Have Trojans and Virus

[mb61]

Problem all started with AntivirusPro2010. Also pulled in PushU, Stinkbreath among other malware.

Currently have WebRoot antivirus and spysweeper on machine. Was able to quarantine some, but that did not solve the problem.

To frustrated at this point called BB G Squad. AntivirusPro2010 then morphed into Police something..... They guy spent 1 hour removing stuff and the system appeared to work much better after he left. He also loaded malwarebytes and removed approx add'l 75 files. However all is still not well. Next day (today Oct 4th) spysweeper and malwarebytes still showing stuff that cannot seem to be removed.

Vicious cycle occurring. There must still be remnants of all these things on my computer as now I see vundo now showing and rudadiza.dll, gadonesi.dll and tipigola.dll, which neither Webroot or malwarebytes seems to be able to remove as they all say access denied when trying to delete or change the protection status on the files.

What's next? Does anyone have any suggestions for next steps I can try? If so what type of additional info do you require?

Thanks

[chemist]

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please follow the process outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

After running through all the steps, you shall have a proper set of logs. Please post/attach as instructed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your next reply.

------------------------------------------------------

[mb61]

Thank you will follow instructions and post results from DDS later today.

[mb61]

DDS (Ver_09-09-29.01) - NTFSx86 NETWORK
Run by Compaq_Administrator at 14:16:09.89 on Fri 10/09/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.728 [GMT -4:00]

AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}

============== Running Processes ===============

C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dazuhulu.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\dds.pif

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar =
uInternet Settings,ProxyOverride = *.local
uSearchAssistant =
uCustomizeSearch =
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [PlaxoUpdate] "c:\program files\plaxo\3.22.0.7\PlaxoHelper_en.exe" -a
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [PlaxoSysTray] "c:\program files\plaxo\3.22.0.7\PlaxoSysTray.exe"
mRun: [ehTray] "c:\windows\ehome\ehtray.exe"
mRun: [AlwaysReady Power Message APP] "ARPWRMSG.EXE"
mRun: [PCDrProfiler]
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [WildTangent CDA] "c:\program files\wildtangent\apps\cda\gamedrvr.exe" /startup "c:\program files\wildtangent\apps\cda\cdaEngine0500.dll"
mRun: [HPDJ Taskbar Utility] "c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe"
mRun: [LVCOMS] "c:\program files\common files\logitech\qcdriver3\LVCOMS.EXE"
mRun: [LogitechGalleryRepair] "c:\program files\logitech\imagestudio\ISStart.exe"
mRun: [LogitechImageStudioTray] "c:\program files\logitech\imagestudio\LogiTray.exe"
mRun: [KBD] "c:\hp\kbd\KBD.EXE"
mRun: [ps2] "c:\windows\system32\ps2.exe"
mRun: [AlcxMonitor] "ALCXMNTR.EXE"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [hpsysdrv] "c:\windows\system\hpsysdrv.exe"
mRun: [RECGUARD] "c:\windows\sminst\RECGUARD.EXE"
mRun: [ISUSPM Startup] "c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLA] "c:\windows\system32\dla\DLACTRLW.EXE"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SpySweeper] "c:\program files\webroot\spy sweeper\SpySweeperUI.exe" /startintray
mRun: [hugokebuf] Rundll32.exe "c:\windows\system32\potibubi.dll",a
StartupFolder: c:\docume~1\compaq~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\5577497\program\Compaq Connections.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-system: EnableProfileQuota = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - hxxp://moneycentral.msn.com/cabs/pmupd806.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139153969953
DPF: {87587503-20F0-4FF5-8DA3-0107C4C03FDC} - hxxp://downloads.comcast.net/videomail/vmLauncher.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab55579.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://chill.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/popcaploader_v10.cab
Filter: text/html - {0931adba-b396-4a05-a1b9-8ee609cd1a08} -
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: gadonesi.dll c:\windows\system32\potibubi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: monasuloj - {370dcb89-61e4-4ff7-aa5b-a247947b982e} - c:\windows\system32\rudadiza.dll
SSODL: sifonebup - {df57f770-7fea-4bab-aa52-5f2d7c536acd} - c:\windows\system32\potibubi.dll
STS: jugezatag: {370dcb89-61e4-4ff7-aa5b-a247947b982e} - c:\windows\system32\rudadiza.dll
STS: gahurihor: {df57f770-7fea-4bab-aa52-5f2d7c536acd} - c:\windows\system32\potibubi.dll
LSA: Notification Packages = scecli tipigola.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\3v3qhed4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ebay.com/
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-4-21 29808]
R2 wrconsumerservice;Webroot Client Service;c:\program files\webroot\spy sweeper\WRConsumerService.exe [2009-9-26 1205760]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]
S2 mrtRate;mrtRate; [x]
S2 webrootspysweeperservice;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2009-4-21 4048240]
S3 CoachVid;CoachVid;c:\windows\system32\drivers\CoachVid.sys [2009-7-2 45344]

