AVG detected 3 instances of the Sheur3 Trojan on my PC. AVG managed to move one to the vault, but apparently could not access the others which were present in System Volume Information. I ran AdAware SE and Spybot S&D back to back and found nothing of concern. At some point I had downloaded Webroot as well and ran this just for kicks. I detected a keylogger called Inside Web Logger with a registry signature Hkey local machine-software-classes-interface. Only the scan utility is free with webroot and since I'd have to pay for the removal utility, I didn't use it. Neither AVG, Spybot, or AdAware found this and subsequent scans with all three come up clean for both the trojan adn the keylogger. I've also run IObit functions including spyware sweep and registry fix (which I gather is not a great idea from elsewhere on this forum).

My question is A)is my system now completely free of the Sheur3 trojan, and
B) do I have some keylogger present on my machine and if so, how do I get rid of it. Your help is much appreciated.

Here's the output from ERUNT as requested. Attach.txt is attached as well

DDS (Ver_10-03-17.01) - NTFSx86
Run by brandon stewart at 23:49:44.07 on Sun 09/05/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.315 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Webroot AntiVirus with Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PSIService.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\PROGRA~1\IObitBar\toolbar\1.bin\i0brmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Webroot\Security\Current\Framework\WRConsumerService.exe
C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe
C:\Program Files\Webroot\Security\current\plugins\antimalware\AEI.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\brandon stewart\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://results.myway.com/default.jhtml?kl=y&ptb=8E371A88-565F-48C0-8829-1597CAED8FD4
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uURLSearchHooks: N/A: {7757cbcc-0975-4b79-a519-90b142ca3a23} - c:\program files\iobitbar\toolbar\1.bin\i0SrcAs.dll
mURLSearchHooks: N/A: {7757cbcc-0975-4b79-a519-90b142ca3a23} - c:\program files\iobitbar\toolbar\1.bin\i0SrcAs.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Toolbar BHO: {efa17361-cdc0-4927-9afc-baad1f96b2ae} - c:\program files\iobitbar\toolbar\1.bin\i0bar.dll
TB: IObit Toolbar: {efa17369-cdc0-4927-9afc-baad1f96b2ae} - c:\program files\iobitbar\toolbar\1.bin\i0bar.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {182EC0BE-5110-49C8-A062-BEB1D02A220B} - No File
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [CTSysVol] "c:\program files\creative\sbaudigy2\surround mixer\CTSysVol.exe"
mRun: [CTDVDDet] "c:\program files\creative\sbaudigy2\dvdaudio\CTDVDDet.EXE"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Dell AIO Printer A940] "c:\program files\dell aio printer a940\dlbabmgr.exe"
mRun: [AVG9_TRAY] "c:\progra~1\avg\avg9\avgtray.exe"
mRun: [IObitBar Browser Plugin Loader] "c:\progra~1\iobitbar\toolbar\1.bin\i0brmon.exe"
mRun: [WebrootTrayApp] "c:\program files\webroot\security\current\framework\WRTray.exe"
StartupFolder: c:\docume~1\brando~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: &Search - http://edits.myway.com/menusearch.jhtml?s=100000379&p=YH&si=&a=8E371A88-565F-48C0-8829-1597CAED8FD4&n=2010071817
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Open with WordPerfect - c:\program files\wordperfect office x3\programs\WPLauncher.hta
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\brando~1\applic~1\mozilla\firefox\profiles\21epwizn.default\
FF - prefs.js: browser.search.selectedEngine - My Way
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://results.myway.com/GGmain.jhtml?id=YH&ptb=8E371A88-565F-48C0-8829-1597CAED8FD4&psa=&ind=2010071817&ptnrS=YH&si=&st=kwd&n=&searchfor=
FF - component: c:\documents and settings\brandon stewart\application data\mozilla\firefox\profiles\21epwizn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\iobitbar\toolbar\1.bin\NPi0Stub.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R0 AFAmgt;AFAmgt;c:\windows\system32\drivers\afamgt.sys [2004-4-21 92411]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-14 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-13 216400]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-9-1 29584]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-13 243024]
R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2004-2-8 118784]
R2 AsfAlrt;AsfAlrt;c:\windows\system32\drivers\Asfalrt.sys [2002-12-18 36064]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-16 308136]
R2 ssfmonm;Spy Sweeper File System Filter Driver;c:\windows\system32\drivers\ssfmonm.sys [2010-9-4 45072]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\security\current\plugins\antimalware\AEI.exe [2010-9-4 3867096]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\security\current\framework\WRConsumerService.exe [2010-8-26 3050048]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-7-25 133104]
S2 IObitBarService;IObit Toolbar Service;c:\progra~1\iobitbar\toolbar\1.bin\i0barsvc.exe [2010-7-14 28766]
S2 RAIDStorAgent;RAID Storage Manager Agent;c:\program files\dell\raid storage manager\StorServ.exe [2004-6-16 49152]
S3 MediaMall Server;MediaMall Server;c:\program files\mediamall\MediaMallServer.exe [2010-8-28 4202864]
S3 P1060BLK;Creative PC-CAM 350 (Still Image);c:\windows\system32\drivers\P1060Blk.sys [2010-6-23 27908]
S3 P1060VID;Creative PC-CAM 350 (Video);c:\windows\system32\drivers\P1060Vid.sys [2010-6-23 433760]
S3 tj2knd5;Terayon Cable Modem (NDIS);c:\windows\system32\drivers\tj2knd5.sys [2004-10-18 17616]
S3 tj2kunic;Terayon Cable Modem (WDM);c:\windows\system32\drivers\tj2kunic.sys [2004-10-18 69680]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]

