Trying to Fully Remove Virtumonde

Z

Zalethon

New member
This computer, running Windows XP, (not sure what other information I can give that would be useful) was found recently to be infected by Virtumonde. (Among other things)

System restore was turned off a long time ago, so it's a bit late for that. I'm in safe mode (with networking) now, and I haven't backed up the registry yet. (Though I did download the software)

We were infected on or before Friday. We discovered it on Friday, but at the same time our modem quit, for probably unrelated reasons. I don't know why it quit, but the new one didn't quit, and I haven't heard anything about any virus disabling the hardware of a modem, so I assume it wasn't Virtumonde.

Since we didn't have internet access, our hands were pretty well tied. We couldn't update our existing software, or download new software until Tuesday. I've been trying to remove the virus since Friday, (with more luck since Tuesday) and it would be a very long thing to go into the whole process, but here's a short list of programs run so far:

AVG 8--which has since been uninstalled--was completely useless; Spybot found the virus initially, but then it locked up before the end and never found it again until I updated it yesterday; (Often it hung on Virtumonde, in fact) Ad-Aware found multiple viruses including different versions of Virtumonde, (IIRC -- I'm going entirely off memory) and removed them successfully, but Virtumonde (obviously) came back and Ad-Aware never found it again.

I downloaded MalwareBytes, SUPERAntiSpyware, RootkitBuster, Stinger and--although it's probably useless in this case--CWShredder, Avast, and a newer version of Ad-Aware--I had previously only updated the definitions and such--and ran all of those, and again in safe mode. (With networking, but having physically disconnected the computer from the network) Some of them found a few new things--MalwareBytes and SAS found quite a lot, RootkitBuster, Stinger and (thankfully) CWShredder each found nothing--or at least things that weren't found before, and removed them.

I updated Spybot, then disconnected again and ran it three times--it found Virtumonde the first two, and not the third, but it always hung on the very last item, firefox default bookmarks, for quite a while (I stopped it at least twice and removed what it had found)--and then ran the others once more. After that nothing else was found.

As it stands, I've reconnected to the network, and run HijackThis. I'm still in Safe Mode, the registry is not backed up, and restore points are off.

Any help is appreciated...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:59:09 PM, on 1/28/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Zalethon\Desktop\SecurityTango\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O5 "LPT1:" /M "Stylus CX5400"
O4 - HKLM\..\Run: [EPSON Stylus CX5400 (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P28 "EPSON Stylus CX5400 (Copy 1)" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: c:\windows\system32\ c:\windows\system32\fasijilu.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: fudetutum - {e91defb4-5008-41c3-980f-e669d9491bfc} - c:\windows\system32\lijaduhi.dll (file missing)
O21 - SSODL: kemavudej - {2a2850c3-1bea-47bb-abae-e2d7685acb5d} - c:\windows\system32\lijaduhi.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {e91defb4-5008-41c3-980f-e669d9491bfc} - c:\windows\system32\lijaduhi.dll (file missing)
O22 - SharedTaskScheduler: mujuzedij - {2a2850c3-1bea-47bb-abae-e2d7685acb5d} - c:\windows\system32\lijaduhi.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 5509 bytes
 
Last edited by a moderator:
Hi,

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.
 
The computer has, since I posted originally, been in and out of safe mode, more scans have been run, and had system restore turned back on. (If anything goes wrong, an infected restore point is (probably) better than none at all...) I'd have left it alone honestly except that the computer apparently lost power one night and it was found out of safe mode in the morning, and someone assumed it was fixed.

Here are those logs though:

dds.txt:

DDS (Ver_09-09-29.01) - NTFSx86 NETWORK
Run by Zalethon at 1:06:41.07 on Wed 02/03/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.86 [GMT -5:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\b4ffc66b-ebe0-4273-98cd-0bb04a54e720.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\Zalethon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Zalethon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Zalethon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Zalethon\Desktop\putty.exe
C:\Documents and Settings\Zalethon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Zalethon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Zalethon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Zalethon\My Documents\Program Files\MUSHclient\MUSHclient.exe
C:\Documents and Settings\Zalethon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Zalethon\Desktop\dds.com

============== Pseudo HJT Report ===============

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common

files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program

files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program

files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program

files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: The Weather Channel Toolbar: {2e5e800e-6ac0-411e-940a-369530a35e43} - c:\windows\system32\TwcToolbarIe7.dll
uRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\zalethon\local settings\application

data\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\NPSWF32_FlashUtil.exe -p
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [EPSON Stylus CX5400] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400"