=============== Created Last 30 ================

2009-10-04 10:02 664 a------- c:\windows\system32\d3d9caps.dat
2009-10-03 14:36 <DIR> --dsh--- C:\$RECYCLE.BIN
2009-10-03 12:20 <DIR> a-d----- c:\windows\system32\images
2009-10-03 12:20 131,731 a------- c:\windows\system32\dbsinit.exe
2009-10-03 12:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Geek Squad
2009-10-03 12:17 <DIR> --d----- c:\docume~1\compaq~1\applic~1\Malwarebytes
2009-10-03 12:17 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-03 12:17 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-03 12:17 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-03 12:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-03 12:16 103 a------- c:\windows\system32\wwp.htm
2009-09-27 13:08 0 a------- c:\windows\system32\19687.exe
2009-09-27 12:08 0 a------- c:\windows\system32\12956.exe
2009-09-27 10:36 <DIR> --d----- c:\windows\pss
2009-09-27 09:27 17,873 a------- c:\windows\ugicowinyd.com
2009-09-27 09:27 17,529 a------- c:\program files\common files\ejucika.pif
2009-09-27 09:27 16,327 a------- c:\windows\siwyv.inf
2009-09-27 09:27 15,041 a------- c:\windows\osecot.dl
2009-09-27 09:27 14,846 a------- c:\windows\ufodigevyb.dl
2009-09-27 09:27 13,966 a------- c:\program files\common files\ewubidof.pif
2009-09-27 09:27 13,495 a------- c:\windows\inykoxafyd.inf
2009-09-27 09:27 11,454 a------- c:\windows\system32\bybyd.sys
2009-09-27 09:27 11,434 a------- c:\windows\ucehyw.sys
2009-09-27 09:27 11,040 a------- c:\program files\common files\peza.dat
2009-09-27 09:27 10,797 a------- c:\windows\hoti.reg
2009-09-26 23:56 <DIR> --d----- c:\program files\MSSOAP
2009-09-26 23:56 1,563,008 a------- c:\windows\WRSetup.dll
2009-09-26 23:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Webroot
2009-09-26 23:53 164 a------- c:\windows\install.dat
2009-09-26 23:44 <DIR> --d----- c:\docume~1\compaq~1\applic~1\Webroot
2009-09-26 23:25 <DIR> --d----- c:\program files\Webroot
2009-09-26 21:38 0 a------- c:\windows\system32\41.exe
2009-09-23 19:25 <DIR> --d----- c:\program files\Shared
2009-09-09 19:09 153,088 -------- c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-10-09 12:57 1,011,015 a--sh--- c:\windows\system32\dazuhulu.exe
2009-10-09 12:57 91,136 a--sh--- c:\windows\system32\potibubi.dll
2009-10-09 12:57 39,424 a--sh--- c:\windows\system32\penitoro.dll
2009-10-09 11:57 91,136 a--sh--- c:\windows\system32\ramobugu.dll
2009-10-09 11:57 28,160 a--sh--- c:\windows\system32\yunukino.dll
2009-10-04 09:10 90,624 -------- c:\windows\system32\rudadiza.dll
2009-10-03 12:15 25,600 a--sh--- c:\windows\system32\buhefoli.dll
2009-09-27 09:27 19,481 a------- c:\program files\common files\lihosecima._dl
2009-09-27 09:27 13,308 a------- c:\program files\common files\ihucuv._dl
2009-08-13 11:16 512,000 -------- c:\windows\system32\dllcache\jscript.dll
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 05:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-30 20:01 81,736 a------- c:\windows\system32\lmdimon8.dll
2009-07-18 12:05 3,069,440 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-18 12:05 1,509,888 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 15:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 10,841,088 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\dllcache\wmpdxm.dll
2006-04-28 12:46 28,672 a------- c:\documents and settings\compaq_administrator\atwbxdet.dll
2006-02-05 15:12 0 a------- c:\docume~1\compaq~1\applic~1\wklnhst.dat
2006-03-31 10:30 22 a--sh--- c:\windows\sminst\HPCD.sys
2009-07-09 11:57 1,050,147 a--sh--- c:\windows\system32\hukovefo.exe
2009-07-09 11:57 1,011,298 a--sh--- c:\windows\system32\kizosewa.exe
2009-07-09 11:57 39,424 a--sh--- c:\windows\system32\tatetimo.dll
2009-07-09 11:57 194,056 a--sh--- c:\windows\system32\zawibavu.exe

