Problem with icons, viruses, Google...

[Nela09]

I have very poor access to machine through Start button and everything goes with extremely difficulties. I think more and more that maybe I have again sort of Redirect Virus because I’m getting right web pages harder and harder and who know what else….

I downloaded gmer.exe and copied to my Desktop, but I don’t see it at Task menager...

I can’t copy what listed gmer but I will rewrite:
Type AttachedD
Name \FileSystem\Nfts \Nfts
Value amon.sys (Amon monitor/Eset)

I download dds.scr and I got teo Notepads
First
Attach - Notepad

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-09-29.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 6/29/2009 8:02:57 PM
System Uptime: 10/6/2009 8:01:53 PM (0 hours ago)

Motherboard: ASUSTek Computer INC. | | Kamet2
Processor: AMD Athlon(tm) XP 2800+ | Socket A | 2074/166mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 298 GiB total, 269.737 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP27: 7/10/2009 9:07:58 PM - System Checkpoint
RP28: 7/11/2009 9:38:51 PM - System Checkpoint
RP29: 7/12/2009 7:03:24 PM - Installed Microsoft Office Home and Student 2007
RP30: 7/12/2009 7:04:26 PM - Installed Microsoft Office Home and Student 2007
RP31: 7/12/2009 7:07:29 PM - Printer Driver Send To Microsoft OneNote Driver Installed
RP32: 7/15/2009 6:50:49 AM - System Checkpoint
RP33: 7/17/2009 3:54:12 PM - System Checkpoint
RP34: 7/18/2009 4:25:50 PM - System Checkpoint
RP35: 7/19/2009 4:58:30 PM - System Checkpoint
RP36: 7/20/2009 8:03:20 PM - System Checkpoint
RP37: 7/21/2009 9:49:57 PM - System Checkpoint
RP38: 7/23/2009 8:51:33 PM - System Checkpoint
RP39: 7/24/2009 8:56:48 PM - System Checkpoint
RP40: 7/25/2009 9:01:32 PM - System Checkpoint
RP41: 7/26/2009 9:35:12 PM - System Checkpoint
RP42: 7/29/2009 8:30:34 PM - System Checkpoint
RP43: 7/30/2009 9:24:21 PM - System Checkpoint
RP44: 7/31/2009 9:44:55 PM - System Checkpoint
RP45: 8/1/2009 10:28:29 PM - System Checkpoint
RP46: 8/3/2009 6:38:21 AM - System Checkpoint
RP47: 8/4/2009 7:11:16 AM - System Checkpoint
RP48: 8/5/2009 8:52:31 PM - System Checkpoint
RP49: 8/8/2009 11:30:21 AM - System Checkpoint
RP50: 8/9/2009 3:40:13 PM - System Checkpoint
RP51: 8/10/2009 8:05:49 PM - System Checkpoint
RP52: 8/11/2009 10:34:00 PM - System Checkpoint
RP53: 8/13/2009 3:45:03 PM - System Checkpoint
RP54: 8/14/2009 6:04:23 PM - System Checkpoint
RP55: 8/16/2009 9:42:10 AM - System Checkpoint
RP56: 8/17/2009 9:44:54 AM - System Checkpoint
RP57: 8/18/2009 11:59:42 AM - System Checkpoint
RP58: 8/19/2009 5:02:51 PM - System Checkpoint
RP59: 8/20/2009 6:08:09 PM - System Checkpoint
RP60: 8/22/2009 10:38:15 AM - System Checkpoint
RP61: 8/23/2009 11:15:37 AM - System Checkpoint
RP62: 8/24/2009 8:08:11 PM - System Checkpoint
RP63: 8/28/2009 9:45:13 PM - System Checkpoint
RP64: 8/29/2009 6:49:44 PM - ADVANCED REGISTRY OPTIMIZER - FIRST RUN
RP65: 8/29/2009 9:54:51 PM - Advanced Registry Optimizer Sat, Aug 29, 09 21:54
RP66: 9/1/2009 11:21:19 PM - System Checkpoint
RP67: 9/3/2009 10:05:12 PM - System Checkpoint
RP68: 9/4/2009 11:31:13 PM - Software Distribution Service 3.0
RP69: 9/4/2009 11:37:35 PM - Installed MSN Toolbar
RP70: 9/4/2009 11:39:21 PM - Installed Windows Internet Explorer 8.
RP71: 9/4/2009 11:40:21 PM - Software Distribution Service 3.0
RP72: 9/5/2009 2:59:22 PM - Software Distribution Service 3.0
RP73: 9/6/2009 8:08:29 PM - System Checkpoint
RP74: 9/7/2009 8:37:48 PM - System Checkpoint
RP75: 9/8/2009 11:46:04 PM - Spybot-S&D Spyware removal
RP76: 9/10/2009 12:31:07 AM - System Checkpoint
RP77: 9/10/2009 12:57:56 AM - Software Distribution Service 3.0
RP78: 9/12/2009 12:14:24 AM - System Checkpoint
RP79: 9/13/2009 12:30:05 PM - System Checkpoint
RP80: 9/16/2009 9:54:37 PM - System Checkpoint
RP81: 9/17/2009 10:13:59 PM - System Checkpoint
RP82: 9/19/2009 10:08:06 AM - System Checkpoint
RP83: 9/20/2009 5:50:42 PM - System Checkpoint
RP84: 9/21/2009 10:33:25 PM - System Checkpoint
RP85: 9/24/2009 7:10:10 AM - System Checkpoint
RP86: 9/25/2009 7:33:34 AM - System Checkpoint
RP87: 9/26/2009 1:34:28 PM - System Checkpoint
RP88: 9/27/2009 2:03:03 PM - System Checkpoint
RP89: 9/28/2009 11:27:34 PM - Software Distribution Service 3.0
RP90: 9/29/2009 7:09:51 AM - Software Distribution Service 3.0
RP91: 9/30/2009 10:09:46 PM - System Checkpoint
RP92: 10/1/2009 8:57:54 AM - Installed iTunes
RP93: 10/2/2009 8:49:10 PM - Configured Microsoft Office Home and Student 2007 Trial
RP94: 10/3/2009 5:51:52 PM - Removed Bonjour
RP95: 10/3/2009 5:52:42 PM - Removed Microsoft Silverlight
RP96: 10/3/2009 5:53:11 PM - Removed MSN Toolbar
RP97: 10/3/2009 5:54:41 PM - Removed OpenOffice.org 3.0
RP98: 10/3/2009 8:59:26 PM - Removed QuickTime
RP99: 10/4/2009 12:52:46 PM - Installed STOPzilla. Available with Windows Installer version 1.2 and later.
RP100: 10/4/2009 10:00:56 PM - Removed STOPzilla. Available with Windows Installer version 1.2 and later.
RP101: 10/5/2009 11:46:43 PM - System Checkpoint