/O5 "LPT1:" /M "Stylus CX5400"
mRun: [EPSON Stylus CX5400 (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2G1.EXE /P28 "EPSON Stylus

CX5400 (Copy 1)" /O6 "USB001" /M "Stylus CX5400"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe"

/runcleanupscript
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\zalethon\startm~1\programs\startup\erunta~1.lnk - c:\program

files\erunt\AUTOBACK.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2E5E800E-6AC0-411E-940A-369530A35E43} - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} -

c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -

hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} -

hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} -

hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} -

hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} -

hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -

hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\windows\system32\ c:\windows\system32\fasijilu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: fudetutum - {e91defb4-5008-41c3-980f-e669d9491bfc} - c:\windows\system32\lijaduhi.dll
SSODL: kemavudej - {2a2850c3-1bea-47bb-abae-e2d7685acb5d} - c:\windows\system32\lijaduhi.dll
STS: kupuhivus: {e91defb4-5008-41c3-980f-e669d9491bfc} - c:\windows\system32\lijaduhi.dll
STS: mujuzedij: {2a2850c3-1bea-47bb-abae-e2d7685acb5d} - c:\windows\system32\lijaduhi.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} -

c:\progra~1\window~4\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program

files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli nadejafi.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\zalethon\applic~1\mozilla\firefox\profiles\wyzs9ykz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\zalethon\application

data\mozilla\firefox\profiles\wyzs9ykz.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\fro

zen.dll
FF - component: c:\documents and settings\zalethon\application

data\mozilla\firefox\profiles\wyzs9ykz.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt

\components\FoxyTunes.dll
FF - plugin: c:\documents and settings\zalethon\application

data\mozilla\firefox\profiles\wyzs9ykz.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\p

lugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\zalethon\local settings\application

data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} -

c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla

firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla

firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla

firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla

firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla

firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-30 64160]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe

[2009-7-3 1028432]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-1-27 163280]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-27 19024]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-27 40384]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-27

40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-27 40384]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]

=============== Created Last 30 ================

2010-01-28 02:54 <DIR> -cd-----

c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-27 22:17 161,296 a------- c:\windows\system32\drivers\tmcomm.sys
2010-01-27 19:08 <DIR> --d----- c:\docume~1\zalethon\applic~1\Malwarebytes
2010-01-27 19:08 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-27 19:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-27 19:08 19,160 a------- c:\windows\system32\drivers\mbam.sys
2010-01-27 19:08 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2010-01-27 17:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-27 17:07 <DIR> --d----- c:\program files\SUPERAntiSpyware
2010-01-27 17:07 <DIR> --d----- c:\docume~1\zalethon\applic~1\SUPERAntiSpyware.com
2010-01-27 17:06 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2010-01-27 05:13 <DIR> --d----- C:\TEMP
2010-01-27 05:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-01-26 17:56 16,384 a------- C:\kkalf.exe
2010-01-16 00:12 <DIR> --d-----

c:\docume~1\zalethon\applic~1\CreeperMap.BA6B793AB2C9FDD744493F22666C1F8DFA806A5E.1
2010-01-16 00:12 <DIR> --d----- c:\docume~1\zalethon\applic~1\CreeperMap
2010-01-15 20:43 <DIR> --d-----

c:\docume~1\zalethon\applic~1\CreeperWorld.BA6B793AB2C9FDD744493F22666C1F8DFA806A5E.1
2010-01-15 20:41 <DIR> --d----- c:\program files\iPod
2010-01-11 18:46 471,552 -c------ c:\windows\system32\dllcache\aclayers.dll
2010-01-09 01:04 <DIR> --d----- C:\Python25
2010-01-07 21:31 <DIR> --d----- c:\program files\Arcade Tonk Tanks
2010-01-04 14:56 <DIR> --d----- C:\Python26

