Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Resolved HJT Threads: Resolved spyware and popup issues.
Old 11-21-2009, 09:46 AM   #1 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 8
OS: windows xp


Pop ups and google redirects

I have an Eeepc running windows xp--it is a legal copy, but I have no recovery/installation disk. Malwarebytes detected vundo, among other things, and deleted them. It no longer detects them, but pop ups, redirects, and high cpu usage continues.

Thank you for any help

DDS.txt

DDS (Ver_09-10-26.01) - NTFSx86
Run by Owner at 11:30:57.00 on Sat 11/21/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.575 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\Program Files\Elantech\ETDCtrl.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\ASUS\EeePC\Asus Power Management Utility\Asus Power Management Utility.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://eeepc.asus.com/global
mWinlogon: Userinit=c:\windows\system32\userinit.exe,userinit.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [ETDWare] c:\program files\elantech\ETDCtrl.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Lexmark 1200 Series] "c:\program files\lexmark 1200 series\lxczbmgr.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\asuspo~1.lnk - c:\program files\asus\eeepc\asus power management utility\Asus Power Management Utility.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: dezifamu.dll c:\windows\system32\jemitawa.dll c:\windows\system32\boserote.dll
STS: {7125c5ce-c251-4d12-b0aa-e2fa697d965b} - No File
LSA: Notification Packages = scecli veyevida.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\nhviimyo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\nhviimyo.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\drivers\ASUSACPI.SYS [2009-3-8 10752]
R3 Ktp;Elantech Smart-Pad;c:\windows\system32\drivers\ETD.sys [2009-2-23 93696]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [2008-11-4 38400]
R3 rtl8187Se;Realtek RTL8187SE Wireless LAN PCIE Network Adapter;c:\windows\system32\drivers\rtl8187Se.sys [2009-3-8 306176]

=============== Created Last 30 ================

2009-11-14 20:56:54 268 ---ha-w- C:\sqmdata19.sqm
2009-11-14 20:56:54 244 ---ha-w- C:\sqmnoopt19.sqm
2009-11-14 16:55:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-14 16:55:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-14 16:55:47 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-14 16:45:19 268 ---ha-w- C:\sqmdata18.sqm
2009-11-14 16:45:19 244 ---ha-w- C:\sqmnoopt18.sqm
2009-11-14 15:39:50 268 ---ha-w- C:\sqmdata17.sqm
2009-11-14 15:39:49 244 ---ha-w- C:\sqmnoopt17.sqm
2009-11-14 01:10:55 268 ---ha-w- C:\sqmdata16.sqm
2009-11-14 01:10:54 244 ---ha-w- C:\sqmnoopt16.sqm
2009-11-13 17:53:15 268 ---ha-w- C:\sqmdata15.sqm
2009-11-13 17:53:15 244 ---ha-w- C:\sqmnoopt15.sqm
2009-11-13 0728 268 ---ha-w- C:\sqmdata14.sqm
2009-11-13 0728 244 ---ha-w- C:\sqmnoopt14.sqm
2009-11-13 03:36:39 268 ---ha-w- C:\sqmdata13.sqm
2009-11-13 03:36:39 244 ---ha-w- C:\sqmnoopt13.sqm
2009-11-13 02:09:57 0 d-----w- c:\windows\pss
2009-11-13 01:18:38 268 ---ha-w- C:\sqmdata12.sqm
2009-11-13 01:18:38 244 ---ha-w- C:\sqmnoopt12.sqm
2009-11-13 00:46:11 268 ---ha-w- C:\sqmdata11.sqm
2009-11-13 00:46:11 244 ---ha-w- C:\sqmnoopt11.sqm
2009-11-12 04:18:27 268 ---ha-w- C:\sqmdata10.sqm
2009-11-12 04:18:27 244 ---ha-w- C:\sqmnoopt10.sqm
2009-11-12 04:11:17 0 d-----w- c:\windows\system32\LogFiles
2009-11-12 04:03:43 268 ---ha-w- C:\sqmdata09.sqm
2009-11-12 04:03:43 244 ---ha-w- C:\sqmnoopt09.sqm
2009-11-12 03:56:35 268 ---ha-w- C:\sqmdata08.sqm
2009-11-12 03:56:35 244 ---ha-w- C:\sqmnoopt08.sqm
2009-11-12 02:57:46 268 ---ha-w- C:\sqmdata07.sqm
2009-11-12 02:57:46 244 ---ha-w- C:\sqmnoopt07.sqm
2009-11-12 02:47:23 268 ---ha-w- C:\sqmdata06.sqm
2009-11-12 02:47:23 244 ---ha-w- C:\sqmnoopt06.sqm
2009-11-12 02:37:22 268 ---ha-w- C:\sqmdata05.sqm
2009-11-12 02:37:22 244 ---ha-w- C:\sqmnoopt05.sqm
2009-11-12 02:23:14 268 ---ha-w- C:\sqmdata04.sqm
2009-11-12 02:23:14 244 ---ha-w- C:\sqmnoopt04.sqm
2009-11-12 02:09:14 268 ---ha-w- C:\sqmdata03.sqm
2009-11-12 02:09:14 244 ---ha-w- C:\sqmnoopt03.sqm
2009-11-12 0230 212 ----a-w- c:\windows\wininit.ini
2009-11-11 22:21:01 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-11 22:21:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-11-11 21:56:05 268 ---ha-w- C:\sqmdata02.sqm
2009-11-11 21:56:05 244 ---ha-w- C:\sqmnoopt02.sqm
2009-11-11 20:58:22 499712 ----a-w- c:\windows\system32\MSVCP71.dll
2009-11-11 20:58:22 348160 ----a-w- c:\windows\system32\MSVCR71.dll
2009-11-11 20:58:22 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-11-11 16:41:07 268 ---ha-w- C:\sqmdata01.sqm
2009-11-11 16:41:07 244 ---ha-w- C:\sqmnoopt01.sqm
2009-11-11 16:39:25 0 d-----w- C:\WINSSLog
2009-11-11 16:07:22 211 ----a-w- C:\boot.ini.save
2009-11-11 09:51:06 0 d-----w- c:\program files\1234
2009-11-11 09:41:05 0 d--h--w- c:\windows\PIF
2009-11-11 03:53:56 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-10 01:08:10 0 dc-h--w- c:\windows\ie8

==================== Find3M ====================

2009-11-20 19:03:05 6894 ----a-w- c:\docume~1\owner\applic~1\wklnhst.dat
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2008-05-07 08:34:00 15523560 ----a-w- c:\program files\U1 Setup.exe

============= FINISH: 11:33:22.31 ===============
Attached Files
File Type: zip ark.zip (2.6 KB, 3 views)
ddouglas is offline  
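The DDS log above shows the two persistence points that drive this thread: AppInit_DLLs populated with random-named DLLs and an extra DLL in LSA Notification Packages. The Python below is an added triage example, not part of the thread or of the DDS tool; it parses constructed lines mirroring that section and reports them, and goes a little beyond the analyst's discussion by also checking Winlogon Userinit, the EnableLUA policy and orphaned SharedTaskScheduler entries.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log for hijacked
persistence points. Added example: not part of the thread or of DDS."""
import re
from typing import List, Tuple

# (severity, location, detail)
Finding = Tuple[str, str, str]

# Constructed sample mirroring the lines of interest in the posted DDS log.
SAMPLE_DDS = """\
uStart Page = hxxp://eeepc.asus.com/global
mWinlogon: Userinit=c:\\windows\\system32\\userinit.exe,userinit.exe,
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
mPolicies-system: EnableLUA = 0 (0x0)
AppInit_DLLs: dezifamu.dll c:\\windows\\system32\\jemitawa.dll c:\\windows\\system32\\boserote.dll
STS: {7125c5ce-c251-4d12-b0aa-e2fa697d965b} - No File
LSA: Notification Packages = scecli veyevida.dll
"""

# The only package a stock Windows XP registers under LSA\Notification Packages.
KNOWN_LSA_PACKAGES = {"scecli"}
# Userinit on a clean XP install, as DDS prints it (lower-cased, trailing comma dropped).
DEFAULT_USERINIT = "c:\\windows\\system32\\userinit.exe"


def check_appinit(value: str) -> List[Finding]:
    """AppInit_DLLs is empty on a clean XP. Every DLL listed is loaded into
    every process that links user32.dll, so each entry is a finding."""
    return [("high", "AppInit_DLLs", dll) for dll in value.split()]


def check_lsa(value: str) -> List[Finding]:
    """Anything beyond the stock package is loaded by lsass.exe at boot and is
    notified of password changes, which is why a random-named DLL here (as in
    the posted log) is a high-confidence finding."""
    return [("high", "LSA Notification Packages", pkg)
            for pkg in value.split() if pkg.lower() not in KNOWN_LSA_PACKAGES]


def check_userinit(value: str) -> List[Finding]:
    """Userinit runs at every logon; a replaced first entry is a hijack, and
    extra comma-separated entries deserve a manual look."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    findings: List[Finding] = []
    if not parts or parts[0].lower() != DEFAULT_USERINIT:
        findings.append(("high", "Winlogon Userinit", value))
    for extra in parts[1:]:
        findings.append(("review", "Winlogon Userinit extra entry", extra))
    return findings


def triage(text: str) -> List[Finding]:
    """Walk the pseudo-HJT lines and collect the findings of each check."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("AppInit_DLLs:"):
            findings += check_appinit(line.split(":", 1)[1])
        elif line.startswith("LSA: Notification Packages"):
            findings += check_lsa(line.split("=", 1)[1])
        elif line.startswith("mWinlogon: Userinit="):
            findings += check_userinit(line.split("=", 1)[1])
        elif re.match(r"mPolicies-system: EnableLUA = 0\b", line):
            # A Vista-era policy key forced to 0 on XP is a common malware side effect.
            findings.append(("low", "EnableLUA", "UAC policy forced off"))
        elif line.startswith("STS:") and line.endswith("- No File"):
            # SharedTaskScheduler CLSID whose DLL is gone: leftover of a removed infection.
            findings.append(("low", "SharedTaskScheduler orphan", line.split()[1]))
    return findings


if __name__ == "__main__":
    for severity, where, detail in triage(SAMPLE_DDS):
        print(f"[{severity:6}] {where}: {detail}")
```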

Old 11-22-2009, 02:13 AM   #2 (permalink)
Analyst, Security Team
 
sjb007
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,879
OS: Windows 7 Premium x64


Re: Pop ups and google redirects

Howdy there and welcome to TSF Forums

I'm Steve and I will be helping you throughout this fix.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step. Please perform everything in the correct order/sequence.

Vista users, please make sure you run all commands with administrator rights (right click icon - run as administrator)

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription

Please note that the forum is very busy and if I don't hear from you within three days from this initial posting then the thread will be closed.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE
Alliance Security Analysis professionals
Unified Network Instructors & Trained Eliminators
sjb007 is offline  
Old 11-22-2009, 02:32 PM   #3 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 8
OS: windows xp


Re: Pop ups and google redirects

Steve,

Thanks so much. I have attached the combofix text report.


ComboFix 09-11-22.02 - Owner 11/22/2009 17:13.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.768 [GMT -5:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-839522115-562591055-842925246-1003

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-10-22 to 2009-11-22 )))))))))))))))))))))))))))))))
.

2009-11-14 16:55 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-14 16:55 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-14 16:55 . 2009-11-14 16:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-12 04:11 . 2009-11-12 04:11 -------- d-----w- c:\windows\system32\LogFiles
2009-11-11 22:21 . 2009-11-12 02:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-11 22:21 . 2009-11-12 02:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-11 20:58 . 2003-03-18 22:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-11-11 20:58 . 2003-03-18 21:14 499712 ----a-w- c:\windows\system32\MSVCP71.dll
2009-11-11 20:58 . 2003-02-21 04:42 348160 ----a-w- c:\windows\system32\MSVCR71.dll
2009-11-11 20:58 . 2009-11-11 20:58 -------- d-----w- c:\program files\Alwil Software
2009-11-11 16:39 . 2009-11-11 16:40 -------- d-----w- C:\WINSSLog
2009-11-11 09:51 . 2009-11-11 17:53 -------- d-----w- c:\program files\1234
2009-11-11 09:41 . 2009-11-11 15:26 -------- d--h--w- c:\windows\PIF
2009-11-11 03:53 . 2009-11-03 01:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-10 01:45 . 2009-11-10 01:45 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-10 01:08 . 2009-11-10 01:09 -------- dc-h--w- c:\windows\ie8
2009-11-05 06:40 . 2009-11-05 06:40 -------- d-sh--w- c:\documents and settings\Default User\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-20 19:03 . 2009-05-24 03:07 6894 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat
2009-11-13 00:40 . 2009-05-24 12:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-11 14:18 . 2008-08-01 16:37 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2008-08-01 16:37 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2008-08-01 16:37 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 16:02 . 2009-03-08 07:33 60080 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 08:00 . 2008-08-01 16:37 247326 ----a-w- c:\windows\system32\strmdll.dll
2008-05-07 08:34 . 2009-03-08 06:49 15523560 ----a-w- c:\program files\U1 Setup.exe
2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\eventlog.dll

c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-24 104984]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-24 121368]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-24 100888]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2008-12-04 114688]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2008-12-18 622592]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2008-05-21 94208]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2009-01-23 416768]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"Lexmark 1200 Series"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2006-07-13 57344]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-03-06 16858112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Asus Power Management Utility.lnk - c:\program files\ASUS\EeePC\Asus Power Management Utility\Asus Power Management Utility.exe [2009-3-8 294912]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=

R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\drivers\ASUSACPI.SYS [3/8/2009 1:45 AM 10752]
R3 Ktp;Elantech Smart-Pad;c:\windows\system32\drivers\ETD.sys [2/23/2009 12:09 AM 93696]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [11/4/2008 1:23 AM 38400]
R3 rtl8187Se;Realtek RTL8187SE Wireless LAN PCIE Network Adapter;c:\windows\system32\drivers\rtl8187Se.sys [3/8/2009 1:45 AM 306176]
.
Contents of the 'Scheduled Tasks' folder

2009-11-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://eeepc.asus.com/global
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nhviimyo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nhviimyo.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{7125c5ce-c251-4d12-b0aa-e2fa697d965b} - (no file)
SafeBoot-MsMpSvc
SafeBoot-OneCareMP



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-22 17:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2308)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Lexmark 1200 Series\lxczbmon.exe
c:\windows\system32\igfxext.exe
.
**************************************************************************
.
Completion time: 2009-11-22 17:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-22 22:26

Pre-Run: 143,702,327,296 bytes free
Post-Run: 143,701,585,920 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - B59287EA4324A2E9F865ECFFDB5DEE3B
Attached Files
File Type: txt log.txt (9.3 KB, 2 views)
ddouglas is offline  
Old 11-23-2009, 12:21 AM   #4 (permalink)
Analyst, Security Team
 
sjb007
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,879
OS: Windows 7 Premium x64


Re: Pop ups and google redirects

Hi there

I want you to create and run a batch file for me...

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Quote:
DIR /A/S/B c:\windows\system32\eventlog.dl* >Logit.txt
Save this as search.bat. Choose "Save type as - All Files".
It should look like this:
Double click on search.bat & allow it to run

Post back with the log it provides

------------------------------------------------

I notice that you have Malwarebytes Antimalware (MBAM) installed
I want you to run a scan for me..
First I want you to update MBAM so we have the latest definitions onboard
Please open Malwarebytes Antimalware
Now click on the update tab
Next - Click on the Check for updates button
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

------------------------------------------------

Post back in your next post with:

The batch file results
The MBAM log
sjb007 is offline  
Old 11-23-2009, 06:23 PM   #5 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 8
OS: windows xp


Re: Pop ups and google redirects

Steve,

Thanks again. I have attached the mbam results--there was nothing detected.

The search.bat would not run. A window appears for a second then disappears.
Attached Files
File Type: txt mbam-log-2009-11-23 (21-15-44).txt (834 Bytes, 0 views)
ddouglas is offline  
Old 11-24-2009, 12:17 AM   #6 (permalink)
Analyst, Security Team
 
sjb007
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,879
OS: Windows 7 Premium x64


Re: Pop ups and google redirects

Hi there

I see no evidence of an AntiVirus program on your system. This must be resolved. Connecting to the Internet without antivirus protection is a "Welcome" doormat for malware. It can take as little as eight seconds to infect an unprotected computer.

Here are a few very good free Antivirus products which are available: Select one of these, or another of your choice. Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

Install, update definitions, and run a full system scan with the Anti-Virus of your choice.

-------------------------------------------------------

I notice combofix was not saved to the desktop as it should have been. Please delete the version that you have and download a fresh copy of combofix to the desktop from one of the locations below.

Link 1
Link 2

Once done.....

Close any open browsers.

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open notepad and copy/paste the text in the quotebox below into it:

Code:
FCopy::
c:\windows\system32\dllcache\eventlog.dll | c:\windows\system32\eventlog.dll
Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply

-------------------------------------------------------

Lets clear out some system junk.....

1. Download Temp File Cleaner by OldTimer to your desktop, or other location.
2. Save any unsaved work. TFC will close all open application windows.
3. Double-click TFC.exe to run the program.
4. If prompted, click "Yes" to reboot.

Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

-------------------------------------------------------

Perform an online scan with Panda ActiveScan
  • Click on Scan Your PC Now
  • A "pop up" window will appear, or a new tab will open.
  • Click on Register
  • Choose the option you like most, but we recommend the Free Registration.
  • Click on Register
  • Enter your e-mail address, and create a password.
  • Select "I do not want to receive any type of information". (unless you want to receive such information)
  • Click on Send
  • Confirm registration, and continue by entering your user name and password, then click on Enter
  • Select Full Scan, then Click on Scan Now
  • Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  • If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
  • Please ignore the offer to buy the program. Click on Export To
  • Export the log and save it to your desktop.
  • Please post the contents of that log to your reply.
* Turn off the real time scanner of any existing antivirus program while performing the online scan.

Avast users note:

Please do continue with the online scan at Panda if you receive an alert. It is a false positive from Avast because Panda Antivirus does not encrypt its virus database.


-------------------------------------------------------

Post back on your next reply with:

The new combofix log
The log from Panda
An update on how things are running
sjb007 is offline  
Old 11-25-2009, 09:55 AM   #7 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 8
OS: windows xp


Re: Pop ups and google redirects

Steve,

Everything seems to be running great now. Thank you very much.
ddouglas is offline  
Old 11-25-2009, 03:35 PM   #8 (permalink)
Analyst, Security Team
 
sjb007
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,879
OS: Windows 7 Premium x64


Re: Pop ups and google redirects

Hi there ddouglas

I'm glad to hear all is much better. I do advise that you follow through with the last set of instructions and post back with the resulting logs. Although the original symptoms may have disappeared, there may still be leftovers from the infection that need removal.
sjb007 is offline  
Old 11-25-2009, 09:29 PM   #9 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 8
OS: windows xp


Re: Pop ups and google redirects

Steve,

Thanks for all your help. Here are results.

Dave
Attached Files
File Type: txt ActiveScan.txt (7.9 KB, 1 views)
ddouglas is offline  
Old 11-26-2009, 12:58 AM   #10 (permalink)
Analyst, Security Team
 
sjb007
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,879
OS: Windows 7 Premium x64


Re: Pop ups and google redirects

Hi there

The Panda scan looks good, what was found was trapped in system restore which we will flush out at the end of the fix.
I do need to check whether the last run of combofix was successful, as I directed it to replace files. Do you have the last combofix log? You can find this at C:\Combofix.txt
sjb007 is offline  
Old 11-26-2009, 10:09 AM   #11 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 8
OS: windows xp


Re: Pop ups and google redirects

Steve,

Here is the combofix log. Thanks again and happy American Thanksgiving.
Attached Files
File Type: txt ComboFix.txt (8.9 KB, 2 views)
ddouglas is offline  
Old 11-27-2009, 11:53 PM   #12 (permalink)
Analyst, Security Team
 
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,879
OS: Windows 7 Premium x64


Re: Pop ups and google redirects

Hi there

All apologies for any delays in replying; for some reason I missed your reply here.

The file we tried to replace is still showing as missing. I want you to run another script with combofix.

Close any open browsers.

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open notepad and copy/paste the text in the quotebox below into it:

Code:
SkipFix::

FCopy::
c:\windows\system32\dllcache\eventlog.dll | c:\windows\System32\eventlog.dll

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
sjb007 is offline  
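As an added check (example code written for this thread, not the analyst's instructions and not part of ComboFix), the following PowerShell script verifies whether the FCopy step above actually took effect: it confirms that eventlog.dll exists in System32 and that its SHA-256 hash matches the protected copy in dllcache, which is where the CFScript copies it from. The two paths are the ones named in the CFScript; the function names and messages are mine. The hash is computed through .NET rather than Get-FileHash so it also works on the older PowerShell versions that ran on Windows XP.

```powershell
# Added example, not from the thread: check the outcome of the ComboFix FCopy step.
# Assumed paths are the two named in the CFScript above.
param(
    [string]$Target    = "$env:SystemRoot\System32\eventlog.dll",
    [string]$Reference = "$env:SystemRoot\System32\dllcache\eventlog.dll"
)

# SHA-256 of a file as a lowercase hex string, using .NET so it runs on PowerShell 2.0
# (Get-FileHash only arrived in later versions).
function Get-Sha256Hex {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
        $sha.Clear()   # releases the hash object on all .NET versions
    }
    return ([System.BitConverter]::ToString($bytes)).Replace("-", "").ToLower()
}

# Compare the live System32 file against the dllcache copy and report one of four states.
function Test-RestoredFile {
    param([string]$Target, [string]$Reference)

    if (-not (Test-Path -LiteralPath $Reference)) {
        # Nothing to restore from; the file would have to come from original media or sfc.
        return "REFERENCE MISSING: $Reference"
    }
    if (-not (Test-Path -LiteralPath $Target)) {
        # This is the state the analyst saw in the previous log: the copy did not happen.
        return "STILL MISSING: $Target"
    }

    $targetHash    = Get-Sha256Hex -Path $Target
    $referenceHash = Get-Sha256Hex -Path $Reference

    if ($targetHash -eq $referenceHash) {
        return "OK: $Target matches the dllcache copy (sha256 $targetHash)"
    }
    # Same name, different content: either a different version or a modified binary,
    # so the file deserves a closer look before the machine is declared clean.
    return "MISMATCH: $Target sha256 $targetHash differs from dllcache sha256 $referenceHash"
}

Test-RestoredFile -Target $Target -Reference $Reference
```

A hash match does not by itself prove the file is the genuine Microsoft binary (a matching pair could both be wrong), but since dllcache is the Windows File Protection store, a match after the FCopy confirms that the restore the script requested actually completed, which is exactly what the analyst wanted to see in the next log.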
Old 11-29-2009, 10:56 AM   #13 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 8
OS: windows xp


Re: Pop ups and google redirects

Here is the log from today. Thank you.
Attached Files
File Type: txt log1130.txt (11.0 KB, 1 views)
ddouglas is offline  
Old 11-29-2009, 11:43 AM   #14 (permalink)
Analyst, Security Team
 
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,879
OS: Windows 7 Premium x64


Re: Pop ups and google redirects

Hi there ddouglas

Great news! All is looking good logwise. Just a spot of updating left...

Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.
There is a newer version of Adobe Acrobat Reader available.
  • Please go to this link Adobe Acrobat Reader Download Link
  • Click Download
  • On the right, untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts

When the installation is complete go to Add/Remove Programs and uninstall all previous versions.

Now that you appear to be free from malware, let's help you stay that way!

IMPORTANT

The following will uninstall combofix and implement some cleanup procedures as well as reset System Restore points:

Windows XP Users: Click Start > Select Run and copy/paste the following bolded text below into the Run box and click OK:

Windows Vista Users: Press the Windows key and r to bring up the run dialogue, copy and paste the text below into the run box and click OK:


ComboFix /Uninstall


Update windows on a regular basis - If you do not have automatic updates enabled then visit Microsoft's Update Page and update your computer from there.

Update your virus checker on a regular basis - It is no use having a virus checker with out-of-date definitions.
Keep an eye on your firewall. Check what it wants to allow; do not simply allow everything. If there are any processes that you are unsure of, then don't be afraid to ask for advice. For more information on firewalls read this article here

Safer Browsing
Use software such as Web of Trust to help you stay away from unsuspecting sites that have malicious purposes.
Use Spywareblaster to help prevent the installation of unwanted BHO's (Browser Helper Objects)

Use an alternative browser
Other browsers tend to be more secure than IE as they do not make use of ActiveX objects; ActiveX objects can be used by spyware as an infection point on your computer. Safer non-ActiveX browsers include Opera browser and, more recently, Firefox browser.

NB: Please note that although your browser may be more secure without ActiveX, it will not throw a ring of steel around your computer. If you purposely visit sites that are dubious in nature then infection will prevail.

Computer Maintenance
Malware can breed in temporary locations. Use a program such as ccleaner slim to clear out temporary files on your computer on a regular basis.

Scan your computer regularly for malware
Scan on a regular basis to keep your computer clean; free software such as Spybot's Search & Destroy can help you stay clear. Other alternative software that runs under licence and monitors your computer continuously in the background for malware is Malwarebytes Anti-Malware (MBAM) and SUPERAntiSpyware. Please note that these products can also be run free, without a licence, as on-demand scanners.

Secure your router
Change your router's default username and password; do not leave it at the factory preset, as doing so makes unauthorised access easy.

Encrypt your network. Set your wireless network encryption to a minimum level of WPA-PSK [TKIP]. This will help prevent any unauthorised users "piggybacking" onto your network and stealing your bandwidth which you have rightly paid for.

I have included some security related articles that I advise you read through in your own time. These articles will give you tips and advice on preventing malware, and how to stay safe whilst browsing the internet.

-> So How Did I Get Infected In First Place - By TonyKlein
-> How to prevent Malware - By miekiemoes
-> I'm not pulling your leg, honest - By Sandi Hardmeier

**Kindly respond one more time and let me know if we may consider this thread resolved.
sjb007 is offline  
Old 11-29-2009, 08:29 PM   #15 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 8
OS: windows xp


Re: Pop ups and google redirects

Steve,

Thanks again for everything. I will take the steps you suggested.

I am confident that this issue is resolved.

Ddouglas
ddouglas is offline  
Old 11-30-2009, 07:57 AM   #16 (permalink)
Analyst, Security Team
 
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,879
OS: Windows 7 Premium x64


Re: Pop ups and google redirects

As this issue is now resolved, I will now stop monitoring this thread for any further replies and request for the topic to be moved to the resolved section of the forum. Should you require any further assistance, please start a new topic in the relevant section of the forums.

Good luck and happy safe surfing!
sjb007 is offline  
Copyright 2001 - 2010, Tech Support Forum