============= FINISH: 14:16:53.07 ===============

[mb61]

I have run the DDS and GMER as instructed. Attached is the .zip

[mb61]

How do I ensure anything I copied (Files backed up) to my stick does not contain virus or malware files?

Also had to boot in SAFE mode with Networking in order to be able to do anything on my machine and ran the DDS and GMER from there. Not sure if I would be able to run it in normal mode as the computer never seems to fully come up.

Thanks Marcy

[chemist]

Hello again, Marcy.

Quote:

How do I ensure anything I copied (Files backed up) to my stick does not contain virus or malware files?

You can't, unless you scanned them. We'll do that later.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Please post the C:\ComboFix.txt in your next reply for further review.

------------------------------------------------------

[mb61]

OK ran ComboFix and have attached the ComboFix.txt

ComboFix 09-10-08.04 - Compaq_Administrator 10/09/2009 21:23.1.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.750 [GMT -4:00]
Running from: c:\documents and settings\Compaq_Administrator\Desktop\ComboFix.exe
AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\fybiji._dl
c:\documents and settings\Compaq_Administrator\Application Data\iniasd.txt
c:\program files\Common Files\ejucika.pif
c:\program files\Common Files\ewubidof.pif
c:\program files\Common Files\ihucuv._dl
c:\program files\Common Files\lihosecima._dl
c:\program files\Shared
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Downloaded Program Files\Temp
c:\windows\hoti.reg
c:\windows\Installer\58f7f8.msp
c:\windows\inykoxafyd.inf
c:\windows\kb913800.exe
c:\windows\osecot.dl
c:\windows\siwyv.inf
c:\windows\system32\12956.exe
c:\windows\system32\19687.exe
c:\windows\system32\41.exe
c:\windows\system32\buhefoli.dll
c:\windows\system32\bybyd.sys
c:\windows\system32\gadonesi.dll
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\penitoro.dll
c:\windows\system32\potibubi.dll
c:\windows\system32\ps2.bat
c:\windows\system32\ramobugu.dll
c:\windows\system32\tipigola.dll
c:\windows\system32\yunukino.dll
c:\windows\ucehyw.sys
c:\windows\ufodigevyb.dl
D:\Autorun.inf

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ACPI32
-------\Legacy_I386SI
-------\Legacy_KSI32SK
-------\Legacy_NETSIK
-------\Legacy_NICSK32
-------\Legacy_PORT135SIK
-------\Legacy_SECURENTM
-------\Legacy_SYSTEMNTMI


((((((((((((((((((((((((( Files Created from 2009-09-10 to 2009-10-10 )))))))))))))))))))))))))))))))
.

