virtumonde.generic removal help (Resolved)



subhelp
2009-01-04, 16:27
Hi

My computer is being affected by a virus, with lots of pop-ups. My AVG detects a tracking cookie when I use the browser (IE 7 or Firefox). I have run an AVG scan; it does not bring up the Vundo virus but brings up 10-15 warnings which I can't remove.

Also, when I use Windows Update, it says there is a problem. It shows as Automatic Updates ON. I think this virus is disabling it.

I have run a Spybot check; it clears most of it, but it leaves 2 entries, virtumonde.generic, every time. On that it says to ask for help in forums to remove this, as it is a stubborn virus. I have looked at this forum, then I have tried the following things.

I have downloaded VundoFix - it did not find any.

I have downloaded ComboFix and followed the instructions as it says in the post.

Pasting the ComboFix log:

ComboFix 09-01-02.01 - Owner 2009-01-04 13:24:25.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.210 [GMT 0:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\abeyugas.ini
c:\windows\system32\adiveyev.ini
c:\windows\system32\afevupug.ini
c:\windows\system32\aliboret.ini
c:\windows\system32\arigulih.ini
c:\windows\system32\arovofuh.ini
c:\windows\system32\avuwoguz.ini
c:\windows\system32\ayepemon.ini
c:\windows\system32\ayufusel.ini
c:\windows\system32\bimatabe.dll
c:\windows\system32\dasofupu.dll
c:\windows\system32\davotudo.dll
c:\windows\system32\defohesi.dll
c:\windows\system32\disuhayu.dll
c:\windows\system32\dozilibe.dll
c:\windows\system32\duweweba.dll
c:\windows\system32\ebatamib.ini
c:\windows\system32\egaholok.ini
c:\windows\system32\ejekusey.ini
c:\windows\system32\ejususig.ini
c:\windows\system32\ekolajol.ini
c:\windows\system32\fabisike.dll
c:\windows\system32\femififi.dll
c:\windows\system32\fokazifi.dll
c:\windows\system32\fokitape.dll
c:\windows\system32\fuwobozu.dll
c:\windows\system32\gakikedo.dll
c:\windows\system32\gawajaso.dll
c:\windows\system32\gulidowu.dll
c:\windows\system32\gupuvefa.dll
c:\windows\system32\hilemebu.exe
c:\windows\system32\hisozega.dll
c:\windows\system32\hivunote.dll
c:\windows\system32\hopawiki.dll
c:\windows\system32\hozegupo.dll
c:\windows\system32\hukovefo.dll
c:\windows\system32\idofofev.ini
c:\windows\system32\ifadedoy.ini
c:\windows\system32\ifoyikun.ini
c:\windows\system32\igidobum.ini
c:\windows\system32\imubimey.ini
c:\windows\system32\itavebel.ini
c:\windows\system32\iwozidip.ini
c:\windows\system32\jahiyaso.dll
c:\windows\system32\jezemimu.dll
c:\windows\system32\jimaneno.dll
c:\windows\system32\jogopamo.dll
c:\windows\system32\ketoyibo.dll
c:\windows\system32\kiwasuge.dll
c:\windows\system32\kolokilu.dll
c:\windows\system32\kolubagu.dll
c:\windows\system32\laviweta.exe
c:\windows\system32\lawariko.dll
c:\windows\system32\lebapide.dll
c:\windows\system32\lefikazi.dll
c:\windows\system32\lekefoji.dll
c:\windows\system32\ligijowe.dll
c:\windows\system32\livulene.dll
c:\windows\system32\lobiwaja.dll
c:\windows\system32\lohulatu.dll
c:\windows\system32\lojaloke.dll
c:\windows\system32\lopedeza.dll
c:\windows\system32\lunabiyo.dll
c:\windows\system32\luyusowa.dll
c:\windows\system32\mekijoru.dll
c:\windows\system32\metitalu.dll
c:\windows\system32\miperuwo.dll
c:\windows\system32\misahavu.dll
c:\windows\system32\mojeluru.dll
c:\windows\system32\mubodigi.dll
c:\windows\system32\mutupapo.dll
c:\windows\system32\muwatibi.dll
c:\windows\system32\muyasera.dll
c:\windows\system32\nezezaju.dll
c:\windows\system32\nijufagi.dll
c:\windows\system32\nimiwoga.dll
c:\windows\system32\ninegozu.dll
c:\windows\system32\nukiyofi.dll
c:\windows\system32\obalamew.ini
c:\windows\system32\odekikag.ini
c:\windows\system32\ofamamaj.ini
c:\windows\system32\ofememeh.ini
c:\windows\system32\oguribot.ini
c:\windows\system32\onasudor.ini
c:\windows\system32\onorayuj.ini
c:\windows\system32\oteraget.ini
c:\windows\system32\ovumivid.ini
c:\windows\system32\owemavod.ini
c:\windows\system32\pakiguwu.dll
c:\windows\system32\patafudi.dll
c:\windows\system32\pigopimu.dll
c:\windows\system32\ravoruna.dll
c:\windows\system32\ritujute.dll
c:\windows\system32\rumerubo.dll
c:\windows\system32\runasate.dll
c:\windows\system32\rurirovi.dll
c:\windows\system32\saguyeba.dll
c:\windows\system32\sedehobi.dll
c:\windows\system32\susonuno.dll
c:\windows\system32\tafivefi.dll
c:\windows\system32\telemize.dll
c:\windows\system32\terobila.dll
c:\windows\system32\tizomahu.dll
c:\windows\system32\tobirugo.dll
c:\windows\system32\tohazite.dll
c:\windows\system32\tuwejipe.dll
c:\windows\system32\ugabulok.ini
c:\windows\system32\ujazezen.ini
c:\windows\system32\ulatitem.ini
c:\windows\system32\umimezej.ini
c:\windows\system32\uyelasij.ini
c:\windows\system32\vefofodi.dll
c:\windows\system32\vevinaho.dll
c:\windows\system32\veyevida.dll
c:\windows\system32\visujowo.dll
c:\windows\system32\voginuhu.dll
c:\windows\system32\vorosuka.dll
c:\windows\system32\wasubezu.dll
c:\windows\system32\wihuzomi.dll
c:\windows\system32\wiyatuto.dll
c:\windows\system32\wojukoro.dll
c:\windows\system32\yemibumi.dll
c:\windows\system32\yobuwiji.dll
c:\windows\system32\yokamuye.dll
c:\windows\system32\yubiwojo.dll
c:\windows\system32\yuworowe.dll
c:\windows\system32\zareheli.dll
c:\windows\system32\zazuporo.dll
c:\windows\system32\zigehuze.dll
c:\windows\system32\zimuroha.dll
c:\windows\system32\zugowuva.dll
c:\windows\system32\zumidiba.dll
c:\windows\system32\zuyahoba.dll

----- BITS: Possible infected sites -----

hxxp://77.74.48.105
.
((((((((((((((((((((((((( Files Created from 2008-12-04 to 2009-01-04 )))))))))))))))))))))))))))))))
.

2009-01-04 13:25 . 2009-01-04 13:25 0 --ahs---- c:\windows\system32\yonevena.dll
2009-01-04 13:25 . 2009-01-04 13:25 0 --ahs---- c:\windows\system32\hayeluze.dll
2009-01-04 13:20 . 2009-01-04 13:21 <DIR> d-------- C:\32788R22FWJFW
2009-01-04 12:05 . 2009-01-04 12:05 <DIR> d-------- C:\VundoFix Backups
2009-01-03 19:39 . 2009-01-03 19:39 149 --a------ c:\windows\wininit.ini
2009-01-03 18:54 . 2009-01-03 18:56 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-03 18:54 . 2009-01-03 20:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-03 18:17 . 2009-01-03 19:38 <DIR> d-------- c:\program files\Enigma Software Group
2009-01-03 17:11 . 2009-01-03 17:11 <DIR> d-------- c:\program files\Lavasoft
2009-01-03 17:11 . 2009-01-03 18:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-02 13:26 . 2009-01-02 13:26 1,355 --a------ c:\windows\imsins.BAK
2009-01-02 12:37 . 2009-01-02 12:37 <DIR> d-------- c:\documents and settings\Administrator.HOME-PC1\Application Data\Yahoo!
2009-01-02 10:21 . 2009-01-02 12:38 <DIR> d-------- c:\documents and settings\Administrator.HOME-PC1
2008-12-31 10:58 . 2009-01-04 11:59 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-31 10:54 . 2009-01-03 16:57 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-31 10:54 . 2009-01-04 12:33 <DIR> d-------- c:\documents and settings\Owner\Application Data\AVGTOOLBAR
2008-12-31 10:54 . 2008-12-31 10:54 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-31 10:54 . 2008-12-31 10:54 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-31 10:54 . 2008-12-31 10:54 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-31 09:17 . 2008-12-31 09:17 2,713 ---hs---- c:\windows\system32\zitotela.exe
2008-12-31 08:43 . 2009-01-03 17:40 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-12-30 22:22 . 2008-12-30 22:22 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2008-12-30 22:22 . 2008-12-30 22:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-30 21:58 . 2008-12-30 21:58 <DIR> d-------- c:\program files\McAfee.com
2008-12-30 21:58 . 2008-12-31 10:39 <DIR> d-------- c:\program files\McAfee
2008-12-30 21:58 . 2008-12-30 21:59 <DIR> d-------- c:\program files\Common Files\McAfee
2008-12-30 19:01 . 2008-12-30 19:01 23,392 --a------ c:\windows\system32\nscompat.tlb
2008-12-30 19:01 . 2008-12-30 19:01 16,832 --a------ c:\windows\system32\amcompat.tlb
2008-12-25 14:50 . 2008-12-25 14:50 81,887 --a------ c:\windows\Run32A60.mch
2008-12-25 14:04 . 2008-12-25 14:23 41 --a------ c:\windows\ae2ks2mad.ini
2008-12-25 14:03 . 2008-12-25 14:03 <DIR> d-------- c:\windows\A6W_DATA
2008-12-25 14:03 . 2008-12-25 14:03 35 --a------ c:\windows\A6W.INI
2008-12-25 14:02 . 2008-12-30 18:39 <DIR> d-------- c:\program files\Action SATS Learning
2008-12-25 13:46 . 2008-12-30 18:41 <DIR> d-------- c:\program files\Full Marks
2008-12-06 18:08 . 2008-12-06 18:08 <DIR> d-------- C:\fsaua.data
2008-12-06 08:55 . 2008-12-06 08:55 0 --a------ c:\windows\nsreg.dat
2008-12-05 11:15 . 2008-12-05 11:15 <DIR> d-------- c:\program files\MSXML 4.0
2008-12-05 09:34 . 2008-12-05 09:33 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-12-05 09:32 . 2009-01-03 13:20 <DIR> d-------- c:\documents and settings\Owner\.housecall6.6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-04 11:49 --------- d-----w c:\documents and settings\Owner\Application Data\Skype
2009-01-04 08:45 --------- d-----w c:\documents and settings\Owner\Application Data\skypePM
2009-01-02 12:40 --------- d-----w c:\program files\Yahoo!
2008-12-31 10:54 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-30 21:49 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-12-30 18:54 --------- d-----w c:\program files\Nokia
2008-11-29 09:06 --------- d-----w c:\program files\Belkin
2008-11-29 09:04 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-28 22:50 --------- d-----w c:\documents and settings\Owner\Application Data\Nokia
2008-11-28 22:47 --------- d-----w c:\documents and settings\All Users\Application Data\Nokia
2008-11-28 20:41 --------- d-----w c:\documents and settings\All Users\Application Data\PC Suite
2008-11-28 20:39 --------- d-----w c:\documents and settings\Owner\Application Data\Nseries
2008-11-28 20:37 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-11-28 20:37 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-11-28 20:28 --------- d-----w c:\program files\MSXML 6.0
2008-11-28 20:27 --------- d-----w c:\documents and settings\All Users\Application Data\Installations
2008-11-28 20:26 --------- d-----w c:\documents and settings\Owner\Application Data\PC Suite
2008-11-28 20:24 --------- d-----w c:\program files\DIFX
2008-11-28 20:00 --------- d-----w c:\program files\MSBuild
2008-11-28 19:49 --------- d-----w c:\program files\Reference Assemblies
2008-11-28 10:15 --------- d-----w c:\program files\Java
2008-11-21 13:28 --------- d-----w c:\documents and settings\Owner\Application Data\CyberLink
2008-11-20 11:45 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2004-10-01 14:00 40,960 ----a-w c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-09-19 4347120]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-01 1261336]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless USB Utility.lnk - c:\program files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 1404928]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 04:42 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-06-21 15:44 126976 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-06-21 15:48 155648 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 19:24 32768 c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2007-04-16 14:28 577536 c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AcroRd32.exe"=
"c:\\WINDOWS\\system32\\agrsmsvc.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=
"c:\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe"=
"c:\\Program Files\\Belkin\\USB F5D7050\\Wireless Utility\\Belkinwcui.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgwdsvc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-31 97928]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-31 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-31 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-31 76040]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\DRIVERS\wg111v2.sys --> c:\windows\system32\DRIVERS\wg111v2.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c236d052-992a-11dd-9698-00110948dc18}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
.
Contents of the 'Scheduled Tasks' folder

2009-01-04 c:\windows\Tasks\nptohafs.job
- c:\windows\system32\rundll32.exe [2008-04-14 04:42]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0ff776f1-079c-4291-9390-ab8a10519104} - c:\windows\system32\nividoko.dll
HKLM-Run-menojivifi - c:\windows\system32\babupata.dll


.
------- Supplementary Scan -------
.
uStart Page = www.google.co.uk/
uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\9wli98tk.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-04 13:27:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-04 13:30:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-04 13:30:42

Pre-Run: 60,934,889,472 bytes free
Post-Run: 60,857,458,688 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

321 --- E O F --- 2008-11-12 06:08:54


My HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:32:51, on 04/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\ABOTHiJack.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.co.uk/s/v/41.22/uploader2.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - (no CLSID) - (no file)
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 4869 bytes

Sorry if I have done anything incorrectly. Please correct me.

Thanks in advance.

I'd appreciate it if you could have a look at it and then guide me further to remove this virus completely from my computer.

Thanks

Subhelp
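
The first ComboFix log above is a textbook Vundo picture: dozens of eight-letter, consonant/vowel-alternating .dll/.ini/.exe names in system32 (and the .ini names are the .dll names spelled backwards: abeyugas.ini / saguyeba.dll, adiveyev.ini / veyevida.dll), two zero-byte hidden+system DLLs created during the run, a BITS job pointing at a bare IP, Security Center's update notification silenced, the Windows firewall off, a randomly named scheduled task launching rundll32.exe, and an AutoRun handler on a removable drive. As an added example (not code from ComboFix, HijackThis or anyone in this thread), here is a Python script that runs those eyeball checks over a handful of lines copied from that log. The rule names, the regexes and the sample block are my own construction; the name pattern in particular is a heuristic, so a hit means "look closer", not "infected".

```python
"""Triage a ComboFix-style log for the Vundo/Virtumonde indicators seen in this thread.

Added example; it is not ComboFix, HijackThis or forum code. The rules are
heuristics read off the first log above, so a hit means "look closer", not proof.
"""
import re
from typing import Dict, List

# Constructed sample: lines copied from the first ComboFix log above, with one
# benign AVG file (avgrsstx.dll) kept as a control that must not be flagged.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\windows\system32\abeyugas.ini
c:\windows\system32\bimatabe.dll
c:\windows\system32\hilemebu.exe
c:\windows\system32\saguyeba.dll
----- BITS: Possible infected sites -----
hxxp://77.74.48.105
((((((((((((((((((((((((( Files Created from 2008-12-04 to 2009-01-04 )))))))))))))))))))))))))))))))
2009-01-04 13:25 . 2009-01-04 13:25 0 --ahs---- c:\windows\system32\yonevena.dll
2008-12-31 10:54 . 2008-12-31 10:54 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-31 09:17 . 2008-12-31 09:17 2,713 ---hs---- c:\windows\system32\zitotela.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c236d052-992a-11dd-9698-00110948dc18}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
2009-01-04 c:\windows\Tasks\nptohafs.job
- c:\windows\system32\rundll32.exe [2008-04-14 04:42]
"""

CONS, VOW = "bcdfghjklmnpqrstvwxyz", "aeiou"
# Vundo's dropped files: 8 letters strictly alternating consonant/vowel (bimatabe.dll,
# abeyugas.ini); the .ini names are the .dll names spelled backwards (abeyugas/saguyeba).
VUNDO_NAME = re.compile(
    rf"^(?:(?:[{CONS}][{VOW}]){{4}}|(?:[{VOW}][{CONS}]){{4}})\.(?:dll|ini|exe)$")
SYSTEM32 = re.compile(r"^c:\\windows\\system32\\([^\\]+)$", re.I)
# "Files Created" rows: date time . date time size attrs path
CREATED = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \S+ \S+ ([\d,]+|<DIR>) (\S{9}) (.+)$")
REG_KEY = re.compile(r"^\[(.+)\]$")
JOB = re.compile(r"^\d{4}-\d{2}-\d{2} (c:\\windows\\tasks\\\S+\.job)$", re.I)


def triage(log: str) -> Dict[str, List[str]]:
    """Return {rule_name: [details]} for every indicator found in the log text."""
    hits: Dict[str, List[str]] = {}

    def flag(rule: str, detail: str) -> None:
        hits.setdefault(rule, []).append(detail)

    lines = [ln.strip() for ln in log.splitlines() if ln.strip()]
    stems: Dict[str, str] = {}  # stem -> file name, for the reversed .ini/.dll pairing
    in_bits = False
    reg_key = ""
    for i, line in enumerate(lines):
        low = line.lower()
        if low.startswith("----- bits:"):        # BITS jobs ComboFix found pointing at a site
            in_bits = True
            continue
        if in_bits:
            if low.startswith(("hxxp://", "http://")):
                flag("bits_download_site", line)
                continue
            in_bits = False
        m = CREATED.match(line)
        if m:
            size, attrs, path = m.groups()
            # new hidden+system file in system32 (0-byte yonevena.dll, 2,713-byte zitotela.exe)
            if "h" in attrs and "s" in attrs and SYSTEM32.match(path):
                flag("new_hidden_system_file", f"{path} ({size} bytes)")
            line = path                          # fall through to the name checks
        m = SYSTEM32.match(line)
        if m:
            name = m.group(1).lower()
            if VUNDO_NAME.match(name):
                flag("vundo_style_name", name)
                stem, ext = name.rsplit(".", 1)
                other = stems.get(stem[::-1])
                if other and {ext, other.rsplit(".", 1)[1]} == {"ini", "dll"}:
                    flag("ini_dll_reversed_pair", f"{name} <-> {other}")
                stems[stem] = name
            continue
        m = REG_KEY.match(line)
        if m:
            reg_key = m.group(1).lower()
            continue
        # settings Vundo flips so Security Center stays quiet and nothing blocks its traffic
        if "security center" in reg_key and low.startswith('"updatesdisablenotify"=dword:00000001'):
            flag("security_center_tampered", line)
        elif "firewallpolicy" in reg_key and low.startswith('"enablefirewall"= 0'):
            flag("firewall_disabled", line)
        elif "mountpoints2" in reg_key and "\\shell\\autorun\\command" in low:
            flag("mountpoint_autorun", line)   # AutoRun handler on a removable drive
        m = JOB.match(line)
        if m and i + 1 < len(lines) and "rundll32.exe" in lines[i + 1].lower():
            flag("rundll32_scheduled_task", m.group(1))
    return hits


if __name__ == "__main__":
    for rule, details in triage(SAMPLE_LOG).items():
        print(rule)
        for d in details:
            print("   ", d)
```

Run it against a full ComboFix.txt (`triage(open("ComboFix.txt").read())`) and the name rule alone will pull out the same list ComboFix already deleted; the value of the other rules is that they survive a partial clean-up: the two 0-byte DLLs, the rundll32 task and the flipped Security Center and firewall values are exactly what the first run left behind and what the helper's CFScript goes after next.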

Juliet
2009-01-09, 16:42
Hi and welcome


Print this topic or save to notepad, it will make it easier for you to follow the instructions and complete all of the necessary steps as we will need to close all windows that are open later in the fix.




Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

Click on this link Here (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK). *Do not use WordPad* or any text editor other than Notepad, or the script will fail. Copy and paste the text present inside the CODE box below.
Save this as "CFScript.txt", including the quotes, change the "Save as type" to "All Files", and place it on your desktop.

KillAll::

File::
c:\windows\system32\yonevena.dll
c:\windows\system32\hayeluze.dll
c:\windows\system32\zitotela.exe
c:\windows\ae2ks2mad.in
c:\windows\Tasks\nptohafs.job

Folder::
C:\VundoFix Backups
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.





Please download ATF Cleaner by Atribune From Here (http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25) and save it to your Desktop.
Follow the instructions for the browser you use.
Read the instructions about the cookies. Delete what you do not need.

Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Java Cache
The rest are optional - if you want to remove the lot, check "Select All".
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
If you use the Firefox or Opera browsers, you can use this program
as a quick way to tidy those up as well.
When you have finished, click on the Exit button in the Main menu.
========================



NEXT**
I'd like you to run this next online scan to check for remnants or anything that might be hidden.
The scan below can take up to an hour or longer, please be patient.

*Note
It is recommended to disable your onboard antivirus and antispyware programs while performing scans, so there are no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware app you use.


Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Other available links
Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) or from here
http://www.kaspersky.com/virusscanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.

The program will install and then begin downloading the latest definition files.
After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
This will start the program and scan your system.
The scan will take a while, so be patient and let it run. (At times it may appear to stall.)
* Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
* Once the scan is complete, it will display whether your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
* Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.

Once the scan is complete, click on View scan report. To obtain the report:
Click on: Save Report As
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select:
Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner report in your reply.

Animated tutorial
http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

(Note.. for Internet Explorer 7 users:
If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
Or use Firefox with IE-Tab plugin
https://addons.mozilla.org/en-US/firefox/addon/1419


In your next reply post:
ComboFix.txt
Kaspersky log
New HJT log taken after the above scans have run


You may need several replies to post the requested logs, otherwise they might get cut off.

subhelp
2009-01-09, 23:16
Hi Juliet,

Thanks for your reply. I have followed your instructions.

I disabled my antivirus, firewall and Spybot, and then used the script that you provided with ComboFix.

Here is my ComboFix log:

ComboFix 09-01-08.05 - Owner 2009-01-09 20:42:10.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.239 [GMT 0:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekankvxepph.sys
c:\windows\system32\hayeluze.dll
c:\windows\system32\seneka.dat
c:\windows\system32\senekadf.dat
c:\windows\system32\senekalog.dat
c:\windows\system32\senekamlwowbow.dll
c:\windows\system32\senekaqpfulqev.dll
c:\windows\system32\senekaxuxnridw.dll
c:\windows\system32\test.ttt
c:\windows\system32\win32hlp.cnf
c:\windows\system32\yonevena.dll

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe

.
((((((((((((((((((((((((( Files Created from 2008-12-09 to 2009-01-09 )))))))))))))))))))))))))))))))
.

2009-01-07 16:59 . 2009-01-07 16:59 73,216 --a------ c:\windows\system32\ffkuz.dll
2009-01-07 08:49 . 2009-01-07 08:49 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-06 17:11 . 2009-01-06 17:15 <DIR> d-------- c:\program files\Windows Live Safety Center
2009-01-06 16:43 . 2009-01-08 13:20 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-06 15:49 . 2009-01-09 15:47 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-06 15:49 . 2009-01-06 15:49 <DIR> d-------- c:\program files\AVG
2009-01-06 15:49 . 2009-01-06 15:49 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-06 15:49 . 2009-01-06 15:49 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-01-06 15:49 . 2009-01-06 15:49 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-01-05 15:52 . 2009-01-05 15:52 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\s_4610_fHx8fHx8fDEyNDM3Nzc0NjV8_
2009-01-04 17:27 . 2009-01-04 17:27 7,680 --ahs---- c:\windows\Thumbs.db
2009-01-03 19:39 . 2009-01-05 19:39 207 --a------ c:\windows\wininit.ini
2009-01-03 18:54 . 2009-01-03 18:56 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-03 18:54 . 2009-01-03 20:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-03 17:11 . 2009-01-06 15:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-02 13:26 . 2009-01-04 19:52 1,355 --a------ c:\windows\imsins.BAK
2009-01-02 12:37 . 2009-01-02 12:37 <DIR> d-------- c:\documents and settings\Administrator.HOME-PC1\Application Data\Yahoo!
2009-01-02 10:21 . 2009-01-06 15:50 <DIR> d-------- c:\documents and settings\Administrator.HOME-PC1
2008-12-31 09:17 . 2008-12-31 09:17 2,713 --ahs---- c:\windows\system32\zitotela.exe
2008-12-30 22:22 . 2008-12-30 22:22 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2008-12-30 22:22 . 2008-12-30 22:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-30 21:58 . 2008-12-30 21:59 <DIR> d-------- c:\program files\Common Files\McAfee
2008-12-30 19:01 . 2008-12-30 19:01 23,392 --a------ c:\windows\system32\nscompat.tlb
2008-12-30 19:01 . 2008-12-30 19:01 16,832 --a------ c:\windows\system32\amcompat.tlb
2008-12-25 14:50 . 2008-12-25 14:50 81,887 --a------ c:\windows\Run32A60.mch
2008-12-25 14:04 . 2008-12-25 14:23 41 --a------ c:\windows\ae2ks2mad.ini
2008-12-25 14:03 . 2008-12-25 14:03 <DIR> d-------- c:\windows\A6W_DATA
2008-12-25 14:03 . 2008-12-25 14:03 35 --a------ c:\windows\A6W.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-09 15:43 --------- d-----w c:\documents and settings\Owner\Application Data\Skype
2009-01-09 11:07 --------- d-----w c:\documents and settings\Owner\Application Data\skypePM
2009-01-07 08:49 --------- d-----w c:\program files\Java
2009-01-06 15:49 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-02 12:40 --------- d-----w c:\program files\Yahoo!
2008-12-30 21:49 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-12-05 11:15 --------- d-----w c:\program files\MSXML 4.0
2008-12-05 09:33 102,664 ----a-w c:\windows\system32\drivers\tmcomm.sys
2008-11-29 09:06 --------- d-----w c:\program files\Belkin
2008-11-29 09:04 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-28 22:50 --------- d-----w c:\documents and settings\Owner\Application Data\Nokia
2008-11-28 22:47 --------- d-----w c:\documents and settings\All Users\Application Data\Nokia
2008-11-28 20:41 --------- d-----w c:\documents and settings\All Users\Application Data\PC Suite
2008-11-28 20:39 --------- d-----w c:\documents and settings\Owner\Application Data\Nseries
2008-11-28 20:37 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-11-28 20:37 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-11-28 20:28 --------- d-----w c:\program files\MSXML 6.0
2008-11-28 20:27 --------- d-----w c:\documents and settings\All Users\Application Data\Installations
2008-11-28 20:26 --------- d-----w c:\documents and settings\Owner\Application Data\PC Suite
2008-11-28 20:24 --------- d-----w c:\program files\DIFX
2008-11-28 20:00 --------- d-----w c:\program files\MSBuild
2008-11-28 19:49 --------- d-----w c:\program files\Reference Assemblies
2008-11-21 13:28 --------- d-----w c:\documents and settings\Owner\Application Data\CyberLink
2008-11-20 11:45 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2004-10-01 14:00 40,960 ----a-w c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-07 136600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-07 1261336]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless USB Utility.lnk - c:\program files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 1404928]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 04:42 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-06-21 15:44 126976 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-06-21 15:48 155648 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 19:24 32768 c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2007-04-16 14:28 577536 c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ServiceLayer"=3 (0x3)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"idsvc"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AcroRd32.exe"=
"c:\\WINDOWS\\system32\\agrsmsvc.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=
"c:\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe"=
"c:\\Program Files\\Belkin\\USB F5D7050\\Wireless Utility\\Belkinwcui.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgwdsvc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-06 97928]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-06 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-06 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-06 76040]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\DRIVERS\wg111v2.sys --> c:\windows\system32\DRIVERS\wg111v2.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c236d052-992a-11dd-9698-00110948dc18}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
.
Contents of the 'Scheduled Tasks' folder

2009-01-09 c:\windows\Tasks\nptohafs.job
- c:\windows\system32\rundll32.exe [2008-04-14 04:42]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0ff776f1-079c-4291-9390-ab8a10519104} - (no file)


.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\9wli98tk.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-09 20:45:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\agrsmsvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-09 20:48:54 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2009-01-09 20:48:36

Pre-Run: 60,895,264,768 bytes free
Post-Run: 61,112,836,096 bytes free

182 --- E O F --- 2009-01-04 19:52:54

I will copy my Kaspersky scan report and HJT log in the next post.


Thanks

Subhelp

subhelp
2009-01-09, 23:17
Here is my Kaspersky scan report log


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, January 9, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, January 09, 2009 20:17:21
Records in database: 1595168
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 40141
Threat name: 3
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 00:56:08


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\senekamlwowbow.dll.vir Infected: Trojan.Win32.Small.brl 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir Infected: Trojan.Win32.Agent.bfsd 1
C:\WINDOWS\system32\ffkuz.dll Infected: Trojan-Downloader.Win32.Murlo.vn 1

The selected area was scanned.


In the next post, I will post my HJT log.

Thanks

Subhelp.

subhelp
2009-01-09, 23:20
Here is my HJT log...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:07:49, on 09/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Owner\Desktop\subhelp.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.co.uk/s/v/41.22/uploader2.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?e=1231319247830&h=0e2d8a3d44908ef3d5423da85f5cfa19/&filename=jinstall-6u11-windows-i586-jc.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - (no CLSID) - (no file)
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 5141 bytes


I hope I have done everything you have asked for. Please guide me if I have done anything wrong.

Thanks again for all your help.

Subhelp
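The HijackThis log above is read by eye in this thread (the helper picks out the orphaned O2 BHO in the next post). As an added example, not part of the original thread and not HijackThis code, here is a small Python triage pass over lines in that log format. It flags three things a helper looks for: entries that still reference a file that is gone ("(no file)"), the AppInit_DLLs entry (always worth identifying, even when, as here, it is AVG's), and O4/O23 autostarts whose executable sits in a user-writable location. The sample lines are constructed from the posted log; the Temp-path O4 line is invented to exercise the path rule, and the reason labels and the user-writable list are this script's own assumptions.

```python
"""Triage a HijackThis 2.0 log: pick out the entry types worth a second look.

Added example written for this thread; it is not HijackThis code.  The sample
lines below are constructed from the format of the log posted above."""
import re
from dataclasses import dataclass

# Constructed sample in the format of the posted HJT log.  The [updater] line
# does not come from the log; it is invented to exercise the path rule.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Owner\Local Settings\Temp\upd.exe
O18 - Protocol: skype4com - (no CLSID) - (no file)
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# "O2 - <body>", "R1 - <body>", "O23 - <body>" ...
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
# First Windows path ending in an executable extension inside an entry body.
PATH_RE = re.compile(r"[a-z]:\\[^\[\]]+?\.(?:exe|dll|scr|com)\b", re.I)
# Locations an autostart has no business pointing at (assumed list).
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\")


@dataclass
class Finding:
    code: str    # HJT section, e.g. "O2"
    reason: str  # why it was flagged
    line: str    # the original log line, ready to tick in HJT


def triage(log: str) -> list[Finding]:
    """Return the entries a helper should look at, in log order."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m["code"], m["body"]
        if "(no file)" in body:
            # Orphaned reference: the registry points at a file that is gone.
            # 'Fix checked' on such a line only removes the registry entry.
            findings.append(Finding(code, "orphan", line))
        elif code == "O20":
            # AppInit_DLLs is loaded into every process that links user32.dll,
            # so the DLL named here is always worth identifying.
            findings.append(Finding(code, "appinit", line))
        elif code in ("O4", "O23"):
            p = PATH_RE.search(body)
            if p and any(s in p.group(0).lower() for s in USER_WRITABLE):
                findings.append(Finding(code, "user-writable path", line))
    return findings


def fix_candidates(findings: list[Finding]) -> list[str]:
    """Lines that are safe to tick under 'Do a system scan only' -> 'Fix checked':
    only orphans, since removing those touches no file on disk."""
    return [f.line for f in findings if f.reason == "orphan"]


if __name__ == "__main__":
    found = triage(SAMPLE_HJT)
    for f in found:
        print(f"{f.reason:>20}: {f.line}")
    print("\nTick in HJT:")
    print("\n".join(fix_candidates(found)))
```

Run on the constructed sample it lists the orphaned O2 BHO and the orphaned O18 protocol as fix candidates, reports the AppInit_DLLs line for identification, and flags the invented Temp-path O4. A real log needs the same judgment the helper applies in the next post: an orphan is a safe fix, the other two categories are only prompts to look at the file.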

Juliet
2009-01-10, 00:25
Welcome back


Open HijackThis, click Do a system scan only, and checkmark these. Then close all other windows and browsers except HijackThis and press Fix checked.

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)




Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

Click on this link Here (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Please open Notepad (*Do not use WordPad or any other text editor than Notepad, or the script will fail*) (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.

File::
c:\windows\system32\ffkuz.dll
c:\windows\system32\zitotela.exe
c:\windows\Run32A60.mch
c:\windows\ae2ks2mad.ini
c:\windows\Tasks\nptohafs.job
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



In your next reply post:
ComboFix.txt
New HJT log



I need an update from you on how the computer is at the moment.

subhelp
2009-01-10, 20:52
Hi Juliet,

Thanks for your quick reply. Sorry about the delay.

After the first ComboFix run, my Security Centre started working. Previously it was not showing "computer might be at risk" if I disabled the antivirus or firewall.

I think it might have cleared some virus.

Now I have followed the instructions as in the previous post.
I have included my new ComboFix log and New HJT log with this.

About my computer, it looks like it is working. But there are a lot of processes when I check my Task Manager. I do not know whether that is normal or not.


ComboFix log:

ComboFix 09-01-08.05 - Owner 2009-01-10 19:34:57.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.255 [GMT 0:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\ae2ks2mad.ini
c:\windows\Run32A60.mch
c:\windows\system32\ffkuz.dll
c:\windows\system32\zitotela.exe
c:\windows\Tasks\nptohafs.job
.

((((((((((((((((((((((((( Files Created from 2008-12-10 to 2009-01-10 )))))))))))))))))))))))))))))))
.

2009-01-07 08:49 . 2009-01-07 08:49 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-06 17:11 . 2009-01-06 17:15 <DIR> d-------- c:\program files\Windows Live Safety Center
2009-01-06 16:43 . 2009-01-08 13:20 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-06 15:49 . 2009-01-10 15:38 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-06 15:49 . 2009-01-06 15:49 <DIR> d-------- c:\program files\AVG
2009-01-06 15:49 . 2009-01-06 15:49 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-06 15:49 . 2009-01-06 15:49 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-01-06 15:49 . 2009-01-06 15:49 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-01-05 15:52 . 2009-01-05 15:52 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\s_4610_fHx8fHx8fDEyNDM3Nzc0NjV8_
2009-01-04 17:27 . 2009-01-04 17:27 7,680 --ahs---- c:\windows\Thumbs.db
2009-01-03 19:39 . 2009-01-05 19:39 207 --a------ c:\windows\wininit.ini
2009-01-03 18:54 . 2009-01-03 18:56 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-03 18:54 . 2009-01-03 20:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-03 17:11 . 2009-01-06 15:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-02 13:26 . 2009-01-04 19:52 1,355 --a------ c:\windows\imsins.BAK
2009-01-02 12:37 . 2009-01-02 12:37 <DIR> d-------- c:\documents and settings\Administrator.HOME-PC1\Application Data\Yahoo!
2009-01-02 10:21 . 2009-01-06 15:50 <DIR> d-------- c:\documents and settings\Administrator.HOME-PC1
2008-12-30 22:22 . 2008-12-30 22:22 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2008-12-30 22:22 . 2008-12-30 22:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-30 21:58 . 2008-12-30 21:59 <DIR> d-------- c:\program files\Common Files\McAfee
2008-12-30 19:01 . 2008-12-30 19:01 23,392 --a------ c:\windows\system32\nscompat.tlb
2008-12-30 19:01 . 2008-12-30 19:01 16,832 --a------ c:\windows\system32\amcompat.tlb
2008-12-25 14:03 . 2008-12-25 14:03 <DIR> d-------- c:\windows\A6W_DATA
2008-12-25 14:03 . 2008-12-25 14:03 35 --a------ c:\windows\A6W.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-10 18:06 --------- d-----w c:\documents and settings\Owner\Application Data\Skype
2009-01-10 17:06 --------- d-----w c:\documents and settings\Owner\Application Data\skypePM
2009-01-07 08:49 --------- d-----w c:\program files\Java
2009-01-06 15:49 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-02 12:40 --------- d-----w c:\program files\Yahoo!
2008-12-30 21:49 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-12-05 11:15 --------- d-----w c:\program files\MSXML 4.0
2008-12-05 09:33 102,664 ----a-w c:\windows\system32\drivers\tmcomm.sys
2008-11-29 09:06 --------- d-----w c:\program files\Belkin
2008-11-29 09:04 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-28 22:50 --------- d-----w c:\documents and settings\Owner\Application Data\Nokia
2008-11-28 22:47 --------- d-----w c:\documents and settings\All Users\Application Data\Nokia
2008-11-28 20:41 --------- d-----w c:\documents and settings\All Users\Application Data\PC Suite
2008-11-28 20:39 --------- d-----w c:\documents and settings\Owner\Application Data\Nseries
2008-11-28 20:37 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-11-28 20:37 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-11-28 20:28 --------- d-----w c:\program files\MSXML 6.0
2008-11-28 20:27 --------- d-----w c:\documents and settings\All Users\Application Data\Installations
2008-11-28 20:26 --------- d-----w c:\documents and settings\Owner\Application Data\PC Suite
2008-11-28 20:24 --------- d-----w c:\program files\DIFX
2008-11-28 20:00 --------- d-----w c:\program files\MSBuild
2008-11-28 19:49 --------- d-----w c:\program files\Reference Assemblies
2008-11-21 13:28 --------- d-----w c:\documents and settings\Owner\Application Data\CyberLink
2008-11-20 11:45 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2004-10-01 14:00 40,960 ----a-w c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( snapshot@2009-01-09_20.47.40.78 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-10 19:25:01 16,384 ----atw c:\windows\temp\Perflib_Perfdata_5a0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-07 136600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-07 1261336]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless USB Utility.lnk - c:\program files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 1404928]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 04:42 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-06-21 15:44 126976 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-06-21 15:48 155648 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 19:24 32768 c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2007-04-16 14:28 577536 c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ServiceLayer"=3 (0x3)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"idsvc"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AcroRd32.exe"=
"c:\\WINDOWS\\system32\\agrsmsvc.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=
"c:\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe"=
"c:\\Program Files\\Belkin\\USB F5D7050\\Wireless Utility\\Belkinwcui.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgwdsvc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-06 97928]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-06 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-06 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-06 76040]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\DRIVERS\wg111v2.sys --> c:\windows\system32\DRIVERS\wg111v2.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c236d052-992a-11dd-9698-00110948dc18}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\9wli98tk.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-10 19:36:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(484)
c:\windows\system32\avgrsstx.dll

- - - - - - - > 'lsass.exe'(548)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2009-01-10 19:38:15
ComboFix-quarantined-files.txt 2009-01-10 19:38:01
ComboFix2.txt 2009-01-10 19:21:33
ComboFix3.txt 2009-01-09 20:48:55

Pre-Run: 61,073,022,976 bytes free
Post-Run: 61,064,761,344 bytes free

176 --- E O F --- 2009-01-04 19:52:54



My HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:39:49, on 10/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\subhelp.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.co.uk/s/v/41.22/uploader2.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?e=1231319247830&h=0e2d8a3d44908ef3d5423da85f5cfa19/&filename=jinstall-6u11-windows-i586-jc.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - (no CLSID) - (no file)
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4874 bytes


Thanks for all your help. It is much appreciated.

Thanks

Subhelp.

Juliet
2009-01-10, 21:26
Welcome back


Don't miss or skip this next step, this will remove bad files from quarantine and set a clean restore point.

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.

Example below
http://www.forospyware.com/images/adv/CF_Cleanup.png



It's not out of the ordinary to have a lot of processes listed in task manager.
On one of my machines I have 30
On my Laptop I have 27 to 30 at a time.
All items found in the list can be researched on Google for legitimacy.


Logs are looking good.


We can try to reduce a few of these

Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.



The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
(Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)

O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
(Related to Belkin_wireless_network card. It is a utility program that allows you to configure the settings of your wireless card. Note: Located in C:\Program Files\Belkin\PCI F5D7000\Wireless Utility)


Reboot the machine for the effects to take and set the registry.



Please post back and let me know what issues remain.
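
The HijackThis lines in the log above, and the suggestion to review the O4 startup entries one by one, are easier to work through once the log is parsed into structured records. The Python script below is an added example, not part of the original thread and not HijackThis code: it parses the common section formats (R0/R1, O2, O4, O18, O20, O23) into name/path records and groups them into review buckets (autostart entries, AppInit_DLLs, entries whose target file is missing, 8.3 short paths that should be expanded before looking them up). The sample lines are copied from the log posted above; the regexes, the `Entry` class and the bucket names are assumptions of this example, not anything HijackThis defines.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the HijackThis log format (entries as they appear in
# the log posted in the thread; this is test input, not a live scan).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O18 - Protocol: skype4com - (no CLSID) - (no file)
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# O4 registry Run entries:   HKLM\..\Run: [Name] command
O4_REG_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# O4 startup-folder entries: Global Startup: Name.lnk = path
O4_LNK_RE = re.compile(r"^(?P<key>.+?): (?P<name>.+?) = (?P<cmd>.*)$")


@dataclass
class Entry:
    code: str                       # HijackThis section, e.g. O4, O23
    body: str                       # raw text after "Oxx - "
    name: Optional[str] = None      # human-readable label, where the line has one
    path: Optional[str] = None      # file, DLL or URL the entry points at
    flags: List[str] = field(default_factory=list)


def _strip_quotes(cmd: str) -> str:
    cmd = cmd.strip()
    if cmd.startswith('"'):
        # Quoted command line: the path is everything up to the closing quote.
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    entry = Entry(code=code, body=body)
    if code == "O4":
        m4 = O4_REG_RE.match(body) or O4_LNK_RE.match(body)
        if m4:
            entry.name = m4.group("name")
            entry.path = _strip_quotes(m4.group("cmd"))
        entry.flags.append("autostart")   # runs at logon: confirm each one is wanted
    elif code == "O20":
        entry.path = body.split(":", 1)[1].strip()
        entry.flags.append("appinit")     # loaded into every user-mode GUI process
    elif code.startswith("R"):
        entry.path = body.split(" = ", 1)[1].strip() if " = " in body else None
    else:
        # O2/O9/O18/O23 and similar: "kind: name - id - file"; the file is last.
        parts = [p.strip() for p in body.split(" - ")]
        first = parts[0].split(": ", 1)
        entry.name = first[1] if len(first) == 2 else parts[0]
        entry.path = parts[-1] if len(parts) > 1 else None
    if entry.path == "(no file)":
        entry.flags.append("orphan")      # registration left behind with no target
    if entry.path and "~" in entry.path:
        entry.flags.append("short-name")  # 8.3 path: expand it before researching
    return entry


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Group entries by flag so each bucket can be researched before deciding
    whether to fix it, as the thread advises for startup items."""
    buckets: Dict[str, List[str]] = {}
    for e in entries:
        for f in e.flags:
            buckets.setdefault(f, []).append(e.name or e.path or e.body)
    return buckets


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for e in parsed:
        print(f"{e.code:4} {e.name or '':32} {e.path or ''}  {','.join(e.flags)}")
    print(triage(parsed))
```

The parser only structures the log; it does not decide what is malicious. The buckets tell a reviewer where to start: autostart and AppInit entries are checked against software actually installed on the machine, and orphan registrations are usually safe to clean up because nothing is left for them to load.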

subhelp
2009-01-11, 00:07
Hi,

My AVG brought up a couple of threats after I replied with the last Combofix log. At that time I was not even connected to the internet. They are:
1. Trojan horse Generic12.ANRY - c:\System Volume information \_restore{357DD98E-6732-408D-B968-3D56EE363574}\RP10\A0001763.SYS.
2. Trojan horse Generic12.ALPP - c:\System Volume information \_restore{357DD98E-6732-408D-B968-3D56EE363574}\RP10\A0001764.DLL.


I do not know whether there is still some virus on the system or not.

But I have uninstalled Combofix as per your instructions. Those threats came before uninstalling Combofix.

About the processes, I do use Belkin wireless for the connection to the internet. Will it change anything if we remove that process? I will do this step after your reply.

Also, when I enabled Spybot TeaTimer, it was asking so many things - asking permission to allow changes. I am not sure what to select. In one instance, the process was rundll32.exe c:\windows\system32... which had the value CPM0f78ba95. Others were Yahoo Messenger, Spybot TeaTimer etc.

Do I need to do anything regarding those threats I have received?
Do I need to run a scan again?

Awaiting your reply.

Thanks

Subhelp

Juliet
2009-01-11, 04:15
Welcome back


Those items that were found in System Restore should have been cleared when Combofix was uninstalled.
If not, you'll receive another notice, if that should happen we can manually set a clean restore point.

CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
Go to Start >> Run - type control sysdm.cpl,,4 & press Enter

* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply

Turn it back 'On' by unticking the same checkbox & click OK

But I really think you're OK.

As for Belkin, it's up to you to disable it or leave it.
If you're uncomfortable, leave it as it is.

It should be fine to allow those changes through Spybot.

If you like you can run another Kaspersky scan....
Then post the log.

subhelp
2009-01-11, 23:26
Hi Juliet,

I have not found any threats after I have uninstalled combofix.

It is working fine.

Thanks for all your help and guidance for removal.

Much appreciated.

Thanks

Subhelp
:laugh:

Juliet
2009-01-12, 00:32
You're good to go, good job!



Please take the time to read over a few of my preventive tips.


Please navigate to Microsoft Windows Updates (http://update.microsoft.com/windowsupdate/v6/default.aspx?ln=en-us) and download all the "Critical Updates" for Windows.


Firefox 2.0 (http://www.mozilla.com/en-US/firefox/all-older.html )
The award-winning Web browser is now faster, more secure, and fully customizable to your online life. Firefox 2 adds powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.

How to prevent Malware: Created by Miekiemoes (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html)

Here are some additional utilities that will further enhance your safety.
# http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)


Read this article 'Safe Computing Practices'.
So how did I get infected in the first place? (http://www.spywareinfoforum.com/index.php?showtopic=60955)

Secure My Computer: A Layered Approach (http://www.dslreports.com/faq/8463)

Strong passwords: How to create and use them (http://www.microsoft.com/protect/yourself/password/create.mspx)

Free Antivirus-AntiSpyware-Firewall Software (http://www.geekstogo.com/forum/Free-Antivirus-Antispyware-Software-t38.html)


PC Safety and Security--What Do I Need?
http://www.techsupportforum.com/security-center/general-computer-security/115548-pc-safety-security-what-do-i-need.html

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!
This site offers people who have been (or are) victims of malware the opportunity to document their story.

Extra note:
Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan. http://secunia.com/software_inspector/

Juliet
2009-01-13, 15:21
Glad we could help. :)

Since this issue appears resolved ... this Topic is closed.