
   You can get help on disabling your protection programs here
   
3. Double click on combo-fix.exe & follow the prompts.
   
4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
   
   
5. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
   
   **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
   
   
   
   
   
   Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
   
   
   
   
   
   Click on Yes, to continue scanning for malware.
   
6. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
   
7. When finished, it shall produce a log for you (Located in C:\ComboFix.txt). Post that log in your next reply
   
   Note:
   Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
   
   ---------------------------------------------------------------------------------------------
   
8. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.

[tilliet]

ComboFix 09-08-07.09 - Ash 08/08/2009 19:45.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1527.1068 [GMT -4:00]
Running from: c:\documents and settings\Ash\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1335 [VPS 090808-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Ash\Local Settings\Temporary Internet Files\CPV.stt
c:\program files\AntiSpywareMaster
c:\program files\CPV
c:\program files\Temporary
c:\recycler\S-1-5-21-756675163-450111082-2657256198-1003
c:\temp\fCOe
c:\windows\BMe3018af7.txt
c:\windows\BMe3018af7.xml
c:\windows\cookies.ini
c:\windows\system32\EhjRuBeg.ini
c:\windows\system32\fcvgjesm.ini
c:\windows\system32\ijllm.bak1
c:\windows\system32\ijllm.bak2
c:\windows\system32\ijllm.tmp
c:\windows\system32\isgljemk.ini
c:\windows\system32\jvkytwxy.ini
c:\windows\system32\KnUwyGgh.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\ocexybnq.ini
c:\windows\system32\oTt02e
c:\windows\system32\pac.txt
c:\windows\system32\stfuhbpq.ini

.
((((((((((((((((((((((((( Files Created from 2009-07-09 to 2009-08-09 )))))))))))))))))))))))))))))))
.

2009-07-14 03:55 . 2009-07-14 03:56 -------- d-----w- c:\program files\Safari
2009-07-14 03:47 . 2009-07-14 03:47 -------- d-----w- c:\program files\iPod
2009-07-14 03:47 . 2009-07-14 03:49 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-14 03:47 . 2009-07-14 03:49 -------- d-----w- c:\program files\iTunes
2009-07-14 03:42 . 2009-07-14 03:44 -------- d-----w- c:\program files\QuickTime
2009-07-14 03:37 . 2009-06-05 15:42 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-07-14 03:31 . 2009-07-14 03:31 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-07-14 03:27 . 2009-07-14 03:27 -------- d-----w- c:\program files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-28 23:12 . 2008-01-06 00:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-28 22:02 . 2008-05-02 01:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-28 21:34 . 2006-09-03 19:01 -------- d-----w- c:\program files\lx_cats
2009-07-19 04:22 . 2009-02-25 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-14 04:21 . 2008-09-01 19:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-07-14 04:07 . 2008-09-01 19:44 -------- d-----w- c:\program files\Apple Software Update
2009-07-14 03:47 . 2008-09-01 19:41 -------- d-----w- c:\program files\Common Files\Apple
2009-07-10 07:11 . 2008-05-28 00:03 -------- d-----w- c:\documents and settings\Ash\Application Data\Apple Computer
2009-06-26 16:50 . 2004-08-10 17:51 666624 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-16 14:36 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-05 15:42 . 2008-09-01 19:43 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-03 19:09 . 2004-08-10 17:51 1291264 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}]
2009-04-02 01:39 3851592 ----a-w- c:\documents and settings\Ash\Local Settings\Application Data\CyberDefender\cdmyidd.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"= "c:\documents and settings\Ash\Local Settings\Application Data\CyberDefender\cdmyidd.dll" [2009-04-02 3851592]

