Computer infected win 32 Trojan SPY (2) HJT w/o word wrap

I have run ERDNT.exe and restored registry but windows does not load as it used to I had to go to ctl-alt del and load explorer exe from the task manager

so I now have reinfected my computer and have an unstable system

Should we start over with root repeal etc?

or do we go to the other forum?

Gary
 
Run this program and lets see whats going on. If its malware causing this we can work on cleaning it, if not then a system repair may be needed..

This wont fix anything but I need to see the report

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
 
Try this one

Download Trendmicros Hijackthis to your desktop.
  • Double click it to install
  • Follow the prompts and by default it will install in C:\Program Files\Trendmicro\Hijackthis\Highjackthis.exe
  • Open HJT Scan and Save a Log File, it will open in Notepad
  • Go to Format and make sure Wordwrap is Unchecked
  • Go to Edit> Select All.....Edit > Copy and Paste the new log into this thread by using the Submit Reply and not start a New Thread.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
 
new hijack this log 10/21/2009

Thanks again Ken for working with me

Gary


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:08:55, on 10/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\FastNetSrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\NETGEAR\WPN111 Configuration Utility\wpn111.exe
C:\Documents and Settings\Gary\Local Settings\Application Data\Autobahn\mlb-nexdef-autobahn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\9129837.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\sv3.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\svchust.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Cooliris Plug-In for Internet Explorer - {EAEE5C74-6D0D-4aca-9232-0DA4A7B866BA} - C:\Program Files\PicLensIE\cooliris.dll
O2 - BHO: IEButton Class - {F81D52BF-F2F1-4F49-BF5F-05664E803039} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [YMailAdvisor] "C:\Program Files\Yahoo!\Common\YMailAdvisor.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ttool] C:\WINDOWS\9129837.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: MLB.TV NexDef Plug-in.lnk = C:\Documents and Settings\Gary\Local Settings\Application Data\Autobahn\mlb-nexdef-autobahn.exe
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O9 - Extra button: Launch Cooliris - {3437D640-C91A-458f-89F5-B9095EA4C28B} - C:\Program Files\PicLensIE\cooliris.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {657BEC11-C6BA-4E6B-A41A-F3C5E648C9FB} (GBSinkCtrl Class) - http://www.golfbuddyglobal.com/GBSync/GBSink.cab
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - http://www.cooliris.com/shared/plinstll.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: fastnetsrv Service (fastnetsrv) - Sigma Designs In - C:\WINDOWS\system32\FastNetSrv.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Net Login (NetLogin) - Unknown owner - C:\WINDOWS\svchost.exe
O23 - Service: Net_Login - Unknown owner - C:\WINDOWS\svchust.exe
O23 - Service: SlingAgentService - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe

--
End of file - 10151 bytes
 
Good Morning,

You have a very heavily infected computer, thats the reason for the instability.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
 
Combofix will not run it says go to Bleeping computer (WHICH I DID) and load the current version

also in the warning which says my version is compromised it says my version may be infected with the virus virut

Gary
 
Gary,

Virut, I was kind of afraid of that. Run this tool and post the report.

Download Dr.Web CureIt to the desktop:
  • Doubleclick the drweb-cureit icon to start the program.
  • press start
  • Allow the program to run the initial express scan
  • This will scan the files currently running in memory. If something is found, click the YES button when it asks you if you want to cure it. This is only a short scan.
    Note: A pop up may appear during this phase suggesting you purchase their program - click the X at the top right corner of this pop-up to close it.
  • Once the short scan has finished, check the Complete scan box on the left side, even if nothing was found on the initial scan.
  • Then click the small green arrow button on the right under the Dr.Web Antivirus picture to start the complete scan. (This scan will take several hours)
  • During this complete scan - if Dr.Web finds an infection a window will pop up requesting your attention. Select the Cure button.

