Old 10-06-2009, 09:35 PM   #1 (permalink)
Registered User
 
Join Date: Sep 2009
Posts: 25
OS: XP


May have a virus

I think I have a virus, but neither Malwarebytes nor SUPERAntiSpyware can find it, and whenever I try to access some sites it redirects me. I just need someone to check if I am infected or not, tyvm. Here are my logs.

My DDS.txt log


DDS (Ver_09-09-29.01) - NTFSx86
Run by User at 22:29:14.32 on Tue 10/06/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.1555 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Steam\Steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Alcmtr] ALCMTR.EXE
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
dRunOnce: [IE7-11] rundll32 advpack.dll,LaunchINFSection NR_IE7en.inf,AfterUserStart
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206029718390
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206029712484
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SSODL: foyerimaw - {eae62e27-51ee-4c92-af88-344d6e9e1888} - No File
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\ei3asatk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 74480]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\cyberlink\powerdvd\000.fcl [2006-11-2 13560]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-14 102448]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [2009-7-29 38400]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091006.005\naveng.sys [2009-10-6 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091006.005\navex15.sys [2009-10-6 1323568]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 7408]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2008-3-20 20160]
S3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;c:\windows\system32\drivers\l251x86.sys [2008-3-20 29696]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]

=============== Created Last 30 ================

2009-10-04 13:32 <DIR> --d----- c:\program files\Microsoft
2009-09-28 22:41 <DIR> --d----- c:\program files\NVIDIA Corporation
2009-09-28 22:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation
2009-09-28 22:41 <DIR> --d----- C:\NVIDIA
2009-09-24 16:58 3,248 a------- c:\windows\system32\wbem\Outlook_01ca3d59bb9aba46.mof
2009-09-19 12:04 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-19 12:04 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-19 12:04 <DIR> --d----- c:\program files\jacklao folder
2009-09-19 11:30 <DIR> --d----- C:\jacklao.exe
2009-09-19 11:19 <DIR> a-dshr-- C:\cmdcons
2009-09-19 10:53 <DIR> --d----- c:\docume~1\user\applic~1\Windows Search
2009-09-18 22:39 <DIR> --d----- c:\program files\Mba
2009-09-18 21:26 <DIR> --d----- c:\windows\ERUNT
2009-09-18 21:01 162,304 a------- c:\windows\system32\ztvunrar36.dll
2009-09-18 21:01 153,088 a------- c:\windows\system32\unrar3.dll
2009-09-18 21:01 77,312 a------- c:\windows\system32\ztvunace26.dll
2009-09-18 21:01 75,264 a------- c:\windows\system32\unacev2.dll
2009-09-18 21:01 69,632 a------- c:\windows\system32\ztvcabinet.dll
2009-09-18 21:01 <DIR> --d----- c:\docume~1\user\applic~1\Simply Super Software
2009-09-18 21:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Simply Super Software
2009-09-18 20:21 <DIR> --d-h--- c:\windows\PIF
2009-09-18 20:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-09-18 20:02 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-09-18 20:02 <DIR> --d----- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
2009-09-18 18:39 0 a----r-- c:\windows\sUBs
2009-09-16 18:03 <DIR> --d----- c:\program files\iPhone Configuration Utility
2009-09-16 18:01 <DIR> --d----- c:\program files\iPod
2009-09-16 18:01 <DIR> --d----- c:\program files\iTunes
2009-09-16 18:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-09 14:48 153,088 -c------ c:\windows\system32\dllcache\triedit.dll
2009-09-08 11:55 <DIR> --d----- c:\program files\VideoLAN

==================== Find3M ====================

2009-08-28 19:42 2,065,696 a------- c:\windows\system32\usbaaplrc.dll
2009-08-28 19:42 40,448 a------- c:\windows\system32\drivers\usbaapl.sys
2009-08-17 03:04 2,173,472 a------- c:\windows\system32\nvcplui.exe
2009-08-17 03:04 81,920 a------- c:\windows\system32\nvwddi.dll
2009-08-17 03:03 3,170,304 a------- c:\windows\system32\nvwss.dll
2009-08-17 03:03 4,026,368 a------- c:\windows\system32\nvvitvs.dll
2009-08-17 03:03 1,286,144 a------- c:\windows\system32\nvmobls.dll
2009-08-17 03:03 188,416 a------- c:\windows\system32\nvmccss.dll
2009-08-17 03:03 3,547,136 a------- c:\windows\system32\nvgames.dll
2009-08-17 03:03 4,923,392 a------- c:\windows\system32\nvdisps.dll
2009-08-17 03:03 13,877,248 a------- c:\windows\system32\nvcpl.dll
2009-08-17 03:03 168,004 a------- c:\windows\system32\nvsvc32.exe
2009-08-17 03:03 143,360 a------- c:\windows\system32\nvcolor.exe
2009-08-17 03:03 86,016 a------- c:\windows\system32\nvmctray.dll
2009-08-17 03:02 229,376 a------- c:\windows\system32\nvmccs.dll
2009-08-17 00:57 10,457,088 a------- c:\windows\system32\nvoglnt.dll
2009-08-17 00:57 7,729,568 a------- c:\windows\system32\drivers\nv4_mini.sys
2009-08-17 00:57 5,845,760 a------- c:\windows\system32\nv4_disp.dll
2009-08-17 00:57 2,189,856 a------- c:\windows\system32\nvcuvid.dll
2009-08-17 00:57 2,002,944 a------- c:\windows\system32\nvcuda.dll
2009-08-17 00:57 1,706,528 a------- c:\windows\system32\nvcuvenc.dll
2009-08-17 00:57 1,597,690 a------- c:\windows\system32\nvdata.bin
2009-08-17 00:57 868,352 a------- c:\windows\system32\nvapi.dll
2009-08-17 00:57 485,920 a------- c:\windows\system32\nvudisp.exe
2009-08-17 00:57 155,648 a------- c:\windows\system32\nvcodins.dll
2009-08-17 00:57 155,648 a------- c:\windows\system32\nvcod.dll
2009-08-14 13:36 70,936 a------- c:\windows\system32\PhysXLoader.dll
2009-08-11 12:35 485,920 a------- c:\windows\system32\NVUNINST.EXE
2009-08-06 21:43 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-03 00:21 288,024 a------- c:\windows\system32\PhysXCplUI.exe
2009-08-03 00:21 288,024 a------- c:\windows\system32\PhysXCompatCplUI.exe
2009-08-03 00:21 58,648 a------- c:\windows\system32\AgCPanelTraditionalChinese.dll
2009-08-03 00:21 58,648 a------- c:\windows\system32\AgCPanelSwedish.dll
2009-08-03 00:21 58,648 a------- c:\windows\system32\AgCPanelSpanish.dll
2009-08-03 00:21 58,648 a------- c:\windows\system32\AgCPanelSimplifiedChinese.dll
2009-08-03 00:21 58,648 a------- c:\windows\system32\AgCPanelPortugese.dll
2009-08-03 00:21 58,648 a------- c:\windows\system32\AgCPanelKorean.dll
2009-08-03 00:21 58,648 a------- c:\windows\system32\AgCPanelJapanese.dll
2009-08-03 00:21 23,320 a------- c:\windows\system32\PhysXDevice.dll
2009-08-03 00:21 58,648 a------- c:\windows\system32\AgCPanelGerman.dll
2009-08-03 00:21 58,648 a------- c:\windows\system32\AgCPanelFrench.dll
2009-07-26 16:44 48,448 a------- c:\windows\system32\sirenacm.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2006-06-24 18:48 32,768 a----r-- c:\windows\inf\UpdateUSB.exe
2008-03-20 12:23 32,768 a--sh--- c:\windows\system32\config\systemprofile\application data\microsoft\internet explorer\userdata\index.dat
2008-10-10 14:50 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

============= FINISH: 22:31:09.23 ===============
Attached Files
File Type: zip ark.zip (1.0 KB, 6 views)
File Type: zip Attach.zip (2.8 KB, 2 views)
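
The DDS output above is the raw material a helper reads by hand. As an added example that is not part of the original post, of DDS, or of the forum's tools, the Python below parses the "Pseudo HJT Report" section and pulls out the three things a helper checks first in it: registrations marked "No File" (the orphaned TB and SSODL entries in this log), DPF entries left behind by superseded Java 6 updates (this log still references jinstall 1.6.0_01 and 1.6.0_05 beside 1.6.0_15), and Run entries that name a bare executable resolved through the search path. The sample input is a constructed subset of the lines posted above; the regular expressions and the meaning assigned to each finding are this example's assumptions about the DDS layout, not anything DDS documents.

```python
"""Triage a DDS 'Pseudo HJT Report' section (added example, not DDS code).

Pulls out three things a helper checks first: registrations whose file is
gone ('No File'), DPF entries left behind by superseded Java 6 updates, and
Run entries that name a bare executable resolved through the search path.
"""
import re

# Constructed sample: a subset of the lines from the DDS log posted above,
# with the header before the section and the one after it, so the section
# slicing is exercised too.
SAMPLE_DDS = """\
============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\\program files\\yahoo!\\companion\\installs\\cpn1\\yt.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [swg] "c:\\program files\\google\\googletoolbarnotifier\\GoogleToolbarNotifier.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\\windows\\system32\\NvCpl.dll,NvStartup
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Notify: NavLogon - c:\\windows\\system32\\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\\windows\\system32\\wpdshserviceobj.dll
SSODL: foyerimaw - {eae62e27-51ee-4c92-af88-344d6e9e1888} - No File

================= FIREFOX ===================
FF - ProfilePath - c:\\docume~1\\user\\applic~1\\mozilla\\firefox\\profiles\\ei3asatk.default\\
"""

# Assumed layout of DDS lines (derived from the log above, not documented by DDS).
SECTION_HEADER = re.compile(r"^=+\s*(?P<title>.*?)\s*=+$")
RUN_ENTRY = re.compile(r"^(?P<kind>[umd]Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<target>.*)$")
CLSID_ENTRY = re.compile(
    r"^(?P<kind>\w+): (?:(?P<name>.*?)(?:: | - ))?"
    r"(?P<clsid>\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}) - (?P<target>.*)$",
    re.IGNORECASE,
)
PLAIN_ENTRY = re.compile(r"^(?P<kind>\w+): (?P<name>.*?) - (?P<target>.*)$")
JINSTALL = re.compile(r"jinstall-1_6_0_(?P<update>\d+)-", re.IGNORECASE)


def hjt_section(text):
    """Return the non-blank lines of the 'Pseudo HJT Report' section only."""
    lines, inside = [], False
    for line in text.splitlines():
        m = SECTION_HEADER.match(line)
        if m:
            inside = m.group("title") == "Pseudo HJT Report"
            continue
        if inside and line.strip():
            lines.append(line)
    return lines


def parse_entry(line):
    """Parse one line into a dict with kind/name/clsid/target, or None for
    lines that are not autostart or COM registrations (e.g. 'uSearch Page =')."""
    for pattern in (RUN_ENTRY, CLSID_ENTRY, PLAIN_ENTRY):
        m = pattern.match(line)
        if m:
            entry = {"kind": None, "name": None, "clsid": None, "target": None}
            entry.update(m.groupdict())
            return entry
    return None


def find_orphans(entries):
    """Registrations pointing at a file that no longer exists. After a cleanup
    these are usually leftovers to remove rather than active malware."""
    return [e for e in entries if (e["target"] or "").strip().lower() == "no file"]


def find_stale_java(entries):
    """(update, clsid) pairs for JRE 6 updates older than the newest registered.
    Each update keeps its own DPF CLSID, so old CAB references linger until the
    old JRE itself is uninstalled."""
    seen = []
    for e in entries:
        m = JINSTALL.search(e["target"] or "") if e["kind"] == "DPF" else None
        if m:
            seen.append((int(m.group("update")), e["clsid"]))
    if not seen:
        return []
    newest = max(update for update, _ in seen)
    return sorted(pair for pair in seen if pair[0] < newest)


def executable_of(target):
    """First token of a Run command: the quoted path if quoted, else the first word."""
    target = target.strip()
    if target.startswith('"'):
        end = target.find('"', 1)
        return target[1:end] if end > 0 else target[1:]
    return target.split()[0] if target else ""


def find_bare_run_entries(entries):
    """Run entries whose executable carries no drive or directory, so Windows
    locates it via the search path; confirm the file on disk before trusting it."""
    flagged = []
    for e in entries:
        if e["kind"].endswith(("Run", "RunOnce")):
            exe = executable_of(e["target"])
            if exe and "\\" not in exe and ":" not in exe:
                flagged.append(e)
    return flagged


def triage(text):
    """Run all three checks over a DDS.txt body and return the findings."""
    entries = [e for e in map(parse_entry, hjt_section(text)) if e]
    return {
        "entries": entries,
        "orphans": find_orphans(entries),
        "stale_java": find_stale_java(entries),
        "bare_run": find_bare_run_entries(entries),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_DDS)
    for e in report["orphans"]:
        print(f"No File : {e['kind']} {e['name'] or ''} {e['clsid']}")
    for update, clsid in report["stale_java"]:
        print(f"stale JRE 1.6.0_{update:02d} : {clsid}")
    for e in report["bare_run"]:
        print(f"bare Run: [{e['name']}] {e['target']}")
```

Run stand-alone it prints the findings for the embedded sample; call `triage()` on the text of a full DDS.txt to use it on a real log. A "No File" hit is a cleanup candidate, not proof of infection. The stale-Java list matters because a superseded JRE 6 update that is still installed remains selectable through its version-specific CLSID, so it should be uninstalled rather than merely updated past.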
Old 10-08-2009, 06:50 PM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,701
OS: 2000 Pro; XP Pro; XP Home


Re: May have a virus

Hello.

You've returned fairly quickly after a disinfection. You must review the internet habits of all who access this machine.

From our pre-posting sticky:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help


Quote:
It is not our intent to repeatedly remove malware from the same member's machines. The intent of this free service performed by volunteers is to help remove malware from your machine, educate you on how it may have happened, and how to prevent that from happening again. To this end, we provide links to articles and tools which should make your visit to the Virus/Trojan/Spyware Help section of TSF a one time event. Please do enjoy the rest of Tech Support Forum as many times as you like!
You'll need to take more care on the internet, and ensure everyone using the machine is doing the same. I would hope and expect this to be the last time you need our help in this section of the forum.


=================================

The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused. Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since it will be like searching for a needle in a haystack to find the right cause and solution.
So we can try to clean this up and do what we can, but keep in mind that we can't solve ALL the problems this malware has already caused.

It may be in your best interest to simply format the machine and start over with better safe surfing habits.

I will attempt to help you once more, but again, I would hope and expect this to be the last time our VOLUNTEERS are asked to help you disinfect your machine.

=================================

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

  1. Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.


    You can get help on disabling your protection programs here

    To Disable Symantec, see if this helps:

    http://grok.lsu.edu/Article.aspx?articleId=10682

    Open Symantec AntiVirus, in the left pane, click Configure, then Auto-Protect. In the right pane, uncheck Enable Auto-Protect. Recheck it to turn it back on.
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.

    Click on Yes to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 10-09-2009, 08:48 AM   #3 (permalink)
Registered User
 
Join Date: Sep 2009
Posts: 25
OS: XP


Re: May have a virus

Well, the problem seems to have gone away after I used ComboFix. Tyvm for helping this noob once again. I'll try not to get infected again.

here is my combofix log

ComboFix 09-10-08.04 - User 10/09/2009 10:35.4.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2717 [GMT -4:00]
Running from: c:\documents and settings\User\Desktop\Cmbofixer.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\iniasd.txt

.
((((((((((((((((((((((((( Files Created from 2009-09-09 to 2009-10-09 )))))))))))))))))))))))))))))))
.

2009-10-08 20:37 . 2009-10-08 20:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-08 01:34 . 2009-10-08 01:34 195584 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\cache\6.0\5\27706285-2ffd13f7-n\WMINative.dll
2009-10-07 22:04 . 2009-10-07 22:04 -------- d-----w- c:\program files\uTorrent
2009-10-04 17:32 . 2009-10-04 17:33 -------- d-----w- c:\program files\Microsoft
2009-09-29 02:41 . 2009-09-29 02:41 -------- d-----w- c:\program files\NVIDIA Corporation
2009-09-29 02:41 . 2009-09-29 02:41 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2009-09-29 02:41 . 2009-09-29 02:41 -------- d-----w- C:\NVIDIA
2009-09-29 02:25 . 2009-09-29 02:25 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-09-20 04:56 . 2009-09-20 04:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-19 16:04 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-19 16:04 . 2009-09-19 16:06 -------- d-----w- c:\program files\jacklao folder
2009-09-19 16:04 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-19 14:53 . 2009-09-19 14:53 -------- d-----w- c:\documents and settings\User\Application Data\Windows Search
2009-09-19 03:36 . 2009-09-19 03:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-19 02:39 . 2009-09-19 02:40 -------- d-----w- c:\program files\Mba
2009-09-19 01:26 . 2009-09-19 01:26 -------- d-----w- c:\windows\ERUNT
2009-09-19 01:01 . 2006-06-19 17:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2009-09-19 01:01 . 2006-05-25 19:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2009-09-19 01:01 . 2005-08-26 05:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2009-09-19 01:01 . 2003-02-03 00:06 153088 ----a-w- c:\windows\system32\unrar3.dll
2009-09-19 01:01 . 2002-03-06 05:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2009-09-19 01:01 . 2009-10-08 22:02 -------- d-----w- c:\documents and settings\User\Application Data\Simply Super Software
2009-09-19 01:01 . 2009-09-19 01:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-09-19 00:21 . 2009-09-19 15:00 -------- d--h--w- c:\windows\PIF
2009-09-19 00:02 . 2009-09-19 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-19 00:02 . 2009-10-08 21:42 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-16 22:03 . 2009-09-16 22:03 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-09-16 22:01 . 2009-09-16 22:01 -------- d-----w- c:\program files\iPod
2009-09-16 22:01 . 2009-09-16 22:01 -------- d-----w- c:\program files\iTunes
2009-09-16 22:01 . 2009-09-16 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-16 22:00 . 2009-09-16 22:00 -------- d-----w- c:\program files\QuickTime
2009-09-09 18:48 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-09 14:31 . 2007-05-14 18:51 -------- d-----w- c:\program files\Symantec AntiVirus
2009-10-08 23:25 . 2009-08-01 04:13 -------- d-----w- c:\program files\Steam
2009-10-08 21:44 . 2009-10-08 21:44 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2009-10-08 21:44 . 2009-10-08 21:44 -------- d-----w- c:\program files\IObit
2009-10-08 21:42 . 2009-07-30 03:56 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-07 23:57 . 2009-07-29 07:34 -------- d-----w- c:\documents and settings\User\Application Data\uTorrent
2009-10-07 21:50 . 2008-03-20 17:05 -------- d-----w- c:\program files\Google
2009-10-04 17:33 . 2009-07-29 07:19 -------- d-----w- c:\program files\Windows Live
2009-09-29 02:42 . 2009-07-30 03:56 -------- d-----w- c:\program files\AGEIA Technologies
2009-09-25 20:25 . 2009-07-29 07:59 -------- d-----w- c:\program files\World of Warcraft
2009-09-17 21:27 . 2008-10-10 18:55 -------- d-----w- c:\documents and settings\User\Application Data\Apple Computer
2009-09-16 22:01 . 2008-10-10 19:37 -------- d-----w- c:\program files\Common Files\Apple
2009-09-09 18:57 . 2008-03-20 16:44 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-09 18:51 . 2009-07-30 06:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-08 15:57 . 2009-09-08 15:56 -------- d-----w- c:\documents and settings\User\Application Data\vlc
2009-09-08 15:55 . 2009-09-08 15:55 -------- d-----w- c:\program files\VideoLAN
2009-09-08 15:47 . 2009-09-08 15:47 -------- d-----w- c:\documents and settings\User\Application Data\CyberLink
2009-09-07 20:16 . 2008-10-10 19:44 -------- d-----w- c:\program files\Final Codecs
2009-08-29 01:43 . 2009-08-29 01:43 -------- d-----w- c:\documents and settings\User\Application Data\Octoshape
2009-08-28 23:42 . 2008-10-10 19:37 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 23:42 . 2008-10-10 19:37 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-24 00:34 . 2009-08-22 07:27 -------- d-----w- c:\documents and settings\User\Application Data\The Creative Assembly
2009-08-19 22:19 . 2009-08-19 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2009-08-17 15:17 . 2009-08-17 15:17 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2009-08-17 15:17 . 2009-08-17 15:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-17 15:02 . 2009-08-17 15:02 -------- d-----w- c:\program files\Trend Micro
2009-08-17 12:23 . 2009-08-17 12:22 76192 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-17 07:04 . 2009-08-17 07:04 2173472 ----a-w- c:\windows\system32\nvcplui.exe
2009-08-17 07:04 . 2009-08-17 07:04 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-08-17 07:03 . 2009-08-17 07:03 3170304 ----a-w- c:\windows\system32\nvwss.dll
2009-08-17 07:03 . 2009-08-17 07:03 4026368 ----a-w- c:\windows\system32\nvvitvs.dll
2009-08-17 07:03 . 2009-08-17 07:03 188416 ----a-w- c:\windows\system32\nvmccss.dll
2009-08-17 07:03 . 2009-08-17 07:03 1286144 ----a-w- c:\windows\system32\nvmobls.dll
2009-08-17 07:03 . 2009-08-17 07:03 3547136 ----a-w- c:\windows\system32\nvgames.dll
2009-08-17 07:03 . 2009-08-17 07:03 4923392 ----a-w- c:\windows\system32\nvdisps.dll
2009-08-17 07:03 . 2009-08-17 07:03 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-08-17 07:03 . 2009-08-17 07:03 168004 ----a-w- c:\windows\system32\nvsvc32.exe
2009-08-17 07:03 . 2009-08-17 07:03 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-08-17 07:03 . 2009-08-17 07:03 13877248 ----a-w- c:\windows\system32\nvcpl.dll
2009-08-17 07:02 . 2009-08-17 07:02 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-08-17 06:00 . 2008-10-10 18:55 76192 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-17 04:57 . 2009-08-17 04:57 2189856 ----a-w- c:\windows\system32\nvcuvid.dll
2009-08-17 04:57 . 2009-08-17 04:57 1706528 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-08-17 04:57 . 2009-08-17 04:57 1597690 ----a-w- c:\windows\system32\nvdata.bin
2009-08-17 04:57 . 2009-07-30 03:56 485920 ----a-w- c:\windows\system32\nvudisp.exe
2009-08-17 04:57 . 2008-10-10 19:11 7729568 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-08-17 04:57 . 2008-10-10 19:11 5845760 ----a-w- c:\windows\system32\nv4_disp.dll
2009-08-17 04:57 . 2008-10-07 17:33 868352 ----a-w- c:\windows\system32\nvapi.dll
2009-08-17 04:57 . 2008-10-07 17:33 2002944 ----a-w- c:\windows\system32\nvcuda.dll
2009-08-17 04:57 . 2008-10-07 17:33 155648 ----a-w- c:\windows\system32\nvcodins.dll
2009-08-17 04:57 . 2008-10-07 17:33 155648 ----a-w- c:\windows\system32\nvcod.dll
2009-08-17 04:57 . 2008-10-07 17:33 10457088 ----a-w- c:\windows\system32\nvoglnt.dll
2009-08-17 01:56 . 2009-07-29 07:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-08-17 01:54 . 2009-07-29 07:04 -------- d-----w- c:\program files\Yahoo!
2009-08-14 17:36 . 2009-08-14 17:36 70936 ----a-w- c:\windows\system32\PhysXLoader.dll
2009-08-11 16:35 . 2009-07-30 03:56 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-08-07 01:43 . 2009-08-07 01:43 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-07 01:43 . 2009-08-07 01:43 152576 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-05 09:01 . 2004-08-03 23:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 04:21 . 2009-08-03 04:21 58648 ----a-w- c:\windows\system32\AgCPanelTraditionalChinese.dll
2009-08-03 04:21 . 2009-08-03 04:21 58648 ----a-w- c:\windows\system32\AgCPanelSwedish.dll
2009-08-03 04:21 . 2009-08-03 04:21 58648 ----a-w- c:\windows\system32\AgCPanelSpanish.dll
2009-08-03 04:21 . 2009-08-03 04:21 58648 ----a-w- c:\windows\system32\AgCPanelSimplifiedChinese.dll
2009-08-03 04:21 . 2009-08-03 04:21 58648 ----a-w- c:\windows\system32\AgCPanelPortugese.dll
2009-08-03 04:21 . 2009-08-03 04:21 58648 ----a-w- c:\windows\system32\AgCPanelKorean.dll
2009-08-03 04:21 . 2009-08-03 04:21 58648 ----a-w- c:\windows\system32\AgCPanelJapanese.dll
2009-08-03 04:21 . 2009-08-03 04:21 288024 ----a-w- c:\windows\system32\PhysXCplUI.exe
2009-08-03 04:21 . 2009-08-03 04:21 288024 ----a-w- c:\windows\system32\PhysXCompatCplUI.exe
2009-08-03 04:21 . 2009-08-03 04:21 23320 ----a-w- c:\windows\system32\PhysXDevice.dll
2009-08-03 04:21 . 2009-08-03 04:21 58648 ----a-w- c:\windows\system32\AgCPanelGerman.dll
2009-08-03 04:21 . 2009-08-03 04:21 58648 ----a-w- c:\windows\system32\AgCPanelFrench.dll
2009-07-29 07:34 . 2009-07-29 07:34 0 ----a-w- c:\windows\nsreg.dat
2009-07-26 20:44 . 2009-07-26 20:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2009-07-17 19:01 . 2004-08-03 23:56 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2007-03-21 21:39 286208 ----a-w- c:\windows\system32\wmpdxm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2007-03-21 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-02-07 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 54832]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-07 149280]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2009-09-29 1241872]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-11-17 17676288]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-10-07 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"IE7-11"="advpack.dll" - c:\windows\system32\advpack.dll [2009-03-08 128512]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Steam\\SteamApps\\tendyer\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Yahoo!\\SoftwareUpdate\\YahooAUService.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe"=
"c:\\WINDOWS\\system32\\searchindexer.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Symantec AntiVirus\\VPTray.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\empire total war\\Empire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader

R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [10/8/2009 5:44 PM 309008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/14/2009 12:49 AM 102448]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [7/29/2009 11:48 PM 38400]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [3/20/2008 7:14 AM 20160]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-10-09 c:\windows\Tasks\User_Feed_Synchronization-{066A772D-0CBC-4888-A2D7-F81D213996FC}.job
- c:\windows\system32\msfeedssync.exe [2007-05-14 08:31]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\ei3asatk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
HKLM-Run-Google Quick Search Box - c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe
SSODL-foyerimaw-{eae62e27-51ee-4c92-af88-344d6e9e1888} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-09 10:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2009-10-09 10:38
ComboFix-quarantined-files.txt 2009-10-09 14:38
ComboFix2.txt 2009-09-19 17:00

Pre-Run: 410,948,382,720 bytes free
Post-Run: 411,467,571,200 bytes free

251 --- E O F --- 2009-09-09 18:52
Old 10-09-2009, 09:25 AM   #4 (permalink)
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,701
OS: 2000 Pro; XP Pro; XP Home


Re: May have a virus

Please download a fresh copy of gmer using the link below, and use it according to these settings:

Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.



  • In the right panel, you will see several boxes that have been checked. Ensure the following are NOT checked...
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 10-09-2009, 10:23 AM   #5 (permalink)
Jacklao
Registered User
Join Date: Sep 2009
Posts: 25
OS: XP


Re: May have a virus

Here is my GMER log

GMER 1.0.15.15125 - http://www.gmer.net
Rootkit scan 2009-10-09 12:22:49
Windows 5.1.2600 Service Pack 3
Running: dzolw200[1].exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\fxdyapog.sys


---- System - GMER 1.0.15 ----

SSDT 8A9AC868 ZwAlertResumeThread
SSDT 8A975180 ZwAlertThread
SSDT 8A98A160 ZwAllocateVirtualMemory
SSDT 8AB8E350 ZwConnectPort
SSDT 8A9872D0 ZwCreateMutant
SSDT 8AB0C2D0 ZwCreateThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB4781350]
SSDT 8AAD71B8 ZwFreeVirtualMemory
SSDT 8A9832D0 ZwImpersonateAnonymousToken
SSDT 8A7DF0A0 ZwImpersonateThread
SSDT 8A92AA08 ZwMapViewOfSection
SSDT 8A97C2D0 ZwOpenEvent
SSDT 8AB986A0 ZwOpenProcessToken
SSDT 8A960158 ZwOpenThreadToken
SSDT 8A88BD30 ZwQueryValueKey
SSDT 8AB44230 ZwResumeThread
SSDT 8AB6B518 ZwSetContextThread
SSDT 8AAE60A8 ZwSetInformationProcess
SSDT 8AB6D0A8 ZwSetInformationThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB4781580]
SSDT 8AA29458 ZwSuspendProcess
SSDT 8ABEA0A8 ZwSuspendThread
SSDT 8AB40B68 ZwTerminateProcess
SSDT 8AB281B8 ZwTerminateThread
SSDT 8A932568 ZwUnmapViewOfSection
SSDT 8A9AD160 ZwWriteVirtualMemory

Code \??\C:\DOCUME~1\User\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----
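As an added example (not part of this thread, and not code from GMER or ComboFix), here is a small Python parser for the System and Devices sections of a GMER log of the kind posted above. It separates SSDT hooks that GMER attributed to a named driver from ones it could only print as an address, records inline code hooks and attached filter drivers, and returns a short list of what a reviewer should look at first. The sample input is a verbatim excerpt of the log above; `triage` and its `trusted_vendors` argument are this example's own convention, not a GMER feature.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Verbatim excerpt of the GMER 1.0.15 log posted above, cut down to a few
# lines of each shape the parser handles so the example stays short.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT 8A9AC868 ZwAlertResumeThread
SSDT 8A975180 ZwAlertThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB4781350]

Code \??\C:\DOCUME~1\User\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----
"""

# Line shapes as GMER prints them in this log:
#   "SSDT <hex address> <ZwFunction>"                         hook GMER could not map to a loaded driver
#   "SSDT <driver path> (<desc>/<vendor>) <ZwFunction> [0x<address>]"   hook attributed to a driver
#   "Code <driver path> <kernel routine>"                     inline code patch in a kernel routine
#   "AttachedDevice <driver obj> <device obj> <filter driver> (<desc>/<vendor>)"
SSDT_BARE = re.compile(r"^SSDT\s+([0-9A-F]{8})\s+(Zw\w+)$", re.IGNORECASE)
SSDT_MODULE = re.compile(
    r"^SSDT\s+(.+?)\s+\(([^/()]+)/([^()]+)\)\s+(Zw\w+)\s+\[0x([0-9A-F]+)\]$", re.IGNORECASE)
CODE_HOOK = re.compile(r"^Code\s+(.+?)\s+(\w+)$")
ATTACHED = re.compile(r"^AttachedDevice\s+(\S+)\s+(\S+)\s+(\S+)\s+\(([^/()]+)/([^()]+)\)$")


@dataclass
class SsdtHook:
    function: str
    address: str
    module: Optional[str] = None   # None when GMER printed only an address
    vendor: Optional[str] = None


@dataclass
class GmerReport:
    ssdt_hooks: List[SsdtHook] = field(default_factory=list)
    code_hooks: List[Tuple[str, str]] = field(default_factory=list)            # (driver path, routine)
    attached_devices: List[Tuple[str, str, str]] = field(default_factory=list)  # (device, driver, vendor)

    def unattributed_hooks(self) -> List[SsdtHook]:
        return [h for h in self.ssdt_hooks if h.module is None]

    def hooks_by_vendor(self) -> Dict[str, int]:
        counts: Dict[str, int] = {}
        for h in self.ssdt_hooks:
            key = h.vendor or "(unattributed)"
            counts[key] = counts.get(key, 0) + 1
        return counts


def parse_gmer(text: str) -> GmerReport:
    """Parse the System and Devices sections of a GMER log into a GmerReport."""
    report = GmerReport()
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_MODULE.match(line)
        if m:
            path, _desc, vendor, func, addr = m.groups()
            report.ssdt_hooks.append(SsdtHook(func, "0x" + addr.upper(), path, vendor.strip()))
            continue
        m = SSDT_BARE.match(line)
        if m:
            addr, func = m.groups()
            report.ssdt_hooks.append(SsdtHook(func, "0x" + addr.upper()))
            continue
        m = CODE_HOOK.match(line)
        if m:
            report.code_hooks.append((m.group(1), m.group(2)))
            continue
        m = ATTACHED.match(line)
        if m:
            _drv_obj, device, driver, _desc, vendor = m.groups()
            report.attached_devices.append((device, driver, vendor.strip()))
    return report


def triage(report: GmerReport, trusted_vendors) -> List[str]:
    """Lines a reviewer looks at first. GMER itself passes no judgement on these
    entries; trusted_vendors is the reviewer's own list of security products known
    to be installed (this example's convention, not a GMER setting)."""
    findings: List[str] = []
    bare = report.unattributed_hooks()
    if bare:
        names = ", ".join(h.function for h in bare)
        findings.append(f"{len(bare)} SSDT hook(s) with no module attribution, "
                        f"check against installed security software: {names}")
    for h in report.ssdt_hooks:
        if h.vendor and h.vendor not in trusted_vendors:
            findings.append(f"SSDT hook on {h.function} by unrecognised vendor {h.vendor!r}: {h.module}")
    for path, routine in report.code_hooks:
        findings.append(f"inline kernel code hook on {routine} by {path}")
    for device, driver, vendor in report.attached_devices:
        if vendor not in trusted_vendors:
            findings.append(f"filter driver {driver} ({vendor}) attached to {device}")
    return findings


if __name__ == "__main__":
    rpt = parse_gmer(SAMPLE_LOG)
    print(rpt.hooks_by_vendor())
    for finding in triage(rpt, {"Symantec Corporation"}):
        print("-", finding)
```

A bare-address SSDT entry means GMER could not map the hook to a loaded driver, so the log on its own cannot say who owns it. On this machine both Symantec AntiVirus and IObit Security 360 are installed (they appear in the Add/Remove list posted later in the thread), and the helper's reading of this log as clean goes with the caution in post #4 that rootkit scans often produce false positives; that is why the parser only lists those entries for review rather than labelling them. The catchme.sys code hook is likewise expected here: the ComboFix log earlier in the thread shows its catchme rootkit scanner having run from the same Temp folder.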
Old 10-09-2009, 10:32 AM   #6 (permalink)
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,701
OS: 2000 Pro; XP Pro; XP Home


Re: May have a virus

Looks like you dodged a bullet; the infection I suspected to be present may have only been in the %temp% location. Please be careful about what websites you're visiting.

1. Download TFC (Temp File Cleaner) to your desktop, or other location.
2. Save any unsaved work. TFC will close all open application windows.
3. Double-click TFC.exe to run the program.
4. If prompted, click "Yes" to reboot.

---------------------------------------------------------------------------------------------


Please perform this online scan to help look for remnants

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on Settings. Uncheck Mail databases.
  • Next, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------------------------------------
Old 10-09-2009, 10:34 AM   #7 (permalink)
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,701
OS: 2000 Pro; XP Pro; XP Home


Re: May have a virus

Also, in addition to my previous post, please do this after the online scan...

Please go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply.
Old 10-09-2009, 12:06 PM   #8 (permalink)
Jacklao
Registered User
Join Date: Sep 2009
Posts: 25
OS: XP


Re: May have a virus

Here is my Kaspersky log

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, October 9, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, October 09, 2009 17:35:56
Records in database: 2941893
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Objects scanned: 62422
Threats found: 3
Infected objects found: 32
Suspicious objects found: 0
Scan duration: 00:51:42


File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\015C0000\4BDD4A21.VBN Infected: Trojan-Downloader.Win32.FraudLoad.woia 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01C00000\4BC8EAC9.VBN Infected: Trojan-Downloader.Win32.FraudLoad.woia 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01C00001.VBN Infected: Trojan-Downloader.Win32.FraudLoad.woia 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01C00002.VBN Infected: Trojan-Downloader.Win32.FraudLoad.woia 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01C00003.VBN Infected: Trojan-Downloader.Win32.FraudLoad.woia 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01C00004\4BC8ED3F.VBN Infected: Trojan-Downloader.Win32.FraudLoad.woia 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01DC0000.VBN Infected: Trojan-Downloader.Win32.FraudLoad.woia 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01DC0001\4BDCF654.VBN Infected: Trojan-Downloader.Win32.FraudLoad.woia 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01DC0002\4BDCF6C2.VBN Infected: Trojan-Downloader.Win32.FraudLoad.woia 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01DC0003\4BDCF795.VBN Infected: Trojan-Downloader.Win32.FraudLoad.woia 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01DC0004\4BDCF7FA.VBN Infected: Trojan-Downloader.Win32.FraudLoad.woia 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06A80000\4EBD2E65.VBN Infected: Trojan-Downloader.Java.OpenConnection.at 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08080000.VBN Infected: Trojan-Downloader.Win32.FraudLoad.woia 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08080002\4A88F0A4.VBN Infected: Trojan-Downloader.Win32.FraudLoad.woia 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08080003\4A88F11D.VBN Infected: Trojan-Downloader.Win32.FraudLoad.woia 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08080004.VBN Infected: Trojan-Downloader.Win32.FraudLoad.woia 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08080005.VBN Infected: Trojan-Downloader.Win32.FraudLoad.woia 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08080006.VBN Infected: Trojan-Downloader.Win32.FraudLoad.woia 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08080007.VBN Infected: Trojan-Downloader.Win32.FraudLoad.woia 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08080008.VBN Infected: Trojan-Downloader.Win32.FraudLoad.woia 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08080009.VBN Infected: Trojan-Downloader.Win32.FraudLoad.woia 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0808000A.VBN Infected: Trojan-Downloader.Win32.FraudLoad.woia 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0808000B.VBN Infected: Trojan-Downloader.Win32.FraudLoad.woia 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0808000C.VBN Infected: Trojan-Downloader.Win32.FraudLoad.woia 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0808000D.VBN Infected: Trojan-Downloader.Win32.FraudLoad.woia 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0808000E.VBN Infected: Trojan-Downloader.Win32.FraudLoad.woia 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0808000F.VBN Infected: Trojan-Downloader.Win32.FraudLoad.woia 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08080010.VBN Infected: Trojan-Downloader.Win32.FraudLoad.woia 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08080011.VBN Infected: Trojan-Downloader.Win32.FraudLoad.woia 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08080012.VBN Infected: Trojan-Downloader.Win32.FraudLoad.woia 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08080013.VBN Infected: Trojan-Downloader.Win32.FraudLoad.woia 1
C:\Documents and Settings\User\My Documents\Downloads\MPC-6.4.9.exe Infected: not-a-virus:AdWare.Win32.Agent.lmz 1

Selected area has been scanned.


And here is my QooBox log

µTorrent
Ad-Aware SE Professional
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Atheros Communications Inc.(R) AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver
Bonjour
Counter-Strike: Source
Critical Update for Windows Media Player 11 (KB959772)
DVD Shrink 3.2
Empire: Total War
FinalCodecs 2008 Olympic Edition
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
IObit Security 360
iPhone Configuration Utility
iTunes
Java(TM) 6 Update 15
Java(TM) 6 Update 5
Java(TM) SE Runtime Environment 6 Update 1
Junk Mail filter update
K-Lite Mega Codec Pack 5.0.0
LiveUpdate 3.1 (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.1)
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
Nero 6 Ultra Edition
neroxml
NVIDIA Drivers
NVIDIA nView Desktop Manager
NVIDIA PhysX
Picasa 2
PowerDVD
QuickTime
Realtek High Definition Audio Driver
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Segoe UI
Software Update for Web Folders
Steam
Symantec AntiVirus
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office Outlook 2007 (KB969907)
Update for Outlook 2007 Junk Email Filter (kb973514)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Ventrilo Client
WebFldrs XP
WinAVI MP4 Converter
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Presentation Foundation
Windows Search 4.0
Windows System Scanner
Windows XP Service Pack 3
WinRAR archiver
World of Warcraft
XML Paper Specification Shared Components Pack 1.0
Yahoo! Install Manager
Yahoo! Messenger
Yahoo! Software Update
Old 10-09-2009, 12:33 PM   #9 (permalink)
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,701
OS: 2000 Pro; XP Pro; XP Home


Re: May have a virus

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs):

Java(TM) 6 Update 5
Java(TM) SE Runtime Environment 6 Update 1


These are all outdated and are security risks while they remain installed. Unfortunately, Java does not uninstall these older versions when you update, nor tell you that you should. Going forward, Java will overwrite existing installs, so removing older versions should not be required after this.

Leave Java(TM) 6 Update 15 alone, as it has the most recent security updates. There is a more recent version of Java, Java(TM) 6 Update 15, but it made non-security changes, so it's not yet considered a critical update. You can install it from the SunJava site.

http://java.sun.com/javase/downloads/index.jsp

---------------------------------------------------------------------------------------------

Some of the items found are in Symantec Quarantine. The items are safe there, as they've been rendered inert. Symantec empties its quarantine on a schedule. You should also be able to finally remove those items from quarantine manually. See if this helps:

http://www.d.umn.edu/itss/security/nav/quarantine.html

---------------------------------------------------------------------------------------------


This item would seem to be an installer for Media Player Classic. It's listed as adware; your choice to keep or delete.

C:\Documents and Settings\User\My Documents\Downloads\MPC-6.4.9.exe

I would delete it.

---------------------------------------------------------------------------------------------

As mentioned in our preposting topic:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

Quote:
3. Uninstall the following via Add or Remove Programs in Control Panel:

  • p2p programs like uTorrent, Bittorrent, LimeWire, Morpheus, etc., as they are a major conduit for malware and a likely source of your current issues.

P2P - I see you have P2P software ( µTorrent ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

Please see this topic for more information:

Perils of P2P File Sharing

I would strongly recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs.

---------------------------------------------------------------------------------------------

It would appear that you have an outdated version of Ad-Aware installed. If you wish to continue using it, ensure it is the most recent version.

Free version here:

http://www.lavasoft.com/products/ad_aware_free.php

---------------------------------------------------------------------------------------------

I see you have Malwarebytes' AntiMalware installed.

Please update its definitions, and run a new Quick Scan.
  • Launch Malwarebytes' Antimalware
  • On the updates tab, click on Check for Updates
  • If an update is found, it will begin. Once the update is complete..
  • Click on the Scanner tab. Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save it to your desktop. Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 10-09-2009, 12:57 PM   #10 (permalink)
Registered User
 
Join Date: Sep 2009
Posts: 25
OS: XP


Re: May have a virus

I updated malware to the latest version and it found nothing to remove

Malwarebytes' Anti-Malware 1.41
Database version: 2932
Windows 5.1.2600 Service Pack 3

10/9/2009 2:56:55 PM
mbam-log-2009-10-09 (14-56-55).txt

Scan type: Quick Scan
Objects scanned: 114267
Time elapsed: 1 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
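A Malwarebytes' Anti-Malware 1.x log like the one above has two halves: the summary counts ("Files Infected: 0") and the per-section detail lists that follow. When reading many such logs it helps to parse them rather than eyeball them, and to confirm that the two halves agree. The following parser is an added example, not code from the forum or from Malwarebytes; the embedded log is constructed in the same layout, with one detection whose path and family name are obvious placeholders so that the item parser has something to extract.

```python
import re
from typing import Dict

# Constructed sample in the layout of a Malwarebytes' Anti-Malware 1.x log.
# It is not the log from the thread: one "Files Infected" entry with a
# placeholder path and family name has been added for the parser to find.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 2932
Windows 5.1.2600 Service Pack 3

10/9/2009 2:56:55 PM
mbam-log-2009-10-09 (14-56-55).txt

Scan type: Quick Scan
Objects scanned: 114267
Time elapsed: 1 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\PLACEHOLDER\sample.dll (Trojan.Placeholder) -> Quarantined and deleted successfully.
"""

# "Files Infected: 1"  -> a summary count line
SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
# "Files Infected:"    -> start of the detail section of the same name
HEADER_RE = re.compile(r"^(?P<section>.+ Infected):$")
# "<object> (<family>) -> <action>" -> one detected item
ITEM_RE = re.compile(r"^(?P<object>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
NO_ITEMS = "(No malicious items detected)"


def parse_mbam_log(text: str) -> Dict[str, dict]:
    """Split an MBAM 1.x log into scan metadata, summary counts and per-section items."""
    report = {"meta": {}, "counts": {}, "items": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report["counts"][m.group("section")] = int(m.group("count"))
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m.group("section")
            report["items"].setdefault(section, [])
            continue
        if section is not None:
            m = ITEM_RE.match(line)
            if m:
                report["items"][section].append(m.groupdict())
            elif line != NO_ITEMS:
                # Unrecognised line inside a section: keep it rather than drop it silently.
                report["items"][section].append({"object": line, "family": "?", "action": "?"})
            continue
        key, sep, value = line.partition(": ")  # header lines such as "Scan type: Quick Scan"
        if sep:
            report["meta"][key] = value
    return report


def is_clean(report: Dict[str, dict]) -> bool:
    """True only when every summary count is zero and no section lists an item."""
    return sum(report["counts"].values()) == 0 and not any(report["items"].values())


def summary_mismatches(report: Dict[str, dict]) -> Dict[str, tuple]:
    """Sections whose summary count disagrees with the items actually listed.

    A mismatch means the log was truncated or edited, so do not trust it as-is.
    """
    return {
        section: (report["counts"].get(section, 0), len(items))
        for section, items in report["items"].items()
        if report["counts"].get(section, 0) != len(items)
    }


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print("clean:", is_clean(rep), "mismatches:", summary_mismatches(rep))
```

Feed `parse_mbam_log` the text of a saved mbam-log file; `is_clean` reports a clean scan only when both the counts and the detail lists say so, and `summary_mismatches` flags a log whose headline numbers no longer match its contents.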
Old 10-09-2009, 01:04 PM   #11 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,701
OS: 2000 Pro; XP Pro; XP Home


Re: May have a virus

That should be it, then...

Some final housekeeping instructions, and protection information for you.

Your logs appear clean. You should be good to go. We still have a few items to address.


Disconnect from the internet and disable your AntiVirus temporarily.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u



This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Re-enable your AntiVirus now. Reconnect to the internet at your leisure.

Delete any remaining tools we've used (DDS and GMER) and logs from them.

Empty your Recycle Bin.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.

  • Winpatrol

    Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

  • Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP/Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles.
If you want to fight back against the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
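The MVPS HOSTS entry above works because Windows consults the HOSTS file before DNS: a name mapped to 127.0.0.1 (or 0.0.0.0) never leaves the machine. The same file is also one of the places to check when a browser is being redirected, since an entry that maps a familiar name to some other address sends the user wherever that address is. The following audit script is an added example, not something from the forum or from the MVPS project; it goes a step beyond the passage by classifying every entry as a normal localhost line, a sinkholed (blocked) name, or a redirection to a non-local address. The embedded HOSTS content is constructed: the blocking lines use placeholder `.test` names, and the redirect line uses an RFC 5737 documentation address, so none of it refers to a real site.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample HOSTS file (not the poster's file). The ad/tracker lines
# follow the style of a blocking list such as MVPS; the last line is a
# constructed redirect that uses an RFC 5737 documentation address and
# reserved .test names, so nothing here refers to a real site.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost

# [Blocking entries, MVPS style: the name resolves to the local machine]
127.0.0.1  ads.placeholder-adnetwork.test
127.0.0.1  tracker.placeholder-analytics.test   # trailing comment
0.0.0.0    banners.placeholder-cdn.test

# [Constructed redirect: familiar-looking names pointed at a foreign address]
203.0.113.5   www.placeholder-bank.test   search.placeholder-engine.test
"""


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) for every usable line, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment, even mid-line
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no names does nothing
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an IP literal; skip rather than guess
        entries.append((str(address), fields[1:]))
    return entries


def audit_hosts(text: str) -> Dict[str, list]:
    """Classify HOSTS entries.

    local      - the normal localhost lines
    blocked    - name points at loopback or 0.0.0.0: the MVPS-style sinkhole
    redirected - name points at some other address; fine if you put it there
                 yourself, otherwise a classic cause of browser redirects
    """
    report = {"local": [], "blocked": [], "redirected": []}
    for address, names in parse_hosts(text):
        ip = ipaddress.ip_address(address)
        sinkholed = ip.is_loopback or ip.is_unspecified
        for name in names:
            if sinkholed and name.lower() == "localhost":
                report["local"].append(name)
            elif sinkholed:
                report["blocked"].append(name)
            else:
                report["redirected"].append((name, address))
    return report


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(result['blocked'])} blocked name(s), {len(result['redirected'])} redirected")
    for name, address in result["redirected"]:
        print(f"  check this one: {name} -> {address}")
```

On Windows XP the file lives at %SystemRoot%\system32\drivers\etc\hosts; read it and pass the text to `audit_hosts`. A long `blocked` list is what a freshly installed MVPS file looks like, while anything under `redirected` that you did not add yourself deserves a closer look.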
Old 10-09-2009, 01:09 PM   #12 (permalink)
Registered User
 
Join Date: Sep 2009
Posts: 25
OS: XP


Re: May have a virus

tyvm for devoting your free time for my problems,I'll try to stop getting infected
Old 10-09-2009, 01:12 PM   #13 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,701
OS: 2000 Pro; XP Pro; XP Home


Re: May have a virus

Thanks, we'd sure appreciate that. :smile;

We're happy to help, but we do try to educate along the way also. In the end, it's the person at the keyboard responsible for their security.

You may wish to consider virtualizing software, or sandboxed browsing. Sandboxie and Returnil are quite useful, check them out.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Copyright 2001 - 2009, Tech Support Forum