[HKEY_CLASSES_ROOT\clsid\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares lite"="c:\program files\Ares Lite\Ares.exe" [2006-01-27 3763712]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"lxcrmon.exe"="c:\program files\Lexmark 2400 Series\lxcrmon.exe" [2006-03-06 286720]
"EzPrint"="c:\program files\Lexmark 2400 Series\ezprint.exe" [2006-02-07 98304]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"LXCRCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-02-24 65536]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-10-6 24576]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/22/2008 11:35 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/22/2008 11:35 PM 20560]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [8/10/2004 1:51 PM 14336]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/23/2008 8:11 PM 24652]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - TCPIP_PATCHER
*Deregistered* - tcpip_patcher
.
Contents of the 'Scheduled Tasks' folder

2009-07-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{2452463E-91E1-4F00-A8DC-AF387A96AAF5} - c:\windows\system32\hgGywUnK.dll
BHO-{29733919-0310-46A3-9401-4EB9A2617AD9} - c:\windows\system32\geBuRjhE.dll
BHO-{98431966-CECA-433E-BF32-CD4BC63B2C49} - (no file)
BHO-{D13A3701-AD77-4F97-ACAB-A008DD662E69} - c:\windows\system32\cbXnkKAP.dll
Notify-urqpNGYp - urqpNGYp.dll


.
------- Supplementary Scan -------
.
uStart Page = https://enterpriselogin.disney.com/forms/signin.fcc?TYPE=33554433&REALMOID=06-000328b7-578c-104f-9668-83011c3c0000&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=$SM$%2f2NaOvkhLxBh12FWP%2fiikeGfkRWbLKHlB2r%2bFm3aONHiWbM8CJvs0v0v8zdelkHI&TARGET=$SM$HTTPS%3a%2f%2fenterpriseportal%2edisney%2ecom%2fsite%2fwdw%2findex%2ejsp%3fDEPTaxonomyNode-b9a939a7a9c3e616c53f1776faac01ca%3d570
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-08 20:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCRCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1134103184-1024905128-3632118137-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(824)
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\lxcrcoms.exe
.
**************************************************************************
.
Completion time: 2009-08-09 20:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-09 00:09

Pre-Run: 19,940,085,760 bytes free
Post-Run: 19,826,683,904 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
189 --- E O F --- 2009-07-29 07:03

[forhockey]

tilliet,

P2P Software

I see you have P2P software ( Ares Lite 2.0) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

--------------------------------------------------------------

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):

MyWay Search Assistant
Viewpoint Manager (Remove Only)
Viewpoint Media Player

--------------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

• Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
• Scroll down to where it says "Java SE Runtime Environment (JRE) - JRE 6 Update 15 -"
• Click the "Download" button to the right.
• Select the Windows platform from the dropdown menu.
• Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u14 with JavaFX 1 License Agreement". Click on Continue.The page will refresh.
• Click on the link to download Windows Offline Installation and save the file to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
• Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u15-windows-i586-p.exe to install the newest version.

• After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Delete the following Folders indicated in BLUE

c:\program files\Viewpoint
c:\program files\mywaysa


--------------------------------------------------------------

Perform an online scan with Panda ActiveScan

• Click on Scan Your PC Now
• A "pop up" window will appear, or a new tab will open.
• Click on Register
• Choose the option you like most, but we recommend the Free Registration.
• Click on Register
• Enter your e-mail address, and create a password.
• Select "I do not want to receive any type of information". (unless you want to receive such information)
• Click on Send
• Confirm registration, and continue by entering your user name and password, then click on Enter
• Select Full Scan, then Click on Scan Now
• Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  
• If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
• Please ignore the offer to buy the program. Click on Export To
  
• Export the log and save it to your desktop.
• Please attach the contents of that log in your next reply.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Also, please update me on your systems behaviour.

[tilliet]

I followed all of the steps as far and right now the Panda active scan has been scanning for over 50 hours non-stop and it is only at 42%. I don't understand why it is taking so long. Is this normal?

[forhockey]

Hello Tilliet,

No, that scan shouldn't take that long. What is the size of your hard drive in GB's?

You can try the following...


Download ATF Cleaner to your Desktop.

• Double-click ATF-Cleaner.exe to run the program.
• Click Select All found at the bottom of the list.
• Click the Empty Selected button.