==================== Find3M ====================

2010-01-14 11:12 181,120 -------- c:\windows\system32\MpSigStub.exe
2009-12-21 14:14 916,480 a------- c:\windows\system32\wininet.dll
2009-11-21 10:51 471,552 a------- c:\windows\apppatch\aclayers.dll
2009-11-13 19:49 129,784 -------- c:\windows\system32\pxafs.dll
2009-11-13 19:49 120,056 -------- c:\windows\system32\pxcpyi64.exe
2009-11-13 19:49 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-11-13 19:47 90,112 a------- c:\windows\system32\dpl100.dll
2009-11-13 19:47 856,064 a------- c:\windows\system32\divx_xx0c.dll
2009-11-13 19:47 856,064 a------- c:\windows\system32\divx_xx07.dll
2009-11-13 19:47 847,872 a------- c:\windows\system32\divx_xx0a.dll
2009-11-13 19:47 843,776 a------- c:\windows\system32\divx_xx16.dll
2009-11-13 19:47 839,680 a------- c:\windows\system32\divx_xx11.dll
2009-11-13 19:47 696,320 a------- c:\windows\system32\DivX.dll
2008-07-05 23:26 248 a------- c:\program files\Garden Plannerini.xml

============= FINISH: 1:08:35.98 ===============

attach.txt:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-09-29.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 5/28/2008 1:08:30 PM
System Uptime: 2/1/2010 11:56:49 PM (26 hours ago)

Motherboard: ASUSTek Computer INC. | | Kelut
Processor: AMD Athlon(tm) XP 2800+ | Socket A | 2083/167mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 112 GiB total, 78.601 GiB free.
D: is CDROM (UDF)
E: is Removable
F: is Removable
G: is Removable
H: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 1/29/2010 4:41:10 PM - System Checkpoint
RP2: 1/29/2010 4:42:52 PM - 1/29/2010
RP3: 1/29/2010 5:35:04 PM - Removed QuickTime
RP4: 1/29/2010 5:39:07 PM - Installed QuickTime
RP5: 1/30/2010 6:44:48 PM - System Checkpoint
RP6: 1/31/2010 8:43:43 PM - System Checkpoint

==== Installed Programs ======================

AAC Decoder
Ad-Aware
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Media Player
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Shockwave Player
Agere Systems PCI Soft Modem
Apple Application Support
Apple Software Update
Armagetron Advanced 0.3_alpha8870
Atari: The 80 Classic Games
Audacity 1.2.6
AutoUpdate
avast! Free Antivirus
Bonjour
Bontago
Caesar 3
CamStudio
Cheat Engine 5.5
Continuum
Continuum 0.38
Creeper World
Creeper World DEMO
Creeper World Map Editor
Critical Update for Windows Media Player 11 (KB959772)
DeepBurner v1.8.0.224
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Plus Web Player
DivX Version Checker
EPSON Printer Software
EPSON Scan
ERUNT 1.1j
FileZilla Client 3.2.4.1
FoxyTunes for Firefox
Freeciv 2.1.8 (GTK+ client)
Garden Planner 1.4
GIMP 2.6.6
Google Chrome
H.264 Decoder
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
iTunes
Java(TM) 6 Update 11
Java(TM) 6 Update 4
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Malwarebytes' Anti-Malware
MapleStory
Math911
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
MKV Splitter
MobileMe Control Panel
Mozilla Firefox (3.0.17)
Mozilla Thunderbird (2.0.0.23)
Notepad++
OpenOffice.org 3.0
OpenRPG
OverDrive Media Console
Pando Media Booster
Phun beta 4.22
PolarClock3 Screen Saver
Python 2.5 PIL-1.1.6
Python 2.5 pygame-1.9.1release
Python 2.5.4
Python 2.6 PIL-1.1.6
Python 2.6 pygame-1.9.1
Python 2.6.4
QuickTime
Realtek AC'97 Audio
S3 S3Display
S3 S3Gamma2
S3 S3Info2
S3 S3Overlay
S3GSetup
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Snood 4
Snood Towers for Windows version 1.02
Sock Wizard
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
The Weather Channel Desktop 6
The Weather Channel Toolbar
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.4053
VIA Rhine-Family Fast Ethernet Adapter
VIA/S3G Display Driver
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 1.0.2
WebFldrs XP
Windows Defender
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinPcap 4.1.1
WinRAR archiver
Wireshark 1.2.5
wxPython 2.8.7.1 (unicode) for Python 2.5
YS FLIGHT SIMULATOR

==== Event Viewer Messages From Past Week ========

1/31/2010 6:20:08 AM, error: Print [19] - Sharing printer failed + 1722, Printer EPSON Stylus

CX5400 (Copy 1) share name Printer2.
1/31/2010 11:47:05 AM, error: Dhcp [1002] - The IP address lease 192.168.254.2 for the Network