=============== Created Last 30 ================


==================== Find3M ====================

2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
2010-07-17 02:40:12 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-17 02:40:07 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-17 02:39:54 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-03 03:29:39 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys
2010-06-23 12:06:51 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-06-23 12:06:51 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-06-21 15:27:11 354304 ------w- c:\windows\system32\dllcache\srv.sys
2010-06-18 13:36:12 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-06-17 15:12:57 634656 ------w- c:\windows\system32\dllcache\iexplore.exe
2010-06-17 15:11:25 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31:20 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-14 07:41:45 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2005-08-23 18:48:19 56 -csh--r- c:\windows\system32\F4AC35CB52.sys
2008-05-10 00:07:11 6686 -csha-w- c:\windows\system32\KGyGaAvL.sys
2008-06-03 23:39:09 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008060320080604\index.dat

============= FINISH: 23:50:52.42 ===============

:snwelcome:


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.


Log doesn't look bad, but lets check a bit deeper.

Myway Toolbar, not reading a whole lot good about this, I would recommend uninstalling it via Add Remove Programs in the Control Panel.


Norton AV Still have markers in your log for this, we need to remove this completely after we done.


Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.





Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please

Thanks for your help Ken545. This is of particular concern because I've had some recent fraudulent credit card charges which, due to the types of charges made, I believe were made by some scumbag who got my keystrokes from my machine before I noticed the infection. I really need to make sure my PC is clean.

I ran ATF. MB seems to have found some pretty bad sounding stuff and removed it successfully. Since neither Spybot, AVG, nor AdAware picked these up, do you recommend running MB on a regular basis in addition to these other programs? Here is the log from MB.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4602

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

9/12/2010 10:45:14 PM
mbam-log-2010-09-12 (22-45-14).txt

Scan type: Quick scan
Objects scanned: 172062
Time elapsed: 9 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\msacm32.drv (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\rasqervy.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\sdfinacs.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\sdfixwcs.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\wuasirvy.dll (Trojan.Banker) -> Quarantined and deleted successfully.

Forgot to mention, no trace of MyWay toolbar or associated programs in Add/Remove Programs.

Thanks again for your help.

Good Morning,

We will look into MyWay a bit later , not a matter of importance right now.

The files that Malwarebytes removed where nasty, especially this one, its a backdoor trojan that could have let attackers access to your computer, but its been removed.
C:\WINDOWS\wuasirvy.dll (Trojan.Banker) -> Quarantined and deleted successfully.

