
Thread: vundo infection

  1. #1
    Junior Member
    Join Date
    Sep 2006
    Location
    near Vancouver, Canada
    Posts
    18

    vundo infection

    Hello SpyBot, good friend and neighbour in a dangerous hood.
    My daughter's computer is infected with a trojan, vundo.gen.w. McAfee has removed it several times, but the tricky little thing is still there, and keeps coming up with popups asking us to "run a free scan" and buy their spyware removal product. Haven't fallen for that one yet, but can't get rid of the little devil either.
    FYI - before I really realized what was going on, I ran a full McAfee virus scan, and also ran a full SpyBot scan, which removed a few things, but not the Vundo, apparently.
    I have backed up the registry with ERUNT.
    Here is the HJT log. Thank you in advance for any help.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:18:39 PM, on 3/3/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Network Associates\Common Framework\McTray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\fxstaller.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\WINDOWS\fxsteller.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: {cb2858fe-a0e7-d979-c164-490d84f05261} - {16250f48-d094-461c-979d-7e0aef8582bc} - C:\WINDOWS\system32\evqagx.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {d1c4db7b-393c-4712-9183-72ad13f4cd7a} - C:\WINDOWS\system32\wibovaha.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Windows UDP Control Center] fxsteller.exe
    O4 - HKLM\..\Run: [Microsoft Update] taskmgz.exe
    O4 - HKLM\..\Run: [huzehiveri] Rundll32.exe "C:\WINDOWS\system32\degipeme.dll",s
    O4 - HKLM\..\Run: [7402f9d3] rundll32.exe "C:\WINDOWS\system32\savogiju.dll",b
    O4 - HKLM\..\Run: [CPM7731ca4f] Rundll32.exe "C:\WINDOWS\system32\dusayamo.dll",a
    O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKLM\..\RunOnce: [SpybotDeletingA9545] command.com /c del "C:\WINDOWS\system32\vuverisa.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC4293] cmd.exe /c del "C:\WINDOWS\system32\vuverisa.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA2680] command.com /c del "C:\WINDOWS\system32\dunuhobu.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC4082] cmd.exe /c del "C:\WINDOWS\system32\dunuhobu.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB7565] command.com /c del "C:\WINDOWS\system32\vuverisa.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD1626] cmd.exe /c del "C:\WINDOWS\system32\vuverisa.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB7083] command.com /c del "C:\WINDOWS\system32\dunuhobu.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD6400] cmd.exe /c del "C:\WINDOWS\system32\dunuhobu.dll_old"
    O4 - HKUS\S-1-5-20\..\Run: [huzehiveri] Rundll32.exe "C:\WINDOWS\system32\degipeme.dll",s (User 'NETWORK SERVICE')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1205851300394
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1205851434928
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zum...loader_v10.cab
    O20 - AppInit_DLLs: C:\WINDOWS\system32\tobirugo.dll evqagx.dll c:\windows\system32\dusayamo.dll
    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dusayamo.dll
    O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dusayamo.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

    --
    End of file - 8302 bytes

  2. #2
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi,

    Download DDS and save it to your desktop from here or here or here.
    Disable any script blocker, and then double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop. Post them back to your topic.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Junior Member
    Join Date
    Sep 2006
    Location
    near Vancouver, Canada
    Posts
    18


    Thanks for your reply Blade!
    I will do this tonight as soon as I get home.
    I appreciate your help.

  4. #4
    Junior Member
    Join Date
    Sep 2006
    Location
    near Vancouver, Canada
    Posts
    18

    DDS report file

    DDS (Ver_09-02-01.01) - NTFSx86
    Run by Miriam Emma Lank at 19:16:28.33 on Thu 03/05/2009
    Internet Explorer: 6.0.2900.5512
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.639.280 [GMT -8:00]

    AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\fxsteller.exe
    C:\Program Files\Network Associates\Common Framework\McTray.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\Connection Wizard\ICWCONN1.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Documents and Settings\Miriam Emma Lank\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.ca/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: {94e51013-c1ce-62f9-daf4-c870e7ad7999}: {9997da7e-078c-4fad-9f26-ec1c31015e49} - c:\windows\system32\civffu.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
    BHO: {d1c4db7b-393c-4712-9183-72ad13f4cd7a} - c:\windows\system32\wibovaha.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UdaterUI.exe" /StartedFromRunKey
    mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [Windows UDP Control Center] fxsteller.exe
    mRun: [Microsoft Update] taskmgz.exe
    mRun: [huzehiveri] Rundll32.exe "c:\windows\system32\degipeme.dll",s
    mRun: [7402f9d3] rundll32.exe "c:\windows\system32\liwuwuto.dll",b
    mRun: [CPM7731ca4f] Rundll32.exe "c:\windows\system32\rujezare.dll",a
    StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
    DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205851300394
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205851434928
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.shockwave.com/content/zuma/sis/popcaploader_v10.cab
    AppInit_DLLs: c:\windows\system32\tobirugo.dll civffu.dll c:\windows\system32\rujezare.dll
    SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\rujezare.dll
    STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\rujezare.dll
    LSA: Notification Packages = scecli c:\windows\system32\tobirugo.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\miriam~1\applic~1\mozilla\firefox\profiles\wl2f0p18.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/

    ============= SERVICES / DRIVERS ===============

    P2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2006-11-30 144960]
    R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
    R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
    R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2006-3-13 104000]
    R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2006-11-30 54872]
    R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-3-17 72264]
    R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-3-17 34152]
    R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-3-17 168776]

    =============== Created Last 30 ================

    2009-03-03 21:31 123,392 a--sh--- c:\windows\system32\civffu.dll
    2009-03-03 21:15 <DIR> --d----- c:\program files\Trend Micro
    2009-03-03 15:14 5,449 a------- C:\mooo.exe
    2009-03-03 09:31 123,904 a--sh--- c:\windows\system32\evqagx.dll
    2009-03-03 09:20 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
    2009-03-03 09:09 151 a------- c:\windows\wininit.ini
    2009-03-02 23:32 244 a---h--- C:\sqmnoopt19.sqm
    2009-03-02 23:32 232 a---h--- C:\sqmdata19.sqm
    2009-03-02 23:26 244 a---h--- C:\sqmnoopt18.sqm
    2009-03-02 23:26 232 a---h--- C:\sqmdata18.sqm
    2009-03-02 23:22 244 a---h--- C:\sqmnoopt17.sqm
    2009-03-02 23:22 232 a---h--- C:\sqmdata17.sqm
    2009-03-02 23:19 244 a---h--- C:\sqmnoopt16.sqm
    2009-03-02 23:19 232 a---h--- C:\sqmdata16.sqm
    2009-03-02 23:12 244 a---h--- C:\sqmnoopt15.sqm
    2009-03-02 23:12 232 a---h--- C:\sqmdata15.sqm
    2009-03-02 23:06 232 a---h--- C:\sqmdata14.sqm
    2009-03-02 23:06 244 a---h--- C:\sqmnoopt14.sqm
    2009-03-02 22:59 244 a---h--- C:\sqmnoopt13.sqm
    2009-03-02 22:59 232 a---h--- C:\sqmdata13.sqm
    2009-03-02 22:53 244 a---h--- C:\sqmnoopt12.sqm
    2009-03-02 22:53 232 a---h--- C:\sqmdata12.sqm
    2009-03-02 22:52 244 a---h--- C:\sqmnoopt11.sqm
    2009-03-02 22:52 232 a---h--- C:\sqmdata11.sqm
    2009-03-02 22:47 232 a---h--- C:\sqmdata10.sqm
    2009-03-02 22:47 244 a---h--- C:\sqmnoopt10.sqm
    2009-03-02 22:43 244 a---h--- C:\sqmnoopt09.sqm
    2009-03-02 22:43 232 a---h--- C:\sqmdata09.sqm
    2009-03-02 22:40 232 a---h--- C:\sqmdata08.sqm
    2009-03-02 22:40 244 a---h--- C:\sqmnoopt08.sqm
    2009-03-02 22:33 244 a---h--- C:\sqmnoopt07.sqm
    2009-03-02 22:33 232 a---h--- C:\sqmdata07.sqm
    2009-03-02 22:27 244 a---h--- C:\sqmnoopt06.sqm
    2009-03-02 22:27 232 a---h--- C:\sqmdata06.sqm
    2009-03-02 22:21 232 a---h--- C:\sqmdata05.sqm
    2009-03-02 22:21 244 a---h--- C:\sqmnoopt05.sqm
    2009-03-02 22:15 232 a---h--- C:\sqmdata04.sqm
    2009-03-02 22:15 244 a---h--- C:\sqmnoopt04.sqm
    2009-03-02 20:31 123,392 a--sh--- c:\windows\system32\kfgerz.dll
    2009-03-02 20:26 48,640 a------- C:\2l.exe
    2009-03-02 20:25 191,488 a------- C:\1l.exe
    2009-03-02 20:10 <DIR> --d----- c:\windows\system32\kazaabackupfiles
    2009-03-02 20:10 32,200 a------- C:\spal.exe
    2009-03-02 19:44 1,025 a------- C:\istal.exe
    2009-03-02 19:27 102,912 a------- C:\insstal.exe
    2009-03-02 19:26 48,690 ---shr-- c:\windows\fxsteller.exe
    2009-03-02 19:26 102,912 a------- C:\xx.exe
    2009-03-02 18:52 48,690 ---shr-- c:\windows\fxstaller.exe

    ==================== Find3M ====================

    2009-03-03 21:31 86,016 a--sh--- c:\windows\system32\rujezare.dll
    2009-03-03 21:31 123,392 a--sh--- c:\windows\system32\lakotite.dll
    2009-03-03 21:31 80,896 a--sh--- c:\windows\system32\liwuwuto.dll
    2009-03-03 09:31 123,904 a--sh--- c:\windows\system32\ludiyofu.dll
    2009-03-03 09:31 80,896 -------- c:\windows\system32\savogiju.dll
    2009-03-03 09:31 86,016 a--sh--- c:\windows\system32\dusayamo.dll
    2009-03-02 20:31 123,392 a--sh--- c:\windows\system32\rimomuzo.dll
    2008-12-17 20:57 410,984 a------- c:\windows\system32\deploytk.dll
    2008-10-21 17:45 17,144 a------- c:\docume~1\miriam~1\applic~1\GDIPFONTCACHEV1.DAT
    2006-02-22 06:36 21,952 ac--h--- c:\program files\folder.htt
    2006-02-22 06:36 271 ---sh--- c:\program files\desktop.ini
    0000-00-00 00:00 48,640 a--sh--- c:\windows\system32\degipeme.dll
    0000-00-00 00:00 48,640 a--sh--- c:\windows\system32\tobirugo.dll
    0000-00-00 00:00 48,640 a--sh--- c:\windows\system32\wibovaha.dll

    ============= FINISH: 19:19:58.82 ===============
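    The HijackThis and DDS logs above show the same few random-named system32 DLLs referenced from several autostart points at once (Run keys via rundll32, AppInit_DLLs, SSODL, SharedTaskScheduler), alongside hidden+system file attributes and zeroed timestamps, which is the pattern that lets a Vundo infection survive repeated on-demand scans. The script below is an added triage example, not part of this thread and not code from HijackThis, DDS or ComboFix; it parses constructed sample lines in the format of those logs (names taken from the logs above) and ranks each file by how many persistence hooks point at it. The 8-character DDS attribute field is assumed to use `s` for system and `h` for hidden, as the listings above suggest.

```python
import re
from collections import defaultdict

# Constructed excerpts in the format of the HijackThis and DDS logs in this thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows UDP Control Center] fxsteller.exe
O4 - HKLM\..\Run: [Microsoft Update] taskmgz.exe
O4 - HKLM\..\Run: [7402f9d3] rundll32.exe "C:\WINDOWS\system32\savogiju.dll",b
O4 - HKLM\..\Run: [huzehiveri] Rundll32.exe "C:\WINDOWS\system32\degipeme.dll",s
O20 - AppInit_DLLs: C:\WINDOWS\system32\tobirugo.dll evqagx.dll c:\windows\system32\dusayamo.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dusayamo.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dusayamo.dll
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
"""

DDS_SAMPLE = r"""
2009-03-03 21:31 86,016 a--sh--- c:\windows\system32\rujezare.dll
2008-12-17 20:57 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-02 19:26 48,690 ---shr-- c:\windows\fxsteller.exe
0000-00-00 00:00 48,640 a--sh--- c:\windows\system32\degipeme.dll
"""

HJT_RUN = re.compile(r'^O4 - \S+\\\.\.\\Run: \[([^\]]*)\] (.*)$')
HJT_APPINIT = re.compile(r'^O20 - AppInit_DLLs: (.*)$')
HJT_SHELL = re.compile(r'^O2([12]) - (\w+): .* - \{[0-9A-Fa-f-]+\} - (.*)$')
# date time size attrs path  (attrs is an 8-char flag field, assumed s=system, h=hidden)
DDS_FILE = re.compile(r'^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} [\d,]+ ([a-z-]{8}) (.+)$')
QUOTED_DLL = re.compile(r'"([^"]+\.dll)"', re.I)


def basename(path):
    """Lower-cased file name of a Windows path, tolerating quotes and either slash."""
    return path.strip().strip('"').replace('/', '\\').rsplit('\\', 1)[-1].lower()


def _run_target(cmd):
    """Split a Run value's command line into (executable token, quoted DLL argument or None)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]
        rest = cmd[len(exe) + 2:]
    else:
        exe, _, rest = cmd.partition(' ')
    m = QUOTED_DLL.search(rest)
    return exe, (m.group(1) if m else None)


def triage(hjt_text, dds_text):
    """Map file name -> set of reasons it looks like a persistence hook."""
    findings = defaultdict(set)
    for line in hjt_text.splitlines():
        line = line.strip()
        m = HJT_RUN.match(line)
        if m:
            exe, dll = _run_target(m.group(2))
            if basename(exe).startswith('rundll32'):
                # Vundo-style: rundll32 loading a DLL dropped into system32
                if dll and '\\system32\\' in dll.lower():
                    findings[basename(dll)].add('Run key loads a system32 DLL through rundll32')
            elif '\\' not in exe:
                # A bare file name relies on the search path; legitimate installers rarely do this
                findings[basename(exe)].add('Run key names a bare executable with no path')
            continue
        m = HJT_APPINIT.match(line)
        if m:
            # AppInit_DLLs is normally empty on XP; every entry is injected into every user32 process
            for entry in re.split(r'[\s,]+', m.group(1).strip()):
                if entry:
                    findings[basename(entry)].add('listed in AppInit_DLLs (injected into every user-mode process)')
            continue
        m = HJT_SHELL.match(line)
        if m and m.group(3).lower().endswith('.dll'):
            findings[basename(m.group(3))].add(f'loaded by Explorer via {m.group(2)}')
    for line in dds_text.splitlines():
        m = DDS_FILE.match(line.strip())
        if not m:
            continue
        date, attrs, path = m.groups()
        name = basename(path)
        if not name.endswith(('.dll', '.exe')):
            continue
        if 's' in attrs and 'h' in attrs:
            findings[name].add('system+hidden attributes on an executable file')
        if date == '0000-00-00':
            findings[name].add('zero file timestamp (possible timestomping)')
    return dict(findings)


def ranked(findings):
    """Files with the most independent persistence indicators first; ties broken by name."""
    return sorted(((n, sorted(r)) for n, r in findings.items()),
                  key=lambda t: (-len(t[1]), t[0]))


if __name__ == '__main__':
    for name, reasons in ranked(triage(HJT_SAMPLE, DDS_SAMPLE)):
        print(f'{name}: {len(reasons)} indicator(s)')
        for r in reasons:
            print(f'    - {r}')
```

Files referenced from two or more independent hooks (here dusayamo.dll and degipeme.dll) are the ones to remove together in one pass, since any single surviving hook reloads the rest.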

  5. #5
    Junior Member
    Join Date
    Sep 2006
    Location
    near Vancouver, Canada
    Posts
    18

    attach file - not zipped

    Sorry - I couldn't figure out how to post an attachment, so here is the attach file (not zipped).

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-02-01.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 3/15/2008 11:32:23 PM
    System Uptime: 3/5/2009 6:32:39 PM (1 hours ago)

    Motherboard: ASUSTeK Computer INC. | | CUV4X
    Processor: Intel Pentium III processor | PGA 370 | 930/133mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 38 GiB total, 14.466 GiB free.
    D: is CDROM ()
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP315: 12/4/2008 8:03:03 PM - System Checkpoint
    RP316: 12/7/2008 5:50:25 PM - System Checkpoint
    RP317: 12/8/2008 6:19:35 PM - System Checkpoint
    RP318: 12/9/2008 6:20:00 PM - System Checkpoint
    RP319: 12/10/2008 7:09:03 PM - System Checkpoint
    RP320: 12/12/2008 3:49:02 PM - Software Distribution Service 3.0
    RP321: 12/13/2008 3:53:22 PM - System Checkpoint
    RP322: 12/14/2008 4:45:30 PM - System Checkpoint
    RP323: 12/16/2008 8:03:48 PM - System Checkpoint
    RP324: 12/17/2008 8:48:20 PM - Removed Apple Mobile Device Support
    RP325: 12/17/2008 8:52:12 PM - Removed Java(TM) 6 Update 4
    RP326: 12/17/2008 8:53:17 PM - Removed Java(TM) 6 Update 5
    RP327: 12/17/2008 8:57:16 PM - Installed Java(TM) 6 Update 11
    RP328: 12/17/2008 8:59:40 PM - Removed Java(TM) 6 Update 7
    RP329: 12/19/2008 2:40:38 AM - System Checkpoint
    RP330: 12/19/2008 3:00:18 AM - Software Distribution Service 3.0
    RP331: 1/6/2009 8:15:14 PM - System Checkpoint
    RP332: 1/7/2009 11:51:04 PM - System Checkpoint
    RP333: 1/9/2009 6:52:51 PM - System Checkpoint
    RP334: 1/10/2009 7:15:35 PM - System Checkpoint
    RP335: 1/11/2009 7:44:48 PM - System Checkpoint
    RP336: 1/12/2009 10:03:24 PM - System Checkpoint
    RP337: 1/14/2009 4:50:24 PM - Software Distribution Service 3.0
    RP338: 1/15/2009 10:34:59 PM - System Checkpoint
    RP339: 1/17/2009 9:49:24 AM - System Checkpoint
    RP340: 1/18/2009 12:53:55 PM - System Checkpoint
    RP341: 1/19/2009 10:28:32 PM - System Checkpoint
    RP342: 1/20/2009 11:25:58 PM - System Checkpoint
    RP343: 1/22/2009 12:36:08 AM - System Checkpoint
    RP344: 1/23/2009 5:31:34 PM - System Checkpoint
    RP345: 1/24/2009 8:54:26 PM - System Checkpoint
    RP346: 1/26/2009 11:17:19 AM - System Checkpoint
    RP347: 1/27/2009 7:43:10 PM - System Checkpoint
    RP348: 1/27/2009 8:31:22 PM - Software Distribution Service 3.0
    RP349: 1/29/2009 10:14:00 PM - System Checkpoint
    RP350: 1/31/2009 10:40:05 AM - System Checkpoint
    RP351: 2/1/2009 2:17:12 PM - System Checkpoint
    RP352: 2/2/2009 7:06:39 PM - System Checkpoint
    RP353: 2/5/2009 6:33:36 PM - System Checkpoint
    RP354: 2/7/2009 1:58:54 PM - System Checkpoint
    RP355: 2/8/2009 7:24:10 PM - System Checkpoint
    RP356: 2/9/2009 9:30:28 PM - System Checkpoint
    RP357: 2/11/2009 4:25:22 PM - Software Distribution Service 3.0
    RP358: 2/12/2009 7:17:10 PM - System Checkpoint
    RP359: 2/13/2009 8:01:09 PM - System Checkpoint
    RP360: 2/14/2009 8:13:53 PM - System Checkpoint
    RP361: 2/16/2009 3:04:32 PM - System Checkpoint
    RP362: 2/17/2009 3:45:56 PM - System Checkpoint
    RP363: 2/18/2009 6:46:30 PM - System Checkpoint
    RP364: 2/19/2009 7:18:26 PM - System Checkpoint
    RP365: 2/21/2009 8:48:30 AM - System Checkpoint
    RP366: 2/22/2009 11:21:36 AM - System Checkpoint
    RP367: 2/23/2009 6:36:11 PM - System Checkpoint
    RP368: 2/24/2009 6:46:12 PM - System Checkpoint
    RP369: 2/25/2009 7:46:03 AM - Software Distribution Service 3.0
    RP370: 2/26/2009 8:30:29 AM - System Checkpoint
    RP371: 2/27/2009 8:35:58 AM - System Checkpoint
    RP372: 2/28/2009 10:56:43 AM - System Checkpoint
    RP373: 3/1/2009 11:55:45 AM - System Checkpoint
    RP374: 3/2/2009 12:43:18 PM - System Checkpoint
    RP375: 3/2/2009 10:12:01 PM - Uniblue RegistryBooster
    RP376: 3/2/2009 11:52:33 PM - Uniblue RegistryBooster
    RP377: 3/3/2009 9:19:01 AM - Removed Ad-Aware 2007
    RP378: 3/3/2009 9:21:33 AM - Installed Ad-Aware

    ==== Installed Programs ======================

    Ad-Aware
    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    Adobe Flash Player ActiveX
    Adobe Reader 8.1.2
    Adobe Reader 8.1.2 Security Update 1 (KB403742)
    Apple Software Update
    Bonjour
    ERUNT 1.1j
    Google Toolbar for Internet Explorer
    HijackThis 2.0.2
    Hotfix for Windows XP (KB952287)
    iTunes
    Java(TM) 6 Update 11
    LimeWire 4.16.6
    Logitech® Camera Driver
    McAfee VirusScan Enterprise
    Microsoft Office XP Professional
    Mozilla Firefox (3.0.6)
    Picasa 2
    QuickTime
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 8 (KB917734)
    Security Update for Windows Media Player 9 (KB911565)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Spybot - Search & Destroy
    SpywareBlaster 4.1
    Uniblue RegistryBooster 2
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Live installer
    Windows Live Messenger
    Windows Live OneCare safety scanner
    Windows Live Sign-in Assistant
    Windows XP Service Pack 3

    ==== Event Viewer Messages From Past Week ========

    3/1/2009 9:51:49 AM, error: ACPI [4] - AMLI: ACPI BIOS is attempting to read from an illegal IO port address (0xcfc), which lies in the 0xcf8 - 0xcff protected address range. This could lead to system instability. Please contact your system vendor for technical assistance.
    3/1/2009 9:51:49 AM, error: ACPI [5] - AMLI: ACPI BIOS is attempting to write to an illegal IO port address (0xcf8), which lies in the 0xcf8 - 0xcff protected address range. This could lead to system instability. Please contact your system vendor for technical assistance.
    3/2/2009 8:41:29 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.
    3/3/2009 9:19:39 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the aawservice service.
    3/3/2009 9:20:09 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the service.

    ==== End Of File ===========================

  6. #6
    Junior Member
    Join Date
    Sep 2006
    Location
    near Vancouver, Canada
    Posts
    18

    p.s.

    I keep getting multiple IE windows popping up, requesting me to purchase various things. (I do not even use IE.)
    Also McAfee has deleted a trojan called "otuwuwil.ini" and "otuwuwil.tmp" several times.
    Thank you so much for your help.

  7. #7
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi again,


    IMPORTANT: I notice there are signs of one or more P2P (peer-to-peer) file sharing programs on your computer.


    LimeWire


    I'd like you to read this thread.

    Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

    Delete these folders afterwards:

    C:\Program Files\LimeWire

    Empty Recycle Bin.

    After that:


    Please visit this webpage for download links, and instructions for running ComboFix tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:

    1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (link).
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New dds.txt log.


    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  8. #8
    Junior Member
    Join Date
    Sep 2006
    Location
    near Vancouver, Canada
    Posts
    18

    Default combofix log

    ComboFix 09-03-04.01 - Miriam Emma Lank 2009-03-06 15:11:15.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.639.294 [GMT -8:00]
    Running from: c:\documents and settings\Miriam Emma Lank\Desktop\ComboFix.exe
    AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\fxstaller.exe
    c:\windows\system32\bamonipo.dll
    c:\windows\system32\bugagoku.dll
    c:\windows\system32\civffu.dll
    c:\windows\system32\degipeme.dll
    c:\windows\system32\dotuluje.dll
    c:\windows\system32\dusayamo.dll
    c:\windows\system32\evqagx.dll
    c:\windows\system32\fufoyevo.dll
    c:\windows\system32\gefuvura.dll
    c:\windows\system32\ikhyem.dll
    c:\windows\system32\kazaabackupfiles
    c:\windows\system32\kfgerz.dll
    c:\windows\system32\lakotite.dll
    c:\windows\system32\liwuwuto.dll
    c:\windows\system32\ludiyofu.dll
    c:\windows\system32\opinomab.ini
    c:\windows\system32\pisuvedi.dll
    c:\windows\system32\rfrvkv.dll
    c:\windows\system32\rimomuzo.dll
    c:\windows\system32\rujezare.dll
    c:\windows\system32\savogiju.dll
    c:\windows\system32\tobirugo.dll
    c:\windows\system32\wibovaha.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-02-06 to 2009-03-06 )))))))))))))))))))))))))))))))
    .

    2009-03-05 19:34 . 2009-03-05 19:35 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\WinZip
    2009-03-03 21:15 . 2009-03-03 21:15 <DIR> d-------- c:\program files\Trend Micro
    2009-03-03 21:09 . 2009-03-03 21:09 <DIR> d-------- c:\program files\ERUNT
    2009-03-03 15:14 . 2009-03-03 15:14 5,449 --a------ C:\mooo.exe
    2009-03-03 09:20 . 2009-03-03 09:20 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
    2009-03-03 09:09 . 2009-03-03 09:09 151 --a------ c:\windows\wininit.ini
    2009-03-02 23:32 . 2009-03-05 22:21 244 --ah----- C:\sqmnoopt19.sqm
    2009-03-02 23:32 . 2009-03-05 22:21 232 --ah----- C:\sqmdata19.sqm
    2009-03-02 23:26 . 2009-03-05 22:16 244 --ah----- C:\sqmnoopt18.sqm
    2009-03-02 23:26 . 2009-03-05 22:16 232 --ah----- C:\sqmdata18.sqm
    2009-03-02 23:22 . 2009-03-05 23:21 244 --ah----- C:\sqmnoopt17.sqm
    2009-03-02 23:22 . 2009-03-05 23:21 232 --ah----- C:\sqmdata17.sqm
    2009-03-02 23:19 . 2009-03-05 23:16 244 --ah----- C:\sqmnoopt16.sqm
    2009-03-02 23:19 . 2009-03-05 23:16 232 --ah----- C:\sqmdata16.sqm
    2009-03-02 23:12 . 2009-03-05 23:13 244 --ah----- C:\sqmnoopt15.sqm
    2009-03-02 23:12 . 2009-03-05 23:13 232 --ah----- C:\sqmdata15.sqm
    2009-03-02 23:06 . 2009-03-05 23:11 244 --ah----- C:\sqmnoopt14.sqm
    2009-03-02 23:06 . 2009-03-05 23:11 232 --ah----- C:\sqmdata14.sqm
    2009-03-02 22:59 . 2009-03-05 23:06 244 --ah----- C:\sqmnoopt13.sqm
    2009-03-02 22:59 . 2009-03-05 23:06 232 --ah----- C:\sqmdata13.sqm
    2009-03-02 22:53 . 2009-03-05 23:04 244 --ah----- C:\sqmnoopt12.sqm
    2009-03-02 22:53 . 2009-03-05 23:04 232 --ah----- C:\sqmdata12.sqm
    2009-03-02 22:52 . 2009-03-05 23:01 244 --ah----- C:\sqmnoopt11.sqm
    2009-03-02 22:52 . 2009-03-05 23:01 232 --ah----- C:\sqmdata11.sqm
    2009-03-02 22:47 . 2009-03-05 22:56 244 --ah----- C:\sqmnoopt10.sqm
    2009-03-02 22:47 . 2009-03-05 22:56 232 --ah----- C:\sqmdata10.sqm
    2009-03-02 22:43 . 2009-03-05 22:51 244 --ah----- C:\sqmnoopt09.sqm
    2009-03-02 22:43 . 2009-03-05 22:51 232 --ah----- C:\sqmdata09.sqm
    2009-03-02 22:40 . 2009-03-05 22:48 244 --ah----- C:\sqmnoopt08.sqm
    2009-03-02 22:40 . 2009-03-05 22:48 232 --ah----- C:\sqmdata08.sqm
    2009-03-02 22:33 . 2009-03-05 22:46 244 --ah----- C:\sqmnoopt07.sqm
    2009-03-02 22:33 . 2009-03-05 22:46 232 --ah----- C:\sqmdata07.sqm
    2009-03-02 22:27 . 2009-03-05 22:41 244 --ah----- C:\sqmnoopt06.sqm
    2009-03-02 22:27 . 2009-03-05 22:41 232 --ah----- C:\sqmdata06.sqm
    2009-03-02 22:21 . 2009-03-05 22:39 244 --ah----- C:\sqmnoopt05.sqm
    2009-03-02 22:21 . 2009-03-05 22:39 232 --ah----- C:\sqmdata05.sqm
    2009-03-02 22:15 . 2009-03-05 22:36 244 --ah----- C:\sqmnoopt04.sqm
    2009-03-02 22:15 . 2009-03-05 22:36 232 --ah----- C:\sqmdata04.sqm
    2009-03-02 20:26 . 2009-03-02 20:46 48,640 --a------ C:\2l.exe
    2009-03-02 20:25 . 2009-03-02 20:47 191,488 --a------ C:\1l.exe
    2009-03-02 20:10 . 2009-03-02 20:10 32,200 --a------ C:\spal.exe
    2009-03-02 19:44 . 2009-03-02 19:44 1,025 --a------ C:\istal.exe
    2009-03-02 19:26 . 2009-03-02 19:27 102,912 --a------ C:\xx.exe
    2009-03-02 19:26 . 2009-03-02 16:23 48,690 ---hs---- c:\windows\fxsteller.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-03 17:21 --------- d-----w c:\program files\Lavasoft
    2009-03-03 17:13 --------- d---a-w c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
    2009-03-03 17:13 --------- d-----w c:\program files\SpywareBlaster
    2009-03-02 06:53 --------- d-----w c:\documents and settings\Miriam Emma Lank\Application Data\LimeWire
    2009-02-19 04:26 --------- d-----w c:\program files\Windows Live Safety Center
    2009-01-28 15:13 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft
    2009-01-28 15:11 --------- d--h--w c:\program files\Common Files\Carlson
    2009-01-28 06:29 --------- d-----w c:\program files\Spybot - Search & Destroy
    2008-12-18 04:57 410,984 ----a-w c:\windows\system32\deploytk.dll
    2008-10-22 01:45 17,144 ----a-w c:\documents and settings\Miriam Emma Lank\Application Data\GDIPFONTCACHEV1.DAT
    2006-03-29 18:33 12,120 -c--a-w c:\documents and settings\CWE_Printserver\Application Data\GDIPFONTCACHEV1.DAT
    2006-02-22 14:36 271 --sh--w c:\program files\desktop.ini
    2006-02-22 14:36 21,952 -c-ha-w c:\program files\folder.htt
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2006-11-17 136768]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-17 136600]

    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "c:\\Program Files\\McAfee\\VirusScan Enterprise\\mcconsol.exe"=
    "c:\\Program Files\\Network Associates\\Common Framework\\UdaterUI.exe"=

    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{c2110ac2-e35b-4e30-a445-0d882dadfada} - c:\windows\system32\ikhyem.dll
    BHO-{d1c4db7b-393c-4712-9183-72ad13f4cd7a} - c:\windows\system32\wibovaha.dll


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.ca/
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java
    FF - ProfilePath - c:\documents and settings\Miriam Emma Lank\Application Data\Mozilla\Firefox\Profiles\wl2f0p18.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-06 15:17:42
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\program files\Network Associates\Common Framework\Mctray.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Network Associates\Common Framework\FrameworkService.exe
    c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
    c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    c:\program files\Network Associates\Common Framework\naPrdMgr.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-03-06 15:22:45 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-03-06 23:22:41

    Pre-Run: 15,511,539,712 bytes free
    Post-Run: 17,129,594,880 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
    multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect

    178 --- E O F --- 2009-02-25 15:47:46
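    A small triage script for the ComboFix log posted above and for the Recovery Console check Blade81 asks for in post #7. This is an added example, not ComboFix's own code and not part of the thread: it splits a ComboFix log into its banner-delimited sections, links each orphaned BHO CLSID back to the DLL it pointed at and checks whether that DLL also appears under "Other Deletions", lists newly created files that carry both the hidden and system attributes, applies a naming heuristic to the deleted system32 files, and confirms that the boot.ini tail contains the /cmdcons entry that proves the Recovery Console was installed. SAMPLE_LOG is a constructed, shortened excerpt in the same format as the posted log; the section names and regexes are assumptions about ComboFix's output layout drawn from that log.

```python
"""Triage a ComboFix log (added example; not ComboFix's code or the thread's)."""
import re

# Constructed, shortened excerpt in the format of the log posted in the thread.
SAMPLE_LOG = r"""
ComboFix 09-03-04.01 - user 2009-03-06 15:11:15.1 - NTFSx86
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\fxstaller.exe
c:\windows\system32\bamonipo.dll
c:\windows\system32\civffu.dll
c:\windows\system32\ikhyem.dll
c:\windows\system32\kazaabackupfiles
c:\windows\system32\opinomab.ini

.
((((((((((((((((((((((((( Files Created from 2009-02-06 to 2009-03-06 )))))))))))))))))))))))))))))))
.

2009-03-03 21:09 . 2009-03-03 21:09 <DIR> d-------- c:\program files\ERUNT
2009-03-03 15:14 . 2009-03-03 15:14 5,449 --a------ C:\mooo.exe
2009-03-02 19:26 . 2009-03-02 16:23 48,690 ---hs---- c:\windows\fxsteller.exe

.
- - - - ORPHANS REMOVED - - - -

BHO-{c2110ac2-e35b-4e30-a445-0d882dadfada} - c:\windows\system32\ikhyem.dll
BHO-{d1c4db7b-393c-4712-9183-72ad13f4cd7a} - c:\windows\system32\wibovaha.dll

[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
"""

# Section banners: "((( Title )))", "------- Title -------" or "- - - - TITLE - - - -".
HEADER_RE = re.compile(r"^\s*(?:\(+|-+(?:\s-)*)\s*([A-Za-z][^()]*?)\s*(?:\)+|(?:-\s)*-+)\s*$")
# "Files Created" rows: created . modified size-or-<DIR> attributes path
CREATED_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)\s+(<DIR>|[\d,]+)\s+([-a-z]{9})\s+(.+)$")
BHO_RE = re.compile(r"^BHO-\{([0-9a-f-]{36})\} - (.+)$")
# Heuristic only: 6-8 lowercase letters, no digits, as in this log. Legitimate
# DLLs can match too, so treat hits as "look closer", not as verdicts.
RANDOM_NAME_RE = re.compile(r"^c:\\windows\\system32\\[a-z]{6,8}\.(?:dll|ini)$")


def split_sections(text):
    """Group non-empty log lines under the banner that precedes them."""
    sections = {"preamble": []}
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix pads sections with lone dots
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if line.lower() == "[boot loader]":   # the boot.ini dump has no banner
            current = "boot.ini"
            sections.setdefault(current, [])
        sections[current].append(line)
    return sections


def orphaned_bhos(sections):
    """CLSID -> (dll path, True if that dll is also listed under Other Deletions)."""
    deleted = {p.lower() for p in sections.get("Other Deletions", [])}
    out = {}
    for line in sections.get("ORPHANS REMOVED", []):
        m = BHO_RE.match(line)
        if m:
            out[m.group(1).lower()] = (m.group(2), m.group(2).lower() in deleted)
    return out


def hidden_system_created(sections):
    """Paths from any 'Files Created' window whose attributes include both h and s."""
    out = []
    for name, lines in sections.items():
        if name.startswith("Files Created"):
            for line in lines:
                m = CREATED_RE.match(line)
                if m and "h" in m.group(4) and "s" in m.group(4):
                    out.append(m.group(5))
    return out


def recovery_console_installed(sections):
    """True when the boot.ini tail carries a /cmdcons entry."""
    return any("/cmdcons" in line.lower() for line in sections.get("boot.ini", []))


def triage(text):
    s = split_sections(text)
    deleted = s.get("Other Deletions", [])
    return {
        "deleted": len(deleted),
        "random_system32": [p for p in deleted if RANDOM_NAME_RE.match(p)],
        "bho": orphaned_bhos(s),
        "hidden_system_new": hidden_system_created(s),
        "recovery_console": recovery_console_installed(s),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

    Run it against a saved C:\ComboFix.txt by reading the file into `triage()`; the BHO map is the most useful output, since a CLSID whose DLL is not in the deletions list is one to check in the next DDS log.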

  9. #9
    Junior Member
    Join Date
    Sep 2006
    Location
    near Vancouver, Canada
    Posts
    18

    Default no new DDS.txt log?

    Hello Blade,
    Thanks again for your help. I have downloaded and run ComboFix and posted the log. However, I could not find a new dds.txt log. The only one I can find is the one I created last night. I searched the whole hard drive, but I did not find a newer DDS.txt log. Did I do something wrong?
    Thanks again, and awaiting your reply.

  10. #10
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi

    No, you didn't do anything wrong, but you have to run DDS again to get a fresh log.