2009-10-04 14:02 . 2009-10-09 18:50 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-03 20:43 . 2009-10-03 20:43 -------- d-----w- c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\Mozilla
2009-10-03 16:48 . 2009-10-03 16:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-03 16:20 . 2009-10-03 16:20 131731 ----a-w- c:\windows\system32\dbsinit.exe
2009-10-03 16:17 . 2009-10-03 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Geek Squad
2009-10-03 16:17 . 2009-10-03 16:17 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Malwarebytes
2009-10-03 16:17 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-03 16:17 . 2009-10-03 16:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-03 16:17 . 2009-10-03 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-03 16:17 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-27 13:27 . 2009-09-27 13:27 17873 ----a-w- c:\windows\ugicowinyd.com
2009-09-27 13:27 . 2009-09-27 13:27 11040 ----a-w- c:\program files\Common Files\peza.dat
2009-09-27 13:26 . 2009-09-27 13:26 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Wildtangent
2009-09-27 03:56 . 2009-09-27 03:56 -------- d-----w- c:\program files\MSSOAP
2009-09-27 03:56 . 2009-09-27 04:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2009-09-27 03:56 . 2009-05-13 19:39 1563008 ----a-w- c:\windows\WRSetup.dll
2009-09-27 03:53 . 2009-09-27 03:54 164 ----a-w- c:\windows\install.dat
2009-09-27 03:44 . 2009-09-27 03:44 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Webroot
2009-09-27 03:30 . 2009-09-27 03:30 -------- d-s---w- c:\documents and settings\Administrator\UserData
2009-09-27 03:25 . 2009-09-27 03:25 -------- d-----w- c:\program files\Webroot
2009-09-27 03:25 . 2009-09-27 03:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Webroot

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-10 01:32 . 2006-02-05 20:12 -------- d-----w- c:\program files\Plaxo
2009-10-09 16:57 . 2009-07-09 16:57 1011015 --sha-w- c:\windows\system32\dazuhulu.exe
2009-10-03 17:54 . 2007-09-17 01:45 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-10-03 17:27 . 2006-02-06 00:46 -------- d-----w- c:\program files\Palm
2009-09-25 15:59 . 2005-11-11 21:15 85296 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-11 23:40 . 2008-12-19 19:44 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-04 20:43 . 2008-10-12 12:54 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-08-05 09:01 . 2004-08-10 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-31 00:01 . 2009-08-06 01:04 81736 ----a-w- c:\windows\system32\lmdimon8.dll
2009-07-17 19:01 . 2004-08-10 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-10 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2005-01-07 20:20 . 2005-01-07 20:20 278528 ----a-w- c:\program files\internet explorer\plugins\PanoViewer.dll
2005-01-07 20:20 . 2005-01-07 20:20 143360 ----a-w- c:\program files\internet explorer\plugins\UPjpeg.dll
2006-03-31 14:30 . 2006-03-31 14:30 22 --sha-w- c:\windows\SMINST\HPCD.sys
2009-07-09 15:57 . 2009-07-09 15:57 1050147 --sha-w- c:\windows\system32\hukovefo.exe
2009-07-09 15:57 . 2009-07-09 15:57 1011298 --sha-w- c:\windows\system32\kizosewa.exe
2009-07-09 15:57 . 2009-07-09 15:57 39424 --sha-w- c:\windows\system32\tatetimo.dll
2009-07-09 15:57 . 2009-07-09 15:57 194056 --sha-w- c:\windows\system32\zawibavu.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"PlaxoUpdate"="c:\program files\Plaxo\3.22.0.7\PlaxoHelper_en.exe" [2009-07-10 378951]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-20 68856]
"PlaxoSysTray"="c:\program files\Plaxo\3.22.0.7\PlaxoSysTray.exe" [2009-07-10 20480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"WildTangent CDA"="c:\program files\WildTangent\Apps\CDA\GameDrvr.exe" [2005-03-29 28616]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-12 196608]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]
"LogitechGalleryRepair"="c:\program files\Logitech\ImageStudio\ISStart.exe" [2002-12-10 155648]
"LogitechImageStudioTray"="c:\program files\Logitech\ImageStudio\LogiTray.exe" [2002-12-10 61440]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"ps2"="c:\windows\system32\ps2.exe" [2004-10-25 90112]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-14 344064]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"RECGUARD"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-28 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-06-13 127036]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2009-05-13 6345840]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-1-30 385024]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2006-2-5 36953]
Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2005-11-11 36903]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\webrootspysweeperservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wrconsumerservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"McSysmon"=3 (0x3)
"McShield"=2 (0x2)
"MHN"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Comcast Video Mail\\Comcast_Video_Mail.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\Ati2evxx.exe"=
"c:\\Program Files\\Webroot\\Spy Sweeper\\WRConsumerService.exe"=