    • Note:(If the file cannot be cured, Dr.Web will automatically delete the file)
  • Once the scan is complete, on the menu bar, click file and choose report list.
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Note:this report will need to be renamed to Dr.Web.txt in order to post it on the forum.
  • Close Dr.Web Cureit.
  • Please post the Dr.Web.txt report in your next reply
 
Ken I rebooted and I am running the program again, it takes awhile as you know but I did not know what to do with the various things that were not eradicated cured or deleted. after you read this log get back to me and tell me if you want me to try to cure,delete or move the other items

thanks

Gary

Process in memory: C:\WINDOWS\System32\svchost.exe:3572;;Win32.Parite.2;Eradicated.;
svchust.exe;c:\windows;Win32.Parite.2;Cured.;
qja1c.tmp;c:\windows\temp;Win32.Parite.2;Deleted.;
RegUBP2b-Gary.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
svc[1].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\2WHK716G;Win32.Parite.2;Cured.;
svc[2].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\2WHK716G;Win32.Parite.2;Cured.;
svc[4].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\2WHK716G;Win32.Parite.2;Cured.;
svc[5].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\2WHK716G;Win32.Parite.2;Cured.;
svc[6].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\2WHK716G;Win32.Parite.2;Cured.;
svc[7].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\2WHK716G;Win32.Parite.2;Cured.;
svc[1].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\441TC34B;Win32.Parite.2;Cured.;
svc[3].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\441TC34B;Win32.Parite.2;Cured.;
svc[5].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\441TC34B;Win32.Parite.2;Cured.;
svc[6].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\441TC34B;Win32.Parite.2;Cured.;
svc[8].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\441TC34B;Win32.Parite.2;Cured.;
svc[1].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\6042FWHZ;Win32.Parite.2;Cured.;
svc[2].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\6042FWHZ;Win32.Parite.2;Cured.;
svc[5].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\6042FWHZ;Win32.Parite.2;Cured.;
svc[6].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\6042FWHZ;Win32.Parite.2;Cured.;
svc[7].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\6042FWHZ;Win32.Parite.2;Cured.;
svc[10].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\PAN5DU9B;Win32.Parite.2;Cured.;
svc[11].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\PAN5DU9B;Win32.Parite.2;Cured.;
svc[3].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\PAN5DU9B;Win32.Parite.2;Cured.;
svc[4].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\PAN5DU9B;Win32.Parite.2;Cured.;
svc[5].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\PAN5DU9B;Win32.Parite.2;Cured.;
svc[7].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\PAN5DU9B;Win32.Parite.2;Cured.;
svc[8].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\PAN5DU9B;Win32.Parite.2;Cured.;
svc[9].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\PAN5DU9B;Win32.Parite.2;Cured.;
A0005466.exe;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP1;Tool.Prockill;;
A0010588.exe;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP2;Win32.Parite.2;Cured.;
A0010651.exe;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP2;Tool.Prockill;;
A0011002.exe;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP3;Win32.Parite.2;Cured.;
A0011009.exe;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP3;Win32.Parite.2;Cured.;
A0011398.exe;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP3;Tool.Prockill;;
A0011494.exe;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP3;Win32.Parite.2;Cured.;
A0011509.exe;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP3;Win32.Parite.2;Cured.;
A0012525.exe;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP3;Win32.Parite.2;Cured.;
A0012528.exe;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP3;Win32.Parite.2;Cured.;
A0013536.exe;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP3;Win32.Parite.2;Cured.;
A0013548.exe;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP3;Win32.Parite.2;Cured.;
A0013557.exe;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP3;Win32.Parite.2;Cured.;
A0013590.exe\32788R22FWJFW\FIND3M.bat;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP3\A0013590.exe;Probably BATCH.Virus;;
A0013590.exe;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP3;Archive contains infected objects;Moved.;
A0013592.exe;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP3;Adware.Cfd;;
A0015536.INS;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP3;Probably DLOADER.Trojan;;
A0015547.exe;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP3;Win32.Parite.2;Cured.;
A0015548.exe;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP3;Win32.Parite.2;Cured.;
A0015549.exe;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP3;Win32.Parite.2;Cured.;
A0015553.reg;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP4;Trojan.StartPage.1505;Deleted.;
isvchost.exe;C:\WINDOWS;Win32.Parite.2;Cured.;
SC.INS;C:\WINDOWS;Probably DLOADER.Trojan;;
sv2.exe;C:\WINDOWS;Win32.Parite.2;Cured.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;;
acj8A.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
cha10.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
cra1.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
dca15.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
dzd7E.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
fha16.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
fqd50.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
gnj8E.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
gwa12.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
gzd53.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
jca10.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
jja16.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
kxa13.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
lgd77.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
nha15.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
ona17.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
ona1D.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
owd52.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
qsa1.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
sqj90.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
sxd7D.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
tqa1E.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
tra3.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
ujaA.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
vad4F.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
VRT2.tmp;C:\WINDOWS\Temp;Probably DLOADER.Trojan;;
VRT4.tmp;C:\WINDOWS\Temp;Probably DLOADER.Trojan;;
VRT6.tmp;C:\WINDOWS\Temp;Probably DLOADER.Trojan;;
xaa17.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
xla17.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
yza14.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
zxa14.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
 
