backdoor.bot + trojan + spyware



glors006
2010-02-20, 18:58
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 12:54:00 PM, on 2/20/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\conime.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [EEventManager] C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [EPSON WorkForce 600(Network)] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIEKA.EXE /FU "C:\Windows\TEMP\E_S38AD.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [EPSON WorkForce 600(Network)1] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIEKA.EXE /FU "C:\Windows\TEMP\E_S4C1E.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-3814918314-2133906571-1246418362-1002\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO (User 'Helen')
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Windows\system32\AERTSrv.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 6816 bytes

--
My parents usually stream international TV shows through bada.net websites and such... they got this virus (Antivirus Soft) and were able to disable it (I think), but when I ran malwarebytes.org, there are still 3 files that are infected including backdoor.bot + trojan + spyware....

I've read backdoor is dangerous :( please help!

shelf life
2010-02-26, 02:40
hi,

Your log is a few days old. If you still need help simply reply to my post.

glors006
2010-02-26, 15:59
Yes I still need help! When I try to use the internet, there are pop-ups and it is very slow!

shelf life
2010-02-27, 02:16
OK, we can start with Malwarebytes to see what it can dig up. Link and directions:

Please download Malwarebytes (http://www.malwarebytes.org/mbam.php) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.

glors006
2010-02-27, 06:41
When I click "restart" it says that Malware has to shut down and doesn't remove the items properly on reboot.

Also, I'm getting a Pop up now from Windows Defender Warning saying a Trojan:Win32/Vundo.gen!G is detected.

Also, I've run Malwarebytes a few times and the first time I successfully deleted many 'viruses' but the 3 continue to remain b/c when I press restart after Malwarebytes finishes its scan, it doesn't properly close.

Here is the log below... thanks so much!!!

Malwarebytes' Anti-Malware 1.44
Database version: 3759
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882

2/27/2010 12:35:40 AM
mbam-log-2010-02-27 (00-35-40).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 212520
Time elapsed: 43 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userinit (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Helen\AppData\Roaming\sdra64.exe (Spyware.Zbot) -> Delete on reboot.

shelf life
2010-02-27, 15:00
hi,

OK, you might try running Malwarebytes in Safe Mode. To reach Safe Mode you would tap the F8 key during a computer restart. At the options screen choose the first option: Safe Mode. Once at the Safe Mode desktop, run Malwarebytes.

Next:
It's those 3 items in the Malwarebytes log that are remaining?

While you are in Safe Mode you can try this also. You might want to copy/paste it into Notepad and save it so you can find and read it in Safe Mode:

To show all files:

1. Click on the Start button. This is the small round button with the Windows flag in the lower left corner.

2. Click on the Control Panel menu option.

3. When the Control Panel opens you can either be in Classic View or Control Panel Home view.

4. If you are in the Classic View do the following:
   a. Double-click on the Folder Options icon.
   b. Click on the View tab.
   c. Go to step 5.

   If you are in the Control Panel Home view do the following:
   a. Click on the Appearance and Personalization link.
   b. Click on Show Hidden Files or Folders.
   c. Go to step 5.

5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

6. Remove the checkmark from the checkbox labeled: Hide extensions for known file types.

7. Remove the checkmark from the checkbox labeled: Hide protected operating system files.

8. Press the Apply button and then the OK button.

Now Windows Vista is configured to show all hidden files.

Now navigate to:
C:\Users\Helen\AppData\Roaming
In the folder look for and delete:
sdra64.exe

After the above, reboot normally and try a scan with Malwarebytes.

glors006
2010-02-27, 17:03
Hello, Malwarebytes ran clean! It's a miracle! Thank you.

However, I still get the Windows Defender Warning that Trojan:Win32/Vundo.gen!G has been detected and the pop-up keeps coming up...

What does it mean? Should I remove it? Is Windows Defender also a virus?

Also, I'm still getting pop-up ads :(

shelf life
2010-02-28, 01:53
OK, thanks for the info. We will get another download to use. It's called ComboFix. There is a guide you need to read first. Read through the guide, download ComboFix to your desktop, and disable your antivirus as explained in the guide. Double-click the ComboFix icon on your desktop and follow the prompts. Post the log in your reply.

Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

glors006
2010-03-02, 04:48
ComboFix 10-03-01.01 - Mary 03/01/2010 22:41:04.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3060.1953 [GMT -5:00]
Running from: c:\users\Mary\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2773397201-2855733099-4214572315-500
c:\$recycle.bin\S-1-5-21-3814918314-2133906571-1246418362-1001
c:\$recycle.bin\S-1-5-21-3814918314-2133906571-1246418362-500
c:\windows\Tasks\avvbxpxk.job

.
((((((((((((((((((((((((( Files Created from 2010-02-02 to 2010-03-02 )))))))))))))))))))))))))))))))
.

2010-03-02 03:44 . 2010-03-02 03:44 -------- d-----w- c:\users\Mary\AppData\Local\temp
2010-02-27 05:24 . 2010-02-27 05:24 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-02-24 00:38 . 2010-01-23 09:26 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-24 00:37 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-24 00:37 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc.dll
2010-02-24 00:37 . 2010-01-25 08:21 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-24 00:37 . 2010-01-25 08:21 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-24 00:37 . 2010-01-25 08:21 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-24 00:37 . 2010-01-25 08:21 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-24 00:37 . 2010-01-25 12:00 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-24 00:37 . 2010-01-25 12:00 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-24 00:37 . 2010-01-25 11:58 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-02-24 00:37 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-02-24 00:37 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-02-24 00:37 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-02-20 17:53 . 2010-02-20 17:53 388096 ----a-r- c:\users\Mary\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-20 17:53 . 2010-02-20 17:53 -------- d-----w- c:\program files\TrendMicro
2010-02-20 06:03 . 2010-02-25 00:08 -------- d-----w- c:\programdata\winusime
2010-02-20 06:03 . 2010-02-23 00:08 -------- d-----w- c:\programdata\yelosuso
2010-02-20 06:03 . 2010-02-20 06:03 -------- d-----w- c:\programdata\tugokubu
2010-02-20 06:03 . 2010-02-20 06:03 -------- d-----w- c:\programdata\nayazezi
2010-02-19 15:13 . 2010-02-19 15:13 -------- d-----w- c:\programdata\nuyimuto
2010-02-19 15:13 . 2010-02-23 00:07 -------- d-----w- c:\programdata\diheweru
2010-02-19 15:13 . 2010-02-20 16:21 -------- d-----w- c:\programdata\wuganabu
2010-02-19 15:13 . 2010-02-19 15:13 -------- d-----w- c:\programdata\pahibiyi
2010-02-19 15:13 . 2010-02-19 15:13 -------- d-----w- c:\programdata\kayufegi
2010-02-19 15:12 . 2010-02-20 16:21 -------- d-----w- c:\programdata\rosotuse
2010-02-19 15:12 . 2010-02-20 16:21 -------- d-----w- c:\programdata\ranatepo
2010-02-19 15:12 . 2010-02-20 16:21 -------- d-----w- c:\programdata\mahalemo
2010-02-19 15:12 . 2010-02-27 05:41 -------- d-sh--w- c:\users\Helen\AppData\Roaming\lowsec
2010-02-19 03:02 . 2010-02-19 03:02 -------- d-----w- c:\users\Helen\AppData\Roaming\Malwarebytes
2010-02-19 02:24 . 2010-02-19 02:24 -------- d-----w- c:\users\Mary\AppData\Roaming\Malwarebytes
2010-02-19 02:24 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-19 02:24 . 2010-02-19 02:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-19 02:24 . 2010-02-19 02:24 -------- d-----w- c:\programdata\Malwarebytes
2010-02-19 02:24 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-18 18:22 . 2010-02-18 18:22 680 ----a-w- c:\users\Helen\AppData\Local\d3d9caps.dat
2010-02-18 18:22 . 2010-02-18 18:22 552 ----a-w- c:\users\Helen\AppData\Local\d3d8caps.dat
2010-02-18 18:15 . 2010-02-19 03:01 -------- d-----w- c:\users\Helen\AppData\Local\cubtsd
2010-02-18 17:38 . 2010-02-19 03:01 -------- d-----w- c:\programdata\pubinibu
2010-02-18 17:38 . 2010-02-19 03:01 -------- d-----w- c:\programdata\duzurosa
2010-02-18 16:38 . 2010-02-19 03:01 -------- d-----w- c:\programdata\hahohetu
2010-02-18 16:38 . 2010-02-19 03:01 -------- d-----w- c:\programdata\wanajiru
2010-02-18 16:38 . 2010-02-19 03:01 -------- d-----w- c:\programdata\sufokiyu
2010-02-18 12:06 . 2010-02-18 18:22 -------- d-----w- c:\users\Helen\AppData\Roaming\Paladin Antivirus
2010-02-18 12:04 . 2010-02-19 03:01 -------- d-----w- c:\programdata\yodedafi
2010-02-18 12:04 . 2010-02-19 03:01 -------- d-----w- c:\programdata\jepewosi
2010-02-18 12:04 . 2010-02-18 18:20 -------- d-----w- c:\programdata\kuwovogi
2010-02-02 13:19 . 2010-02-02 13:19 -------- d-----w- c:\program files\Windows Portable Devices
2010-02-02 05:33 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-02-02 05:33 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-02-02 05:33 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-02-02 04:03 . 2010-02-02 04:05 -------- d-----w- c:\windows\system32\ca-ES
2010-02-02 04:03 . 2010-02-02 04:04 -------- d-----w- c:\windows\system32\eu-ES
2010-02-02 04:03 . 2010-02-02 04:04 -------- d-----w- c:\windows\system32\vi-VN
2010-02-02 03:49 . 2010-02-02 03:49 -------- d-----w- c:\windows\system32\EventProviders
2010-02-02 02:47 . 2010-02-02 02:47 -------- d-----w- c:\users\Mary\AppData\Roaming\Epson

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-27 15:33 . 2009-02-26 00:49 49168 ----a-w- c:\users\Mary\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 23:42 . 2009-02-26 01:43 49168 ----a-w- c:\users\Helen\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 14:16 . 2009-10-03 08:03 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-10 08:17 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-02 13:19 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-02-02 13:11 . 2010-02-02 13:11 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2010-02-02 13:11 . 2010-02-02 13:11 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-02-02 04:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-02-02 04:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-02-02 04:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-02-02 04:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-02-02 04:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-02-02 04:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-01-06 15:38 . 2010-02-24 00:37 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-01-06 15:38 . 2010-02-24 00:37 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-01-06 15:38 . 2010-02-24 00:37 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-01-06 15:38 . 2010-02-24 00:37 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
2010-01-02 06:38 . 2010-01-22 10:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-22 10:53 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-22 10:53 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-22 10:53 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-11 11:43 . 2010-02-10 07:56 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-11 11:43 . 2010-02-10 07:56 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2009-12-08 20:01 . 2010-02-10 07:56 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-12-08 20:01 . 2010-02-10 07:56 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 20:01 . 2010-02-10 07:56 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 17:26 . 2010-02-10 07:56 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-12-04 18:30 . 2010-02-10 07:56 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-04 18:29 . 2010-02-10 07:56 1314816 ----a-w- c:\windows\system32\quartz.dll
2009-12-04 18:28 . 2010-02-10 07:56 22528 ----a-w- c:\windows\system32\msyuv.dll
2009-12-04 18:28 . 2010-02-10 07:56 31744 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-04 18:28 . 2010-02-10 07:56 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-12-04 18:28 . 2010-02-10 07:56 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-04 18:28 . 2010-02-10 07:56 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-04 18:28 . 2010-02-10 07:56 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-04 18:27 . 2010-02-10 07:56 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-12-04 15:56 . 2010-02-10 07:56 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-12-04 15:56 . 2010-02-10 07:56 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-02-19 12:27 . 2009-02-19 12:23 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2009-01-20 1451248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-17 4907008]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-10-04 206064]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-12 2043160]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2009-2-26 692224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):70,99,ea,c0,bd,a3,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3814918314-2133906571-1246418362-1000]
"EnableNotificationsRef"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3814918314-2133906571-1246418362-1001]
"EnableNotificationsRef"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3814918314-2133906571-1246418362-1002]
"EnableNotificationsRef"=dword:00000001

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [5/12/2009 8:09 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [5/12/2009 8:09 PM 108552]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\System32\AERTSrv.exe [12/5/2007 6:17 AM 77824]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [5/12/2009 8:08 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/12/2009 8:08 PM 297752]
R3 netr73;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\System32\drivers\netr73.sys [5/24/2009 6:36 AM 501248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-03-02 c:\windows\Tasks\User_Feed_Synchronization-{49F25EE6-527E-4ADD-AD54-66A49F7A3E35}.job
- c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2010-03-01 22:45:51
ComboFix-quarantined-files.txt 2010-03-02 03:45

Pre-Run: 228,775,219,200 bytes free
Post-Run: 227,982,024,704 bytes free

- - End Of File - - 39C2B813B391B9417E4B8784A34A2A93

====

Thank you for your help thus far!!

shelf life
2010-03-03, 00:35
OK, thanks for the info.

Quote: "Should I remove it? Is windows defender also a virus?"

There are many 'fake' antivirus scanners out there. Some can have similar names and look like legit software. There is also a Microsoft product that's installed by default in Vista called Windows Defender. One way to tell the difference is that the fake AV will not remove anything and in fact prompts you to register it, which costs money. You will also be bombarded with reminders, scans and popups.
I have some info on my website about scareware here (http://virusvault.us/ScareWare.html). It's short with lots of pictures.

Windows Defender (http://windows.microsoft.com/en-US/windows-vista/Using-Windows-Defender)

We will use ComboFix to remove some folders. Before using it, disable your AV etc. as explained in the guide.

Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into Notepad:

File::
c:\programdata\winusime
c:\programdata\yelosuso
c:\programdata\tugokubu
c:\programdata\nayazezi
c:\programdata\nuyimuto
c:\programdata\diheweru
c:\programdata\wuganabu
c:\programdata\pahibiyi
c:\programdata\kayufegi
c:\programdata\rosotuse
c:\programdata\ranatepo
c:\programdata\mahalemo
c:\programdata\pubinibu
c:\programdata\duzurosa
c:\programdata\hahohetu
c:\programdata\wanajiru
c:\programdata\sufokiyu
c:\programdata\yodedafi
c:\programdata\jepewosi
c:\programdata\kuwovogi
c:\users\Helen\AppData\Roaming\lowsec

Name the Notepad file CFScript.txt and save it to your desktop.
Now locate the file you just saved and the ComboFix icon, both on your desktop.
Using your mouse, drag the CFScript right on top of the ComboFix icon and release; ComboFix will run and produce a new log.
Please post the new ComboFix log.

You can also check malwarebytes for updates and do a scan with it and post its log.
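The post above picks 21 entries out of the ComboFix "Files Created" report by eye. As an added example (not the helper's code or a ComboFix feature), here is a small Python triage that applies the same two observations from that log to the lines themselves: directory names in c:\programdata that are 8 lowercase letters in a strict consonant/vowel alternation (winusime, yelosuso, ...), and hidden+system directories inside a user's AppData (lowsec). It assumes the ComboFix line layout shown in the log above and renders its hits in the File:: form of the CFScript; the sample lines are copied from that log.

```python
import re
from dataclasses import dataclass

# Constructed sample: eight lines copied from the ComboFix report posted above.
SAMPLE_LOG = """\
2010-02-20 17:53 . 2010-02-20 17:53 -------- d-----w- c:\\program files\\TrendMicro
2010-02-20 06:03 . 2010-02-25 00:08 -------- d-----w- c:\\programdata\\winusime
2010-02-20 06:03 . 2010-02-23 00:08 -------- d-----w- c:\\programdata\\yelosuso
2010-02-19 15:12 . 2010-02-27 05:41 -------- d-sh--w- c:\\users\\Helen\\AppData\\Roaming\\lowsec
2010-02-19 03:02 . 2010-02-19 03:02 -------- d-----w- c:\\users\\Helen\\AppData\\Roaming\\Malwarebytes
2010-02-19 02:24 . 2010-01-07 21:07 38224 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
2010-02-18 18:15 . 2010-02-19 03:01 -------- d-----w- c:\\users\\Helen\\AppData\\Local\\cubtsd
2010-02-18 12:06 . 2010-02-18 18:22 -------- d-----w- c:\\users\\Helen\\AppData\\Roaming\\Paladin Antivirus
"""

# Assumed layout (from the log above): created . modified size attrs path
# attrs is an 8-character flag string such as d-sh--w- (d = directory, s = system, h = hidden).
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\S+) (\S{8}) (.+)$"
)


@dataclass
class Entry:
    created: str
    modified: str
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden_system(self) -> bool:
        return "s" in self.attrs and "h" in self.attrs

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def parent(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()


def parse_log(text: str) -> list[Entry]:
    """Parse ComboFix file-listing lines; banner and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            created, modified, _size, attrs, path = m.groups()
            entries.append(Entry(created, modified, attrs, path))
    return entries


VOWELS = set("aeiou")


def looks_generated(name: str) -> bool:
    """8 lowercase letters alternating consonant/vowel, the pattern of every name in the CFScript above."""
    if len(name) != 8 or not name.isalpha() or not name.islower():
        return False
    # even positions must be consonants, odd positions vowels (y counts as a consonant)
    return all((c in VOWELS) == (i % 2 == 1) for i, c in enumerate(name))


def triage(entries: list[Entry]) -> list[tuple[str, str]]:
    """Return (path, reason) for directories that match either heuristic."""
    flagged = []
    for e in entries:
        if not e.is_dir:
            continue
        if e.parent == "c:\\programdata" and looks_generated(e.name):
            flagged.append((e.path, "generated-looking name in c:\\programdata"))
        elif e.hidden_system and "\\appdata\\" in e.path.lower():
            flagged.append((e.path, "hidden+system directory in a user profile"))
    return flagged


def build_cfscript(flagged: list[tuple[str, str]]) -> str:
    """Render flagged paths in the File:: form used by the CFScript above."""
    return "File::\n" + "".join(path + "\n" for path, _ in flagged)


if __name__ == "__main__":
    hits = triage(parse_log(SAMPLE_LOG))
    for path, reason in hits:
        print(f"{path:60} {reason}")
    print(build_cfscript(hits))
```

Entries such as Malwarebytes, cubtsd and "Paladin Antivirus" are left alone because they fail both heuristics; a hit is a prompt to look closer, not proof of infection.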

glors006
2010-03-03, 06:03
After reading your post about how to discern Windows Defender from the fake, when Windows Defender popped up again, I clicked repair (the trojan) and it did something, then told me I had to restart my comp... so I'm guessing it was legit?

I ran the ComboFix... log below.

Thank you!

ComboFix 10-03-01.01 - Mary 03/02/2010 23:54:28.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3060.2010 [GMT -5:00]
Running from: c:\users\Mary\Desktop\ComboFix.exe
Command switches used :: c:\users\Mary\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\programdata\diheweru"
"c:\programdata\duzurosa"
"c:\programdata\hahohetu"
"c:\programdata\jepewosi"
"c:\programdata\kayufegi"
"c:\programdata\kuwovogi"
"c:\programdata\mahalemo"
"c:\programdata\nayazezi"
"c:\programdata\nuyimuto"
"c:\programdata\pahibiyi"
"c:\programdata\pubinibu"
"c:\programdata\ranatepo"
"c:\programdata\rosotuse"
"c:\programdata\sufokiyu"
"c:\programdata\tugokubu"
"c:\programdata\wanajiru"
"c:\programdata\winusime"
"c:\programdata\wuganabu"
"c:\programdata\yelosuso"
"c:\programdata\yodedafi"
"c:\users\Helen\AppData\Roaming\lowsec"
.

((((((((((((((((((((((((( Files Created from 2010-02-03 to 2010-03-03 )))))))))))))))))))))))))))))))
.

2010-03-03 04:57 . 2010-03-03 04:57 -------- d-----w- c:\users\Mary\AppData\Local\temp
2010-03-03 04:57 . 2010-03-03 04:57 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-03-03 04:57 . 2010-03-03 04:57 -------- d-----w- c:\users\Helen\AppData\Local\temp
2010-03-03 04:57 . 2010-03-03 04:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-27 05:24 . 2010-02-27 05:24 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-02-24 00:38 . 2010-01-23 09:26 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-24 00:37 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-24 00:37 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc.dll
2010-02-24 00:37 . 2010-01-25 08:21 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-24 00:37 . 2010-01-25 08:21 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-24 00:37 . 2010-01-25 08:21 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-24 00:37 . 2010-01-25 08:21 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-24 00:37 . 2010-01-25 12:00 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-24 00:37 . 2010-01-25 12:00 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-24 00:37 . 2010-01-25 11:58 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-02-24 00:37 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-02-24 00:37 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-02-24 00:37 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-02-20 17:53 . 2010-02-20 17:53 388096 ----a-r- c:\users\Mary\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-20 17:53 . 2010-02-20 17:53 -------- d-----w- c:\program files\TrendMicro
2010-02-20 06:03 . 2010-02-25 00:08 -------- d-----w- c:\programdata\winusime
2010-02-20 06:03 . 2010-02-23 00:08 -------- d-----w- c:\programdata\yelosuso
2010-02-20 06:03 . 2010-02-20 06:03 -------- d-----w- c:\programdata\tugokubu
2010-02-20 06:03 . 2010-02-20 06:03 -------- d-----w- c:\programdata\nayazezi
2010-02-19 15:13 . 2010-02-19 15:13 -------- d-----w- c:\programdata\nuyimuto
2010-02-19 15:13 . 2010-03-03 04:49 -------- d-----w- c:\programdata\pahibiyi
2010-02-19 15:13 . 2010-02-23 00:07 -------- d-----w- c:\programdata\diheweru
2010-02-19 15:13 . 2010-02-20 16:21 -------- d-----w- c:\programdata\wuganabu
2010-02-19 15:13 . 2010-02-19 15:13 -------- d-----w- c:\programdata\kayufegi
2010-02-19 15:12 . 2010-02-20 16:21 -------- d-----w- c:\programdata\rosotuse
2010-02-19 15:12 . 2010-02-20 16:21 -------- d-----w- c:\programdata\ranatepo
2010-02-19 15:12 . 2010-02-20 16:21 -------- d-----w- c:\programdata\mahalemo
2010-02-19 15:12 . 2010-02-27 05:41 -------- d-sh--w- c:\users\Helen\AppData\Roaming\lowsec
2010-02-19 03:02 . 2010-02-19 03:02 -------- d-----w- c:\users\Helen\AppData\Roaming\Malwarebytes
2010-02-19 02:24 . 2010-02-19 02:24 -------- d-----w- c:\users\Mary\AppData\Roaming\Malwarebytes
2010-02-19 02:24 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-19 02:24 . 2010-02-19 02:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-19 02:24 . 2010-02-19 02:24 -------- d-----w- c:\programdata\Malwarebytes
2010-02-19 02:24 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-18 18:22 . 2010-02-18 18:22 680 ----a-w- c:\users\Helen\AppData\Local\d3d9caps.dat
2010-02-18 18:22 . 2010-02-18 18:22 552 ----a-w- c:\users\Helen\AppData\Local\d3d8caps.dat
2010-02-18 18:15 . 2010-02-19 03:01 -------- d-----w- c:\users\Helen\AppData\Local\cubtsd
2010-02-18 17:38 . 2010-02-19 03:01 -------- d-----w- c:\programdata\pubinibu
2010-02-18 17:38 . 2010-02-19 03:01 -------- d-----w- c:\programdata\duzurosa
2010-02-18 16:38 . 2010-02-19 03:01 -------- d-----w- c:\programdata\hahohetu
2010-02-18 16:38 . 2010-02-19 03:01 -------- d-----w- c:\programdata\wanajiru
2010-02-18 16:38 . 2010-02-19 03:01 -------- d-----w- c:\programdata\sufokiyu
2010-02-18 12:06 . 2010-02-18 18:22 -------- d-----w- c:\users\Helen\AppData\Roaming\Paladin Antivirus
2010-02-18 12:04 . 2010-02-19 03:01 -------- d-----w- c:\programdata\yodedafi
2010-02-18 12:04 . 2010-02-19 03:01 -------- d-----w- c:\programdata\jepewosi
2010-02-18 12:04 . 2010-02-18 18:20 -------- d-----w- c:\programdata\kuwovogi
2010-02-02 13:19 . 2010-02-02 13:19 -------- d-----w- c:\program files\Windows Portable Devices
2010-02-02 05:33 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-02-02 05:33 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-02-02 05:33 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-02-02 04:03 . 2010-02-02 04:05 -------- d-----w- c:\windows\system32\ca-ES
2010-02-02 04:03 . 2010-02-02 04:04 -------- d-----w- c:\windows\system32\eu-ES
2010-02-02 04:03 . 2010-02-02 04:04 -------- d-----w- c:\windows\system32\vi-VN
2010-02-02 03:49 . 2010-02-02 03:49 -------- d-----w- c:\windows\system32\EventProviders
2010-02-02 02:47 . 2010-02-02 02:47 -------- d-----w- c:\users\Mary\AppData\Roaming\Epson

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-27 15:33 . 2009-02-26 00:49 49168 ----a-w- c:\users\Mary\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 23:42 . 2009-02-26 01:43 49168 ----a-w- c:\users\Helen\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 14:16 . 2009-10-03 08:03 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-10 08:17 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-02 13:19 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-02-02 13:11 . 2010-02-02 13:11 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2010-02-02 13:11 . 2010-02-02 13:11 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-02-02 04:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-02-02 04:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-02-02 04:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-02-02 04:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-02-02 04:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-02-02 04:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-01-06 15:38 . 2010-02-24 00:37 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-01-06 15:38 . 2010-02-24 00:37 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-01-06 15:38 . 2010-02-24 00:37 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-01-06 15:38 . 2010-02-24 00:37 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
2010-01-02 06:38 . 2010-01-22 10:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-22 10:53 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-22 10:53 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-22 10:53 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-11 11:43 . 2010-02-10 07:56 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-11 11:43 . 2010-02-10 07:56 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2009-12-08 20:01 . 2010-02-10 07:56 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-12-08 20:01 . 2010-02-10 07:56 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 20:01 . 2010-02-10 07:56 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 17:26 . 2010-02-10 07:56 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-12-04 18:30 . 2010-02-10 07:56 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-04 18:29 . 2010-02-10 07:56 1314816 ----a-w- c:\windows\system32\quartz.dll
2009-12-04 18:28 . 2010-02-10 07:56 22528 ----a-w- c:\windows\system32\msyuv.dll
2009-12-04 18:28 . 2010-02-10 07:56 31744 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-04 18:28 . 2010-02-10 07:56 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-12-04 18:28 . 2010-02-10 07:56 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-04 18:28 . 2010-02-10 07:56 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-04 18:28 . 2010-02-10 07:56 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-04 18:27 . 2010-02-10 07:56 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-12-04 15:56 . 2010-02-10 07:56 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-12-04 15:56 . 2010-02-10 07:56 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-02-19 12:27 . 2009-02-19 12:23 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2010-03-02_03.44.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-26 20:02 . 2010-03-03 04:16 8928 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3814918314-2133906571-1246418362-1002_UserData.bin
+ 2010-03-03 04:49 . 2010-03-03 04:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-03-02 03:31 . 2010-03-02 03:31 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-03-03 04:49 . 2010-03-03 04:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2010-03-02 03:31 . 2010-03-02 03:31 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2009-01-20 1451248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-17 4907008]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-10-04 206064]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-12 2043160]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2009-2-26 692224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):70,99,ea,c0,bd,a3,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3814918314-2133906571-1246418362-1000]
"EnableNotificationsRef"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3814918314-2133906571-1246418362-1001]
"EnableNotificationsRef"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3814918314-2133906571-1246418362-1002]
"EnableNotificationsRef"=dword:00000001

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [5/12/2009 8:09 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [5/12/2009 8:09 PM 108552]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\System32\AERTSrv.exe [12/5/2007 6:17 AM 77824]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [5/12/2009 8:08 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/12/2009 8:08 PM 297752]
R3 netr73;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\System32\drivers\netr73.sys [5/24/2009 6:36 AM 501248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-03-03 c:\windows\Tasks\User_Feed_Synchronization-{49F25EE6-527E-4ADD-AD54-66A49F7A3E35}.job
- c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-02 23:57
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-03-02 23:59:02
ComboFix-quarantined-files.txt 2010-03-03 04:59
ComboFix2.txt 2010-03-02 03:45

Pre-Run: 227,463,483,392 bytes free
Post-Run: 227,474,837,504 bytes free

- - End Of File - - 5ACEE55449341E2A9231ADDCAAA57261

shelf life
2010-03-04, 00:10
OK, thanks for the info. That script doesn't look like it worked. You can delete those files manually.
Right click on Start and select Explore. On the left hand side find:
Local Disk (C) and below that you should find a folder called: ProgramData
Clicking on the folder on the left hand side will show what's inside in the right hand pane.
All of these below should be folders showing on the right side, named:
winusime
yelosuso
tugokubu
etc. etc.

You can delete the folders. Right click > Delete

c:\programdata\winusime
c:\programdata\yelosuso
c:\programdata\tugokubu
c:\programdata\nayazezi
c:\programdata\nuyimuto
c:\programdata\diheweru
c:\programdata\wuganabu
c:\programdata\pahibiyi
c:\programdata\kayufegi
c:\programdata\rosotuse
c:\programdata\ranatepo
c:\programdata\mahalemo
c:\programdata\pubinibu
c:\programdata\duzurosa
c:\programdata\hahohetu
c:\programdata\wanajiru
c:\programdata\sufokiyu
c:\programdata\yodedafi
c:\programdata\jepewosi
c:\programdata\kuwovogi

This one is in a different location: delete the lowsec folder in the Roaming folder.

c:\users\Helen\AppData\Roaming\lowsec

If you don't see the ProgramData folder, do this, then look again:

Open Folder Options by clicking the Start button, clicking Control Panel, clicking Appearance and Personalization, and then clicking Folder Options.
Click the View tab.
Under Advanced settings, click Show hidden files and folders, and then click OK.

Attached is a screenshot of the legit Windows Defender in the system tray and after opening it.
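
The folder list above comes from the ComboFix "Files Created" section. As an added example that is not part of this thread and not a feature of ComboFix or Malwarebytes, the following Python script parses lines in that layout and flags directories whose names fit the pattern seen in this log (eight lowercase letters alternating consonant and vowel) or that are marked system+hidden inside a user profile, then counts the hits per creation minute so a batch dropped at one moment stands out. The sample lines are a constructed subset of the log above with legitimate entries mixed in; the consonant/vowel rule and the attribute-field positions are assumptions drawn from this log, not documented ComboFix semantics.

```python
import re
from collections import Counter

# ComboFix "Files Created" line layout (as seen in the log above):
#   <created> . <modified> <size or dashes> <8-char attrs> <path>
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-+|\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

VOWELS = set("aeiou")

# Constructed sample: a subset of the ComboFix lines above, legit entries included.
SAMPLE_LOG = r"""
2010-02-20 17:53 . 2010-02-20 17:53 -------- d-----w- c:\program files\TrendMicro
2010-02-20 06:03 . 2010-02-25 00:08 -------- d-----w- c:\programdata\winusime
2010-02-20 06:03 . 2010-02-23 00:08 -------- d-----w- c:\programdata\yelosuso
2010-02-20 06:03 . 2010-02-20 06:03 -------- d-----w- c:\programdata\tugokubu
2010-02-19 15:13 . 2010-02-19 15:13 -------- d-----w- c:\programdata\nuyimuto
2010-02-19 15:12 . 2010-02-27 05:41 -------- d-sh--w- c:\users\Helen\AppData\Roaming\lowsec
2010-02-19 02:24 . 2010-02-19 02:24 -------- d-----w- c:\programdata\Malwarebytes
2010-02-18 12:06 . 2010-02-18 18:22 -------- d-----w- c:\users\Helen\AppData\Roaming\Paladin Antivirus
2010-02-02 05:33 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\oleacc.dll
"""


def looks_generated(name: str) -> bool:
    """Heuristic (assumption): 8 lowercase letters alternating consonant/vowel,
    the shape of every suspicious programdata folder in this log."""
    if len(name) != 8 or not name.isalpha() or not name.islower():
        return False
    return all((ch in VOWELS) == (i % 2 == 1) for i, ch in enumerate(name))


def parse_lines(text):
    """Yield one dict per line that matches the ComboFix layout; skip the rest."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groupdict()


def triage(text):
    """Return findings as dicts with path, creation timestamp and reason."""
    findings = []
    for entry in parse_lines(text):
        attrs, path = entry["attrs"], entry["path"]
        is_dir = attrs[0] == "d"
        # In this log's attribute field, position 2 is 's' (system), 3 is 'h' (hidden).
        sys_hidden = attrs[2] == "s" and attrs[3] == "h"
        name = path.rsplit("\\", 1)[-1]
        reason = None
        if is_dir and looks_generated(name):
            reason = "8-letter consonant/vowel folder name, typical of dropper-created folders"
        elif is_dir and sys_hidden and "\\users\\" in path.lower():
            reason = "system+hidden directory inside a user profile"
        if reason:
            findings.append({"path": path, "created": entry["created"], "reason": reason})
    return findings


def cluster_by_minute(findings):
    """Count flagged entries per creation minute; several at once suggests one dropper run."""
    return dict(Counter(f["created"] for f in findings))


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"{h['created']}  {h['path']}\n    -> {h['reason']}")
    print("created per minute:", cluster_by_minute(hits))
```

Run against the sample, it flags the four generated-looking programdata folders and the system+hidden lowsec directory, and the per-minute count shows three of them created in the same minute. Names like "Paladin Antivirus" or "Malwarebytes" are not flagged by the name rule, which is deliberate: it targets only the pseudo-random naming pattern, not product names.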

glors006
2010-03-04, 04:54
Sigh. Thanks for the screenshot. That was definitely not what my windows defender looked like.

I deleted all the program data files per your instructions. However, I could not find the lowsec file even though I 'showed all hidden files.'

Also, I noticed in the User -> Helen -> AppData -> Roaming folder there is a Paladin Antivirus folder. I did a quick Google search and it says it's spyware. Should I just delete the file?

Should we try Combofix again?

Please let me know your thoughts... :sad:

shelf life
2010-03-05, 00:04
No need to run ComboFix again. Those folders you deleted were just folders; there wasn't anything in them like malware files. Yes, I missed the Paladin folder, you can delete it. Don't worry about the lowsec folder.
Like I said, there are many, many fake antivirus scanners that are really malware. The key is they will find all kinds of trojans/viruses etc. on your computer in hopes that you activate/register and purchase the worthless software. The whole idea is to make money; the software is totally useless.
You can do an online scan here:

ESET online scanner:

http://www.eset.com/onlinescan/

Uses Internet Explorer only.
Check "YES" to accept the terms.
Click the Start button.
Allow the ActiveX component to install.
Click the Start button. The scanner will update.
Check both "Remove found threats" and "Scan unwanted applications".
Click Scan.
When done you can find the scan log at: C:\Program Files\EsetOnlineScanner\log.txt
Please copy/paste that log in your next reply.

glors006
2010-03-05, 06:38
It says there was an unexpected error 2002. :(

Also, there are 2 main users on this computer. The virus occurred while using Helen (User) but the main admin is Mary. I am running all the cleaning you are recommending under the Mary user.... or should I be using the Helen user?

When I go to Helen User, there are definitely more pop-up ads....

:eek::clown:

shelf life
2010-03-06, 02:14
OK, so you're still getting pop-ups? You can log in as the 'other' user and run Malwarebytes after checking for updates first.
We will also get another download to use.
Go to the website below and read/follow items number 6 and 8. Post the GMER log in your reply.

http://www.bleepingcomputer.com/forums/topic34773.html

glors006
2010-03-07, 06:31
I'm sorry I'm such a pain!

The Defogger couldn't complete the function. There was an error. :confused:
----

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 00:29 on 07/03/2010 (Helen)

Checking for autostart values...
HKCU\~\Run values retrieved.
Unable to open HKLM\~\Run key (5)
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-

glors006
2010-03-07, 06:36
Also, Vista Guardian pop-ups come up as well...

glors006
2010-03-07, 07:09
I searched online to remove Vista Guardian on my own and I think I did more harm than good.

http://www.2-spyware.com/remove-vista-guardian-2010.html
This site told me to create this file (below) and I downloaded spydoctor but realized it's one of those programs that make you pay, so I uninstalled it.
But what is this exefix that I ran?

I'm so sorry!!
---
Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
[-HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[-HKEY_CLASSES_ROOT\secfile]
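
Since the post asks what the exefix file does, here is an added example in Python that is not from this thread, from the linked website, or from any of the tools discussed: a small parser for the "Windows Registry Editor Version 5.00" format that lists every key the file deletes and every value it sets, so a .reg file can be reviewed before it is imported. The sample input is the exefix file quoted above. The note it attaches to the .exe keys is background knowledge rather than anything the page states: a `HKCU\Software\Classes\.exe\shell\open\command` key, when present, overrides for that user the command used to start every .exe, which is why rogue-antivirus cleanup files delete it and reset the `.exe` class to `exefile`. Escaped quotes inside string data are not unescaped; that is a simplification of this parser, not of the format.

```python
import re

HEADER = "Windows Registry Editor Version 5.00"
KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')

# The exefix file from the post above, embedded as the sample input.
EXEFIX_REG = r"""Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
[-HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[-HKEY_CLASSES_ROOT\secfile]
"""


def parse_reg(text):
    """Parse a .reg file into the keys it deletes and the values it sets.
    Handles [-Key] deletions, @ (default) and "Name" values, "-" value
    deletions, string and dword data; other data types are kept raw."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != HEADER:
        raise ValueError("not a 'Windows Registry Editor Version 5.00' file")
    deleted_keys, values, current = [], [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        km = KEY_RE.match(line)
        if km:
            if km["delete"]:
                deleted_keys.append(km["key"])
                current = None  # values cannot follow a key-deletion line
            else:
                current = km["key"]
            continue
        vm = VALUE_RE.match(line)
        if not vm or current is None:
            continue
        name = "(Default)" if vm["name"] == "@" else vm["name"][1:-1]
        data = vm["data"]
        if data == "-":
            values.append((current, name, None, "delete"))
        elif data.startswith('"') and data.endswith('"'):
            values.append((current, name, data[1:-1], "REG_SZ"))
        elif data.startswith("dword:"):
            values.append((current, name, int(data[6:], 16), "REG_DWORD"))
        else:
            values.append((current, name, data, "raw"))
    return {"deleted_keys": deleted_keys, "values": values}


def review(parsed):
    """Human-readable list of every change the file would make. Keys that hold
    the per-user or machine-wide .exe launch command are tagged, since a
    rogue-AV .exe association hijack lives there (background, not from the page)."""
    lines = []
    for key in parsed["deleted_keys"]:
        tag = "  [.exe launch command key]" if r"\.exe\shell\open\command" in key.lower() else ""
        lines.append(f"DELETE KEY {key}{tag}")
    for key, name, data, kind in parsed["values"]:
        if kind == "delete":
            lines.append(f"DELETE VALUE {key} :: {name}")
        else:
            lines.append(f"SET {kind} {key} :: {name} = {data!r}")
    return lines


if __name__ == "__main__":
    for entry in review(parse_reg(EXEFIX_REG)):
        print(entry)
```

For the exefix file this yields four key deletions (two of them the .exe launch-command keys), the default value of `HKEY_CLASSES_ROOT\.exe` set back to `exefile`, and its `Content Type` set to `application/x-msdownload`; nothing in it adds a program or an autostart entry, which is the thing to confirm before importing any .reg file found online.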

shelf life
2010-03-07, 14:18
That reg file you ran was supposed to remove some registry items that are related to the malware, according to the website you got it from.
Let's try running Malwarebytes again after you check for updates. Try it in normal mode first.
If you can't run it in normal mode, try it in safe mode like before and post its log.
Also, did you try running GMER to produce a log? See step 8 here (http://www.bleepingcomputer.com/forums/topic34773.html)

glors006
2010-03-09, 06:27
After GMER scanned, it said there was some modification due to rootkit activity?

It is too long to post... can I send it as an attachment?

glors006
2010-03-09, 06:38
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-09 00:17:16
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Mary\AppData\Local\Temp\pxldypob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----

Library C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{0A823FCE-A66C-45AF-A468-B62ED9C87656}\mpengine.dll (*** hidden *** ) @ C:\Windows\System32\svchost.exe [928] 0x68AA0000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\Connections@ClassManagers {B4C8DF59-D16F-4042-80B7-3557A254B7C5}?{BA126AD3-2166-11D1-B1D0-00805FC1270E}?{BA126AD5-2166-11D1-B1D0-00805FC1270E}?{BA126ADD-2166-11D1-B1D0-00805FC1270E}?{BA126AE0-2166-11D1-B1D0-00805FC1270E}?
Reg HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg@Description Registry Server
Reg HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedExactPaths
Reg HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedExactPaths@Machine System\CurrentControlSet\Control\ProductOptions?System\CurrentControlSet\Control\Server Applications?Software\Microsoft\Windows NT\CurrentVersion?
Reg HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths
Reg HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths@Machine System\CurrentControlSet\Control\Print\Printers?System\CurrentControlSet\Services\Eventlog?Software\Microsoft\OLAP Server?Software\Microsoft\Windows NT\CurrentVersion\Print?Software\Microsoft\Windows NT\CurrentVersion\Windows?System\CurrentControlSet\Control\ContentIndex?System\CurrentControlSet\Control\Terminal Server?System\CurrentControlSet\Control\Terminal Server\UserConfig?System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration?Software\Microsoft\Windows NT\CurrentVersion\Perflib?System\CurrentControlSet\Services\SysmonLog?
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger@Status 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Audio
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Audio@GUID {15BC788A-6A38-4D79-8773-B53FDFB84D79}
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Audio@MaxFileSize 5
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Audio@LogFileMode 32770
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Audio@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Audio@ClockType 2
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Audio@FileName %SystemRoot%\System32\LogFiles\Audio\AudioSrv.Evm
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Audio@FileMax 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Audio@Status 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Audio\{E27950EB-1768-451F-96AC-CC4E14F6D3D0}
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Audio\{E27950EB-1768-451F-96AC-CC4E14F6D3D0}@Enabled 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Audio\{E27950EB-1768-451F-96AC-CC4E14F6D3D0}@MatchAnyKeyword 0xFF 0xFF 0xFF 0x7F ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Audio\{E27950EB-1768-451F-96AC-CC4E14F6D3D0}@EnableLevel 4
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Circular Kernel Context Logger
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Circular Kernel Context Logger@BufferSize 64
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Circular Kernel Context Logger@GUID {54dea73a-ed1f-42a4-af71-3e63d056f174}
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Circular Kernel Context Logger@LogFileMode 1152
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Circular Kernel Context Logger@MaximumBuffers 64
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Circular Kernel Context Logger@MinimumBuffers 64
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Circular Kernel Context Logger@Status 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Circular Kernel Context Logger@EnableKernelFlags 0x0F 0x23 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Circular Kernel Context Logger@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DiagLog
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DiagLog@BufferSize 16
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DiagLog@FlushTimer 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DiagLog@GUID {08b524eb-a2bf-47eb-aef1-dbd871741d7a}
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DiagLog@LogFileMode 384
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DiagLog@MaximumBuffers 22
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DiagLog@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DiagLog@Status 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application@BufferSize 64
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application@MinimumBuffers 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application@MaximumBuffers 64
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application@FlushTimer 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application@Age 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application@LogFileMode 16777600
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application@ClockType 2
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application@Guid {639eade2-9051-5ddc-d208-b51afd9e984b}
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application@OwningChannel Application
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application@Status

glors006
2010-03-09, 06:39
Sorry, there is no way I can copy and paste. That above section is like 1/100 of what's in the log...

please let me know... :bigthumb::eek:

shelf life
2010-03-09, 22:59
Rootkits wouldn't be detected by the standard anti-malware/AV. So based on the GMER log I would use the machine as little as possible. Yes, you can send the log as an attachment or email it to me (echoreply(at)hotmaildot(com),
either way. In any case it will involve another download for the rootkit activity. In fact I haven't seen the log, but you may as well download and run TDSSKiller.
Good advice for rootkit activity is to reformat/reinstall Windows. The rootkit was the cause of the redirects, but they can easily have other functions.

TDSSkiller:

Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) to your desktop and extract the files to your desktop. After extraction it should appear as a folder called tdsskiller on your desktop. Inside the folder is the tdsskiller.exe and the EULA. Drag/move the tdsskiller file from the folder on the desktop to the Local Disk (C).

Run as an administrator with UAC disabled.

Go to Start > Run and copy/paste what's below.
To get Run you might switch to the classic view. Right click on the task bar at the bottom: Properties > Start Menu tab > select Classic menu > click Apply, OK.
Copy/paste in Run, then click the OK button:

"c:\TDSSKiller.exe" -l tdsskiller.txt

A window will open; press any key to continue. If prompted, please reboot your computer. It will generate a tdsskiller txt file in your root C, Local Disk. Please post the txt file.


How to disable UAC in Vista:
Disable UAC (http://www.howtogeek.com/howto/windows-vista/disable-user-account-control-uac-the-easy-way-on-windows-vista/) in Vista

tashi
2010-03-26, 16:47
This thread has been closed due to inactivity.

As it has been four days or more since your last post, it will not be re-opened.

If you still require help, please start a new topic and include a new HijackThis log with a link to your previous thread.

Please do not add any logs that might have been requested previously, you would be starting fresh.

Applies only to the original poster, anyone else with similar problems please start your own topic.


Thank you shelf life.