I have had alot of fun tonight trying to fix my PC. MY fiance was on thesuperficialdotcom website and was prompted to scan the pc by a scamprog, etc. and closed it, well something managed to download b/c it completely locked me down on my PC once I tried to get on. I couldn't open taskman, regedit, msconfig, I cant even open a folder options window to reenable view of hidden files/folders (which normally I can always see) I can't run hijackthis, it says I dont have access as I am not the administrator, which I am, and I cant run spybot either... I fixed 2 of the issues. To get Taskmanager to work I did both of these: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
and
REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

I then closed out some weird programs (something with antivirus system pro) and sysguard... I was then able to delete the folders from ProgFiles and a few from sys32. I then fixed the registry issue by doing this so I could access it:
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

I went to HKLM\Soft\Micro\Win\CurVer\Run and deleted some of the weird startup processes that I had just killed via Taskman. I did the same under HKCU.

I still get redirected to weird sites though when browsing and I am still getting popups, but at least it isnt naked people like it was earlier... I think it has something to do with the HOST stuff but I cant get Hijackthis to work to be sure. I tried renaming it, downloading the exe (3 times) each time it opens, runs, and disappears, no log file to be seen anywhere. I was able to get to my temp to check there by typing in the location (I cant see my "hidden files/folders" currently) and there wasnt a log in there either. Once it shuts the prog down, I have no access to it "You may not have the appropriate permissions to access the item" it says upon trying to reopen it.

I need help guys. I need to be able to run these programs, I need to be able to see folder options, I need to submit my eCore assignment for school and I cant b/c I keep getting redirected to sites that arent the same links I am clicking on...

Please let me know what I should do.
Thanks in advance!
Ashley

I tried doing a bit of research myself. I can't get rsit.exe to do anything other than a quick flicker of the black dos screen. No EULA or anything. Also, no matter how many times I delete a few of the malicious startup entrys in the registry, once I click off the folder and go back, they are there again. C:/Win/Sys32/zevububu.dll and C:/Win/ecigihaj.dll and C:/Win/Sys32/calc.dll I know these are contributing to the issues but I cant delete them under HKLM..Run or HKCU...run. Also, everytime I boot in safe mode I get the blue screen of death. Something is blocking me from running in safe mode and that is a first for me.

Any ideas are appreciated on what I can do...

Thanks again,
ashe

PS: I will update this is I get anything resolved.

Hello ashe

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

First thing I am going to ask you to do is not to make any more changes to your system.


Please download RootRepeal one of these locations and save it to your desktop
Here (http://ad13.geekstogo.com/RootRepeal.exe)
Here (http://download.bleepingcomputer.com/rootrepeal/RootRepeal.exe)
Here (http://rootrepeal.psikotick.com/RootRepeal.exe)

Open http://billy-oneal.com/forums/rootRepeal/rootRepealDesktopIcon.png on your desktop.
Click the http://billy-oneal.com/forums/rootRepeal/reportTab.png tab.
Click the http://billy-oneal.com/forums/rootRepeal/btnScan.png button.
Check just these boxes:
http://forums.whatthetech.com/uploads/monthly_08_2009/post-75503-1250480183.gif
Push Ok
Check the box for your main system drive (Usually C:, and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the http://billy-oneal.com/forums/rootRepeal/saveReport.png button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your post.

I downloaded RootRepeal, opened it, and all I got was the quick flash of the cmd prompt and then nothing. I tried to rename it as well and it did the same thing. Any other ideas?

Other things I tried before I got your post was to change the startup stuff in msconfig, wouldnt let me as it says I dont have access. I tried to delete them in registry, HKLM/.../Run but once I click off and then go back they are there again. So it must be some permissions thing as well.

I also tried booting in safe mode 3 times to see if I could kill it that way but each time I got the blue screen of death and had to do a hard boot... Odd.

Any other help y'all can provide is appreciated!
Thanks,
Ashley

Hi Ashley,

Lets try GMER if it works post the log. If it does not than run this program.


http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif
Download GMER Rootkit Scanner from here (http://www.gmer.net/gmer.zip) or here (http://www.majorgeeks.com/download.php?det=5198).

Extract the contents of the zipped file to desktop.
Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

http://i266.photobucket.com/albums/ii277/sUBs_/th_Gmer_initScan.gif (http://i266.photobucket.com/albums/ii277/sUBs_/Gmer_initScan.gif)
Click the image to enlarge it

In the right panel, you will see several boxes that have been checked. Uncheck the following ...
Sections
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)

Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.

Save it where you can easily find it, such as your desktop, and post it in your next reply.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries







Download and run Win32kDiag:
Download Win32kDiag from any of the following locations and save it to your Desktop.
Download Win32kDiag (Win32kDiag.exe) - #1 (http://ad13.geekstogo.com/Win32kDiag.exe)
Download Win32kDiag (Win32kDiag.exe) - #2 (http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe)
Download Win32kDiag (Win32kDiag.exe) - #3 (http://rootrepeal.psikotick.com/Win32kDiag.exe)

Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.

This is ridiculous! So I tried the first program. Was able to save the zip to my desktop. However now my zip program is no where to be found?? So I try to download WinZip. (Which I had at one point in time) Can't run the install... That black cmd box pops up for a seconds and then go away. I tried it again... same thing. Which leads me to believe something is preventing me from installing any programs on my PC. How, I don't know... But it is. Is there anything in the registry that could have been modified? That I can go in and change? I already ran those 2 commands to give me access to regedit and taskman, and changed the Hiddenfiles value to 1 from 0 so I could view those as well... So I would be willing to manually change something in the registry if anyone knows where I should look to see what is preventing me from installing programs.

So then I tried the second suggestion. The first link let me download the program. I go to run it and I get a box that says:
C:\[FileLocation on desktop]
The NTVDM CPU has encountered an illegal instruction.
CS:0d0 IP:0111 OP:63 72 69 70 74 Choose 'Close' to terminate the application.
Then my choices are Close and Ignore... and ignores closes it as well.