Card with network address 00112F1E209F has been denied by the DHCP server 192.168.254.254 (The

DHCP Server sent a DHCPNACK message).
1/31/2010 11:44:20 AM, error: Dhcp [1002] - The IP address lease 192.168.254.5 for the Network

Card with network address 00112F1E209F has been denied by the DHCP server 192.168.254.254 (The

DHCP Server sent a DHCPNACK message).
1/31/2010 11:19:40 AM, error: Print [19] - Sharing printer failed + 1722, Printer Microsoft XPS

Document Writer share name Printer.
1/31/2010 11:19:13 AM, error: Dhcp [1002] - The IP address lease 192.168.254.3 for the Network

Card with network address 00112F1E209F has been denied by the DHCP server 192.168.254.254 (The

DHCP Server sent a DHCPNACK message).
1/29/2010 11:57:55 PM, error: MRxSmb [8003] - The master browser has received a server

announcement from the computer ACER-TLK that believes that it is the master browser for the

domain on transport NetBT_Tcpip_{4A562C2F-8B86-40B6-. The master browser is stopping or an

election is being forced.
1/29/2010 11:07:08 AM, error: Service Control Manager [7034] - The Terminal Services service

terminated unexpectedly. It has done this 1 time(s).
1/29/2010 11:07:08 AM, error: Service Control Manager [7031] - The DCOM Server Process Launcher

service terminated unexpectedly. It has done this 1 time(s). The following corrective action

will be taken in 60000 milliseconds: Reboot the machine.
1/28/2010 2:54:08 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the

service MSIServer with arguments "" in order to run the server:

{000C101C-0000-0000-C000-000000000046}
1/28/2010 2:12:08 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the

service StiSvc with arguments "" in order to run the server:

{A1F4E726-8CF1-11D1-BF92-0060081ED811}
1/28/2010 2:06:14 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the

service wuauserv with arguments "" in order to run the server:

{E60687F7-01A1-40AA-86AC-DB1CBF673334}
1/28/2010 12:26:27 AM, error: Service Control Manager [7026] - The following boot-start or

system-start driver(s) failed to load: Aavmker4 AmdK7 aswSP aswTdi Fips SASDIFSV SASKUTIL
1/27/2010 6:18:35 PM, error: Service Control Manager [7000] - The npkcrypt service failed to

start due to the following error: The system cannot find the file specified.
1/27/2010 6:18:20 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make

sure there is a page file on the boot partition and that is large enough to contain all physical

memory.
1/27/2010 6:18:20 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump

driver.
1/27/2010 10:29:09 PM, error: Service Control Manager [7026] - The following boot-start or

system-start driver(s) failed to load: Aavmker4 AFD AmdK7 aswSP aswTdi AvgLdx86 AvgMfx86 AvgTdiX

Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
1/27/2010 10:29:09 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service

depends on the AFD service which failed to start because of the following error: A device

attached to the system is not functioning.
1/27/2010 10:29:09 PM, error: Service Control Manager [7001] - The IPSEC Services service

depends on the IPSEC driver service which failed to start because of the following error: A

device attached to the system is not functioning.
1/27/2010 10:29:09 PM, error: Service Control Manager [7001] - The DNS Client service depends on

the TCP/IP Protocol Driver service which failed to start because of the following error: A

device attached to the system is not functioning.
1/27/2010 10:29:09 PM, error: Service Control Manager [7001] - The DHCP Client service depends

on the NetBios over Tcpip service which failed to start because of the following error: A device

attached to the system is not functioning.
1/27/2010 10:28:24 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the

service EventSystem with arguments "" in order to run the server:

{1BE1F766-5536-11D1-B726-00C04FB926AF}
1/27/2010 10:28:17 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the

service netman with arguments "" in order to run the server:

{BA126AE5-2166-11D1-B1D0-00805FC1270E}
1/27/2010 10:14:51 PM, error: Service Control Manager [7023] - The Application Management

service terminated with the following error: The specified module could not be found.
1/27/2010 10:10:54 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the

service wuauserv with arguments "" in order to run the server:

{E60687F7-01A1-40AA-86AC-DB1CBF673334}

==== End Of File ===========================
 
Hi,

Seems that you have word wrap enabled in notepad. Please disable it before taking the steps below.


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
 
I wasn't sure if you also needed attach.txt, so I attached it as an archive...