Great, if you had Virut ( which is uncleanable ) Dr Web would have found it


Lets try running Combofix again, drag your current copy to the trash and run it this way renamed. If it still gives you issues than run it in Safemode.

To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
    this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode with Networking
  • Then press the Enter Key on your Keyboard
Tutorial if you need it How to boot into Safemode




If it gives you a warning about being infected, its not, run it anyway

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

CF_download_FF.gif



CF_download_rename.gif


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
 
combofix please be aware in order to get it to boot after reboot I did a ctl-alt delete and ran explorer exe through the task manager very quickly as soon as welcome screen came up because my usernit exe is defective

Thanks

Gary

here is the combo fix log

ComboFix 09-10-22.01 - Gary 10/23/2009 8:55.3.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.636 [GMT -4:00]
Running from: c:\documents and settings\Gary\desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\IEToolbar
c:\program files\Protection System
c:\program files\Protection System\uninst.exe
c:\windows\9129837.exe
c:\windows\Fonts\services.exe
c:\windows\Install.txt
c:\windows\isvchost.exe
c:\windows\svchost.exe
c:\windows\system32\1995463.exe
c:\windows\system32\2471582.exe
c:\windows\system32\404Fix.exe
c:\windows\system32\6279718.exe
c:\windows\system32\6to4ex.dll
c:\windows\system32\8.tmp
c:\windows\system32\8377344.exe
c:\windows\system32\certstore.dat
c:\windows\system32\dumphive.exe
c:\windows\system32\F.tmp
c:\windows\system32\FInstall.sys
c:\windows\system32\Iasv32.dll
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\Install.txt
c:\windows\system32\Ipripv32.dll
c:\windows\system32\Irmonv32.dll
c:\windows\system32\msxm192z.dll
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\TEMP\hba18.tmp
c:\windows\TEMP\mta13187.dll
c:\windows\TEMP\vna1.tmp

----- BITS: Possible infected sites -----

hxxp://updates.swarmcast.net
c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_IAS
-------\Service_6to4
-------\Service_Ias


((((((((((((((((((((((((( Files Created from 2009-09-23 to 2009-10-23 )))))))))))))))))))))))))))))))
.