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 6.0.1
Apple Application Support
Apple Mobile Device Support
Apple Software Update
DVD Decrypter (Remove Only)
DVD Region Killer
DVD Shrink 3.2
Google Toolbar for Internet Explorer
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
iTunes
Java(TM) 6 Update 13
Java(TM) 6 Update 7
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
MSXML 4.0 SP2 (KB954430)
Nero 8
neroxml
NOD32 antivirus system
NOD32 FiX v2.1
Picasa 3
PowerDVD
Quick View Plus
RealPlayer
Realtek AC'97 Audio
S3 S3Gamma2
S3 S3Info2
S3 S3Overlay
S3GSetup
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Spybot - Search & Destroy
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows XP (KB943729)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
VCRedistSetup
VIA Rhine-Family Fast-Ethernet Adapter
VIA/S3G Display Driver
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
WinAce Archiver 2.0
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format Runtime
Windows PowerShell(TM) 1.0
Windows XP Service Pack 3
WinRAR archiver
WinZip

==== Event Viewer Messages From Past Week ========

10/4/2009 12:53:41 PM, error: Service Control Manager [7034] - The DNS Client service terminated unexpectedly. It has done this 1 time(s).
10/3/2009 8:58:17 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

==== End Of File ===========================

And second
DDS – Notepad

DDS (Ver_09-09-29.01) - NTFSx86
Run by Owner at 20:11:37.23 on Tue 10/06/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.313 [GMT -5:00]