ComboFix 10-02-03.03 - Zalethon 02/03/2010 14:48:43.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.218 [GMT -5:00]
Running from: c:\documents and settings\Zalethon\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\kkalf.exe
c:\windows\system32\lijaduhi.dll
c:\windows\system32\lomds04.dll
c:\windows\winhelp.ini

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2010-01-03 to 2010-02-03 )))))))))))))))))))))))))))))))
.

2010-01-29 22:38 . 2010-01-29 22:38 -------- d-----w- c:\program files\Apple Software Update
2010-01-29 21:43 . 2010-01-29 21:44 -------- d-----w- c:\program files\ERUNT
2010-01-29 18:09 . 2010-01-29 18:09 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-01-28 09:00 . 2010-01-28 09:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-01-28 07:54 . 2010-01-28 07:54 -------- dc----w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-28 03:28 . 2010-01-28 03:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-28 03:17 . 2010-01-28 03:17 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-01-28 00:08 . 2010-01-28 00:08 -------- d-----w- c:\documents and settings\Zalethon\Application Data\Malwarebytes
2010-01-28 00:08 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-28 00:08 . 2010-01-28 00:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-28 00:08 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-28 00:08 . 2010-01-28 00:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-27 22:08 . 2010-01-27 22:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-27 22:07 . 2010-02-02 05:36 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-27 22:07 . 2010-01-27 22:07 -------- d-----w- c:\documents and settings\Zalethon\Application Data\SUPERAntiSpyware.com
2010-01-27 22:06 . 2010-01-27 22:06 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-27 10:13 . 2010-01-27 18:19 -------- d-----w- C:\TEMP
2010-01-27 10:13 . 2010-01-28 21:57 163280 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-01-27 10:13 . 2010-01-28 21:54 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-01-27 10:13 . 2010-01-28 21:54 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-01-27 10:13 . 2010-01-28 21:57 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-01-27 10:13 . 2010-01-28 21:54 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-01-27 10:13 . 2010-01-28 21:54 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-01-27 10:13 . 2010-01-28 21:53 28240 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-01-27 10:12 . 2010-01-28 22:09 152672 ----a-w- c:\windows\system32\aswBoot.exe
2010-01-27 10:12 . 2010-01-19 11:57 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-01-27 10:12 . 2010-01-27 10:12 -------- d-----w- c:\program files\Alwil Software
2010-01-27 10:12 . 2010-01-27 10:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-01-24 21:01 . 2010-01-27 09:50 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-01-23 20:55 . 2010-01-23 20:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\dvdcss
2010-01-23 07:20 . 2010-01-23 07:20 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2010-01-23 00:10 . 2010-01-23 00:10 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-01-22 22:13 . 2010-01-22 22:13 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-01-22 18:16 . 2010-01-22 18:16 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-01-22 17:05 . 2010-01-22 17:05 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2010-01-16 05:12 . 2010-01-16 05:12 -------- d-----w- c:\documents and settings\Zalethon\Application Data\CreeperMap
2010-01-16 05:12 . 2010-01-16 05:12 -------- d-----w- c:\documents and settings\Zalethon\Application Data\CreeperMap.BA6B793AB2C9FDD744493F22666C1F8DFA806A5E.1
2010-01-16 01:43 . 2010-01-16 01:43 -------- d-----w- c:\documents and settings\Zalethon\Application Data\CreeperWorld.BA6B793AB2C9FDD744493F22666C1F8DFA806A5E.1
2010-01-16 01:41 . 2010-01-16 01:41 -------- d-----w- c:\program files\iPod
2010-01-14 21:26 . 2010-01-29 22:39 -------- d-----w- c:\program files\QuickTime
2010-01-11 23:46 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-09 06:04 . 2010-01-16 22:45 -------- d-----w- C:\Python25
2010-01-08 02:31 . 2010-01-09 05:23 -------- d-----w- c:\program files\Arcade Tonk Tanks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-01 22:47 . 2010-01-27 22:08 117760 ----a-w- c:\documents and settings\Zalethon\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-29 22:38 . 2008-08-25 03:16 -------- d-----w- c:\program files\Common Files\Apple
2010-01-29 18:17 . 2008-05-29 02:42 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-01-28 09:02 . 2010-01-28 09:00 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-28 09:00 . 2010-01-28 09:00 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-28 07:21 . 2009-07-17 00:23 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-27 22:09 . 2010-01-27 22:09 52224 ----a-w- c:\documents and settings\Zalethon\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-27 08:41 . 2009-03-19 17:38 -------- d-----w- c:\documents and settings\Zalethon\Application Data\Move Networks
2010-01-27 08:41 . 2008-12-08 07:56 -------- d-----w- c:\documents and settings\Guest\Application Data\U3
2010-01-26 23:23 . 2008-05-29 04:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-24 21:14 . 2009-02-05 04:07 -------- d-----w- c:\program files\Yahoo!
2010-01-24 02:05 . 2009-10-08 05:09 -------- d-----w- c:\documents and settings\Zalethon\Application Data\vlc
