Resolved HJT Threads Resolved spyware and popup issues.
Old 07-31-2009, 07:27 PM   #1 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 16
OS: XP


infected

tr cryptredol.18432.2.6. With the AntiVir guard running, I get the popup telling me it finds this schmutz with almost everything I do, calling out a dll file in the system32 directory that isn't there. I looked:

hjgruioxecdcer.dll
hjgruioxsdemeif.dll
hjgruiiytsahmy.sys

here's the info from this thing:

DDS (Ver_09-07-30.01) - NTFSx86
Run by xxxxxxxxxxxxxx at 21:01:54.41 on Fri 07/31/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1013.417 [GMT -4:00]

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Security Applications\AdAware\aawservice.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot\SDWinSec.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\taskeng.exe
F:\dds.scr
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [sysav] c:\users\robert j rosso sr\appdata\roaming\pcdefender.exe
uRunOnce: [SpybotDeletingB8508] command.com /c del "c:\windows\system32\drivers\hjgruiiytsahmy.sys"
uRunOnce: [SpybotDeletingD2731] cmd.exe /c del "c:\windows\system32\drivers\hjgruiiytsahmy.sys"
uRunOnce: [SpybotDeletingB2261] command.com /c del "c:\windows\system32\hjgruiosdemeif.dll"
uRunOnce: [SpybotDeletingD3015] cmd.exe /c del "c:\windows\system32\hjgruiosdemeif.dll"
uRunOnce: [SpybotDeletingB2875] command.com /c del "c:\windows\system32\hjgruioxecdcer.dll"
uRunOnce: [SpybotDeletingD3283] cmd.exe /c del "c:\windows\system32\hjgruioxecdcer.dll"
uRunOnce: [SpybotDeletingB735] command.com /c del "c:\windows\temp\hjgruiuprgmetbbn.tmp"
uRunOnce: [SpybotDeletingD5413] cmd.exe /c del "c:\windows\temp\hjgruiuprgmetbbn.tmp"
uRunOnce: [SpybotDeletingB4623] command.com /c del "c:\windows\system32\hjgruityxromkv.dat"
uRunOnce: [SpybotDeletingD826] cmd.exe /c del "c:\windows\system32\hjgruityxromkv.dat"
uRunOnce: [SpybotDeletingB8652] command.com /c del "c:\windows\system32\hjgruiwvsviiqr.dat"
uRunOnce: [SpybotDeletingD7903] cmd.exe /c del "c:\windows\system32\hjgruiwvsviiqr.dat"
mRun: [1A:Stardock TrayMonitor]
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRunOnce: [SpybotDeletingA9815] command.com /c del "c:\windows\system32\drivers\hjgruiiytsahmy.sys"
mRunOnce: [SpybotDeletingC8167] cmd.exe /c del "c:\windows\system32\drivers\hjgruiiytsahmy.sys"
mRunOnce: [SpybotDeletingA4619] command.com /c del "c:\windows\system32\hjgruiosdemeif.dll"
mRunOnce: [SpybotDeletingC7423] cmd.exe /c del "c:\windows\system32\hjgruiosdemeif.dll"
mRunOnce: [SpybotDeletingA6450] command.com /c del "c:\windows\system32\hjgruioxecdcer.dll"
mRunOnce: [SpybotDeletingC7411] cmd.exe /c del "c:\windows\system32\hjgruioxecdcer.dll"
mRunOnce: [SpybotDeletingA4166] command.com /c del "c:\windows\temp\hjgruiuprgmetbbn.tmp"
mRunOnce: [SpybotDeletingC5388] cmd.exe /c del "c:\windows\temp\hjgruiuprgmetbbn.tmp"
mRunOnce: [SpybotDeletingA6254] command.com /c del "c:\windows\system32\hjgruityxromkv.dat"
mRunOnce: [SpybotDeletingC5293] cmd.exe /c del "c:\windows\system32\hjgruityxromkv.dat"
mRunOnce: [SpybotDeletingA1944] command.com /c del "c:\windows\system32\hjgruiwvsviiqr.dat"
mRunOnce: [SpybotDeletingC4824] cmd.exe /c del "c:\windows\system32\hjgruiwvsviiqr.dat"
mRunServices: [1A:Stardock TrayMonitor]
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~1.0_0\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1216238888496&h=8f3a37262ab6c2fbd49374a408f56708/&filename=jinstall-6u7-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-27 108289]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot\SDWinSec.exe [2009-7-28 1153368]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-6-24 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]

=============== Created Last 30 ================

2009-07-28 16:47 1,076 a------- c:\windows\wininit.ini
2009-07-28 07:25 <DIR> --d----- c:\program files\Spybot
2009-07-27 22:30 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-07-27 22:30 <DIR> --d----- c:\programdata\Avira
2009-07-27 22:30 <DIR> --d----- c:\program files\Avira
2009-07-27 22:30 <DIR> --d----- c:\progra~2\Avira
2009-07-15 08:10 289,792 a------- c:\windows\system32\atmfd.dll
2009-07-15 08:10 156,672 a------- c:\windows\system32\t2embed.dll
2009-07-15 08:10 72,704 a------- c:\windows\system32\fontsub.dll
2009-07-15 08:10 10,240 a------- c:\windows\system32\dciman32.dll
2009-07-05 20:12 90,480 a---h--- c:\windows\system32\mlfcache.dat

==================== Find3M ====================

2009-07-26 10:04 1,514 a------- c:\users\robert~1\appdata\roaming\SAS7_000.DAT
2009-07-18 12:06 827,904 a------- c:\windows\system32\wininet.dll
2009-07-18 12:01 78,336 a------- c:\windows\system32\ieencode.dll
2009-07-18 05:46 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-06-04 09:21 86,016 a------- c:\windows\inf\infstrng.dat
2009-06-04 09:21 86,016 a------- c:\windows\inf\infstor.dat
2009-06-04 09:21 51,200 a------- c:\windows\inf\infpub.dat
2009-05-29 13:36 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2008-10-24 17:45 174 a--sh--- c:\program files\desktop.ini
2008-10-24 17:36 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 21:04:58.78 ===============

Then the attachment. I hope I did this right. If I didn't, or if I need to provide more info, just let me know.

Semper Fi,

Sarge
Attached Files
File Type: zip attach.zip (4.8 KB, 2 views)
Sarge, USMC is offline  
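As an added illustration (not part of Sarge's post and not code from the DDS tool), here is a small Python triage script for lines in the DDS "Pseudo HJT Report" layout. It pulls out the items a helper looks at first: autostart entries that launch something from a user profile, RunOnce `del` commands a cleaner left behind (which, read together, give the list of files it was trying to remove at next logon), autostart entries with no command, and BHO/toolbar entries that resolve to "No File". The sample lines are constructed to resemble the entries in the log above; the category names and the heuristics are my own assumptions, not anything DDS reports itself.

```python
import re
from collections import Counter

# Constructed sample lines in the DDS "Pseudo HJT Report" layout, modelled on the
# entries in the log above (user name replaced; not a copy of the report).
SAMPLE_DDS = r"""
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [sysav] c:\users\example user\appdata\roaming\pcdefender.exe
uRunOnce: [SpybotDeletingB8508] command.com /c del "c:\windows\system32\drivers\hjgruiiytsahmy.sys"
uRunOnce: [SpybotDeletingD3015] cmd.exe /c del "c:\windows\system32\hjgruiosdemeif.dll"
mRunOnce: [SpybotDeletingC7423] cmd.exe /c del "c:\windows\system32\hjgruiosdemeif.dll"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [1A:Stardock TrayMonitor]
"""

# DDS prefixes: u = current user hive, m = local machine hive, d = .DEFAULT hive.
RUN_RE = re.compile(r"^([umd])(Run(?:Once|Services)?): \[([^\]]*)\]\s*(.*)$")
DEL_RE = re.compile(r'/c\s+del\s+"([^"]+)"', re.I)
PROFILE_RE = re.compile(r"\\appdata\\", re.I)


def triage_dds(report):
    """Return a list of (category, detail) findings for a DDS pseudo-HJT report."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Browser hooks whose DLL no longer exists: leftovers worth cleaning up.
        if line.startswith(("BHO:", "TB:")) and line.endswith("- No File"):
            findings.append(("orphaned-hook", line.split(": ", 1)[1]))
            continue
        m = RUN_RE.match(line)
        if not m:
            continue
        _hive, _key, name, command = m.groups()
        d = DEL_RE.search(command)
        if d:
            # A cleaner queued this file for deletion at the next logon.
            findings.append(("pending-delete", d.group(1).lower()))
        elif PROFILE_RE.search(command):
            # Executables started from a user profile are a common dropper location.
            findings.append(("user-profile-autostart", f"{name}: {command}"))
        elif not command:
            # Autostart name with nothing to run: a dead entry.
            findings.append(("empty-autostart", name))
    return findings


def pending_deletes(findings):
    """Unique file paths a cleaner scheduled for deletion, sorted."""
    return sorted({detail for cat, detail in findings if cat == "pending-delete"})


def summarize(findings):
    """Count findings per category."""
    return dict(Counter(cat for cat, _ in findings))


if __name__ == "__main__":
    found = triage_dds(SAMPLE_DDS)
    for category, detail in found:
        print(f"{category:24} {detail}")
    print("pending deletes:", pending_deletes(found))
```

The pending-delete list is the useful output here: the duplicated command.com/cmd.exe RunOnce pairs collapse to a handful of file names, which is exactly the set a helper would cross-check against the next scan's deletion section.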

Old 08-01-2009, 08:48 AM   #2 (permalink)
Analyst, Security Team
 
CatByte's Avatar
 
Join Date: Jan 2009
Location: Canada
Posts: 2,181
OS: XP sp3


Re: infected

Hello, and welcome to TSF.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted.
To do this click Thread Tools, then click Subscribe to this Thread.
Make sure it is set to Instant Notification, then click Subscribe.

NOTE:
  • Malware removal is NOT instantaneous, most infections require several courses of action to completely eradicate.
  • Absence of symptoms does not always mean the computer is clean
  • Kindly follow my instructions in the order posted.
  • Please DO NOT run any scans or fix items without my direction.


Download Combofix from either of the links below. You must rename it before saving it.
Save it to your desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".


Link 1
Link 2



During the download, rename Combofix to Combo-Fix as follows:





--------------------------------------------------------------------
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.


-----------------------------------------------------------
  • Double click on Combo-Fix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" for further review.
    **Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


    -----------------------------------------------------------
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    -----------------------------------------------------------
__________________


ASAP & UNITE Member
CatByte is offline  
Old 08-01-2009, 04:32 PM   #3 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 16
OS: XP


Thanks CatByte

Thanks for helping me with dad's doggone machine here. Here's the log file from ComboFix:

ComboFix 09-08-01.01 - Robert J Rosso Sr 08/01/2009 18:12.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1013.493 [GMT -4:00]
Running from: c:\users\Robert J Rosso Sr\Desktop\Combo-Fix.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
C:\ARKDC83.tmp
c:\programdata\CrucialSoft Ltd
c:\users\Robert J Rosso Sr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MS AntiSpyware 2009
c:\users\Robert J Rosso Sr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MS AntiSpyware 2009\MS AntiSpyware 2009.lnk
c:\users\Robert J Rosso Sr\AppData\Roaming\SpyGuarder
c:\windows\system32\drivers\hjgruiiytsahmy.sys
c:\windows\system32\hjgruiosdemeif.dll
c:\windows\system32\hjgruioxecdcer.dll
c:\windows\system32\hjgruityxromkv.dat
c:\windows\system32\hjgruiwvsviiqr.dat
c:\windows\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruiicuuekwq


((((((((((((((((((((((((( Files Created from 2009-07-01 to 2009-08-01 )))))))))))))))))))))))))))))))
.

2009-08-01 22:21 . 2009-08-01 22:21 -------- d-----w- c:\users\Robert J Rosso Sr\AppData\Local\temp
2009-07-28 20:58 . 2009-07-18 16:06 827904 ----a-w- c:\windows\system32\wininet.dll
2009-07-28 20:58 . 2009-07-18 16:01 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-07-28 20:58 . 2009-07-18 09:46 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-28 11:25 . 2009-07-30 11:27 -------- d-----w- c:\program files\Spybot
2009-07-28 02:30 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-07-28 02:30 . 2009-03-24 20:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-28 02:30 . 2009-07-28 02:30 -------- d-----w- c:\programdata\Avira
2009-07-28 02:30 . 2009-07-28 02:30 -------- d-----w- c:\program files\Avira
2009-07-24 21:04 . 2009-07-24 21:04 713992 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-07-15 12:10 . 2009-06-15 15:24 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-07-15 12:10 . 2009-06-15 15:20 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-07-15 12:10 . 2009-06-15 15:20 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-07-15 12:10 . 2009-06-15 12:52 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-07-06 00:12 . 2009-07-06 00:12 90480 ---ha-w- c:\windows\system32\mlfcache.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-01 22:11 . 2009-06-24 11:30 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-28 11:27 . 2008-11-25 23:34 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-07-28 02:27 . 2008-11-25 18:15 -------- d-----w- c:\program files\Security Applications
2009-07-26 14:04 . 2008-07-12 10:54 1514 ----a-w- c:\users\Robert J Rosso Sr\AppData\Roaming\SAS7_000.DAT
2009-07-24 14:41 . 2008-11-30 00:38 -------- d-----w- c:\users\Robert J Rosso Sr\AppData\Roaming\BitDownload
2009-07-16 14:57 . 2008-09-23 23:45 -------- d-----w- c:\programdata\Apple
2009-07-13 12:45 . 2008-11-27 20:27 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-24 13:34 . 2008-11-28 05:05 -------- d-----w- c:\program files\Brunswick Bowling
2009-06-24 11:30 . 2008-11-02 22:44 -------- d-----w- c:\program files\Windows Live
2009-06-24 11:29 . 2008-11-12 10:08 -------- d-----w- c:\program files\Windows Live Toolbar
2009-06-24 11:29 . 2009-06-24 11:29 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-06-24 11:24 . 2009-06-24 11:24 -------- d-----w- c:\program files\Microsoft
2009-06-24 11:23 . 2009-06-24 11:23 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-06-24 11:09 . 2009-06-24 11:09 -------- d-----w- c:\program files\Common Files\Windows Live
2009-06-23 07:25 . 2008-09-24 00:06 -------- d-----w- c:\users\Robert J Rosso Sr\AppData\Roaming\LimeWire
2009-06-04 13:25 . 2009-06-04 13:25 -------- d-----w- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-04 13:25 . 2009-06-04 13:25 -------- d-----w- c:\program files\iTunes
2009-06-04 13:25 . 2009-06-04 13:25 -------- d-----w- c:\program files\iPod
2009-06-04 13:25 . 2008-09-23 23:45 -------- d-----w- c:\program files\Common Files\Apple
2009-06-04 13:24 . 2009-06-04 13:23 -------- d-----w- c:\program files\QuickTime
2009-06-04 13:11 . 2009-06-04 13:11 75048 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-04 13:03 . 2008-10-07 23:08 -------- d-----w- c:\program files\Safari
2009-06-04 12:58 . 2009-06-04 12:58 -------- d-----w- c:\program files\Bonjour
2009-06-03 01:25 . 2009-06-01 08:27 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-03 01:24 . 2009-06-01 08:27 -------- d-----w- c:\programdata\Symantec
2009-06-03 01:23 . 2009-06-01 08:27 -------- d-----w- c:\program files\Symantec
2009-06-01 02:38 . 2009-06-01 02:38 0 ----a-w- c:\users\Robert J Rosso Sr\AppData\Roaming\~ygw.tmp
2009-05-29 17:36 . 2009-05-29 17:36 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-29 17:36 . 2009-05-29 17:36 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-05-15 22:46 . 2009-05-15 22:46 416128 ----a-w- c:\programdata\Microsoft\eHome\Packages\NetTV\Browse\NetTVResources.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingD2731"="del" [X]
"SpybotDeletingD3015"="del" [X]
"SpybotDeletingD3283"="del" [X]
"SpybotDeletingD5413"="del" [X]
"SpybotDeletingD826"="del" [X]
"SpybotDeletingD7903"="del" [X]
"SpybotDeletingB8508"="command.com" - c:\windows\System32\COMMAND.COM [2006-11-02 50648]
"SpybotDeletingB2261"="command.com" - c:\windows\System32\COMMAND.COM [2006-11-02 50648]
"SpybotDeletingB2875"="command.com" - c:\windows\System32\COMMAND.COM [2006-11-02 50648]
"SpybotDeletingB735"="command.com" - c:\windows\System32\COMMAND.COM [2006-11-02 50648]
"SpybotDeletingB4623"="command.com" - c:\windows\System32\COMMAND.COM [2006-11-02 50648]
"SpybotDeletingB8652"="command.com" - c:\windows\System32\COMMAND.COM [2006-11-02 50648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1628368764-3268107943-445239591-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{A4AE9FB4-DDD2-40B0-99A4-03B9D7EBAB96}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{1940A668-986B-4FE8-BEDB-745AC69BCECA}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{A1521A96-8717-4D09-933A-41B1ACCAEFE7}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{50DCA724-1DFA-4F0E-AA7C-6A2167CD7C51}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{6A02BA70-A60A-434A-9847-51CF31B5B125}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{86689A06-BC5F-4F35-847A-E27F6BAAA8C6}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{51DA030E-C77D-40C3-9B4C-DE1DAA2B7152}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/27/2009 10:30 PM 108289]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot\SDWinSec.exe [7/28/2009 7:25 AM 1153368]
S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssfltr.sys [6/24/2009 7:30 AM 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 6:08 PM 533360]
.
Contents of the 'Scheduled Tasks' folder

2009-08-01 c:\windows\Tasks\User_Feed_Synchronization-{E53B7CAC-C4F8-476A-9711-D83BF5B4E5FC}.job
- c:\windows\system32\msfeedssync.exe [2008-07-18 07:33]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-sysav - c:\users\Robert J Rosso Sr\AppData\Roaming\pcdefender.exe
HKLM-Run-1A:Stardock TrayMonitor - (no file)


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-01 18:21
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2009-08-01 18:24
ComboFix-quarantined-files.txt 2009-08-01 22:24

Pre-Run: 230,320,742,400 bytes free
Post-Run: 230,389,428,224 bytes free

162 --- E O F --- 2009-08-01 01:01
Sarge, USMC is offline  
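Added example, not from the thread and not part of ComboFix: a Python parser for the REGEDIT4-style "Reg Loading Points" section that normalizes the three value notations the report prints (`0 (0x0)`, `"1"`, `dword:00000001`) and then checks the parsed tree against a short posture list: UAC off (`EnableLUA` = 0), Security Center update notifications suppressed (`UpdatesDisableNotify` = 1), and the public-profile firewall off (`EnableFirewall` = 0). The sample is constructed from the value layout in the log above with a placeholder SID; the check table is my own assumption about what to flag, not a ComboFix feature.

```python
import re

# Constructed sample in the REGEDIT4 layout ComboFix uses for "Reg Loading Points".
# Values mirror the kinds shown in the log above; the SID is a placeholder.
SAMPLE_REG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-PLACEHOLDER-1000]
"EnableNotificationsRef"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
# Named values only; the "@=" default value of a key is deliberately skipped.
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')


def normalize(value):
    """Map the three value notations seen in the report to Python values."""
    value = value.strip()
    if value.startswith('"') and value.endswith('"'):      # "1" -> 1, "abc" -> "abc"
        inner = value[1:-1]
        return int(inner) if inner.isdigit() else inner
    if value.lower().startswith("dword:"):                 # dword:00000001 -> 1
        return int(value[len("dword:"):], 16)
    m = re.match(r"(\d+)\s*\(0x[0-9a-fA-F]+\)$", value)    # 0 (0x0) -> 0
    return int(m.group(1)) if m else value


def parse_regedit4(text):
    """Return {section (lower-cased): {value name: normalized value}}."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            tree[current][m.group(1)] = normalize(m.group(2))
    return tree


# (key suffix, value name, value that indicates weakened protection, explanation)
# Assumed checklist for this example; not something ComboFix evaluates itself.
POSTURE_CHECKS = [
    (r"\policies\system", "EnableLUA", 0, "UAC is disabled"),
    (r"\security center", "UpdatesDisableNotify", 1,
     "Security Center update notifications are suppressed"),
    (r"\firewallpolicy\publicprofile", "EnableFirewall", 0,
     "Windows Firewall is off for the public profile"),
]


def posture_findings(tree):
    """(value name, explanation) for each weakened setting present in the tree."""
    out = []
    for suffix, name, bad, why in POSTURE_CHECKS:
        for section, values in tree.items():
            if section.endswith(suffix) and values.get(name) == bad:
                out.append((name, why))
    return out


if __name__ == "__main__":
    for name, why in posture_findings(parse_regedit4(SAMPLE_REG)):
        print(f"{name}: {why}")
```

Matching sections by suffix rather than full path keeps the check working whether the report writes the hive out in full or abbreviates it; the `UpdatesDisableNotify` item is the same one MBAM reports as Disabled.SecurityCenter in the log two posts below.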
Old 08-01-2009, 04:56 PM   #4 (permalink)
Analyst, Security Team
 
CatByte's Avatar
 
Join Date: Jan 2009
Location: Canada
Posts: 2,181
OS: XP sp3


Re: infected

Hi,

Please do the following:

Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT

**Vista users - right click on the IE icon and run as administrator

Run an on-line scan with Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.


  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


In your next reply please include
  • MBAM Log
  • Kaspersky report
__________________


ASAP & UNITE Member
CatByte is offline  
Old 08-01-2009, 07:35 PM   #5 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 16
OS: XP


Re: infected

Kaspersky scan:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, August 1, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, August 01, 2009 22:28:33
Records in database: 2570997
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 91681
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:27:40

No malware has been detected. The scan area is clean.

The selected area was scanned.


MBAM log:

Malwarebytes' Anti-Malware 1.39
Database version: 2542
Windows 6.0.6001 Service Pack 1

8/1/2009 7:17:57 PM
mbam-log-2009-08-01 (19-17-57).txt

Scan type: Quick Scan
Objects scanned: 75996
Time elapsed: 3 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 8
Files Infected: 40

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\igrd.tieadvbho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\bitdownload (Trojan.Lop) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\BitDownload (Trojan.Lop) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\BitDownload (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\Lang (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\Media (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\plug-ins (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\plug-ins\rip (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\Skin (Trojan.Lop) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BitDownload (Trojan.Lop) -> Quarantined and deleted successfully.
C:\Users\Robert J Rosso Sr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BitDownload (Trojan.Lop) -> Quarantined and deleted successfully.

Files Infected:
c:\program files\bitdownload\BitDownload.exe (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\BitDownload.ico (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\EndProg.exe (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\iphox_downloader_p.exe (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\player.dll (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\RegExt.exe (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\rtl70.bpl (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\tcpip_patcher.sys (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\Uninstall.exe (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\Units.bpl (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\vcl70.bpl (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\vclshlctrls70.bpl (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\vclx70.bpl (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\VersionChecker.exe (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\WinSkinD7R.bpl (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\Lang\English.lng (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\Lang\Russian.lng (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\Media\FileComplete.wav (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\plug-ins\CDBurningPlugin.bpl (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\plug-ins\CDRipper.bpl (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\plug-ins\ClosestSearch.bpl (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\plug-ins\Notification.bpl (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\plug-ins\PeerInfoSearch.bpl (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\plug-ins\Search.bpl (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\plug-ins\VirtualTracker.bpl (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\plug-ins\rip\akrip32.dll (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\plug-ins\rip\cdcache.dll (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\plug-ins\rip\lame_enc.dll (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\plug-ins\rip\Rip.dll (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\plug-ins\rip\vorb_enc.dll (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\plug-ins\rip\xtenc.dll (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\Skin\Aqua.skn (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\Skin\Default.skn (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\Skin\Desert.skn (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\Skin\Forest.skn (Trojan.Lop) -> Quarantined and deleted successfully.
c:\program files\bitdownload\Skin\Sea.skn (Trojan.Lop) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\bitdownload\BitDownload Downloads.lnk (Trojan.Lop) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\bitdownload\BitDownload Uninstall.lnk (Trojan.Lop) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\bitdownload\BitDownload.lnk (Trojan.Lop) -> Quarantined and deleted successfully.
C:\Users\Robert J Rosso Sr\Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.

Semper Fi
Sarge, USMC is offline  
Old 08-01-2009, 08:02 PM   #6 (permalink)
Analyst, Security Team
Join Date: Jan 2009
Location: Canada
Posts: 2,181
OS: XP sp3


Re: infected

How is the computer running now? Are there any outstanding issues?

Please post a fresh DDS log
__________________


ASAP & UNITE Member
CatByte is offline  
Old 08-01-2009, 08:45 PM   #7 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 16
OS: XP


Re: infected

dds log:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Robert J Rosso Sr at 22:41:03.95 on Sat 08/01/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1013.391 [GMT -4:00]

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Security Applications\AdAware\aawservice.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot\SDWinSec.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Robert J Rosso Sr\Desktop\dds.scr
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~1.0_0\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1216238888496&h=8f3a37262ab6c2fbd49374a408f56708/&filename=jinstall-6u7-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-6-24 55280]

=============== Created Last 30 ================

2009-08-01 19:04 <DIR> --d----- c:\users\robert~1\appdata\roaming\Malwarebytes
2009-08-01 19:04 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-01 19:04 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-01 19:04 <DIR> --d----- c:\programdata\Malwarebytes
2009-08-01 19:04 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-01 19:04 <DIR> --d----- c:\progra~2\Malwarebytes
2009-08-01 18:24 <DIR> --dsh--- C:\$RECYCLE.BIN
2009-08-01 17:14 219,648 a------- c:\windows\PEV.exe
2009-08-01 17:14 161,792 a------- c:\windows\SWREG.exe
2009-08-01 17:14 98,816 a------- c:\windows\sed.exe
2009-08-01 17:14 <DIR> --ds---- C:\Combo-Fix
2009-07-28 16:47 1,076 a------- c:\windows\wininit.ini
2009-07-28 07:25 <DIR> --d----- c:\program files\Spybot
2009-07-27 22:30 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-07-27 22:30 <DIR> --d----- c:\programdata\Avira
2009-07-27 22:30 <DIR> --d----- c:\program files\Avira
2009-07-27 22:30 <DIR> --d----- c:\progra~2\Avira
2009-07-15 08:10 289,792 a------- c:\windows\system32\atmfd.dll
2009-07-15 08:10 156,672 a------- c:\windows\system32\t2embed.dll
2009-07-15 08:10 72,704 a------- c:\windows\system32\fontsub.dll
2009-07-15 08:10 10,240 a------- c:\windows\system32\dciman32.dll
2009-07-05 20:12 90,480 a---h--- c:\windows\system32\mlfcache.dat

==================== Find3M ====================

2009-07-26 10:04 1,514 a------- c:\users\robert~1\appdata\roaming\SAS7_000.DAT
2009-07-18 12:06 827,904 a------- c:\windows\system32\wininet.dll
2009-07-18 12:01 78,336 a------- c:\windows\system32\ieencode.dll
2009-07-18 05:46 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-06-04 09:21 86,016 a------- c:\windows\inf\infstrng.dat
2009-06-04 09:21 86,016 a------- c:\windows\inf\infstor.dat
2009-06-04 09:21 51,200 a------- c:\windows\inf\infpub.dat
2009-05-29 13:36 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2008-10-24 17:45 174 a--sh--- c:\program files\desktop.ini
2008-10-24 17:36 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 22:42:01.33 ===============

The thing seems to be working now. What whacked the rootkit....Malware? I've never used that tool before. I run Spybot and AdAware.....should I ace those two and just use Malware? What do you recommend?

Thanks for the help. 'preciate it immensely.

Semper Fi,

Sarge
Sarge, USMC is offline  
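An added example, not part of the thread: a small triage script that reads the "Pseudo HJT Report" lines of a DDS log like the one posted above and flags what an analyst looks at first, namely BHO/toolbar registrations whose DLL is gone ("No File"), `EnableLUA = 0` (UAC switched off), and a Java BHO whose path carries a Java 6 update older than 14, the threshold assumed here from the update the helper recommends later in the thread. The sample input is constructed from lines of the posted log.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: lines copied from the DDS log posted above. Raw string so
# the Windows paths keep their single backslashes.
SAMPLE_REPORT = r"""
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
"""

# Assumed threshold: Java 6 Update 14 is the version the helper tells the poster
# to install, so any loaded Java 6 BHO older than that is flagged.
MIN_JAVA6_UPDATE = 14

ORPHAN_RE = re.compile(r"^(BHO|TB): .* - No File$")
UAC_OFF_RE = re.compile(r"^mPolicies-system: EnableLUA = 0\b")
JAVA6_RE = re.compile(r"\\jre1\.6\.0_(\d+)\\", re.IGNORECASE)

Finding = Tuple[str, str]  # (category, offending report line)


def triage(report: str) -> List[Finding]:
    """Return (category, line) findings for the report lines worth a second look."""
    findings: List[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ORPHAN_RE.match(line):
            # A BHO/toolbar still registered but whose DLL no longer exists:
            # usually a leftover of an uninstall or a removal, and it should be
            # cleaned from the registry so nothing can later drop a DLL into place.
            findings.append(("orphaned-entry", line))
        elif UAC_OFF_RE.match(line):
            # EnableLUA = 0 disables UAC on Vista, so everything the user
            # launches runs with full administrative rights.
            findings.append(("uac-disabled", line))
        else:
            m = JAVA6_RE.search(line)
            if m and int(m.group(1)) < MIN_JAVA6_UPDATE:
                findings.append(("outdated-java", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category, e.g. {'orphaned-entry': 2, 'uac-disabled': 1}."""
    counts: Dict[str, int] = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for category, line in triage(SAMPLE_REPORT):
        print(f"[{category}] {line}")
```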
Old 08-01-2009, 09:55 PM   #8 (permalink)
Analyst, Security Team
Join Date: Jan 2009
Location: Canada
Posts: 2,181
OS: XP sp3


Re: infected

Hi,

You are clean, just some housekeeping to do now.

Quote:
What whacked the rootkit
ComboFix took care of it. Combofix is an extremely powerful tool and should never be used without supervision.

Keep the MalwareBytes program, run it once a month or so.

P2P - I see you have P2P software Limewire installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It likely contributed to your current situation. This page will give you further information.
Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
Please see this topic for more information:
Perils of P2P File Sharing.
I would strongly recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs.


NEXT



Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 14. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window

      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.


NEXT


You can delete the DDS and GMER folders from your desktop.

NEXT


Follow these steps to uninstall Combofix
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.



Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.

NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.
  • It is good security practice to change the passwords to all your online accounts on a fairly regular basis; this is especially true after an infection.

    Refer to this Microsoft article
    Strong passwords: How to create and use them


    Then consider a password keeper, to keep all your passwords safe.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest security updates installed.

  • SpywareBlaster protects against bad ActiveX, it immunizes your PC against them.

  • SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

    WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here


    If you choose to use Firefox, I highly recommend this add-on to keep your PC even more secure.
    • NoScript - for blocking ads and other potential website attacks

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    Think Prevention.
    PC Safety and Security--What Do I Need?.


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.
__________________


ASAP & UNITE Member
CatByte is offline  
Copyright 2001 - 2009, Tech Support Forum