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0OY9PFEI\04vxl0qp[1].exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NS7MS7U9\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.msn.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [LTMSG] LTMSG.exe 7
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [RegKillElbyCheck] "c:\program files\elaborate bytes\dvd region killer\ElbyCheck.exe" /L RegKill
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [3500064608] c:\windows\system32\config\systemprofile\application data\3500064608\3500064608.exe
mRun: [tifolonuf] Rundll32.exe "c:\windows\system32\nokanoza.dll",a
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\imon.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5669/mcfscan.cab
DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_2/PhotoCenter_ActiveX_Control.cab
Filter: text/html - {c6dc691e-f640-4a4b-8fa7-e43de4e24d44} -
AppInit_DLLs: c:\windows\system32\vakibefa.dll dugabise.dll c:\windows\system32\nokanoza.dll
SSODL: dasuwepub - {a32e97d1-1a3a-4048-839c-73c9d97fc605} - c:\windows\system32\vakibefa.dll
SSODL: funokivoy - {ea540f1b-ddb8-4341-8f3a-1a8cc4fbd302} - c:\windows\system32\nokanoza.dll
STS: tokatiluy: {a32e97d1-1a3a-4048-839c-73c9d97fc605} - c:\windows\system32\vakibefa.dll
STS: mujuzedij: {c04d2cd2-62b2-4dd8-bbdc-3e00dd1a7f24} - c:\windows\system32\mesekaho.dll
STS: kupuhivus: {ea540f1b-ddb8-4341-8f3a-1a8cc4fbd302} - c:\windows\system32\nokanoza.dll
LSA: Notification Packages = scecli zurupadu.dll

============= SERVICES / DRIVERS ===============

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2009-6-30 15424]
R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2009-6-30 549256]
R3 RegKill;RegKill;c:\windows\system32\drivers\RegKill.sys [2002-3-9 6144]

=============== Created Last 30 ================

2009-10-05 22:52 250 a------- c:\windows\gmer.ini
2009-10-05 21:25 153 a------- c:\windows\wininit.ini
2009-10-04 23:46 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-10-04 21:57 752 a------- c:\windows\system32\drivers\kgpcpy.cfg
2009-10-04 21:14 <DIR> --d----- c:\windows\pss
2009-10-04 14:27 <DIR> --d----- c:\windows\system32\NtmsData
2009-10-04 12:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-10-04 12:52 <DIR> --d----- c:\program files\common files\iS3
2009-10-04 12:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-10-04 11:25 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-10-04 10:52 7,168 a--sh--- c:\windows\Thumbs.db
2009-10-04 10:16 199,680 a------- C:\hufa.exe
2009-10-01 18:00 664 a------- c:\windows\system32\d3d9caps.dat
2009-10-01 08:59 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-10-01 08:59 26,600 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-10-01 08:58 <DIR> --d----- c:\program files\iPod
2009-10-01 08:57 <DIR> --d----- c:\program files\iTunes
2009-10-01 08:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-01 08:55 2,065,696 a------- c:\windows\system32\usbaaplrc.dll
2009-10-01 08:55 40,448 a------- c:\windows\system32\drivers\usbaapl.sys
2009-09-27 15:23 <DIR> --d----- c:\program files\common files\xing shared
2009-09-26 22:49 <DIR> --d----- c:\program files\common files\Real
2009-09-09 18:53 153,088 -c------ c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-10-04 21:16 87,608 a------- c:\docume~1\owner\applic~1\inst.exe
2009-10-04 21:16 47,360 a------- c:\docume~1\owner\applic~1\pcouffin.sys
2009-09-26 22:49 499,712 a------- c:\windows\system32\msvcp71.dll
2009-09-26 22:49 348,160 a------- c:\windows\system32\msvcr71.dll
2009-08-20 18:13 51,012 a---h--- c:\windows\system32\mlfcache.dat
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-28 23:37 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-28 23:37 81,920 a------- c:\windows\system32\fontsub.dll
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-12 12:21 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-07-05 21:25 1,048,611 a--sh--- c:\windows\system32\jolefayu.exe
2009-07-04 21:45 1,048,611 a--sh--- c:\windows\system32\jubevuto.exe
2009-07-03 09:24 1,048,611 a--sh--- c:\windows\system32\kanolalo.exe
2009-07-03 09:24 26,624 a--sh--- c:\windows\system32\nezovefo.dll
2009-07-05 21:25 88,064 a--sh--- c:\windows\system32\nokanoza.dll
2009-07-05 21:25 36,864 a--sh--- c:\windows\system32\rilalelu.dll
2009-07-03 21:23 1,048,099 a--sh--- c:\windows\system32\sipaneya.exe
2009-07-05 09:45 1,048,099 a--sh--- c:\windows\system32\tuvikize.exe
2009-07-04 09:23 1,048,099 a--sh--- c:\windows\system32\vorosuka.exe

============= FINISH: 20:14:03.79 ===============

[Ried]

Hi Nela09, I'm glad you found your way to the forum.