2010-01-23 21:10 . 2009-05-11 01:46 -------- d-----w- c:\documents and settings\Zalethon\Application Data\dvdcss
2010-01-23 20:56 . 2009-10-09 18:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-01-16 06:10 . 2009-12-24 19:36 -------- d-----w- c:\program files\KnuckleCracker
2010-01-16 05:17 . 2009-12-24 19:37 -------- d-----w- c:\documents and settings\Zalethon\Application Data\CreeperWorld
2010-01-16 01:42 . 2009-12-24 19:36 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-16 01:41 . 2009-03-17 23:55 -------- d-----w- c:\program files\iTunes
2010-01-15 22:15 . 2009-04-01 03:20 -------- d-----w- c:\documents and settings\Zalethon\Application Data\FileZilla
2010-01-14 16:12 . 2009-10-02 20:56 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-01 08:38 . 2010-01-01 08:35 -------- d-----w- c:\program files\DivX
2010-01-01 08:36 . 2010-01-01 08:35 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-12-27 22:07 . 2009-05-30 23:26 -------- d-----w- c:\program files\CamStudio
2009-12-25 22:05 . 2009-08-09 00:12 -------- d-----w- c:\documents and settings\Zalethon\Application Data\gtk-2.0
2009-12-24 21:23 . 2009-12-24 21:23 -------- d-----w- c:\documents and settings\Zalethon\Application Data\Wireshark
2009-12-24 20:56 . 2009-12-24 20:55 -------- d-----w- c:\program files\Wireshark
2009-12-24 20:56 . 2009-12-24 20:56 -------- d-----w- c:\program files\WinPcap
2009-12-24 19:37 . 2009-12-24 19:37 -------- d-----w- c:\documents and settings\Zalethon\Application Data\CreeperWorldDEMO.BA6B793AB2C9FDD744493F22666C1F8DFA806A5E.1
2009-12-21 19:14 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 19:42 . 2009-12-25 08:33 872960 ----a-w- c:\documents and settings\Zalethon\Application Data\Mozilla\Firefox\Profiles\wyzs9ykz.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-12-16 19:42 . 2009-12-25 08:33 43008 ----a-w- c:\documents and settings\Zalethon\Application Data\Mozilla\Firefox\Profiles\wyzs9ykz.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-16 19:42 . 2009-12-25 08:33 340480 ----a-w- c:\documents and settings\Zalethon\Application Data\Mozilla\Firefox\Profiles\wyzs9ykz.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-16 19:41 . 2009-12-25 08:33 346624 ----a-w- c:\documents and settings\Zalethon\Application Data\Mozilla\Firefox\Profiles\wyzs9ykz.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-12-08 01:20 . 2009-10-06 00:21 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AutoLaunch.exe
2009-11-21 15:51 . 2006-02-28 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-20 17:08 . 2009-12-24 19:37 38784 ----a-w- c:\documents and settings\Zalethon\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-20 17:08 . 2009-12-24 19:37 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-14 00:49 . 2010-01-01 08:37 43528 ------w- c:\windows\system32\drivers\PxHelp20.sys
2009-11-14 00:49 . 2010-01-01 08:37 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-11-14 00:49 . 2010-01-01 08:37 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-11-14 00:49 . 2010-01-01 08:37 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-11-14 00:49 . 2010-01-01 08:37 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-11-14 00:49 . 2010-01-01 08:37 129784 ------w- c:\windows\system32\pxafs.dll
2009-11-14 00:47 . 2009-11-14 00:47 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47 . 2009-11-14 00:47 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47 . 2009-11-14 00:47 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47 . 2009-11-14 00:47 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47 . 2009-11-14 00:47 696320 ----a-w- c:\windows\system32\DivX.dll
2008-07-06 04:26 . 2008-07-06 03:24 248 ----a-w- c:\program files\Garden Plannerini.xml
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"Google Update"="c:\documents and settings\Zalethon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-09-08 133104]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"EPSON Stylus CX5400"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE" [2003-05-27 99840]
"EPSON Stylus CX5400 (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE" [2003-05-27 99840]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-01-28 2757512]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\Zalethon\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 02:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-07 17:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 20:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-03-13 00:56 342312 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-11-10 10:43 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
2004-10-22 15:53 53248 ----a-w- c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"npkcmsvc"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\Freeciv-2.1.8-gtk2\\civserver.exe"=
"c:\\Program Files\\Freeciv-2.1.8-gtk2\\civclient.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Zalethon\\My Documents\\Program Files\\Armagetron Advanced\\armagetronad.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\Zalethon\\My Documents\\Program Files\\Armagetron Advanced Dev\\3 Alpha\\ArmagetronAd.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Bontago\\Bontago.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Zalethon\\My Documents\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57043:TCP"= 57043:TCP:Pando Media Booster
"57043:UDP"= 57043:UDP:Pando Media Booster