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [4/21/2009 6:27 PM 29808]
R2 wrconsumerservice;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [9/26/2009 11:59 PM 1205760]
S2 mrtRate;mrtRate; [x]
S3 CoachVid;CoachVid;c:\windows\system32\drivers\CoachVid.sys [7/2/2009 6:20 PM 45344]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar =
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
FF - ProfilePath - c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\3v3qhed4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ebay.com/
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{7103a31b-d0f8-4910-8bd4-3215c708236b} - bedinuni.dll
HKLM-Run-hugokebuf - c:\windows\system32\potibubi.dll
HKLM-Run-PCDrProfiler - (no file)
HKLM-Run-dunakotiwo - tipigola.dll
SharedTaskScheduler-{370dcb89-61e4-4ff7-aa5b-a247947b982e} - c:\windows\system32\rudadiza.dll
SharedTaskScheduler-{df57f770-7fea-4bab-aa52-5f2d7c536acd} - c:\windows\system32\potibubi.dll
SSODL-monasuloj-{370dcb89-61e4-4ff7-aa5b-a247947b982e} - c:\windows\system32\rudadiza.dll
SSODL-sifonebup-{df57f770-7fea-4bab-aa52-5f2d7c536acd} - c:\windows\system32\potibubi.dll
SafeBoot-MCODS



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-09 21:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(616)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(428)
c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\program files\Plaxo\3.22.0.7\plx_hook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\wanmpsvc.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Logitech\ImageStudio\LowLight.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\program files\Webroot\Spy Sweeper\SSU.exe
c:\program files\Java\jre1.6.0_07\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-10-10 21:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-10 01:38

Pre-Run: 129,493,413,888 bytes free
Post-Run: 128,324,505,600 bytes free

279 --- E O F --- 2009-09-10 23:01

[chemist]

Hello again, Marcy. Please tell us how your system is behaving.

No need to attach logs going forward. Just copy/paste them directly into the Reply to Thread window. Thanks.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

I see you have Spyware Begone installed on your system. This application was previously listed as a rogue program because of concerns with false positives. Please read here and here

Although no longer listed as such, we recommend uninstalling it and downloading antispyware programs that have proven themselves tried and true. See here for a list of trustworthy antispyware products.

------------------------------------------------------

Please uninstall the following via Start->(or My Computer)->Control Panel->Add or Remove Programs if they still exist:

Viewpoint Manager
Viewpoint Media Player

The above are considered foistware instead of malware since they are installed without users approval, but don't spy or do anything "bad". Please read here and here

------------------------------------------------------

Close any open browsers.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the codebox below into Notepad:

Code:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/419583-have-trojans-virus.html#post2382946

Collect::
c:\windows\system32\dbsinit.exe
c:\windows\ugicowinyd.com
c:\program files\Common Files\peza.dat
c:\windows\system32\dazuhulu.exe
c:\windows\system32\hukovefo.exe
c:\windows\system32\kizosewa.exe
c:\windows\system32\tatetimo.dll
c:\windows\system32\zawibavu.exe

DDS::
mSearch Bar =

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000

Driver::
mrtRate

Save this Notepad file as CFScript.txt to your Desktop and then close the file.





Referring to the picture above, drag CFScript onto ComboFix

If you are prompted to update ComboFix and have an internet connection, please choose Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

------------------------------------------------------

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

• Ensure you are connected to the internet and click OK on the message box.

If you do not get a message box, please do the following:

There should be a file named [4]-Submit_date@time.zip with today's date, located here:

C:\QooBox\Quarantine\[4]-Submit_date@time.zip

Using the 'Browse' button, please submit it to this site ==> http://www.bleepingcomputer.com/subm....php?channel=4

Please let me know if you successfully submitted the file. Thanks.