With the seriousness of what Malwarebytes found, lets run this other program to make sure we got it all.


Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Here is the combofix log.



ComboFix 10-09-13.02 - brandon stewart 09/13/2010 21:37:42.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.521 [GMT -7:00]
Running from: c:\documents and settings\brandon stewart\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\brandon stewart\g2mdlhlpx.exe
c:\windows\_000004_.tmp.dll
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\system32\_000000_.tmp.dll
c:\windows\system32\bszip.dll
c:\windows\system32\drivers\jpqnl.sys
c:\windows\system32\tmp.reg
F:\autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_dhfkd


((((((((((((((((((((((((( Files Created from 2010-08-14 to 2010-09-14 )))))))))))))))))))))))))))))))
.

2010-09-13 05:33 . 2010-09-13 05:33 -------- d-----w- c:\documents and settings\brandon stewart\Application Data\Malwarebytes
2010-09-13 05:33 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-13 05:33 . 2010-09-13 05:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-13 05:33 . 2010-09-13 05:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-13 05:33 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-13 05:28 . 2010-09-13 05:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2010-09-06 06:48 . 2010-09-06 06:48 -------- d-----w- c:\program files\ERUNT
2010-09-06 06:40 . 2010-09-06 06:40 -------- d-----w- c:\program files\trend micro
2010-09-06 06:40 . 2010-09-06 06:40 -------- d-----w- C:\rsit
2010-09-06 06:01 . 2010-08-30 21:33 43008 ----a-w- c:\documents and settings\brandon stewart\Application Data\Mozilla\Firefox\Profiles\21epwizn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-09-06 06:01 . 2010-08-30 21:33 338944 ----a-w- c:\documents and settings\brandon stewart\Application Data\Mozilla\Firefox\Profiles\21epwizn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-09-06 06:00 . 2010-09-06 06:00 346112 ----a-w- c:\documents and settings\brandon stewart\Application Data\Mozilla\Firefox\Profiles\21epwizn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-09-06 06:00 . 2010-09-06 06:00 1496064 ----a-w- c:\documents and settings\brandon stewart\Application Data\Mozilla\Firefox\Profiles\21epwizn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-09-05 05:59 . 2010-09-05 05:59 -------- d-----w- c:\documents and settings\brandon stewart\Local Settings\Application Data\PackageAware
2010-09-05 05:48 . 2010-09-05 05:48 -------- d-----w- c:\program files\Uniblue
2010-09-04 00:56 . 2010-09-04 00:56 -------- d-----w- c:\program files\Common Files\ffdshowEx
2010-09-03 03:24 . 2010-04-29 20:40 23920 ----a-w- c:\windows\system32\drivers\povrtdev.sys
2010-09-03 03:23 . 2010-09-04 00:55 -------- d-----w- c:\program files\MediaMall
2010-09-03 03:22 . 2010-09-04 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\MediaMall