The other 2 links didn't work either. They pulled up a bunch of binary? data on a web page.

Any other suggestions? I am beyond lost, and I have never been one to format a PC for a virus as I have always gotten it fixed until now... Format is not really an option either. I use to use Radmin and PCAnywhere at my last job and would not have an issue with someone dialing in to my PC if anyone is willing... I don't know if I still have Radmin on my box though and I don't think I would be able to install it at this point. But in any case, if anyone knows of a way I would be willing.

Thanks in advance for any suggestions!
Ashley

You can try running those programs in Safemode.

To Enter Safemode

Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode
Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)


You have done so much fiddling with the registry , not sure what you have done. I think at this point doing a system repair would be an option and then we can check for viruses when your done.

OK, so why I did this I don't know but I'm glad I did. (Typically I hate anti-virus progs like AVG or Norton as they are resource hogs) but... as a last ditch effort I created a new user, test with admin rights. Upon first logon, I went to my install folder and found an old install file for avg from like 2 years ago. I installed it and obviously it forced me to update. Upon update it auto downloaded the new versions install file and ran that. After installation I ran the update... and rebooted. After logging in again it was popping up virus warnings left and right. SHeur2.BMZG and Win32/Cryptor were the repeat offenders.

It found and fixed all the .dll issues thank god so I am now able to run some fix programs. I was able to run rootrepeal and Win32Diag although the later didn't provide much info in the txt file on the desktop. Below are the logs... I redownloaded gmer and Winzip, Winzip is working and associating properly but gmer is giving an invalid archive error.

So, I still can't run Hijackthis, nor can I delete the old icons off the desktop (Access denied). I would love to be able to run this as I use HJ all the time. Another biggy is that I still can't boot in safe mode. After all this I tried and I am still getting the blue screen so something has messed with safe mode settings as well. Something is still screwy with my permissions as well. A small issue--no folder options under tools... not super important, but I think it has something to do with not being able to run some programs. When AVG was running after reboot I got several popup stating things couldnt be loaded.

A few that might have caused the permissions issues:
rundll32.exe Bad Image
The app or DLL C:\Doc*\Networ*\ntuser.dll is not a valid win image.

The rest of these are error loading...access denied.
C:\Win*\kbcstwz1.dll
C:\Win*\Doc\Network*\ntuser.dll %1 not a valid Win32 app.
C:\Win*\Sys32\calc.dll
C:\Win*\ecigihaj.dll
C:\Win*\Sys32\jeberuhe.dll

Any other ideas? I remember a long time ago, (the last time Rod broke the PC) I had to get some help and did something with ComboFix and/or DDS? I think? Anyhow, I won't do anything else until I hear from someone on here. I promise. :) Logs below, sorry for the delay.

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/26 03:53
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0x9EB1B000 Size: 749568 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9DF14000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0x9F085000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xA56AD000 Size: 61440 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa86651da

#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa86657ae

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa86671ea

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8666b9c

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8664950

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8668b7c

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa86655ae

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8664d92

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8664f92

#: 066 Function Name: NtDeviceIoControlFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8666eac

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8669084

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa86650a8

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8665110

#: 084 Function Name: NtFsControlFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8666d5e

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8668620

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa86669f8

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8664ab2

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa86653b2

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8668ba6

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa86652fe

#: 160 Function Name: NtQueryKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8665178

#: 161 Function Name: NtQueryMultipleValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8664e7c

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8664c5a

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8668888

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa86645d2

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8667a74

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8664734

#: 206 Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8668f56

#: 207 Function Name: NtSaveKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa86643d0

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa866708c

#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa86656ac

#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa866871a

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8668bd0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8664b08

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8668cb4

#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8668de0

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa866854c

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa866547e

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa86654f0

==EOF==


Running from: C:\Documents and Settings\ashe\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\ashe\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...


This is all the log had on the Win32 prog... I waited until it said Finished hit any key so do I do it again for good measure? I dunno. Again, I will just wait to see what you say. Thanks for your help so far!! ~ ashe

I just saw your previous post. I didn't see it while I was typing mine obviously. I will say that I cannot boot in safe mode. I get the blue screen of death everytime. I have not done anything with the registry that I haven't done before and the few things I have done I have told you about. But as far as a restore goes, I also cant do that. I tried that before contacting y'all and that is something else this virus disabled. It says it has been turned off for group policy and to contact my administrator. The only group on my PC is administrator and I haven't dealt with any user groups in a long time, plus that was on NT servers (LOOOOONG time ago) :) Also I am running XP Home and I may be wrong in saying this, but I don't have group policies on here as far as I know...

Thanks again!
ashe

Good Morning Ashley,

RootRepeal ran just fine and gave us all the info we needed, your infected with the Max++ rootkit thats preventing you from running any security scans.

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0x9F085000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xA56AD000 Size: 61440 File Visible: No Signed: -


Make sure Win32kdiag.exe is still on your desktop

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

"%userprofile%\desktop\win32kdiag.exe" -f -r

Win32kDiag.exe is clearly visible on my desktop... But when I paste that into Start-Run I get an error:

Windows cannot find '*"C:\Documents and Settings\ashe\desktop\win32kdiag.exe"'. Make sure you typed the name correctly, and then try again.


It is definitely there so I don't know what the deal with this is...

Thanks again!
I'm glad you know what I am infected with!
ashe

I was copying/pasting from the email notification I was sent. Once I copied it from the actual post it started to run it. Here is the log:

Running from: C:\Documents and Settings\ashe\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\ashe\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Found mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Found mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\$hf_mig$\KB944533\KB944533

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB944533\KB944533

Found mount point : C:\WINDOWS\$hf_mig$\KB947864\KB947864

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB947864\KB947864

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Debug\UserMode\UserMode

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ftpcache\ftpcache

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\mui\mui

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe

Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\policy\policy

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\policy\policy

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\policy\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\policy\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\policy\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\policy\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Cannot access: C:\WINDOWS\system32\dumprep.exe

Attempting to restore permissions of : C:\WINDOWS\system32\dumprep.exe

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 05:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-04 05:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[1] 2004-08-04 05:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp



Finished!