2009-10-23 13:14 . 2009-10-23 13:14 600026 ----a-w- c:\windows\isvchost.exe
2009-10-23 05:09 . 2009-10-23 05:10 2268672 ----a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\cooliris-win-iefull-release-1.11.5.29501.en-US.msi
2009-10-23 00:31 . 2009-10-23 03:16 -------- d-----w- c:\documents and settings\Gary\DoctorWeb
2009-10-22 00:58 . 2009-10-22 00:58 152 ----a-w- c:\windows\system32\api.reg
2009-10-22 00:58 . 2009-10-22 01:10 40960 ----a-w- c:\windows\sv3.exe
2009-10-22 00:58 . 2009-10-22 00:58 40960 ----a-w- c:\windows\system32\csrs32.exe
2009-10-22 00:58 . 2009-10-23 12:54 151552 ----a-w- c:\windows\sv2.exe
2009-10-22 00:21 . 2009-10-22 00:21 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2009-10-21 18:48 . 2009-10-21 18:48 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-10-21 18:48 . 2009-10-23 12:53 745436 ----a-w- c:\windows\svchust.exe
2009-10-21 18:07 . 2009-10-21 18:07 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-21 17:08 . 2009-10-23 13:12 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-21 17:08 . 2009-10-22 01:09 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Cooliris
2009-10-21 17:08 . 2009-10-21 18:06 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
2009-10-21 04:11 . 2009-10-21 04:11 -------- d-----w- c:\documents and settings\Gary\Application Data\Malwarebytes
2009-10-21 04:11 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-21 04:11 . 2009-10-22 00:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-21 04:11 . 2009-10-21 04:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-21 04:11 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-20 08:57 . 2009-10-20 08:57 47104 ----a-w- c:\windows\system32\kadg0.dll
2009-10-20 08:15 . 2009-10-20 09:38 47104 ----a-w- c:\windows\system32\kapg1.dll
2009-10-20 02:03 . 2009-10-21 18:06 -------- d-----w- c:\program files\ERUNT
2009-10-19 23:28 . 2009-09-03 09:17 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-19 20:23 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-10-19 20:21 . 2009-10-19 20:22 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-17 11:30 . 2009-10-17 11:31 -------- d-----w- c:\program files\iTunes
2009-10-17 11:30 . 2009-10-17 11:31 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-17 11:28 . 2009-10-17 11:29 -------- d-----w- c:\program files\QuickTime
2009-10-14 00:06 . 2009-10-14 00:06 0 ----a-w- c:\windows\nsreg.dat
2009-10-14 00:06 . 2009-10-14 00:06 -------- d-----w- c:\documents and settings\Gary\Local Settings\Application Data\Mozilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-23 13:14 . 2009-10-23 13:14 501072 ----a-w- c:\windows\svchost.exe
2009-10-23 13:14 . 2009-10-23 13:14 88576 ----a-w- c:\windows\system32\8.tmp
2009-10-23 13:14 . 2009-10-23 13:14 52 ----a-w- c:\windows\system32\7.tmp
2009-10-23 12:52 . 2009-10-23 12:52 88576 ----a-w- c:\windows\system32\15.tmp
2009-10-23 12:52 . 2009-10-23 12:52 52 ----a-w- c:\windows\system32\14.tmp
2009-10-23 09:01 . 2009-10-23 09:01 88576 ----a-w- c:\windows\system32\193.tmp
2009-10-23 09:01 . 2009-10-23 09:01 52 ----a-w- c:\windows\system32\192.tmp
2009-10-23 08:04 . 2009-10-23 08:04 88576 ----a-w- c:\windows\system32\184.tmp
2009-10-23 08:04 . 2009-10-23 08:04 52 ----a-w- c:\windows\system32\183.tmp
2009-10-23 07:22 . 2009-10-23 07:22 88576 ----a-w- c:\windows\system32\17A.tmp
2009-10-23 07:22 . 2009-10-23 07:22 52 ----a-w- c:\windows\system32\179.tmp
2009-10-23 06:39 . 2009-10-23 06:39 88576 ----a-w- c:\windows\system32\16E.tmp
2009-10-23 06:39 . 2009-10-23 06:39 52 ----a-w- c:\windows\system32\16C.tmp