Let's get started. Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal.


====================================================


Double click on combofix.exe & follow the prompts.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

[Nela09]

Hi Ried :)
I'm glad that I found the way to forum:)
I have one question - before I download ComboFix should I disable my NOD32 and Spybot?

[Ried]

Hi. :)

Disable them after you download ComboFix.

[Nela09]

I hardly opened only first link but at the end of downloading I got two dilagox box like Warning which combofix websites are fake and second that I can't rename combofix into Combofix1 even if I didn't try to do that. I think something cut down downloading.

[Ried]

Do you still have the old ComboFix.exe on your desktop? If so, delete it first, then try to download it again.

If you're still getting that error message, try again to download it but when the Save box comes up, rename Combofix to nela09 before saving it to your desktop.

[Nela09]

Hi Ried,

I don’t have ComboFix from earlier usage.

I tried last nihgt and this eveining to download ComboFix and in the beginning everything looks fine, I’m getting dialog box and it seems like downloading is going well. At the end I hear two beeps and then I got two boxes.

First has name ‘DISCLAIMER OF WARRANTY ON SOFTWARE’ and this is the text:

The following webisites are not in any way affiliated to ComboFix:
http://www.combofix.org
http://www.combofixdownoald.com/
If you have purchased anything from them, I suggest you instruct your financiers to cancel the transaction. (I must say that I didn’t buy anything from them, but since I bought used computer I wonder did previous owner did that).
……………………………
A guide on proper ComboFix usage may be found at: http://bleepingcomputer.com/combofix...o-use-combofix
ComboFiz is meant for private use. If should never be used in an unsupervised environment. If infection are found, it will automatically reboot the machine to complete the removal process. Please ensure all opened windows are closed before proceeding.
This software is provided ‘as is’, without warranty of any kind. All implied warranties are expressly disclaimed. If you don’t agree to the above terms, please click No to exit.
(I clicked every time Yes and then after that nothing happened!)
…………………………………………………………………………………………………..



Second dialog I’m getting every time I tried to download ComboFix is this:
“You cannot rename ComboFix as ComboFix1. Please use another name, preferably made up of alphanumeric characters.“
………………………………………………………………….

This is all I got from ComboFix – nothing else. I check my Desktop (through Start menu) and I don’t have ComboFix. Also I used Search and I didn’t find ComboFix.
So I pretty much puzzled and don’t what to do now.
Thank you very, very much again:)

[Ried]

On your keyboard, press the key that has the Windows flag symbol on it, and the letter E (press both keys at the same time) to bring up Windows Explorer.

Double click on the C:\ drive

Do you see a ComboFix folder there? (the folders are listed alphabetically)

[Nela09]

I did what you said but unfortunatelly there is no ComboFix:(

[Ried]

Ah! I think I know what is happening.

You still have ComboFix on your desktop, correct?

When you get to this part:

Quote:

This software is provided ‘as is’, without warranty of any kind. All implied warranties are expressly disclaimed. If you don’t agree to the above terms, please click No to exit.
(I clicked every time Yes and then after that nothing happened!)

Only click Yes one time, then wait. It may take a while for ComboFix to start, but it shouldn't take more than a couple of minutes.

[Nela09]

I'm gonna try that, but I think I already did exactly that.
And unfortunatelly I don't have ComboFix anywhere!
That is strange - I don't have it at my computer, but something prevent me to install/download new ComboFix!

[Ried]

Okay, turn off Nod32 and Spybot and try again to download it.