Win32kdiag.exe <--Drag it to the trash and download and run it again.

Download and run Win32kDiag:
Download Win32kDiag from any of the following locations and save it to your Desktop.
Download Win32kDiag (Win32kDiag.exe) - #1 (http://ad13.geekstogo.com/Win32kDiag.exe)
Download Win32kDiag (Win32kDiag.exe) - #2 (http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe)
Download Win32kDiag (Win32kDiag.exe) - #3 (http://rootrepeal.psikotick.com/Win32kDiag.exe)

Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.

Thanks again for all your help with this! Below is the log... Alot smaller than the first...


Running from: C:\Documents and Settings\ashe\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\ashe\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 05:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-04 05:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[1] 2004-08-04 05:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)





Finished!

I think we are crossing with our posts. Now we have to do this.


Please download exeHelper (http://www.raktor.net/exeHelper/exeHelper.com) to your desktop.

Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).





Open notepad and copy/paste the text in the quotebox below into it:



@SC CONFIG EVENTLOG START= DISABLED


Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:http://img.photobucket.com/albums/v706/ried7/bat_icon.gif

Double click on fix.bat & allow it to run.




If the above two programs run successfully then you should be able to run Combofix that will remove this infection




Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

I was not able to get past the first part of your instructions, so I won't run combofix until you tell me to. I downloaded exehelper.com to my desktop, once I ran it, the black box popped up and then disappeared very quickly. Didn't ask me to hit a button or anything... SO I ran it again and nothing. It didn't do anything as there is no log.txt on my desktop. Please advise as to what I should do next... Continue with your instructions or do something else...

Thanks!
Ashley

Go ahead and run the Eventlog script and then try running Combofix. Eventlog is a windows application but the one you have is infected and will prevent CF from running. Combofix will restore a clean copy of it.

Open so ran the event fix.bat, then Combofix. CF immediately found rootkit activity and rebooted my machine. It started back up and was running the program. I then logged back in and it keep doing stuff, then I got the blue screen of death. mbr.sys was the only file name I saw aside from all the numbers and letters. Once I rebooted and logged in I went to C:\ComboFix and got the log. Then I downloaded HijackThis and installed it and FINALLY was able to run it. Both logs are below.

ComboFix 09-10-26.01 - ashe 2009-10-26 19:07:08.3.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.619 [GMT -5:00]
Running from: C:\Documents and Settings\ashe\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\93747030
C:\Documents and Settings\All Users\Application Data\93747030\93747030.exe
C:\Documents and Settings\All Users\Application Data\98892496.ini
C:\Documents and Settings\All Users\Documents\behole.bat
C:\Documents and Settings\All Users\Documents\nywawipisy.reg
C:\Documents and Settings\ashe\Application Data\imesedu.inf
C:\Documents and Settings\ashe\Application Data\qogizyv.inf
C:\Documents and Settings\ashe\Local Settings\Application Data\bolagodov.vbs
C:\Documents and Settings\NetworkService\ntuser.dll
C:\WINDOWS\system32\bodonope.exe
C:\WINDOWS\system32\config\systemprofile\ntuser.dll
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.dll
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.lnk
C:\WINDOWS\system32\habowumu.dll.tmp
C:\WINDOWS\system32\jaditibi.exe
C:\WINDOWS\system32\jahotuwi.dll.tmp
C:\WINDOWS\system32\pisutine.exe
c:\windows\system32\rakoyopo.dll
C:\WINDOWS\system32\rasipiyu.dll.tmp
C:\WINDOWS\system32\ropenoya.exe
C:\WINDOWS\system32\rulufutu.dll
C:\WINDOWS\system32\sedimuna.dll
C:\WINDOWS\system32\tinomodu.exe
C:\WINDOWS\system32\tufemivu.exe
C:\WINDOWS\system32\verabamu.dll
C:\WINDOWS\system32\wafatoto.dll
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://82.98.235.208
Infected copy of C:\WINDOWS\system32\eventlog.dll was found and disinfected
Restored copy from - C:\I386\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-09-27 to 2009-10-27 )))))))))))))))))))))))))))))))
.