------------------------------------------------------

[chemist]

Still with us, Marcy? Any trouble with those last instructions?

[mb61]

Working on them right now, sorry was unavailable this past weekend

[mb61]

I have not been using my computer as I wanted to ensure I followed all your steps before using. I have a separate laptop that I have been using for my daily work and email, which is clean. I have purchaseed Webroot AntiVirus and Spyware and when all this started has loaded it on both this problem machine and my laptop.

Ok, I have removed Viewpoint Manager, Viewpoint Media Player. I have also previously removed Spyware BeGone, however it still shows in my add/remove program. When I try and delete it I get the following error: Could not load initialization file. I search on my c: drive but could not find it.

Here is ComboFix.txt

ComboFix 09-10-12.02 - Compaq_Administrator 10/12/2009 19:29.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.564 [GMT -4:00]
Running from: c:\documents and settings\Compaq_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Administrator\Desktop\CFScript.txt
AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
* Created a new restore point

file zipped: c:\program files\Common Files\peza.dat
file zipped: c:\windows\system32\dazuhulu.exe
file zipped: c:\windows\system32\dbsinit.exe
file zipped: c:\windows\system32\hukovefo.exe
file zipped: c:\windows\system32\kizosewa.exe
file zipped: c:\windows\system32\tatetimo.dll
file zipped: c:\windows\system32\zawibavu.exe
file zipped: c:\windows\ugicowinyd.com
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Compaq_Administrator\Local Settings\temp\IadHide5.dll
c:\program files\Common Files\peza.dat
c:\windows\system32\dazuhulu.exe
c:\windows\system32\dbsinit.exe
c:\windows\system32\hukovefo.exe
c:\windows\system32\kizosewa.exe
c:\windows\system32\tatetimo.dll
c:\windows\system32\zawibavu.exe
c:\windows\ugicowinyd.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ANTIPOL
-------\Legacy_MRTRATE
-------\Service_mrtRate


((((((((((((((((((((((((( Files Created from 2009-09-12 to 2009-10-12 )))))))))))))))))))))))))))))))
.

2009-10-10 01:30 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-04 14:02 . 2009-10-09 18:50 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-03 20:43 . 2009-10-03 20:43 -------- d-----w- c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\Mozilla
2009-10-03 16:48 . 2009-10-03 16:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-03 16:17 . 2009-10-03 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Geek Squad
2009-10-03 16:17 . 2009-10-03 16:17 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Malwarebytes
2009-10-03 16:17 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-03 16:17 . 2009-10-03 16:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-03 16:17 . 2009-10-03 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-03 16:17 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-27 13:26 . 2009-09-27 13:26 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Wildtangent
2009-09-27 03:56 . 2009-09-27 03:56 -------- d-----w- c:\program files\MSSOAP
2009-09-27 03:56 . 2009-09-27 04:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2009-09-27 03:56 . 2009-05-13 19:39 1563008 ----a-w- c:\windows\WRSetup.dll
2009-09-27 03:53 . 2009-09-27 03:54 164 ----a-w- c:\windows\install.dat
2009-09-27 03:44 . 2009-09-27 03:44 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Webroot
2009-09-27 03:30 . 2009-09-27 03:30 -------- d-s---w- c:\documents and settings\Administrator\UserData
2009-09-27 03:25 . 2009-09-27 03:25 -------- d-----w- c:\program files\Webroot
2009-09-27 03:25 . 2009-09-27 03:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Webroot