2009-10-23 05:58 . 2009-10-23 05:58 88576 ----a-w- c:\windows\system32\94.tmp
2009-10-23 05:58 . 2009-10-23 05:58 52 ----a-w- c:\windows\system32\93.tmp
2009-10-23 04:48 . 2009-10-23 04:48 88576 ----a-w- c:\windows\system32\13.tmp
2009-10-23 04:48 . 2009-10-23 04:48 52 ----a-w- c:\windows\system32\B.tmp
2009-10-23 00:44 . 2009-10-23 00:44 88576 ----a-w- c:\windows\system32\11.tmp
2009-10-23 00:44 . 2009-10-23 00:44 52 ----a-w- c:\windows\system32\A.tmp
2009-10-23 00:39 . 2005-11-09 16:46 90112 ----a-w- c:\windows\DUMP66d8.tmp
2009-10-22 02:49 . 2009-10-22 02:49 88576 ----a-w- c:\windows\system32\87.tmp
2009-10-22 02:49 . 2009-10-22 02:49 46080 ----a-w- c:\windows\system32\86.tmp
2009-10-22 02:49 . 2009-10-22 02:49 1 ----a-w- c:\windows\system32\85.tmp
2009-10-22 02:49 . 2009-10-22 02:49 152 ----a-w- c:\windows\system32\84.tmp
2009-10-22 02:15 . 2009-10-22 02:15 88576 ----a-w- c:\windows\system32\6C.tmp
2009-10-22 02:15 . 2009-10-22 02:15 46080 ----a-w- c:\windows\system32\6B.tmp
2009-10-22 02:15 . 2009-10-22 02:15 1 ----a-w- c:\windows\system32\6A.tmp
2009-10-22 02:15 . 2009-10-22 02:15 152 ----a-w- c:\windows\system32\69.tmp
2009-10-22 01:45 . 2009-10-22 01:45 88576 ----a-w- c:\windows\system32\4E.tmp
2009-10-22 01:45 . 2009-10-22 01:45 46080 ----a-w- c:\windows\system32\4D.tmp
2009-10-22 01:45 . 2009-10-22 01:45 1 ----a-w- c:\windows\system32\4C.tmp
2009-10-22 01:45 . 2009-10-22 01:45 152 ----a-w- c:\windows\system32\4B.tmp
2009-10-22 01:08 . 2009-10-22 01:08 1 ----a-w- c:\windows\system32\6.tmp
2009-10-22 01:08 . 2009-10-22 01:08 152 ----a-w- c:\windows\system32\5.tmp
2009-10-22 00:56 . 2009-10-22 00:56 88576 ----a-w- c:\windows\system32\12.tmp
2009-10-22 00:56 . 2009-10-22 00:56 1 ----a-w- c:\windows\system32\10.tmp
2009-10-22 00:56 . 2009-10-22 00:56 152 ----a-w- c:\windows\system32\E.tmp
2009-10-21 18:47 . 2009-10-21 18:47 88576 ----a-w- c:\windows\system32\76.tmp
2009-10-21 18:47 . 2009-10-21 18:47 1 ----a-w- c:\windows\system32\74.tmp
2009-10-21 18:47 . 2009-10-21 18:47 152 ----a-w- c:\windows\system32\73.tmp
2009-10-21 17:55 . 2009-10-21 17:55 88576 ----a-w- c:\windows\system32\4A.tmp
2009-10-21 17:55 . 2009-10-21 17:55 46080 ----a-w- c:\windows\system32\49.tmp
2009-10-21 17:55 . 2009-10-21 17:55 1 ----a-w- c:\windows\system32\48.tmp
2009-10-21 17:55 . 2009-10-21 17:54 152 ----a-w- c:\windows\system32\45.tmp
2009-10-21 17:07 . 2009-10-21 17:07 1 ----a-w- c:\windows\system32\D.tmp
2009-10-21 17:07 . 2009-10-21 17:07 152 ----a-w- c:\windows\system32\C.tmp
2009-10-21 05:59 . 2009-10-21 05:59 88576 ----a-w- c:\windows\system32\35.tmp
2009-10-21 05:59 . 2009-10-21 05:59 52 ----a-w- c:\windows\system32\34.tmp
2009-10-19 19:19 . 2005-11-19 06:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-19 05:17 . 2009-10-19 05:17 360320 ----a-w- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-10-19 05:17 . 2004-08-04 12:00 360320 ----a-w- c:\windows\system32\drivers\TCPIP.SYS
2009-10-19 04:26 . 2005-11-16 20:43 -------- d-----w- c:\documents and settings\Gary\Application Data\Apple Computer
2009-10-17 11:30 . 2005-11-16 20:41 -------- d-----w- c:\program files\iPod
2009-10-17 11:30 . 2007-10-17 02:54 -------- d-----w- c:\program files\Common Files\Apple
2009-10-15 11:00 . 2005-11-20 04:35 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-14 01:09 . 2005-08-18 16:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-14 01:08 . 2008-10-29 01:18 -------- d-----w- c:\program files\Sling Media
2009-10-14 00:36 . 2008-10-28 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-14 00:36 . 2008-12-25 05:39 -------- d-----w- c:\program files\Microsoft Silverlight
.