2009-10-26 15:03:20 . 2009-10-26 15:03:20 0 d-----w- C:\Program Files\Trend Micro1
2009-10-26 09:04:00 . 2009-10-26 09:04:30 0 d-----w- C:\Documents and Settings\All Users\Application Data\WinZip
2009-10-26 08:46:37 . 2009-10-26 08:46:37 0 d-----w- C:\Documents and Settings\ashe\Local Settings\Application Data\AVG Security Toolbar
2009-10-26 07:00:08 . 2009-10-26 07:00:08 335240 ----a-w- C:\WINDOWS\system32\drivers\avgldx86.sys
2009-10-26 07:00:08 . 2009-10-26 07:00:08 11952 ----a-w- C:\WINDOWS\system32\avgrsstx.dll
2009-10-26 07:00:08 . 2009-10-26 07:00:08 108552 ----a-w- C:\WINDOWS\system32\drivers\avgtdix.sys
2009-10-26 07:00:01 . 2009-10-26 07:08:14 0 d-----w- C:\WINDOWS\system32\drivers\Avg
2009-10-26 07:00:00 . 2009-10-26 07:00:00 0 d-----w- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
2009-10-26 06:59:50 . 2009-10-26 06:59:50 0 d-----w- C:\Program Files\AVG
2009-10-26 04:52:27 . 2009-10-26 07:00:07 27784 ----a-w- C:\WINDOWS\system32\drivers\avgmfx86.sys
2009-10-26 04:47:43 . 2009-10-26 04:47:43 0 d-----w- C:\Documents and Settings\Big Rod\Local Settings\Application Data\{82B01A4F-E032-42F6-9821-9E948F677E85}
2009-10-22 16:16:39 . 2009-10-26 07:01:50 120 ----a-w- C:\WINDOWS\Obibuqoboxebodam.dat
2009-10-22 16:16:39 . 2009-10-25 21:36:58 0 ----a-w- C:\WINDOWS\Dbagalosupuk.bin
2009-10-22 16:16:38 . 2009-10-22 16:16:38 0 d-----w- C:\Documents and Settings\ashe\Local Settings\Application Data\{94610016-D53E-4AA1-909E-F11F1211B625}
2009-10-22 16:12:36 . 2009-10-26 14:13:11 0 ----a-r- C:\WINDOWS\win32k.sys
2009-10-21 17:17:11 . 2009-10-21 17:17:12 0 d-----w- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2009-10-21 17:17:11 . 2009-10-21 17:17:11 0 d-----w- C:\Program Files\SDHelper (Spybot - Search & Destroy)
2009-10-21 17:17:11 . 2009-10-21 17:17:11 0 d-----w- C:\Program Files\Misc. Support Library (Spybot - Search & Destroy)
2009-10-21 17:17:10 . 2009-10-21 17:17:10 0 d-----w- C:\Program Files\File Scanner Library (Spybot - Search & Destroy)
2009-10-21 17:15:12 . 2009-10-26 14:13:07 0 d-----w- C:\Program Files\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-26 14:34:53 . 2009-05-28 05:39:05 0 d-----w- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2009-10-26 08:45:15 . 2007-12-09 18:48:24 0 d-----w- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-26 07:46:48 . 2009-05-27 16:28:19 0 d-----w- C:\Documents and Settings\All Users\Application Data\avg8
2009-10-26 07:00:10 . 2008-01-05 21:17:19 0 d-----w- C:\Documents and Settings\All Users\Application Data\Grisoft
2009-10-03 01:26:48 . 2009-06-18 20:36:29 0 d-----w- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-09-07 03:39:03 . 2007-05-18 00:54:07 77280 ----a-w- C:\Documents and Settings\ashe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-24 04:18:17 . 2009-07-24 04:18:17 91648 --sha-w- C:\WINDOWS\system32\defekeme.dll
2009-07-23 04:17:52 . 2009-07-23 04:17:52 53760 --sha-w- C:\WINDOWS\system32\dezudesu.dll
2009-07-26 21:21:31 . 2009-07-26 21:21:31 53760 --sha-w- C:\WINDOWS\system32\gugasara.dll
2009-07-24 04:18:17 . 2009-07-24 04:18:17 39424 --sha-w- C:\WINDOWS\system32\hozegupo.dll
2009-07-26 04:20:24 . 2009-07-26 04:20:24 1051682 --sha-w- C:\WINDOWS\system32\hunayeko.exe
2009-07-23 04:17:51 . 2009-07-23 04:17:51 91648 --sha-w- C:\WINDOWS\system32\jiyayuda.dll
2009-07-22 16:17:50 . 2009-07-22 16:17:50 39424 --sha-w- C:\WINDOWS\system32\rikajobe.dll
2009-07-22 16:17:50 . 2009-07-22 16:17:50 91648 --sha-w- C:\WINDOWS\system32\velurike.dll
2009-07-23 16:18:09 . 2009-07-23 16:18:09 39424 --sha-w- C:\WINDOWS\system32\wefakupa.dll
2009-07-26 21:21:30 . 2009-07-26 21:21:30 39424 --sha-w- C:\WINDOWS\system32\ziluyuda.dll
2009-07-26 04:20:24 . 2009-07-26 04:20:24 39424 --sha-w- C:\WINDOWS\system32\zinubiji.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2006-07-21 21:47:00 81920]
"lxcymon.exe"="C:\Program Files\Lexmark 3400 Series\lxcymon.exe" [2007-06-25 14:34:55 291504]
"Logitech Hardware Abstraction Layer"="C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2007-01-12 00:15:00 101136]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-07-21 21:48:02 98304]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-07-21 21:50:10 86016]
"GrooveMonitor"="C:\Program Files\Microsoft Office 2007\Office12\GrooveMonitor.exe" [2006-10-27 05:47:42 31016]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 10:20:00 122940]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2009-10-26 06:59:50 2025752]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-05-28 05:47:50 206088]
"SigmatelSysTrayApp"="stsystra.exe" - C:\WINDOWS\stsystra.exe [2006-07-24 15:20:00 282624]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - C:\WINDOWS\KHALMNPR.Exe [2007-01-12 00:15:00 101136]

---------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 19:40, on 2009-10-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\SetPoint\LBTWiz.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft Office 2007\Office12\GrooveMonitor.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI69DF~1\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7d3b641d-290a-4dae-a65b-f428e54e400a} - verabamu.dll (file missing)
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Logitech BT Wizard] LBTWiz.exe -silent
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office 2007\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [93747030] C:\DOCUME~1\ALLUSE~1\APPLIC~1\93747030\93747030.exe
O4 - HKLM\..\Run: [vanekonap] Rundll32.exe "c:\windows\system32\rakoyopo.dll",a
O4 - HKLM\..\Run: [samovekiyo] Rundll32.exe "sedimuna.dll",s
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI69DF~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI69DF~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI69DF~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI69DF~1\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} (Image Uploader Control) - http://www.ritzpix.com/net/Uploader/LPUploader45.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/53.13/uploader2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI69DF~1\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: demonogej - {ebf29d31-a0dd-4eb6-8c15-a46027e18120} - c:\windows\system32\jeberuhe.dll (file missing)
O21 - SSODL: tudiyagok - {4d182e4c-92cc-4033-a4b9-f4de690dedd3} - c:\windows\system32\rakoyopo.dll (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" -r (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe

Let me know what I need to do next....
Thanks again!
Ashley

Ashley,

You still have a bunch of nasty files that need to be deleted. Before we proceed I need you to post the entire Combofix log.

C:\ComboFix.txt <--Can be found here.



Your also using a very outdated version of HJT
C:\Program Files\HijackThis <--Delete this folder



Download Trendmicros Hijackthis (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe) to your desktop.

Double click it to install
Follow the prompts and by default it will install in C:\Program Files\Trendmicro\Hijackthis\Highjackthis.exe
Open HJT Scan and Save a Log File, it will open in Notepad
Go to Format and make sure Wordwrap is Unchecked
Go to Edit> Select All.....Edit > Copy and Paste the new log into this thread by using the Submit Reply and not start a New Thread.

DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.



Before we start deleting files, lets see what Malwarebytes finds and removes.


Please download Malwarebytes' Anti-Malware from Here ( http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://forums.whatthetech.com/post_a4255_MBAM.PNG
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report and also a new HJT log please



This is what I need to see. Do it this way. Post the entire CF log, run Malwarebytes and post the log, then run the new version of HJT and post the log.

1. Entire Combofix log
2. Malwarebytes Log
3. Hijackthis log

That was the entire ComboFix log. It errored out (blue screen while running) maybe that is why it isn't complete? I can run it again if need be. Also note that there is no CFlog in my root drive. It's in C:\ComboFix\Combofix.txt (That is the only place I could find it on my whole PC and that is what I gave you)

I can't install Malwarebytes. It gave me2 errors: a runtime error '0' and runtime error '440' automation error when it was almost complete with its installation. When I hit OK and tried to used the program, I got the same 2 popup errors.

Here is the HJlog.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:02, on 2009-10-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\SetPoint\LBTWiz.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft Office 2007\Office12\GrooveMonitor.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI69DF~1\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7d3b641d-290a-4dae-a65b-f428e54e400a} - verabamu.dll (file missing)
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Logitech BT Wizard] LBTWiz.exe -silent
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office 2007\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [93747030] C:\DOCUME~1\ALLUSE~1\APPLIC~1\93747030\93747030.exe
O4 - HKLM\..\Run: [vanekonap] Rundll32.exe "c:\windows\system32\rakoyopo.dll",a
O4 - HKLM\..\Run: [samovekiyo] Rundll32.exe "sedimuna.dll",s
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI69DF~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI69DF~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI69DF~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI69DF~1\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} (Image Uploader Control) - http://www.ritzpix.com/net/Uploader/LPUploader45.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/53.13/uploader2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI69DF~1\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: demonogej - {ebf29d31-a0dd-4eb6-8c15-a46027e18120} - c:\windows\system32\jeberuhe.dll (file missing)
O21 - SSODL: tudiyagok - {4d182e4c-92cc-4033-a4b9-f4de690dedd3} - c:\windows\system32\rakoyopo.dll (file missing)
O22 - SharedTaskScheduler: mujuzedij - {ebf29d31-a0dd-4eb6-8c15-a46027e18120} - c:\windows\system32\jeberuhe.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {4d182e4c-92cc-4033-a4b9-f4de690dedd3} - c:\windows\system32\rakoyopo.dll (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe

--
End of file - 8835 bytes

Let me know what else I need to do.
Thanks again!
Ashley

Good Morning Ashley,

Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.


O2 - BHO: (no name) - {7d3b641d-290a-4dae-a65b-f428e54e400a} - verabamu.dll (file missing)

O4 - HKLM\..\Run: [93747030] C:\DOCUME~1\ALLUSE~1\APPLIC~1\93747030\93747030.exe
O4 - HKLM\..\Run: [vanekonap] Rundll32.exe "c:\windows\system32\rakoyopo.dll",a
O4 - HKLM\..\Run: [samovekiyo] Rundll32.exe "sedimuna.dll",s

O21 - SSODL: demonogej - {ebf29d31-a0dd-4eb6-8c15-a46027e18120} - c:\windows\system32\jeberuhe.dll (file missing)
O21 - SSODL: tudiyagok - {4d182e4c-92cc-4033-a4b9-f4de690dedd3} - c:\windows\system32\rakoyopo.dll (file missing)

O22 - SharedTaskScheduler: mujuzedij - {ebf29d31-a0dd-4eb6-8c15-a46027e18120} - c:\windows\system32\jeberuhe.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {4d182e4c-92cc-4033-a4b9-f4de690dedd3} - c:\windows\system32\rakoyopo.dll (file missing)






Download DDS by sUBs from one of the following links. Save it to your desktop.

DDS.com (http://www.techsupportforum.com/sectools/sUBs/dds)
DDS.scr (http://download.bleepingcomputer.com/sUBs/dds.scr)
DDS.pif (http://www.forospyware.com/sUBs/dds)

Double click on the DDS icon, allow it to run.
A small box will open, with an explaination about the tool. No input is needed, the scan is running.
Notepad will open with the results, click no to the Optional_Scan
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control Here (http://www.bleepingcomputer.com/forums/topic114351.html)



You can download this program to your desktop and if DDS or Malwarebytes wont run you can drop the exe file into it. For Malwarebytes , go to C: Program Files\Malwarebytes and look for MBAM.exe, minimize the window and drag and drop it into Inherit. You can also try running Malwarebytes in Safemode.

To Enter Safemode

Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode with Networking
Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)


Download Inherit (http://download.bleepingcomputer.com/sUBs/MiniFixes/Inherit.exe) and save it to your desk top
Drag each of the exe files that you are unable to run into Inherit.exe (must be the exe - not the shortcut)
Then wait for it to say "OK"

OK, so I fixed the HJ entries, Ran DDS (I didn't include the logs as you didn't specify if you needed them or not) I dropped MBAM.exe into Inherit and got the OK, but once I tried to run Malware it gave the same runtime errors. I think it may be a problem with the install as that is where I initially got them.

Everything appears to be back to normal though aside from a few small issues.

I still cannot boot in safe mode. I completely understand HOW to do it, my PC just won't let me. Once I select Safe Mode from the boot menu, before it gets to the Windows screen I get the blue screen error message. Everytime. Is it possible that this infection I had disabled Safe Mode abilities somehow? Maybe removed or corrupted something the PC uses to boot in Safe mode? I have never had a probelm in the past booting in Safe Mode until now and it kind of worries me as sometimes I have to boot this way to fix issues. Other than that, I have a few permissions issues (with a few of the executables I first put on my desktop to fix my PC. A few HJ icons (that would never run) and now when I try to delete them I get an Access denied error. Makes me think I might still have something that I'm not seeing on the logs as it is the same access denied error you get if you try to delete a file that is in use.