[Nela09]

I did everything - moved completelly NOD32 and Spybot (I can't only delete it from C:\Program Files) and then try to download ComboFix, but got again the same - first box ‘DISCLAIMER OF WARRANTY ON SOFTWARE’. I clicked Yes, but after a while I got the same second dialog box: “You cannot rename ComboFix as ComboFix1. Please use another name, preferably made up of alphanumeric characters.“

[Ried]

Is ComboFix.exe on your desktop?

[Nela09]

No, there is not!

[Ried]

Click one of the links I gave for downloading ComboFix. You should see a box pop open that says Save or Run. Click Save.

Once you click 'Save', another box will open for you. Look to the top and you'll see 'Save in'. Make sure that says 'Desktop'. If it doesn't, click the little arrow toward the right of that line and a drop down box should appear. Double click 'Desktop'.

At the bottom right of that box, click 'Save' and it should be on your desktop.

Once it is on your desktop, double click to run it and okay all the prompts.

Post the ComboFix.txt when it has finished.

[Nela09]

OMG - you are genius!
I did everything you said and FINALLY I downolad ComboFix.
I got this (and yes I have already my icons and Google:)


ComboFix 09-10-06.04 - Owner 10/07/2009 22:24.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.730 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\inst.exe
c:\program files\Shared\_lib.dll
c:\program files\Shared\_lib.sig
c:\program files\Shared\lib.dll
c:\program files\Shared\lib.sig
c:\windows\system32\nezovefo.dll
c:\windows\system32\nokanoza.dll
c:\windows\system32\rilalelu.dll

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Kitty ate it :)
.
((((((((((((((((((((((((( Files Created from 2009-09-08 to 2009-10-08 )))))))))))))))))))))))))))))))
.