If you use Firefox browser, do this also:

• Click Firefox at the top and choose Select All from the list.
• Click the Empty Selected button.
• NOTE : If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

• Click Opera at the top and choose Select All from the list.
• Close ALL Internet browsers (very important).
• Click the Empty Selected button.
• NOTE : If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

---------------------------------------------------------------------------------------------

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Locate the Scan Settings button & configure to:
  • Scan using the following Anti-Virus database:
    • Extended
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK & have it scan My Computer
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

[tilliet]

I have tried and tried and tried again to run Kapersky online Scanner but it fails every time. This is the message I keep getting:

Update has failed. Program has failed to start. Close Kaspersky Online Scanner 7.0 window and open it again to install the program.
You must be online to update the kaspersky online scanner 7.0 database. With the latest database updates, you can find new viruses and other threats. Please go online to use kaspersky online scanner 7.0 [ERROR: Antivirus bases have been updated after key expiration.

[forhockey]

I've been seeing that error lately with a few of the users on this forum. Lets try another online scanner..

Go here to run an online scannner from ESET.

• Note: You will need to use Internet explorer for this scan
• Turn off the real time scanner of any existing antivirus program while performing the online scan
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Click Start
• Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
• Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
• Click Scan
• Wait for the scan to finish
• Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
• Copy and paste that log as a reply to this topic and also let me know how things are now.

[tilliet]

Here is the Eset scan log


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=7.00.6000.16876 (vista_gdr.090625-2339)
# OnlineScanner.ocx=1.0.0.6048
# api_version=3.0.2
# EOSSerial=4a7f2caf670fd4409bff27d53d8ad7ac
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-08-13 12:48:49
# local_time=2009-08-12 08:48:49 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=769 37 100 93 211900468750
# scanned=60118
# found=10
# cleaned=0
# scan_time=13994
C:\Qoobox\Quarantine\C\WINDOWS\system32\EhjRuBeg.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\fcvgjesm.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\ijllm.bak1.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\ijllm.bak2.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\ijllm.tmp.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\isgljemk.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\jvkytwxy.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\KnUwyGgh.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\ocexybnq.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\stfuhbpq.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

[forhockey]

How is your system behaving?

[tilliet]

It seems to be working ok. Did it take out the infected files that I noticed were virtumonde?

[forhockey]

Hi tilliet,

The scan just detected the viruses in the quarantine folder which we will take care of now.



Well done, your logs are clean! There are just a few more things I would like you to do.


The following procedure will clear out ComboFix.exe, as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

----------------------------------------------------------------

Microsoft Updates

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

Malware Prevention Tools

These programs configure your computer to prevent known malware-related changes. You can have more than one of these at a time and they take up minimal resources.

• SpywareBlaster - Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items. Check regularly for updates.
• IE-Spyad is another excellent program that places over 5000 dubious websites and domains in the IE Restricted list, which will help prevent attempts to infect your system. It basically prevents any downloads from the sites listed, although you will still be able to connect to the site. See tutorial here
• MVPS Hosts File - extract and double-click the mvps.bat file. This will replace your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements, preventing your computer from connecting to those sites.
• McAfee SiteAdvisor - helps to warn you before you interact with a dangerous Web site. Works with both IE and Firefox.
• SpywareGuard - real-time protection that detects and blocks spyware before it can execute.

Alternative Web Browsers

Using an alternative browser can help prevent malware from being installed without your knowledge, but may not work on all websites.

• Firefox
• Opera

Firewalls

If you do not have a firewall, here are a few free ones available for personal use:

Understanding and Using Firewalls

• Comodo Firewall Pro
• ZoneAlarm
• OutPost Firewall

Informational Reading

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles:

• How Did I Get Infected In The First Place?
• PC SAFETY AND SECURITY
• THE ANTI-SPYWARE TUTORIAL
• STRONG PASSWORDS

Please respond to this thread one more time so we can mark this thread as resolved.

[tilliet]

Thank you so very much. I really appreciate your help.

[forhockey]

You're welcome. Safe surfing