I really REALLY REALLY appreciate all your time and efforts in helping me get my PC back to full working order. I know it took a lot of your time and I am thankful that there are people out there like you that can help people like me. :) If I need to go elsewhere to fix the safemode issue just let me know and I can do that. You have fixed the major issues and I thank you for it!

Side note: The issues with System Restore and not having access have been fixed and the issues with not having Folder Options have also been corrected. It is odd that the Safe Mode issue is still outstanding, but again, if I need to go else where that is fine.

Thanks again!
Ashley

Ashley,

I needed to see the DDS report. Maybe a error with the Malwarebytes install, got the same thing myself this morning on a computer I was fixing.

You can try this one, we really need to run another scan, I am sure there are leftover files and entries that have to be removed.

Please download SuperAntiSpyware Free (http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE)
Install the program

Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.

Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next <-- Important
Then, click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.

OK so I will post 3 logs... The first is the DDS.txt from this morning, the 2nd is ANTISpyware log and the third is the lastest and greatest HJ log.

Let me know what else I should do.
Thanks,
ashe

DDS (Ver_09-10-26.01) - NTFSx86
Run by ashe at 9:29:11.98 on 2009-10-27
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.539 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\SetPoint\LBTWiz.exe
C:\Program Files\Microsoft Office 2007\Office12\GrooveMonitor.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\ashe\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Windows Internet Explorer provided by Comcast
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\mi69df~1\office12\GRA8E1~1.DLL
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [lxcymon.exe] "c:\program files\lexmark 3400 series\lxcymon.exe"
mRun: [Logitech Hardware Abstraction Layer] "c:\program files\common files\logitech\khalshared\KHALMNPR.EXE"
mRun: [Logitech BT Wizard] LBTWiz.exe -silent
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office 2007\office12\GrooveMonitor.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\setpoint.lnk - c:\program files\setpoint\SetPoint.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi69df~1\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi69df~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi69df~1\office12\REFIEBAR.DLL
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://www.ritzpix.com/net/Uploader/LPUploader45.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/53.13/uploader2.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\mi69df~1\office12\GR99D3~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: klogon - c:\windows\system32\klogon.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\mi69df~1\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ashe\applic~1\mozilla\firefox\profiles\a2oy94ts.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: XULRunner: {94610016-D53E-4AA1-909E-F11F1211B625} - c:\documents and settings\ashe\local settings\application data\{94610016-D53E-4AA1-909E-F11F1211B625}
FF - HiddenExtension: XULRunner: {82B01A4F-E032-42F6-9821-9E948F677E85} - c:\documents and settings\big rod\local settings\application data\{82b01a4f-e032-42f6-9821-9e948f677e85}\

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-26 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-26 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-10-26 297752]
R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-10-26 908056]

=============== Created Last 30 ================

2009-10-27 01:57:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-27 01:57:22 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-27 01:57:22 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-27 01:57:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-27 01:54:02 0 d-----w- c:\program files\Trend Micro
2009-10-27 00:06:16 77312 ----a-w- c:\windows\MBR.exe
2009-10-27 00:03:46 0 d-----w- C:\ComboFix
2009-10-26 07:00:08 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-26 07:00:08 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-26 07:00:08 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-26 07:00:01 0 d-----w- c:\windows\system32\drivers\Avg
2009-10-26 07:00:00 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-10-26 06:59:50 0 d-----w- c:\program files\AVG
2009-10-22 16:16:39 120 ----a-w- c:\windows\Obibuqoboxebodam.dat
2009-10-22 16:16:39 0 ----a-w- c:\windows\Dbagalosupuk.bin
2009-10-22 16:12:36 0 ----a-r- c:\windows\win32k.sys
2009-10-21 17:17:11 0 d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-10-21 17:17:11 0 d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-10-21 17:17:11 0 d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-10-21 17:17:10 0 d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-10-21 17:15:12 0 d-----w- c:\program files\Spybot - Search & Destroy

==================== Find3M ====================

2009-10-11 13:10:09 236544 ----a-w- c:\windows\PEV.exe
2009-07-24 04:18:17 91648 --sha-w- c:\windows\system32\defekeme.dll
2009-07-23 04:17:52 53760 --sha-w- c:\windows\system32\dezudesu.dll
2009-07-26 21:21:31 53760 --sha-w- c:\windows\system32\gugasara.dll
2009-07-24 04:18:17 39424 --sha-w- c:\windows\system32\hozegupo.dll
2009-07-26 04:20:24 1051682 --sha-w- c:\windows\system32\hunayeko.exe
2009-07-23 04:17:51 91648 --sha-w- c:\windows\system32\jiyayuda.dll
2009-07-22 16:17:50 39424 --sha-w- c:\windows\system32\rikajobe.dll
2009-07-22 16:17:50 91648 --sha-w- c:\windows\system32\velurike.dll
2009-07-23 16:18:09 39424 --sha-w- c:\windows\system32\wefakupa.dll
2009-07-26 21:21:30 39424 --sha-w- c:\windows\system32\ziluyuda.dll
2009-07-26 04:20:24 39424 --sha-w- c:\windows\system32\zinubiji.dll

============= FINISH: 9:29:42.09 ===============


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/27/2009 at 01:43 PM

Application Version : 4.29.1004

Core Rules Database Version : 4198
Trace Rules Database Version: 2107

Scan type : Complete Scan
Total Scan Time : 00:21:31

Memory items scanned : 486
Memory threats detected : 0
Registry items scanned : 5924
Registry threats detected : 5
File items scanned : 19535
File threats detected : 131

Trojan.WinFixer
HKLM\Software\Classes\CLSID\{6F2DDCC3-133E-4729-98C5-8EECA6E2DC68}
HKCR\CLSID\{6F2DDCC3-133E-4729-98C5-8EECA6E2DC68}
HKCR\CLSID\{6F2DDCC3-133E-4729-98C5-8EECA6E2DC68}\InprocServer32
HKCR\CLSID\{6F2DDCC3-133E-4729-98C5-8EECA6E2DC68}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\PMKJI.DLL