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-14 04:49 . 2004-10-14 20:20 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000006-00000000-0000000D-00001102-00000004-10031102}.dat
2010-09-14 04:49 . 2004-10-14 20:20 288 ----a-w- c:\windows\system32\DVCState-{00000006-00000000-0000000D-00001102-00000004-10031102}.dat
2010-09-13 05:37 . 2010-02-14 17:08 0 ----a-w- c:\documents and settings\brandon stewart\Local Settings\Application Data\prvlcl.dat
2010-09-13 05:12 . 2008-06-02 15:18 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-13 05:12 . 2006-07-18 22:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-09-05 07:07 . 2004-10-14 20:13 -------- d-----w- c:\program files\Java
2010-09-05 07:07 . 2004-10-14 20:12 -------- d-----w- c:\program files\Common Files\Java
2010-09-05 06:57 . 2004-10-14 20:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-04 19:21 . 2010-05-16 04:11 -------- d-----w- c:\program files\BitTorrent
2010-09-04 19:21 . 2008-04-15 17:42 -------- d-----w- c:\documents and settings\All Users\Application Data\CommAssistant
2010-09-04 19:21 . 2007-11-11 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-09-04 19:21 . 2006-12-05 22:14 -------- d-----w- c:\documents and settings\brandon stewart\Application Data\webex
2010-09-04 19:21 . 2006-07-05 20:15 -------- d-----w- c:\program files\Easy Icon Maker
2010-09-04 19:21 . 2004-10-18 18:48 -------- d-----w- c:\program files\OfficeUpdate11
2010-09-04 19:21 . 2010-05-16 04:11 -------- d-----w- c:\documents and settings\brandon stewart\Application Data\BitTorrent
2010-09-04 19:21 . 2004-11-22 23:13 -------- d-----w- c:\program files\Timeslips Demo
2010-08-08 04:32 . 2010-08-08 04:32 503808 ----a-w- c:\documents and settings\brandon stewart\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-48399198-n\msvcp71.dll
2010-08-08 04:32 . 2010-08-08 04:32 61440 ----a-w- c:\documents and settings\brandon stewart\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3d0c13b4-n\decora-sse.dll
2010-08-08 04:32 . 2010-08-08 04:32 499712 ----a-w- c:\documents and settings\brandon stewart\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-48399198-n\jmc.dll
2010-08-08 04:32 . 2010-08-08 04:32 348160 ----a-w- c:\documents and settings\brandon stewart\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-48399198-n\msvcr71.dll
2010-08-08 04:32 . 2010-08-08 04:32 12800 ----a-w- c:\documents and settings\brandon stewart\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3d0c13b4-n\decora-d3d.dll
2010-07-22 02:30 . 2010-07-22 02:30 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-17 02:40 . 2009-05-13 20:06 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-17 02:40 . 2010-07-17 02:40 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-17 02:39 . 2009-05-13 20:06 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-05 00:06 . 2010-07-05 00:06 503808 ----a-w- c:\documents and settings\Alia\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-54d44d60-n\msvcp71.dll
2010-07-05 00:06 . 2010-07-05 00:06 499712 ----a-w- c:\documents and settings\Alia\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-54d44d60-n\jmc.dll
2010-07-05 00:06 . 2010-07-05 00:06 348160 ----a-w- c:\documents and settings\Alia\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-54d44d60-n\msvcr71.dll
2010-07-05 00:06 . 2010-07-05 00:06 61440 ----a-w- c:\documents and settings\Alia\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-48a85969-n\decora-sse.dll
2010-07-05 00:06 . 2010-07-05 00:06 12800 ----a-w- c:\documents and settings\Alia\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-48a85969-n\decora-d3d.dll
2010-07-05 00:05 . 2010-07-05 00:05 664 ----a-w- c:\documents and settings\Alia\Local Settings\Application Data\d3d9caps.dat
2010-07-03 03:29 . 2010-07-03 03:29 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-07-03 03:23 . 2010-07-03 03:23 1216 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2010-06-30 12:31 . 2004-08-04 10:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:15 . 2004-08-04 10:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:15 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:15 . 2004-08-04 10:00 17408 ------w- c:\windows\system32\corpol.dll
2010-06-23 13:44 . 2004-08-04 10:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-04 10:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-04 10:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2006-12-10 23:50 . 2006-12-05 22:14 38912 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2006-12-10 23:50 . 2006-12-05 22:14 96330 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2005-08-23 18:48 . 2005-08-23 18:48 56 -csh--r- c:\windows\SYSTEM32\F4AC35CB52.sys
2008-05-10 00:07 . 2005-08-23 18:15 6686 -csha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7757CBCC-0975-4b79-A519-90B142CA3A23}"= "c:\program files\IObitBar\toolbar\1.bin\i0SrcAs.dll" [2010-07-15 49152]

[HKEY_CLASSES_ROOT\clsid\{7757cbcc-0975-4b79-a519-90b142ca3a23}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EFA17361-CDC0-4927-9AFC-BAAD1F96B2AE}]
2010-07-15 01:42 638976 ----a-w- c:\program files\IObitBar\toolbar\1.bin\i0bar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EFA17369-CDC0-4927-9AFC-BAAD1F96B2AE}"= "c:\program files\IObitBar\toolbar\1.bin\i0bar.dll" [2010-07-15 638976]

