
Thread: Please help...can't get rid of this one

  1. #21 (Junior Member, joined Aug 2009, 15 posts)

    Yes the redirects are gone now.

    Here is the ComboFix Report:

    ComboFix 09-08-29.01 - USER 08/29/2009 23:45.2.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2567 [GMT -5:00]
    Running from: c:\documents and settings\USER\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\USER\Desktop\CFScript.txt
    AV: avast! antivirus 4.8.1335 [VPS 090829-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    * Created a new restore point

    FILE ::
    "C:\994bb1b65eb8bd7bddb4"
    "c:\program files\Common Files\isikusicy.lib"
    "c:\program files\Common Files\mexohysu.inf"
    "c:\windows\sadir.com"
    "c:\windows\suzibim.dat"
    "c:\windows\system32\irilyp.dat"
    "c:\windows\system32\ivalitib.com"
    .
    /wow section - STAGE 7
    The process cannot access the file because it is being used by another process.


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\syrevu.lib
    c:\documents and settings\USER\Application Data\jufatug._sy
    c:\documents and settings\USER\Application Data\nade._sy
    c:\documents and settings\USER\Application Data\ufogoz.inf
    c:\documents and settings\USER\Cookies\pucan.inf
    c:\program files\Common Files\isikusicy.lib
    c:\program files\Common Files\mexohysu.inf
    c:\windows\AegisP.inf
    c:\windows\qivifom.inf
    c:\windows\sadir.com
    c:\windows\suzibim.dat
    c:\windows\system32\irilyp.dat
    c:\windows\system32\ivalitib.com

    .
    ((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-30 )))))))))))))))))))))))))))))))
    .

    2009-08-28 02:38 . 2009-08-28 02:38 -------- d-----w- c:\documents and settings\USER\DoctorWeb
    2009-08-25 00:42 . 2009-08-25 00:42 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2009-08-23 19:31 . 2009-08-23 19:31 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-08-23 02:40 . 2009-08-23 02:40 -------- d-----w- c:\program files\Trend Micro
    2009-08-23 02:38 . 2009-08-23 02:38 -------- d-----w- c:\program files\ERUNT
    2009-08-23 02:07 . 2009-08-23 02:07 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2009-08-23 00:41 . 2009-08-23 16:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-08-23 00:41 . 2009-08-23 01:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-08-23 00:10 . 2009-08-23 00:10 -------- d-----w- c:\documents and settings\USER\Application Data\Malwarebytes
    2009-08-23 00:10 . 2009-08-23 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-08-14 08:19 . 2009-06-25 08:25 54272 -c----w- c:\windows\system32\dllcache\wdigest.dll
    2009-08-14 08:19 . 2009-06-25 08:25 301568 -c----w- c:\windows\system32\dllcache\kerberos.dll
    2009-08-14 08:19 . 2009-06-25 08:25 136192 -c----w- c:\windows\system32\dllcache\msv1_0.dll
    2009-08-14 08:19 . 2009-06-24 11:18 92928 -c----w- c:\windows\system32\dllcache\ksecdd.sys
    2009-08-14 08:03 . 2009-08-14 08:03 -------- d-----w- c:\windows\system32\XPSViewer
    2009-08-14 08:03 . 2009-08-14 08:03 -------- d-----w- c:\program files\MSBuild
    2009-08-14 08:03 . 2009-08-14 08:03 -------- d-----w- c:\program files\Reference Assemblies
    2009-08-14 08:03 . 2009-08-14 08:03 -------- d-----w- C:\994bb1b65eb8bd7bddb4
    2009-08-14 08:03 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2009-08-14 08:03 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
    2009-08-14 08:03 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2009-08-14 08:03 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
    2009-08-14 08:03 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2009-08-14 08:03 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
    2009-08-14 08:03 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2009-08-14 08:03 . 2009-08-14 08:17 -------- d-----w- c:\windows\SxsCaPendDel
    2009-08-12 08:00 . 2009-08-12 08:00 -------- d-----w- c:\program files\MSXML 4.0
    2009-08-11 21:11 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
    2009-08-10 18:05 . 2009-08-10 18:05 -------- d-----w- c:\documents and settings\LocalService\Application Data\Roxio
    2009-08-10 18:05 . 2009-08-10 18:05 -------- d-----w- c:\documents and settings\USER\Application Data\Roxio
    2009-08-10 17:54 . 2008-04-14 05:15 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
    2009-08-10 17:54 . 2008-04-14 05:15 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2009-08-10 17:46 . 2009-08-10 19:37 256 ----a-w- c:\windows\system32\pool.bin
    2009-08-10 17:46 . 2009-08-10 18:01 -------- d-----w- c:\documents and settings\USER\Application Data\Research In Motion
    2009-08-10 17:41 . 2009-08-10 17:41 -------- d-----w- c:\documents and settings\USER\Application Data\InstallShield
    2009-08-10 17:41 . 2009-08-10 17:41 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
    2009-08-10 17:41 . 2009-08-10 17:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
    2009-08-10 17:39 . 2009-08-10 17:39 -------- d-----w- c:\program files\Roxio
    2009-08-10 17:39 . 2009-08-10 17:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
    2009-08-10 17:39 . 2009-08-10 17:39 -------- d-----w- c:\program files\Common Files\Sonic Shared
    2009-08-10 17:38 . 2009-08-10 17:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
    2009-08-10 17:37 . 2009-01-09 21:18 27136 ----a-r- c:\windows\system32\drivers\RimSerial.sys
    2009-08-10 17:37 . 2009-08-10 17:39 -------- d-----w- c:\program files\Common Files\Roxio Shared
    2009-08-10 17:36 . 2009-08-10 17:37 -------- d-----w- c:\program files\Common Files\Research In Motion
    2009-08-10 17:36 . 2009-08-10 17:38 -------- d-----w- c:\program files\Research In Motion
    2009-08-08 04:46 . 2009-08-08 04:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2009-08-07 05:21 . 2009-08-07 05:21 -------- d-----w- c:\documents and settings\USER\Freeze Tag
    2009-08-07 05:18 . 2009-08-07 05:20 -------- d-----w- c:\program files\Mystery Masterpiece - The Moonstone
    2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-29 05:16 . 2009-03-28 06:38 80936 ----a-w- c:\documents and settings\USER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-08-25 13:30 . 2009-04-17 16:48 -------- d-----w- c:\program files\Common Files\Software Update Utility
    2009-08-25 00:27 . 2009-06-16 03:18 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-08-10 17:39 . 2009-03-23 18:47 -------- d-----w- c:\program files\Common Files\InstallShield
    2009-08-08 04:46 . 2009-07-18 04:45 -------- d-----w- c:\program files\Google
    2009-08-07 14:58 . 2009-06-16 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
    2009-08-05 20:17 . 2009-04-02 23:56 -------- d-----w- c:\documents and settings\USER\Application Data\dvdcss
    2009-08-05 09:01 . 2004-08-03 20:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll
    2009-07-18 04:46 . 2009-07-18 04:45 -------- d-----w- c:\program files\Common Files\Real
    2009-07-18 04:46 . 2009-07-18 04:46 -------- d-----w- c:\program files\Real
    2009-07-17 19:01 . 2004-08-03 20:56 58880 ----a-w- c:\windows\system32\atl.dll
    2009-07-14 19:50 . 2009-07-08 16:56 -------- d-----w- c:\program files\Farm Frenzy 2
    2009-07-14 04:43 . 2004-08-03 20:56 286208 ----a-w- c:\windows\system32\wmpdxm.dll
    2009-07-08 17:31 . 2009-07-08 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\FarmFrenzy2
    2009-07-08 06:29 . 2009-07-06 09:00 -------- d-----w- c:\documents and settings\All Users\Application Data\MumboJumbo
    2009-07-06 16:09 . 2009-04-17 16:48 -------- d-----w- c:\program files\AIM6
    2009-07-06 16:09 . 2009-07-06 16:09 -------- d-----w- c:\program files\AIM Toolbar
    2009-07-06 16:09 . 2009-04-17 16:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
    2009-07-06 16:09 . 2009-04-17 16:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
    2009-07-03 17:09 . 2004-08-03 20:56 915456 ------w- c:\windows\system32\wininet.dll
    2009-06-25 08:25 . 2004-08-03 20:56 54272 ----a-w- c:\windows\system32\wdigest.dll
    2009-06-25 08:25 . 2004-08-03 20:56 56832 ----a-w- c:\windows\system32\secur32.dll
    2009-06-25 08:25 . 2004-08-03 20:56 147456 ----a-w- c:\windows\system32\schannel.dll
    2009-06-25 08:25 . 2004-08-03 20:56 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2009-06-25 08:25 . 2004-08-03 20:56 301568 ----a-w- c:\windows\system32\kerberos.dll
    2009-06-25 08:25 . 2004-08-03 20:56 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-06-24 11:18 . 2004-08-03 18:59 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2009-06-16 14:36 . 2004-08-03 20:56 119808 ----a-w- c:\windows\system32\t2embed.dll
    2009-06-16 14:36 . 2001-08-23 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
    2009-06-12 12:31 . 2004-08-03 20:56 80896 ----a-w- c:\windows\system32\tlntsess.exe
    2009-06-12 12:31 . 2004-08-03 20:56 76288 ----a-w- c:\windows\system32\telnet.exe
    2009-06-10 14:19 . 2009-03-23 18:33 2066432 ----a-w- c:\windows\system32\mstscax.dll
    2009-06-10 14:13 . 2004-08-03 20:56 84992 ----a-w- c:\windows\system32\avifil32.dll
    2009-06-10 06:14 . 2004-08-03 20:56 132096 ----a-w- c:\windows\system32\wkssvc.dll
    2009-06-03 19:09 . 2004-08-03 20:56 1291264 ----a-w- c:\windows\system32\quartz.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-08-29_05.10.42 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-08-30 04:33 . 2009-08-30 04:33 16384 c:\windows\Temp\Perflib_Perfdata_6f8.dat
    - 2009-08-29 04:54 . 2009-08-29 04:54 16384 c:\windows\Temp\Perflib_Perfdata_6f8.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-19 4363504]
    "Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-18 118784]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-06 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-06 162328]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-06 137752]
    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-06-01 823296]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-06-01 974848]
    "AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2008-04-14 53248]
    "SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2007-03-27 217088]
    "RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-21 83240]
    "PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
    "BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2008-09-13 91432]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-01 148888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-26 177472]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-07-18 198160]
    "BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-07-02 623960]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-04-11 236016]

    c:\documents and settings\USER\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
    2007-05-17 04:50 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\Tencent\\QQ Games\\QQGames.exe"=
    "c:\\Program Files\\Tencent\\QQ Games\\QQGamesD.exe"=
    "c:\\Program Files\\Tencent\\QQ Games\\Update\\Update.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [3/23/2009 2:06 PM 114768]
    R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [2/1/2008 8:24 PM 41456]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/23/2009 2:06 PM 20560]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/17/2009 11:48 AM 24652]
    R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [3/23/2009 1:49 PM 812544]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
    .
    Contents of the 'Scheduled Tasks' folder

    2009-08-25 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

    2009-08-30 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-18 04:46]

    2009-08-30 c:\windows\Tasks\User_Feed_Synchronization-{355B7B07-B470-4EFF-9466-FD543D9FD666}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com
    mStart Page = hxxp://www.google.com
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: {C19FB533-FDBA-4162-BDA8-6DD0D43D97DF} = 85.31.81.245,85.31.66.4
    DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-08-29 23:49
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
    "ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1008)
    c:\windows\system32\VESWinlogon.dll
    .
    Completion time: 2009-08-30 23:50
    ComboFix-quarantined-files.txt 2009-08-30 04:50
    ComboFix2.txt 2009-08-29 05:13

    Pre-Run: 1,236,328,448 bytes free
    Post-Run: 1,169,977,344 bytes free

    232 --- E O F --- 2009-08-27 10:20


    I am about to run MBAM. I will post the report as soon as it is done.
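Added example for this thread, not ComboFix's own code and not something the poster ran: a small Python reader for the log format shown above. It pulls out the three things a helper actually scans such a log for: the "Other Deletions" paths whose basenames look machine-generated (isikusicy.lib, sadir.com and friends, scored by a crude heuristic, not a verdict), the Security Center *DisableNotify values set to 1 (these silence the "no antivirus / no firewall / no updates" balloon, which is why the MBAM report further down lists them as Disabled.SecurityCenter), and the per-interface DNS servers ComboFix prints on the "TCP:" line, so they can be compared with what your router or ISP should be handing out. The sample log is a constructed excerpt in ComboFix's layout, the FirewallDisableNotify line is made up to show a value that is not flagged, and EXPECTED_DNS is an assumed value for the demo.

```python
"""Triage helpers for a ComboFix log (added example, not ComboFix code)."""
import re

# Constructed sample: excerpts laid out the way ComboFix prints them.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\syrevu.lib
c:\documents and settings\USER\Application Data\jufatug._sy
c:\program files\Common Files\isikusicy.lib
c:\windows\AegisP.inf
c:\windows\sadir.com
c:\windows\system32\ivalitib.com
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000000
.
TCP: {C19FB533-FDBA-4162-BDA8-6DD0D43D97DF} = 85.31.81.245,85.31.66.4
"""

EXPECTED_DNS = {"192.168.1.1"}  # assumption: the home router hands out DNS

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
NOTIFY_RE = re.compile(r'^"(\w+DisableNotify)"=dword:([0-9a-fA-F]{8})$')
TCP_RE = re.compile(r"^TCP: \{[0-9A-Fa-f-]+\} = (.+)$")
VOWELS = set("aeiou")


def split_sections(text):
    """Map each '(((( Name ))))' banner to the non-empty lines under it."""
    sections, current = {}, "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and line != ".":
            sections.setdefault(current, []).append(line)
    return sections


def looks_generated(stem):
    """Heuristic only: 4-10 lowercase letters with 30-60% vowels, i.e. the
    pronounceable gibberish ('mexohysu') this family used. Mixed case,
    digits or long names are not scored, so 'AegisP' and 'kernel32' pass."""
    if not re.fullmatch(r"[a-z]{4,10}", stem):
        return False
    ratio = sum(c in VOWELS for c in stem) / len(stem)
    return 0.3 <= ratio <= 0.6


def deleted_files(sections):
    """(path, heuristic_hit) for every entry listed under Other Deletions."""
    out = []
    for path in sections.get("Other Deletions", []):
        stem = path.rsplit("\\", 1)[-1].split(".", 1)[0]
        out.append((path, looks_generated(stem)))
    return out


def notify_flags(text):
    """Names of Security Center *DisableNotify values that are non-zero."""
    flagged = []
    for raw in text.splitlines():
        m = NOTIFY_RE.match(raw.strip())
        if m and int(m.group(2), 16) != 0:
            flagged.append(m.group(1))
    return flagged


def dns_servers(text):
    """DNS server addresses from every 'TCP: {interface} = a,b' line."""
    servers = []
    for raw in text.splitlines():
        m = TCP_RE.match(raw.strip())
        if m:
            servers.extend(s.strip() for s in m.group(1).split(","))
    return servers


def triage(text, expected_dns=EXPECTED_DNS):
    """Everything a reviewer should look at first, as plain lists."""
    sections = split_sections(text)
    return {
        "generated_names": [p for p, hit in deleted_files(sections) if hit],
        "notify_disabled": notify_flags(text),
        "unexpected_dns": [s for s in dns_servers(text) if s not in expected_dns],
    }


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(f"{key}:")
        for item in items:
            print(f"  {item}")
```

The DNS check only reports addresses that differ from the set you supply; whether a given server is legitimate is something to confirm against your ISP or router, and a redirect problem like the one in this thread is exactly the case where that line deserves a look.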

  2. #22 (Junior Member, joined Aug 2009, 15 posts)

    Here is the MBAM Report:

    Malwarebytes' Anti-Malware 1.40
    Database version: 2715
    Windows 5.1.2600 Service Pack 3

    8/30/2009 12:31:04 AM
    mbam-log-2009-08-30 (00-31-04).txt

    Scan type: Full Scan (C:\|E:\|)
    Objects scanned: 162239
    Time elapsed: 23 minute(s), 39 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 4
    Folders Infected: 0
    Files Infected: 11

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Qoobox\Quarantine\C\ekxfnpkm.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\tajf83ikdmf.dll.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\USER\DoctorWeb\Quarantine\Install[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\USER\DoctorWeb\Quarantine\msupd_2.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\USER\DoctorWeb\Quarantine\wisdstr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{2861689C-77A3-4720-AFC5-00C24082598C}\RP141\A0082760.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{2861689C-77A3-4720-AFC5-00C24082598C}\RP141\A0082761.cpl (Rogue.HomeAntiVirus) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{2861689C-77A3-4720-AFC5-00C24082598C}\RP141\A0082763.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{2861689C-77A3-4720-AFC5-00C24082598C}\RP141\A0082764.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{2861689C-77A3-4720-AFC5-00C24082598C}\RP141\A0082901.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{2861689C-77A3-4720-AFC5-00C24082598C}\RP141\A0082912.dll (Trojan.Downloader) -> Quarantined and deleted successfully.

  3. #23 (Emeritus, joined Nov 2005, location @localhost, 6,066 posts)

    Please run RootRepeal once more, like last time, and post the log.
    How Can I Reduce My Risk?

  4. #24 (Junior Member, joined Aug 2009, 15 posts)

    New RootRepeal log:

    ROOTREPEAL (c) AD, 2007-2009
    ==================================================
    Scan Start Time: 2009/08/30 23:07
    Program Version: Version 1.3.5.0
    Windows Version: Windows XP SP3
    ==================================================

    Drivers
    -------------------
    Name: dump_iaStor.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
    Address: 0x9787F000 Size: 778240 File Visible: No Signed: -
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0x97B7C000 Size: 49152 File Visible: No Signed: -
    Status: -

    Hidden/Locked Files
    -------------------
    Path: C:\hiberfil.sys
    Status: Locked to the Windows API!

    Path: c:\windows\temp\perflib_perfdata_960.dat
    Status: Allocation size mismatch (API: 16384, Raw: 0)

    SSDT
    -------------------
    #: 025 Function Name: NtClose
    Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa33726b8

    #: 041 Function Name: NtCreateKey
    Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa3372574

    #: 065 Function Name: NtDeleteValueKey
    Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa3372a52

    #: 068 Function Name: NtDuplicateObject
    Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa337214c

    #: 119 Function Name: NtOpenKey
    Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa337264e

    #: 122 Function Name: NtOpenProcess
    Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa337208c

    #: 128 Function Name: NtOpenThread
    Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa33720f0

    #: 177 Function Name: NtQueryValueKey
    Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa337276e

    #: 204 Function Name: NtRestoreKey
    Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa337272e

    #: 247 Function Name: NtSetValueKey
    Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa33728ae

    ==EOF==
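Added example for this thread, not RootRepeal's own code and not something the poster ran: a Python reader for the RootRepeal log above. The useful question when reading an SSDT section is not "are there hooks" (a security product hooks these calls on purpose) but "does every hook belong to a driver I expected", so the code attributes each hook to its driver, keeps a per-driver address span (one driver's handlers sit close together, as the aswSP.SYS addresses above do), and reports any hook from a module outside an allow-list. KNOWN_HOOKERS is an assumed allow-list containing only avast's self-protection driver seen in this log. It also lists Hidden/Locked entries other than the two routine ones (hiberfil.sys is always locked while Windows runs; Perflib_Perfdata_*.dat are transient performance-counter scratch files). The sample report is constructed in RootRepeal's layout; the unknown.sys hook and the example.sys entry are made up to show what an unattributed finding looks like.

```python
"""Reader for a RootRepeal log (added example, not RootRepeal code)."""
import re
from collections import defaultdict

# Constructed sample in RootRepeal's layout; unknown.sys and example.sys
# are invented so that the "unexpected" paths below have something to return.
SAMPLE_REPORT = r"""
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\perflib_perfdata_960.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\windows\system32\drivers\example.sys
Status: Invisible to the Windows API!

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa33726b8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa3372574

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\unknown.sys" at address 0xa9990000

==EOF==
"""

KNOWN_HOOKERS = {"aswsp.sys"}  # assumption: avast self-protection driver only
BENIGN_FILES = (
    re.compile(r"^c:\\hiberfil\.sys$", re.I),
    re.compile(r"^c:\\windows\\temp\\perflib_perfdata_[0-9a-f]+\.dat$", re.I),
)

FUNC_RE = re.compile(r"^#: (\d+) Function Name: (\w+)$")
HOOK_RE = re.compile(r'^Status: Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)$')
PATH_RE = re.compile(r"^Path: (.+)$")
STATUS_RE = re.compile(r"^Status: (.+)$")


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_rootrepeal(text):
    """Return (hooks, files): SSDT hook records and Hidden/Locked records."""
    hooks, files = [], []
    pending_func = pending_path = None
    for raw in text.splitlines():
        line = raw.strip()
        m = FUNC_RE.match(line)
        if m:
            pending_func = (int(m.group(1)), m.group(2))
            continue
        m = PATH_RE.match(line)
        if m:
            pending_path = m.group(1)
            continue
        m = HOOK_RE.match(line)
        if m and pending_func:
            index, name = pending_func
            hooks.append({"index": index, "function": name,
                          "module": m.group(1), "address": int(m.group(2), 16)})
            pending_func = None
            continue
        m = STATUS_RE.match(line)
        if m and pending_path:
            files.append({"path": pending_path, "status": m.group(1)})
            pending_path = None
    return hooks, files


def hooks_by_module(hooks):
    """{driver basename: sorted hooked function names}."""
    by = defaultdict(list)
    for h in hooks:
        by[_basename(h["module"])].append(h["function"])
    return {k: sorted(v) for k, v in by.items()}


def unexpected_hooks(hooks, known=KNOWN_HOOKERS):
    """Hooks placed by a driver that is not on the allow-list."""
    return [h for h in hooks if _basename(h["module"]) not in known]


def hook_span(hooks, module):
    """(lowest, highest) hook address for one driver, or None if it has none."""
    addrs = [h["address"] for h in hooks if _basename(h["module"]) == module]
    return (min(addrs), max(addrs)) if addrs else None


def files_to_review(files):
    """Hidden/Locked entries that are not the two routine benign findings."""
    return [f for f in files if not any(p.match(f["path"]) for p in BENIGN_FILES)]


if __name__ == "__main__":
    hooks, files = parse_rootrepeal(SAMPLE_REPORT)
    for mod, funcs in hooks_by_module(hooks).items():
        lo, hi = hook_span(hooks, mod)
        print(f"{mod}: {len(funcs)} hooks in {lo:#x}-{hi:#x}")
    for h in unexpected_hooks(hooks):
        print(f"REVIEW hook: {h['function']} by {h['module']}")
    for f in files_to_review(files):
        print(f"REVIEW file: {f['path']} ({f['status']})")
```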

  5. #25 (Emeritus, joined Nov 2005, location @localhost, 6,066 posts)

    OK, thanks for the info. One more thing to do:

    Please download this utility to your desktop:

    http://download.bleepingcomputer.com...Win32kDiag.exe

    Double-click to run. When finished, it will generate a .txt file on your desktop: Win32kDiag.txt. Post the contents of the .txt file.

  6. #26 (Junior Member, joined Aug 2009, 15 posts)

    Sorry about not responding earlier. I have been moving and things have been hectic. Here is the file that was generated:

    Log file is located at: C:\Documents and Settings\USER\Desktop\Win32kDiag.txt

    WARNING: Could not get backup privileges!

    Searching 'C:\WINDOWS'...

    Finished!

  7. #27 (Emeritus, joined Nov 2005, location @localhost, 6,066 posts)

    Hi Canuck78,

    OK, thanks for all the info. You can remove ComboFix like this:
    Start > Run and type in:
    combofix /u
    Click OK or press Enter.
    Note: there is a space after the x and before the /.
    You can delete the RootRepeal icon from your desktop.

    Always check MBAM for updates before scanning. The paid version offers auto-updating and a real-time protection feature.

    One last thing you can do is make a new restore point. The why and how:

    One of the features of Windows ME, XP and Vista is the System Restore option; however, if malware infects a computer it is possible that the malware could be backed up in the System Restore archive. Therefore, clearing the restore points is a good idea after malware is removed and your computer appears to be functioning OK.

    To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

    (winXP)

    1. Turn off System Restore. (deletes old, possibly infected restore points)
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    2. Reboot.

    3. Turn ON System Restore. (new restore points on a clean system)
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check *Turn off System Restore*.
    Click Apply, and then click OK, then reboot.

    And last some general tips:

    10 Tips for Reducing Your Risk To Malware:
    The Short Version

    1) It is essential to keep your OS (Windows), browser (IE, Firefox) and other software up to date to "patch" vulnerabilities that could be exploited. This is also true for web-based applications like Java, Adobe Flash/Reader, QuickTime etc. Check their version status here. Malicious web sites can take advantage of vulnerabilities to possibly push and install malware to your computer.

    2) Know what you are installing on your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install any files from ads, popups or random links. Do not fall for fake warnings about viruses and trojans being found on your computer where you're then prompted to install software to remedy this. See also the signs that you may have malware on your computer.

    3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. Scanning frequency is a function of your computer habits.

    4) Refrain from clicking on links or attachments you receive via E-Mail, IM, IRC, Chat Rooms or Social Networking Sites, no matter how tempting or legitimate the message may seem. Links could redirect you to malicious websites that host exploits. Attachments could contain malware. Do you trust the source?

    5) Don't click on ads/pop-ups or offers from websites telling you that you need to install software, media players or codecs on your computer, for any reason.

    6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?

    7) Set up and use limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing.*

    8) Install and understand the limitations of a software firewall.

    9) Consider using an alternate browser and E-mail client. Internet Explorer and Outlook Express are popular targets for malicious code because they are widely used. See also: Hardening or Securing Internet Explorer.

    10) Warez, cracks, keygens etc are very popular for carrying malware payloads. Avoid. If you install files via p2p networks then you are much more likely to encounter malicious code. Do you trust the source? Do you really need another malware source?

    A longer version in link below.

    Happy Safe Surfing.
    How Can I Reduce My Risk?

  8. #28 (tashi, Member of Team Spybot, joined Oct 2005, USA, 30,968 posts)

    Thank you shelf life.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