411Ferret Toolbar
HKU\S-1-5-21-796184358-3044607810-1197156250-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{12F02779-6D88-4958-8AD3-83C12D86ADC7}

(Took out tracking cookies as there were alot and not really important here IMO)

Adware.Vundo/Variant
C:\WINDOWS\SYSTEM32\DEFEKEME.DLL
C:\WINDOWS\SYSTEM32\JIYAYUDA.DLL

Adware.Vundo/Variant-[Fixed]
C:\WINDOWS\SYSTEM32\DEZUDESU.DLL
C:\WINDOWS\SYSTEM32\RIKAJOBE.DLL
C:\WINDOWS\SYSTEM32\WEFAKUPA.DLL

Adware.Vundo/Variant-EC
C:\WINDOWS\SYSTEM32\GUGASARA.DLL
C:\WINDOWS\SYSTEM32\ZILUYUDA.DLL

Adware.Vundo/Variant-Bronx
C:\WINDOWS\SYSTEM32\VELURIKE.DLL
-----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:28, on 2009-10-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\SetPoint\LBTWiz.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft Office 2007\Office12\GrooveMonitor.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI69DF~1\Office12\GRA8E1~1.DLL
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Logitech BT Wizard] LBTWiz.exe -silent
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office 2007\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI69DF~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI69DF~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI69DF~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI69DF~1\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} (Image Uploader Control) - http://www.ritzpix.com/net/Uploader/LPUploader45.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/53.13/uploader2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI69DF~1\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe

--
End of file - 7025 bytes

Ashley,

You had a very heavily infected computer, it was almost at the point of formatting and reinstalling windows. We're almost done.



Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above File::




File::
C:\WINDOWS\Obibuqoboxebodam.dat
C:\WINDOWS\Dbagalosupuk.bin
c:\windows\win32k.sys
c:\windows\system32\defekeme.dll
c:\windows\system32\dezudesu.dll
c:\windows\system32\gugasara.dll
c:\windows\system32\hozegupo.dll
c:\windows\system32\hunayeko.exe
c:\windows\system32\jiyayuda.dll
c:\windows\system32\rikajobe.dll
c:\windows\system32\velurike.dll
c:\windows\system32\wefakupa.dll
c:\windows\system32\ziluyuda.dll
c:\windows\system32\zinubiji.dll


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

OK so below are the CF log and HJ log.. AFter all this is said and done... which virus program should I keep?

AVG 8.5 Free
or SUPERAntispyware Free edition?

Thanks again!!
ashe


ComboFix 09-10-26.01 - ashe 2009-10-28 11:46.4.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.642 [GMT -5:00]
Running from: c:\documents and settings\ashe\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\ashe\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\Dbagalosupuk.bin"
"c:\windows\Obibuqoboxebodam.dat"
"c:\windows\system32\defekeme.dll"
"c:\windows\system32\dezudesu.dll"
"c:\windows\system32\gugasara.dll"
"c:\windows\system32\hozegupo.dll"
"c:\windows\system32\hunayeko.exe"
"c:\windows\system32\jiyayuda.dll"
"c:\windows\system32\rikajobe.dll"
"c:\windows\system32\velurike.dll"
"c:\windows\system32\wefakupa.dll"
"c:\windows\system32\ziluyuda.dll"
"c:\windows\system32\zinubiji.dll"
"c:\windows\win32k.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Dbagalosupuk.bin
c:\windows\Obibuqoboxebodam.dat
c:\windows\system32\hozegupo.dll
c:\windows\system32\hunayeko.exe
c:\windows\system32\zinubiji.dll
c:\windows\win32k.sys
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\93747030\93747030.exe
c:\documents and settings\All Users\Application Data\98892496.ini
c:\documents and settings\All Users\Documents\behole.bat
c:\documents and settings\All Users\Documents\nywawipisy.reg
c:\documents and settings\ashe\Application Data\imesedu.inf
c:\documents and settings\ashe\Application Data\qogizyv.inf
c:\documents and settings\ashe\Local Settings\Application Data\bolagodov.vbs
c:\documents and settings\NetworkService\ntuser.dll
c:\windows\system32\bodonope.exe
c:\windows\system32\config\systemprofile\ntuser.dll
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.dll
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.lnk
c:\windows\system32\habowumu.dll.tmp
c:\windows\system32\jaditibi.exe
c:\windows\system32\jahotuwi.dll.tmp
c:\windows\system32\pisutine.exe
c:\windows\system32\rakoyopo.dll
c:\windows\system32\rasipiyu.dll.tmp
c:\windows\system32\ropenoya.exe
c:\windows\system32\rulufutu.dll
c:\windows\system32\sedimuna.dll
c:\windows\system32\tinomodu.exe
c:\windows\system32\tufemivu.exe
c:\windows\system32\verabamu.dll
c:\windows\system32\wafatoto.dll
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete

-- Previous Run --

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\i386\eventlog.dll

--------

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-28 )))))))))))))))))))))))))))))))
.