------- Sigcheck -------

[-] 2009-10-19 . 073941D59AE065910064B728DEE981EE . 360320 . . [5.1.2600.3394] . . c:\windows\system32\drivers\TCPIP.SYS
[-] 2009-10-19 . 073941D59AE065910064B728DEE981EE . 360320 . . [5.1.2600.3394] . . c:\windows\system32\dllcache\TCPIP.SYS
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\tcpip.sys
[7] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\sp2gdr\tcpip.sys
[7] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\sp2qfe\tcpip.sys
[7] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp2qfe\tcpip.sys
[7] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp2gdr\tcpip.sys
[7] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[7] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[7] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys

[-] 2008-04-14 . FDEA57347422CEA11001017CDBFF5C54 . 77824 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\spoolsv.exe
[-] 2005-06-11 . 072D265123BA0DE72164650865B597EF . 77824 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 . ABE76286DB60CFE5118D8E4A6B1D181E . 77824 . . [5.1.2600.2696] . . c:\windows\$NtServicePackUninstall$\spoolsv.exe
[-] 2005-06-10 . 3CCE02A058AA7B5BCBD59A735CB0CECD . 77824 . . [5.1.2600.2696] . . c:\windows\system32\spoolsv.exe
[-] 2005-06-10 . 66FA6DED8ED160AADE9589B97E9CC5E1 . 77824 . . [5.1.2600.2696] . . c:\windows\system32\dllcache\spoolsv.exe
[-] 2004-08-04 . C585F5D6532BBA2E7EF8CD519DA49B98 . 77824 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB896423$\spoolsv.exe

[-] 2008-04-14 . EE19B8A150726417906AC7B5C277AE55 . 46080 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\userinit.exe
[-] 2004-08-04 . E77ABA5E9DCB5017177AB85403C426F4 . 44544 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\userinit.exe
[-] 2004-08-04 . 8D313B4492405C23D9DDA67CEC9B25A4 . 44544 . . [5.1.2600.2180] . . c:\windows\system32\userinit.exe
[-] 2004-08-04 . 00E7A8967E3A424D5A7203B796A51A45 . 44544 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\userinit.exe

[-] 2008-04-14 . 9F43812F67EB91B4E48BEA2890F2BD8D . 1053696 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\explorer.exe
[-] 2007-06-13 . 4A80FBD97374B88F42AB1F90928DBEF3 . 1053184 . . [6.00.2900.3156] . . c:\windows\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2qfe\explorer.exe
[-] 2007-06-13 . 94F72526C871E3C5F246DC46C1239B93 . 1053184 . . [6.00.2900.3156] . . c:\windows\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2gdr\explorer.exe
[-] 2004-08-04 . AABA49DFBCB2B3C7BE79790A857C0C78 . 1052160 . . [6.00.2900.2180] . . c:\windows\explorer.exe
[-] 2004-08-04 . F04ED01CE85FA2CFE95543512F1A8D7E . 1052160 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2004-08-04 . 6A66AC311C7394F0C2B6BEA81CBC38EE . 1052160 . . [6.00.2900.2180] . . c:\windows\system32\dllcache\explorer.exe

[-] 2008-04-14 . 6CAFAD84E7732B2EA2F06BB41B1A61A2 . 13824 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\wscntfy.exe
[-] 2004-08-04 . 086228E32B7F28AFC8355DCF531EEFC1 . 13824 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\wscntfy.exe
[-] 2004-08-04 . E5134C7AEABD3C0767A9655EB628F0E1 . 33792 . . [5.1.2600.2180] . . c:\windows\system32\wscntfy.exe
[-] 2004-08-04 . 735BDC8AFF984D0FD8061492180B058F . 13824 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\wscntfy.exe