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-12 23:37 . 2006-02-05 20:12 -------- d-----w- c:\program files\Plaxo
2009-10-12 23:20 . 2006-02-05 19:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-10-03 17:54 . 2007-09-17 01:45 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-10-03 17:27 . 2006-02-06 00:46 -------- d-----w- c:\program files\Palm
2009-09-25 15:59 . 2005-11-11 21:15 85296 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-11 23:40 . 2008-12-19 19:44 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-04 20:43 . 2008-10-12 12:54 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-08-05 09:01 . 2004-08-10 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-31 00:01 . 2009-08-06 01:04 81736 ----a-w- c:\windows\system32\lmdimon8.dll
2009-07-17 19:01 . 2004-08-10 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2005-01-07 20:20 . 2005-01-07 20:20 278528 ----a-w- c:\program files\internet explorer\plugins\PanoViewer.dll
2005-01-07 20:20 . 2005-01-07 20:20 143360 ----a-w- c:\program files\internet explorer\plugins\UPjpeg.dll
2006-03-31 14:30 . 2006-03-31 14:30 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-10-10_01.32.52 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-10-10 01:33 . 2009-10-10 01:33 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-10-10 01:33 . 2009-10-12 23:37 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-10-03 16:52 . 2009-10-12 23:37 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-10-03 16:52 . 2009-10-10 01:31 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-03 16:52 . 2009-10-12 23:37 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-10-03 16:52 . 2009-10-10 01:31 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"PlaxoUpdate"="c:\program files\Plaxo\3.22.0.7\PlaxoHelper_en.exe" [2009-07-10 378951]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-20 68856]
"PlaxoSysTray"="c:\program files\Plaxo\3.22.0.7\PlaxoSysTray.exe" [2009-07-10 20480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"WildTangent CDA"="c:\program files\WildTangent\Apps\CDA\GameDrvr.exe" [2005-03-29 28616]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-12 196608]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]
"LogitechGalleryRepair"="c:\program files\Logitech\ImageStudio\ISStart.exe" [2002-12-10 155648]
"LogitechImageStudioTray"="c:\program files\Logitech\ImageStudio\LogiTray.exe" [2002-12-10 61440]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"ps2"="c:\windows\system32\ps2.exe" [2004-10-25 90112]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-14 344064]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"RECGUARD"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-28 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-06-13 127036]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2009-05-13 6345840]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]

c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-1-30 385024]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2006-2-5 36953]
Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2005-11-11 36903]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\webrootspysweeperservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wrconsumerservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"McSysmon"=3 (0x3)
"McShield"=2 (0x2)
"MHN"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Comcast Video Mail\\Comcast_Video_Mail.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\Ati2evxx.exe"=
"c:\\Program Files\\Webroot\\Spy Sweeper\\WRConsumerService.exe"=

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [4/21/2009 6:27 PM 29808]
R2 wrconsumerservice;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [9/26/2009 11:59 PM 1205760]
S3 CoachVid;CoachVid;c:\windows\system32\drivers\CoachVid.sys [7/2/2009 6:20 PM 45344]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
FF - ProfilePath - c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\3v3qhed4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ebay.com/
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-12 19:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(616)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3656)
c:\program files\Plaxo\3.22.0.7\plx_hook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\wanmpsvc.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Logitech\ImageStudio\LowLight.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\program files\Webroot\Spy Sweeper\SSU.exe
c:\program files\Java\jre1.6.0_07\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-10-12 19:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-12 23:43
ComboFix2.txt 2009-10-10 01:38

Pre-Run: 128,294,559,744 bytes free
Post-Run: 128,255,102,976 bytes free

222 --- E O F --- 2009-09-10 23:01

[mb61]

I have also uploaded the .zip file to the location provided.

[chemist]

Hello again, Marcy. Thanks for submitting the file. Please tell us how your system is behaving.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

• Download the latest version of Java Runtime Environment (JRE) 6 and Save it to your Desktop.
• Scroll down to where it says Java Runtime Environment (JRE) 6 Update 16 The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
• Click the Download button to the right.
• Select the Windows platform from the dropdown menu.
• Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement
• Click Continue The page will refresh.
• Click on the link to download Windows Offline Installation and Save the file to your Desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start(or My Computer) > Control Panel and double-click on Add or Remove Programs and remove all older versions of Java.
• Click (highlight) any item with Java Runtime Environment (JRE, J2SE, Java(TM) SE or Java(TM) 6) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java version.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.

• After the install is complete, go back to your Control Panel(using Classic View) and click the Java icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button.
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window.
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
  • Click OK to leave the Temporary Files Window.
  • Click OK to leave the Java Control Panel.
  • Delete jre-6u16-windows-i586-p.exe from your desktop.