2009-10-27 18:20 . 2009-10-27 18:20 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-27 18:20 . 2009-10-27 18:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-27 18:20 . 2009-10-27 18:20 -------- d-----w- c:\documents and settings\ashe\Application Data\SUPERAntiSpyware.com
2009-10-27 18:19 . 2009-10-27 18:19 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-27 01:57 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-27 01:57 . 2009-10-27 01:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-27 01:57 . 2009-10-27 01:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-27 01:57 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-27 01:54 . 2009-10-27 01:54 -------- d-----w- c:\program files\Trend Micro
2009-10-26 09:04 . 2009-10-26 09:04 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-10-26 08:46 . 2009-10-26 08:46 -------- d-----w- c:\documents and settings\ashe\Local Settings\Application Data\AVG Security Toolbar
2009-10-26 07:00 . 2009-10-26 07:00 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-26 07:00 . 2009-10-26 07:00 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-26 07:00 . 2009-10-26 07:00 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-26 07:00 . 2009-10-28 13:37 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-26 07:00 . 2009-10-26 07:00 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-10-26 06:59 . 2009-10-26 06:59 -------- d-----w- c:\program files\AVG
2009-10-26 04:52 . 2009-10-26 07:00 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-26 04:47 . 2009-10-26 04:47 -------- d-----w- c:\documents and settings\Big Rod\Local Settings\Application Data\{82B01A4F-E032-42F6-9821-9E948F677E85}
2009-10-22 16:16 . 2009-10-22 16:16 -------- d-----w- c:\documents and settings\ashe\Local Settings\Application Data\{94610016-D53E-4AA1-909E-F11F1211B625}
2009-10-21 17:17 . 2009-10-21 17:17 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-10-21 17:17 . 2009-10-21 17:17 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-10-21 17:17 . 2009-10-21 17:17 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-10-21 17:17 . 2009-10-21 17:17 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-10-21 17:15 . 2009-10-26 14:13 -------- d-----w- c:\program files\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-27 14:43 . 2007-05-18 00:54 77280 ----a-w- c:\documents and settings\ashe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-26 08:45 . 2007-12-09 18:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-26 07:46 . 2009-05-27 16:28 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-26 07:00 . 2008-01-05 21:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Grisoft
2009-10-03 01:26 . 2009-06-18 20:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-13 2000112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"lxcymon.exe"="c:\program files\Lexmark 3400 Series\lxcymon.exe" [2007-06-25 291504]
"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2007-01-12 101136]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"GrooveMonitor"="c:\program files\Microsoft Office 2007\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-26 2025752]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-24 282624]
"Logitech BT Wizard"="LBTWiz.exe" [BU]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-01-12 101136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-29 561213]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-5-11 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
SetPoint.lnk - c:\program files\SetPoint\SetPoint.exe [2009-8-27 679936]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-02-20 18:57 65536 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWlgn.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-26 07:00 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^ashe^Start Menu^Programs^Startup^..]
path=c:\documents and settings\ashe\Start Menu\Programs\Startup\..
backup=c:\windows\pss\..Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"xmlprov"=3 (0x3)
"WZCSVC"=2 (0x2)
"wscsvc"=2 (0x2)
"WmiApSrv"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"winmgmt"=2 (0x2)
"WebClient"=2 (0x2)
"w32time"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"UMWdf"=2 (0x2)
"TrkWks"=2 (0x2)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=2 (0x2)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"Spooler"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"PlugPlay"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Nla"=3 (0x3)
"Netman"=3 (0x3)
"Netlogon"=3 (0x3)
"Net Driver HPZ12"=2 (0x2)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"MDM"=2 (0x2)
"lxcy_device"=2 (0x2)
"LmHosts"=2 (0x2)
"LBTServ"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"ImapiService"=3 (0x3)
"IAANTMON"=2 (0x2)
"HTTPFilter"=3 (0x3)
"hpqcxs08"=3 (0x3)
"HidServ"=2 (0x2)
"helpsvc"=2 (0x2)
"Fax"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"CryptSvc"=2 (0x2)
"COMSysApp"=3 (0x3)
"CiSvc"=3 (0x3)
"btwdins"=2 (0x2)
"Browser"=2 (0x2)
"BITS"=2 (0x2)
"AVP"=2 (0x2)
"AudioSrv"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"ALG"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\lxcycoms.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office 2007\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office 2007\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\igfxpers.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-26 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-26 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-10-12 74480]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-10-26 297752]
R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-10-12 7408]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-10-26 908056]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Windows Internet Explorer provided by Comcast
IE: E&xport to Microsoft Excel - c:\progra~1\MI69DF~1\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://www.ritzpix.com/net/Uploader/LPUploader45.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
FF - ProfilePath - c:\documents and settings\ashe\Application Data\Mozilla\Firefox\Profiles\a2oy94ts.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: XULRunner: {94610016-D53E-4AA1-909E-F11F1211B625} - c:\documents and settings\ashe\Local Settings\Application Data\{94610016-D53E-4AA1-909E-F11F1211B625}
FF - HiddenExtension: XULRunner: {82B01A4F-E032-42F6-9821-9E948F677E85} - c:\documents and settings\Big Rod\Local Settings\Application Data\{82B01A4F-E032-42F6-9821-9E948F677E85}\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-28 11:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
Completion time: 2009-10-28 11:55
ComboFix-quarantined-files.txt 2009-10-28 16:55
ComboFix2.txt 2009-05-28 07:30

Pre-Run: 212,687,495,168 bytes free
Post-Run: 212,917,329,920 bytes free

- - End Of File - - BF231E92C4E9F484F3C3FBC5FAF4402A

-------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01, on 2009-10-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\SetPoint\LBTWiz.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft Office 2007\Office12\GrooveMonitor.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI69DF~1\Office12\GRA8E1~1.DLL
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Logitech BT Wizard] LBTWiz.exe -silent
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office 2007\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI69DF~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI69DF~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI69DF~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI69DF~1\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} (Image Uploader Control) - http://www.ritzpix.com/net/Uploader/LPUploader45.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/53.13/uploader2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI69DF~1\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe

--
End of file - 7331 bytes

Ashe

AVG Free and SuperAntiSpyware are two different programs, AVG is Anti Virus and SAS is Anti Spyware, you can keep them both.


You can delete all the programs we used at the beginning, win32kdiag, exehelper, Peak Bat.



Lets update your Java to make your system more secure

Download the latest version Here (http://java.sun.com/javase/downloads/index.jsp) save it, do not install it yet.

Java SE Runtime Environment (JRE)JRE 6 Update 16 <--The wording is confusing but this is what you need


Go to your Add Remove Programs in the Control Panel and uninstall any previous versions of Java
Reboot your computer
Install the latest version

You can verify the installation Here (http://www.java.com/en/download/help/testvm.xml)





Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system


Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.


http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png


When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.



How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)





Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot , you can still install Spybot Search and Destroy but do not enable the TeaTimer .


Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.



Safe Surfn
Ken

Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.