[-] 2008-04-14 . F1C5863B75EABF8897D46EC3B1EE303F . 15360 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ctfmon.exe
[-] 2004-08-04 . 08EC683DB46326984FC5819BB6029D2E . 15360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe
[-] 2004-08-04 . EB6A459C13A043C366043F53CFF6DA5C . 35328 . . [5.1.2600.2180] . . c:\windows\system32\ctfmon.exe
[-] 2004-08-04 . DB3B978AFAE42CEA36D541C22BEA8DD0 . 15360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-11 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 135168]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-12 217088]
"YMailAdvisor"="c:\program files\Yahoo!\Common\YMailAdvisor.exe" [2008-06-05 125208]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 53248]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 176128]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-04-09 7102464]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-02-01 185896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 438272]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-11 39408]

c:\documents and settings\Gary\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 60928]
MLB.TV NexDef Plug-in.lnk - c:\documents and settings\Gary\Local Settings\Application Data\Autobahn\mlb-nexdef-autobahn.exe [2009-4-1 801032]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WPN111 Smart Wizard.lnk - c:\program files\NETGEAR\WPN111 Configuration Utility\wpn111.exe [2006-3-19 512000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PicasaNet"="c:\program files\Hello\Hello.exe" -b

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hello\\Hello.exe"=
"c:\\Program Files\\SkyGolf\\SkyCaddie Desktop\\SkyCaddieDesktop.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/19/2009 04:23 PM 64288]
R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 08:00 AM 14336]
R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [8/4/2004 08:00 AM 114688]
R2 Ias;Windows Protected Network;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 08:00 AM 14336]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 07:17 AM 1170768]
R2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [4/27/2009 06:09 PM 93960]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys --> c:\windows\system32\DRIVERS\aswFsBlk.sys [?]
S2 Net_Login;Net_Login;c:\windows\svchust.exe [10/21/2009 02:48 PM 745436]
S2 NetLogin;Net Login;c:\windows\svchost.exe [10/23/2009 09:14 AM 1168384]
S3 ATHFMWDL;NETGEAR WPN111 Bootloader driver;c:\windows\system32\drivers\athwpn.sys [3/19/2006 09:12 PM 43392]
S3 daqdrv;daqdrv;c:\windows\system32\daqdrv.sys [8/4/2004 08:00 AM 2304]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [3/18/2006 05:43 PM 17149]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/4/2004 08:00 AM 14336]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [3/19/2006 09:12 PM 286720]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - 6TO4
*NewlyCreated* - BTWSRV
*NewlyCreated* - IAS
*NewlyCreated* - NETLOGIN
*NewlyCreated* - NET_LOGIN

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
.
Contents of the 'Scheduled Tasks' folder

2009-10-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:22]

2009-10-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {657BEC11-C6BA-4E6B-A41A-F3C5E648C9FB} - hxxp://www.golfbuddyglobal.com/GBSync/GBSink.cab
DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - hxxp://www.cooliris.com/shared/plinstll.cab
FF - ProfilePath - c:\documents and settings\Gary\Application Data\Mozilla\Firefox\Profiles\x3v93ogc.default\
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Protection System - c:\program files\Protection System\psystem.exe
HKCU-Run-Security Center - c:\windows\sc.exe
HKLM-Run-avast! - c:\progra~1\ALWILS~1\Avast4\ashDisp.exe
HKU-Default-Run-ttool - c:\windows\9129837.exe
AddRemove-avast! - c:\program files\Alwil Software\Avast4\aswRunDll.exe
AddRemove-{01386D1F-ADE7-43B4-A4E9-312FC5BC726F}_is1 - c:\dj930\flash\Program Files\UnH Solutions\SWF Opener\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-23 09:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\Install.txt 265 bytes
c:\windows\system32\BtwSrv.dllx 45568 bytes executable
c:\windows\system32\7.tmp 52 bytes
c:\windows\system32\8.tmp 88576 bytes executable

scan completed successfully
hidden files: 4

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(2632)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\combo-fix\CF3147.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wmdtc.exe
c:\windows\system32\lsm32.sys
c:\combo-fix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-23 9:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-23 13:20
ComboFix2.txt 2008-11-11 22:19