[HKEY_CLASSES_ROOT\clsid\{efa17369-cdc0-4927-9afc-baad1f96b2ae}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-08-10 2349776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-15 339968]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-10-20 286720]
"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-06-25 294998]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-17 2065760]
"IObitBar Browser Plugin Loader"="c:\progra~1\IObitBar\toolbar\1.bin\i0brmon.exe" [2010-07-15 20480]

c:\documents and settings\brandon stewart\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-9-21 811008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-17 02:40 12536 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^brandon stewart^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\brandon stewart\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MDM"=2 (0x2)
"IDriverT"=3 (0x3)
"hpdj"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe"
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe"
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" /r
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Intuit\\QuickBooks Enterprise Solutions 5.0\\QBDBMgrN.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\MediaMall\\MediaMallServer.exe"=

R0 AFAmgt;AFAmgt;c:\windows\SYSTEM32\DRIVERS\afamgt.sys [4/21/2004 1:36 AM 92411]
R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [12/14/2009 10:49 PM 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [5/13/2009 1:06 PM 216400]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [5/13/2009 1:06 PM 243024]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [2/8/2004 6:02 AM 118784]
R2 AsfAlrt;AsfAlrt;c:\windows\SYSTEM32\DRIVERS\Asfalrt.sys [12/18/2002 2:31 AM 36064]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/16/2010 7:40 PM 308136]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/25/2009 12:47 PM 133104]
S2 IObitBarService;IObit Toolbar Service;c:\progra~1\IObitBar\toolbar\1.bin\i0barsvc.exe [7/14/2010 6:42 PM 28766]
S2 RAIDStorAgent;RAID Storage Manager Agent;c:\program files\Dell\RAID Storage Manager\StorServ.exe [6/16/2004 12:10 PM 49152]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 6:19 AM 1181328]
S3 MediaMall Server;MediaMall Server;c:\program files\MediaMall\MediaMallServer.exe [8/28/2010 12:15 PM 4202864]
S3 P1060BLK;Creative PC-CAM 350 (Still Image);c:\windows\SYSTEM32\DRIVERS\P1060Blk.sys [6/23/2010 11:03 PM 27908]
S3 P1060VID;Creative PC-CAM 350 (Video);c:\windows\SYSTEM32\DRIVERS\P1060Vid.sys [6/23/2010 11:03 PM 433760]
S3 tj2knd5;Terayon Cable Modem (NDIS);c:\windows\SYSTEM32\DRIVERS\tj2knd5.sys [10/18/2004 11:27 AM 17616]
S3 tj2kunic;Terayon Cable Modem (WDM);c:\windows\SYSTEM32\DRIVERS\tj2kunic.sys [10/18/2004 11:27 AM 69680]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 3:17 AM 2805000]
.
Contents of the 'Scheduled Tasks' folder

2010-09-06 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 05:50]

2010-09-05 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 05:50]

2010-09-05 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 05:50]

2010-09-05 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 05:50]

2010-09-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 05:50]

2010-07-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]

2010-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-25 19:47]