2009-10-06 03:09 . 2009-10-06 03:09 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-10-06 02:26 . 2009-10-06 02:26 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\3500064608
2009-10-05 14:45 . 2009-10-06 23:39 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\9030391011
2009-10-05 14:45 . 2009-10-05 14:45 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
2009-10-05 04:46 . 2009-10-08 03:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-05 03:52 . 2009-10-05 03:52 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Help
2009-10-05 02:46 . 2009-10-06 23:39 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\5171715743
2009-10-04 19:27 . 2009-10-04 20:05 -------- d-----w- c:\windows\system32\NtmsData
2009-10-04 17:54 . 2009-10-04 17:54 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-10-04 17:52 . 2009-10-04 17:52 -------- d-----w- c:\program files\Common Files\iS3
2009-10-04 17:52 . 2009-10-05 03:01 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-10-04 16:25 . 2009-10-04 16:26 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-10-04 15:16 . 2009-10-04 15:16 199680 ----a-w- C:\hufa.exe
2009-10-03 22:49 . 2009-10-03 22:49 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-01 23:00 . 2009-10-01 23:02 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-01 13:59 . 2009-10-03 23:53 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2009-10-01 13:59 . 2009-05-18 19:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-10-01 13:59 . 2008-04-17 18:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-10-01 13:58 . 2009-10-01 13:58 -------- d-----w- c:\program files\iPod
2009-10-01 13:57 . 2009-10-01 13:59 -------- d-----w- c:\program files\iTunes
2009-10-01 13:57 . 2009-10-01 13:59 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-01 13:56 . 2009-10-01 13:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-10-01 13:56 . 2009-10-01 13:56 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Apple
2009-10-01 13:56 . 2009-10-01 13:56 -------- d-----w- c:\program files\Apple Software Update
2009-10-01 13:55 . 2009-08-29 00:42 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-10-01 13:55 . 2009-08-29 00:42 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-10-01 13:55 . 2009-10-01 13:58 -------- d-----w- c:\program files\Common Files\Apple
2009-10-01 13:55 . 2009-10-01 13:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-10-01 13:53 . 2009-10-03 01:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Apple Computer
2009-09-29 04:30 . 2009-09-29 04:30 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
2009-09-27 20:43 . 2009-09-27 20:43 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Real
2009-09-27 20:33 . 2009-10-03 18:33 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp
2009-09-27 20:33 . 2009-09-27 20:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-09-27 20:23 . 2009-09-27 20:23 -------- d-----w- c:\program files\Common Files\xing shared
2009-09-27 20:22 . 2009-09-27 20:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-09-27 03:49 . 2009-09-27 03:49 -------- d-----w- c:\program files\Real
2009-09-27 03:49 . 2009-09-27 20:24 -------- d-----w- c:\program files\Common Files\Real
2009-09-09 23:53 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-08 03:27 . 2009-09-02 23:55 -------- d-----w- c:\program files\Shared
2009-10-08 02:39 . 2009-06-30 18:03 -------- d-----w- c:\program files\ESET
2009-10-08 01:24 . 2009-06-30 17:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-05 04:41 . 2009-06-30 15:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-05 02:58 . 2009-10-05 02:57 752 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-10-05 02:16 . 2009-06-30 18:44 -------- d-----w- c:\program files\DVDFab 5
2009-10-05 02:16 . 2009-06-30 18:44 -------- d-----w- c:\documents and settings\Owner\Application Data\Vso
2009-10-05 02:16 . 2009-06-30 18:44 47360 ----a-w- c:\documents and settings\Owner\Application Data\pcouffin.sys
2009-10-03 22:56 . 2009-06-30 19:35 -------- d-----w- c:\program files\OpenOffice.org 3
2009-10-03 22:52 . 2009-06-30 17:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-03 22:50 . 2009-08-29 23:49 -------- d-----w- c:\program files\Advanced Registry Optimizer
2009-10-03 22:45 . 2009-07-02 05:53 -------- d-----w- c:\program files\Google
2009-10-03 01:58 . 2009-07-13 00:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-01 14:03 . 2009-07-01 01:43 53560 ------w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-29 04:29 . 2009-07-13 00:07 -------- d-----w- c:\program files\Microsoft Works
2009-09-27 03:49 . 2009-06-04 11:37 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-09-27 03:49 . 2009-06-04 11:37 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-09-15 02:45 . 2009-06-30 19:24 -------- d-----w- c:\program files\Quick View Plus
2009-09-03 01:10 . 2009-09-03 01:10 0 ----a-w- c:\windows\nsreg.dat
2009-08-20 23:13 . 2009-08-20 23:13 51012 ---ha-w- c:\windows\system32\mlfcache.dat
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 17:21 . 2004-08-04 12:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-06 02:25 . 2009-07-06 02:25 1048611 --sha-w- c:\windows\system32\jolefayu.exe
2009-07-05 02:45 . 2009-07-05 02:45 1048611 --sha-w- c:\windows\system32\jubevuto.exe
2009-07-03 14:24 . 2009-07-03 14:24 1048611 --sha-w- c:\windows\system32\kanolalo.exe
2009-07-04 02:23 . 2009-07-04 02:23 1048099 --sha-w- c:\windows\system32\sipaneya.exe
2009-07-05 14:45 . 2009-07-05 14:45 1048099 --sha-w- c:\windows\system32\tuvikize.exe
2009-07-04 14:23 . 2009-07-04 14:23 1048099 --sha-w- c:\windows\system32\vorosuka.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-24 1840424]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-27 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"RegKillElbyCheck"="c:\program files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" [2001-12-06 45056]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-06-19 570664]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-06-08 2221352]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-27 198160]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"LTMSG"="LTMSG.exe" - c:\windows\ltmsg.exe [2003-07-14 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Nero BackItUp Scheduler 3"=2 (0x2)
"idsvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\wbem\\unsecapp.exe"=
"c:\\Program Files\\Adobe\\Acrobat 6.0\\Reader\\AcroRd32.exe"=
"c:\\Program Files\\Common Files\\Nero\\Lib\\NMIndexStoreSvr.exe"=

R3 RegKill;RegKill;c:\windows\system32\drivers\RegKill.sys [3/9/2002 10:37 PM 6144]
.
Contents of the 'Scheduled Tasks' folder

2009-10-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_2/PhotoCenter_ActiveX_Control.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-tifolonuf - c:\windows\system32\nokanoza.dll
SharedTaskScheduler-{a32e97d1-1a3a-4048-839c-73c9d97fc605} - c:\windows\system32\vakibefa.dll
SharedTaskScheduler-{c04d2cd2-62b2-4dd8-bbdc-3e00dd1a7f24} - c:\windows\system32\mesekaho.dll
SharedTaskScheduler-{ea540f1b-ddb8-4341-8f3a-1a8cc4fbd302} - c:\windows\system32\nokanoza.dll
SSODL-dasuwepub-{a32e97d1-1a3a-4048-839c-73c9d97fc605} - c:\windows\system32\vakibefa.dll
SSODL-funokivoy-{ea540f1b-ddb8-4341-8f3a-1a8cc4fbd302} - c:\windows\system32\nokanoza.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-07 22:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3204)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-10-08 22:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-08 03:32

Pre-Run: 289,525,354,496 bytes free
Post-Run: 289,793,916,928 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

189 --- E O F --- 2009-09-29 12:11

[Ried]

Wonderful!