Pre-Run: 88,781,328,384 bytes free
Post-Run: 88,978,399,232 bytes free

- - End Of File - - 8B26DD0E4BFD3E51088034C55E8D5755
----------------------------------------------------------------------

HIJACK THIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:27:42, on 10/23/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\NETGEAR\WPN111 Configuration Utility\wpn111.exe
C:\Documents and Settings\Gary\Local Settings\Application Data\Autobahn\mlb-nexdef-autobahn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wmdtc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\FastNetSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\lsm32.sys
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Cooliris Plug-In for Internet Explorer - {EAEE5C74-6D0D-4aca-9232-0DA4A7B866BA} - C:\Program Files\PicLensIE\cooliris.dll
O2 - BHO: IEButton Class - {F81D52BF-F2F1-4F49-BF5F-05664E803039} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [YMailAdvisor] "C:\Program Files\Yahoo!\Common\YMailAdvisor.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: MLB.TV NexDef Plug-in.lnk = C:\Documents and Settings\Gary\Local Settings\Application Data\Autobahn\mlb-nexdef-autobahn.exe
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O9 - Extra button: Launch Cooliris - {3437D640-C91A-458f-89F5-B9095EA4C28B} - C:\Program Files\PicLensIE\cooliris.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {657BEC11-C6BA-4E6B-A41A-F3C5E648C9FB} (GBSinkCtrl Class) - http://www.golfbuddyglobal.com/GBSync/GBSink.cab
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - http://www.cooliris.com/shared/plinstll.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: fastnetsrv Service (fastnetsrv) - Netopsystems A - C:\WINDOWS\system32\FastNetSrv.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Net Login (NetLogin) - Unknown owner - C:\WINDOWS\svchost.exe
O23 - Service: Net_Login - Unknown owner - C:\WINDOWS\svchust.exe
O23 - Service: SlingAgentService - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe

--
End of file - 9492 bytes
 
Hello Gary,

This is most likely one of the heavily infected computers that I have come across in a long time. My gut feeling here are that you would be better off doing a format and reinstall of windows. Not just a system repair but a complete format and a clean install. This is like playing wack a mole, we remove some and other stuff pops up. With the system files that are infected I am still leaning towards Virut

We can try a few more things before we go to a format. Your userinit file is infected so everytime you log on to windows your bringing the infection along with it.


This tool needs to be run from Safemode to be effective so download it to your desktop then boot to Safemode to run it

To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
    this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
Tutorial if you need it How to boot into Safemode
Click to expand...

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log




Post the log and then run this online virus scanner

Please run this free online virus scanner from ESET
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
 
Last edited:
Hello Gary,

Been going over your Combofix log and you do have a file or two that are Virut related so forgo the fixes in my previous post. This infection is uncleanable as it infects every exe , scr file on your entire system including backup folders and your programs.

Example
c:\windows\system32\userinit.exe If we where to replace this with the file in your i386 folder we would just be replacing an infected file with another infected one.

The only recourse is to do a complete format of your operating system and a clean install of windows. You even need to delete the partition on your hard drive that hosts the operating system and during the set up process you can create a new one. I am afraid also that most of your stuff is gone , if you backup and save documents and pictures, its possible that there infected as well and you can reinfect yourself by re installing them.

You can read about it here
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html

Sorry I don't have better news for you. If you need help with the reinstall please let me know and I can link you to a windows site that can help you.
 
Gary,

You dont need to go to safemode to format and reinstall, what needs to be done is to have your bios set so that you can boot from a CD, then you put the Windows CD in , restart and you can format and reinstall from there. You need to go to this site and post in there forum, tell them your infected with Virut and you need to do a format and reinstall. They can run you through setting the bios and doing the reinstall. This is our sister site and like here its free but you need to sign up for an account and then you can post.

http://forums.whatthetech.com/Microsoft_Windows_f119.html

Good Luck,

Ken
 
You must log in or register to reply here.
Back
Top