2010-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-25 19:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://results.myway.com/default.jhtml?kl=y&ptb=8E371A88-565F-48C0-8829-1597CAED8FD4
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\brandon stewart\Application Data\Mozilla\Firefox\Profiles\21epwizn.default\
FF - prefs.js: browser.search.selectedEngine - My Way
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://results.myway.com/GGmain.jhtml?id=YH&ptb=8E371A88-565F-48C0-8829-1597CAED8FD4&psa=&ind=2010071817&ptnrS=YH&si=&st=kwd&n=&searchfor=
FF - component: c:\documents and settings\brandon stewart\Application Data\Mozilla\Firefox\Profiles\21epwizn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\IObitBar\toolbar\1.bin\NPi0Stub.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
.
- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-13 21:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-322082807-1342736797-2565381560-1006\Software\SecuROM\License information*]
"datasecu"=hex:5d,a3,d8,c6,4f,1f,2a,f9,7b,5e,4a,8e,4e,46,38,45,16,3e,aa,e5,13,
f7,67,2b,dd,2a,92,bd,d2,13,bf,52,66,e4,53,40,18,3c,49,c5,0b,5c,99,82,90,08,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{62B9DDBB-52F0-AEDA-13C9CB9FD8297A44}\{829B01D7-8AAE-A7FF-AA7986A64CC9B9E2}\{E296BA6F-1F6D-20AF-CDC0E27325509C67}*]
"SE4K5INHHR1EDZYY15BVZC6TKG1"=hex:01,00,01,00,00,00,00,00,7e,c3,c3,8e,86,b4,21,
5e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(508)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\CTsvcCDA.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\PSIService.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
c:\program files\Dell AIO Printer A940\dlbabmon.exe
.
**************************************************************************
.
Completion time: 2010-09-13 21:58:18 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-14 04:58

Pre-Run: 40,715,890,688 bytes free
Post-Run: 40,525,402,112 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 6964EA84F83678A58D76B79F0B640198

Hi,

Looks like Combofix removed more junk.

c:\program files\BitTorrent <--Heads up on this and any file sharing programs like any of the torrents, Limewire and the rest. Your downloading that file from an unknown source, the bad guys are in tune to this and not the programs themselves but most of what you download could be infected. This may be how you infected your system. Doing what I do and seeing what I see I would no way no how ever allow any types of programs like this on any of my systems, you would be doing yourself a big favor by uninstalling it and staying away from any file sharing programs.



Lets run this free anti virus scanner to check for left overs

Please run this free online virus scanner from ESET (http://www.eset.com/onlinescan/)

Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic, and also let me know how things are running now.

Point taken on BitTorrent. I suspected this was the likely point of infection. Lesson learned, program deleted.

ESET came back clean though. Here is the log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17080 (vista_gdr.100616-0452)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=9d2a173b3ed78f4285ace1bbd94fabf6
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-09-15 06:00:42
# local_time=2010-09-14 11:00:42 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777215 100 0 99617730 99617730 0 0
# compatibility_mode=1024 16777175 100 0 26195759 26195759 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=219707
# found=0
# cleaned=0
# scan_time=6632

Looks good, how are things running now ?

Looks like things are running well. Seems to be a lot less random hard drive activity. I didn't actually notice anything wrong with how my system was running other than unexplained hard drive activity until AVG picked up the Sheu3 trojan. I'v pretty diligent about running AVG and AdAware every week, but it looks like they got me when I was making a bunch of online purchases preparing for a camping trip. Bastards. Disputing charges with my credit card company is definitely not worth a couple of free albums. Like I said, lesson learned with P2P. Are you confident that we got it all? Is there any specific behavior that I should be on the lookout for?

Should I add MalwareBytes to my regular scans, or is it more of a professional tool that one should only run when necessary?

I've tried to clean up some of the unnecessary processes that were running at startup during this as well, so hopefully that will speed things up a bit. What's next?

Again, thanks for all your help with this. You rock!

Malwarebytes is yours to keep, its the free version, the paid version has a feature that will block bad sites, your call on this. I have it on 3 of my systems.

ATF Cleaner is also a free tool, I run mine at least once a week to clean out all the clutter and junk.


Combofix <---Is not a general cleaning tool, just run it with supervision or you can damage your system


Click START then RUN
Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.


http://i526.photobucket.com/albums/cc345/MPKwings/CF-Uninstall.png


When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.





Now to remove most of the tools that we have used in fixing your machine:
Make sure you have an Internet Connection.
Download OTC (http://oldtimer.geekstogo.com/OTC.exe) to your desktop and run it
A list of tool components used in the cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
Click Yes to begin the cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.






How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)





Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot , you can still install Spybot Search and Destroy but do not enable the TeaTimer .


Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

WinPatrol (www.winpatrol.com/download.html) Keep this fine program activated to block a lot of threats

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.



Safe Surfn
Ken