We still have more to take care of. I've created the CFScript.txt for you. Click this link --> http://www.techsupportforum.com/atta...1&d=1254973445 and same as you did to get ComboFix to your desktop, do the same to Save the cfscript.txt to your desktop.

Once the cfscript.txt is on your desktop...




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt. Post that log in your next reply.


--------------------------------------------------------------------

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course:

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:

• Close any open programs
• Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

• Click Run at the Security prompt.
• The program will then begin downloading and installing and will also update the database.
• Please be patient as this can take several minutes.
• Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
• Click the Save Report As... button.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
Update on system behavior

[Nela09]

Great!
Thanks again!
I'm sending you first ComboFix.txt.
I download Kaspersky and scanning is in progres now. The process is pretty slow and since here is already midnight I will live it to finish everything during the night and send the rest tomorrow.

So first ComboFix.txt

I got this box first - cfscript
File::
C:\hufa.exe
c:\windows\system32\jolefayu.exe
c:\windows\system32\jubevuto.exe
c:\windows\system32\kanolalo.exe
c:\windows\system32\sipaneya.exe
c:\windows\system32\tuvikize.exe
c:\windows\system32\vorosuka.exe

…………………………………………………………………………………

And now C:\ComboFix.txt


ComboFix 09-10-06.04 - Owner 10/07/2009 23:00.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.652 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\cfscript.txt

FILE ::
"C:\hufa.exe"
"c:\windows\system32\jolefayu.exe"
"c:\windows\system32\jubevuto.exe"
"c:\windows\system32\kanolalo.exe"
"c:\windows\system32\sipaneya.exe"
"c:\windows\system32\tuvikize.exe"
"c:\windows\system32\vorosuka.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\hufa.exe
c:\program files\Shared
c:\windows\system32\jolefayu.exe
c:\windows\system32\jubevuto.exe
c:\windows\system32\kanolalo.exe
c:\windows\system32\sipaneya.exe
c:\windows\system32\tuvikize.exe
c:\windows\system32\vorosuka.exe

.
((((((((((((((((((((((((( Files Created from 2009-09-08 to 2009-10-08 )))))))))))))))))))))))))))))))
.