------------------------------------------------------

Please download ATF-Cleaner by Atribune and Save it to your Desktop.

• Double-click ATF-Cleaner.exe to run the program.
• Under Main choose: Select All
• Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
• NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
• NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

------------------------------------------------------

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

Establish an internet connection & perform an online scan at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.

• Click Run at any Security prompt.
• The program will then begin downloading and installing and will also update the database.
• Please be patient as this can take several minutes.
• Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
• Click the Save Report As... button.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

**Note**

To optimize scanning time and produce a more sensible report for review:

• Close any open programs.
• Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

------------------------------------------------------

Please post the following in your next reply:

Kaspersky report
report on system behavior

[mb61]

All right, followed all steps - scan ran for over 2 hours. System appears to be running ok, I haven't done much on it besides what you have asked. No popup windows and response time is good. Here it the Kaspersky report.txt

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, October 13, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, October 13, 2009 15:09:40
Records in database: 2967358
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan statistics:
Objects scanned: 141423
Threats found: 5
Infected objects found: 12
Suspicious objects found: 0
Scan duration: 02:44:46


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\gadonesi.dll.vir Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\penitoro.dll.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\potibubi.dll.vir Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ramobugu.dll.vir Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tipigola.dll.vir Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\yunukino.dll.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\[4]-Submit_2009-10-12_19.28.42.zip Infected: Packed.Win32.Krap.x 2
C:\Qoobox\Quarantine\[4]-Submit_2009-10-12_19.28.42.zip Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\[4]-Submit_2009-10-12_19.28.42.zip Infected: Trojan.Win32.Scar.zgn 1
D:\I386\Apps\APP15894\src\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1
D:\I386\Apps\APP15894\src\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1

Selected area has been scanned.

[chemist]

Hello again, Marcy. QooBox is ComboFix's quarantine folder. It will get deleted when we uninstall ComboFix. Those 2 Spring06.exe finds by Kaspersky came factory installed on your recovery partition, so we will leave those be.

Quote:

I haven't done much on it besides what you have asked

It's OK to use the machine. Try it out and let me know how it behaves.

------------------------------------------------------

Go to Start > Run and copy/paste the following into the Run box and click OK:

cmd /c rd /s/q "c:\documents and settings\All Users\Application Data\Viewpoint"

A DOS window will open and close again, this is normal.

------------------------------------------------------

I see you already have MBAM on your machine.

• Launch Malwarebytes' Anti-Malware
• Under the Update tab, click Check for Updates
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform quick scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad and you may be prompted to Restart your computer.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy/Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

------------------------------------------------------

[mb61]

Ok ran MalwareBytes scan. Here is the results:

Malwarebytes' Anti-Malware 1.41
Database version: 2955
Windows 5.1.2600 Service Pack 3

10/13/2009 2:12:41 PM
mbam-log-2009-10-13 (14-12-41).txt

Scan type: Quick Scan
Objects scanned: 111169
Time elapsed: 6 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[mb61]

Interestingly I was working on my work computer and not using this computer that had issues, and webroot popped up indicating that it quarantined something that tried to come in. 3 Items were quarantined that were not there before all 4 -5 risk rating:

Mal/EncPk-KP
App/Forcelib-A
rogue security products

All appears to be running much better, I will continue to start using throughout the remainder of today and post more tonight.

Thank you for all this help, it is greatly appreciated and you can be sure I will Donate. Wish I had done this first before wasting my money with the BB G Squad guy.

[chemist]

You're very welcome, Marcy!

I'll be here.

[chemist]

Hello again, Marcy. Forgot about that Spyware BeGone entry remaining in Add or Remove Programs.

• Download RegSearch.zip and Save it to your Desktop.
• Click 'Extract all files' and follow the prompts. Use the 'Browse' button to Save it to your Desktop.
• Double-click RegSearch.exe to launch the program and click Run
• Copy/paste the following bolded text into the very first Enter search strings box and click OK
  
  Spyware BeGone
  
  
• After completion Notepad will be opened with all the found instances of the string.
• The resulting file is saved in the same location as RegSearch.exe
• Please copy/paste that file in your next reply.

------------------------------------------------------