2009-10-06 03:09 . 2009-10-06 03:09 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-10-06 02:26 . 2009-10-06 02:26 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\3500064608
2009-10-05 14:45 . 2009-10-06 23:39 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\9030391011
2009-10-05 14:45 . 2009-10-05 14:45 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
2009-10-05 04:46 . 2009-10-08 03:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-05 03:52 . 2009-10-05 03:52 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Help
2009-10-05 02:46 . 2009-10-06 23:39 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\5171715743
2009-10-04 19:27 . 2009-10-04 20:05 -------- d-----w- c:\windows\system32\NtmsData
2009-10-04 17:54 . 2009-10-04 17:54 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-10-04 17:52 . 2009-10-04 17:52 -------- d-----w- c:\program files\Common Files\iS3
2009-10-04 17:52 . 2009-10-05 03:01 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-10-04 16:25 . 2009-10-04 16:26 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-10-03 22:49 . 2009-10-03 22:49 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-01 23:00 . 2009-10-01 23:02 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-01 13:59 . 2009-10-03 23:53 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2009-10-01 13:59 . 2009-05-18 19:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-10-01 13:59 . 2008-04-17 18:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-10-01 13:58 . 2009-10-01 13:58 -------- d-----w- c:\program files\iPod
2009-10-01 13:57 . 2009-10-01 13:59 -------- d-----w- c:\program files\iTunes
2009-10-01 13:57 . 2009-10-01 13:59 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-01 13:56 . 2009-10-01 13:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-10-01 13:56 . 2009-10-01 13:56 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Apple
2009-10-01 13:56 . 2009-10-01 13:56 -------- d-----w- c:\program files\Apple Software Update
2009-10-01 13:55 . 2009-08-29 00:42 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-10-01 13:55 . 2009-08-29 00:42 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-10-01 13:55 . 2009-10-01 13:58 -------- d-----w- c:\program files\Common Files\Apple
2009-10-01 13:55 . 2009-10-01 13:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-10-01 13:53 . 2009-10-03 01:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Apple Computer
2009-09-29 04:30 . 2009-09-29 04:30 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
2009-09-27 20:43 . 2009-09-27 20:43 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Real
2009-09-27 20:33 . 2009-10-03 18:33 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp
2009-09-27 20:33 . 2009-09-27 20:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-09-27 20:23 . 2009-09-27 20:23 -------- d-----w- c:\program files\Common Files\xing shared
2009-09-27 20:22 . 2009-09-27 20:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-09-27 03:49 . 2009-09-27 03:49 -------- d-----w- c:\program files\Real
2009-09-27 03:49 . 2009-09-27 20:24 -------- d-----w- c:\program files\Common Files\Real
2009-09-09 23:53 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-08 02:39 . 2009-06-30 18:03 -------- d-----w- c:\program files\ESET
2009-10-08 01:24 . 2009-06-30 17:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-05 04:41 . 2009-06-30 15:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-05 02:58 . 2009-10-05 02:57 752 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-10-05 02:16 . 2009-06-30 18:44 -------- d-----w- c:\program files\DVDFab 5
2009-10-05 02:16 . 2009-06-30 18:44 -------- d-----w- c:\documents and settings\Owner\Application Data\Vso
2009-10-05 02:16 . 2009-06-30 18:44 47360 ----a-w- c:\documents and settings\Owner\Application Data\pcouffin.sys
2009-10-03 22:56 . 2009-06-30 19:35 -------- d-----w- c:\program files\OpenOffice.org 3
2009-10-03 22:52 . 2009-06-30 17:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-03 22:50 . 2009-08-29 23:49 -------- d-----w- c:\program files\Advanced Registry Optimizer
2009-10-03 22:45 . 2009-07-02 05:53 -------- d-----w- c:\program files\Google
2009-10-03 01:58 . 2009-07-13 00:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-01 14:03 . 2009-07-01 01:43 53560 ------w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-29 04:29 . 2009-07-13 00:07 -------- d-----w- c:\program files\Microsoft Works
2009-09-27 03:49 . 2009-06-04 11:37 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-09-27 03:49 . 2009-06-04 11:37 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-09-15 02:45 . 2009-06-30 19:24 -------- d-----w- c:\program files\Quick View Plus
2009-09-03 01:10 . 2009-09-03 01:10 0 ----a-w- c:\windows\nsreg.dat
2009-08-20 23:13 . 2009-08-20 23:13 51012 ---ha-w- c:\windows\system32\mlfcache.dat
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 17:21 . 2004-08-04 12:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-24 1840424]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-27 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"RegKillElbyCheck"="c:\program files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" [2001-12-06 45056]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-06-19 570664]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-06-08 2221352]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-27 198160]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"LTMSG"="LTMSG.exe" - c:\windows\ltmsg.exe [2003-07-14 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Nero BackItUp Scheduler 3"=2 (0x2)
"idsvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\wbem\\unsecapp.exe"=
"c:\\Program Files\\Adobe\\Acrobat 6.0\\Reader\\AcroRd32.exe"=
"c:\\Program Files\\Common Files\\Nero\\Lib\\NMIndexStoreSvr.exe"=

R3 RegKill;RegKill;c:\windows\system32\drivers\RegKill.sys [3/9/2002 10:37 PM 6144]
.
Contents of the 'Scheduled Tasks' folder

2009-10-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_2/PhotoCenter_ActiveX_Control.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-07 23:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-10-08 23:04
ComboFix-quarantined-files.txt 2009-10-08 04:04
ComboFix2.txt 2009-10-08 03:32

Pre-Run: 289,791,954,944 bytes free
Post-Run: 289,793,368,064 bytes free

155 --- E O F --- 2009-09-29 12:11

[Ried]

Well done.

Agreed, let the scan finish overnight and we'll finish tomorrow.