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/30/2009 7:19 PM 64160]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [1/27/2010 5:13 AM 163280]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/27/2010 5:13 AM 19024]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 1:19 PM 50704]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 5:19 PM 13592]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1028432]
.
Contents of the 'Scheduled Tasks' folder

2010-02-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 00:21]

2010-02-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-1993962763-725345543-1004Core.job
- c:\documents and settings\Zalethon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-08 14:02]

2010-02-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-1993962763-725345543-1004UA.job
- c:\documents and settings\Zalethon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-08 14:02]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Zalethon\Application Data\Mozilla\Firefox\Profiles\wyzs9ykz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\Zalethon\Application Data\Mozilla\Firefox\Profiles\wyzs9ykz.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\Zalethon\Application Data\Mozilla\Firefox\Profiles\wyzs9ykz.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - plugin: c:\documents and settings\Zalethon\Application Data\Mozilla\Firefox\Profiles\wyzs9ykz.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\Zalethon\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{e91defb4-5008-41c3-980f-e669d9491bfc} - c:\windows\system32\lijaduhi.dll
SharedTaskScheduler-{2a2850c3-1bea-47bb-abae-e2d7685acb5d} - c:\windows\system32\lijaduhi.dll
SSODL-fudetutum-{e91defb4-5008-41c3-980f-e669d9491bfc} - c:\windows\system32\lijaduhi.dll
SSODL-kemavudej-{2a2850c3-1bea-47bb-abae-e2d7685acb5d} - c:\windows\system32\lijaduhi.dll
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
AddRemove-HijackThis - c:\documents and settings\Administrator\Desktop\HijackThis.exe
AddRemove-wxPython2.8-unicode-py25_is1 - c:\python25\Lib\site-packages\wx-2.8-msw-unicode\unins000.exe
AddRemove-Audacity_is1 - c:\documents and settings\Zalethon\My Documents\Program FilesAudacity\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-03 15:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3588)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\wscntfy.exe
c:\documents and settings\Zalethon\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
.
**************************************************************************
.
Completion time: 2010-02-03 15:13:44 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-03 20:13

Pre-Run: 84,063,121,408 bytes free
Post-Run: 86,641,672,192 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - A36C23FB1DE87C34E935BEBECF881776



dds.txt:

DDS (Ver_09-09-29.01) - NTFSx86
Run by Zalethon at 15:14:50.31 on Wed 02/03/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.149 [GMT -5:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Zalethon\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Zalethon\Desktop\dds.com

============== Pseudo HJT Report ===============

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: The Weather Channel Toolbar: {2e5e800e-6ac0-411e-940a-369530a35e43} - c:\windows\system32\TwcToolbarIe7.dll
uRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
uRun: [Google Update] "c:\documents and settings\zalethon\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [EPSON Stylus CX5400] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O5 "LPT1:" /M "Stylus CX5400"
mRun: [EPSON Stylus CX5400 (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2G1.EXE /P28 "EPSON Stylus CX5400 (Copy 1)" /O6 "USB001" /M "Stylus CX5400"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\zalethon\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2E5E800E-6AC0-411E-940A-369530A35E43} - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\zalethon\applic~1\mozilla\firefox\profiles\wyzs9ykz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\zalethon\application data\mozilla\firefox\profiles\wyzs9ykz.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\zalethon\application data\mozilla\firefox\profiles\wyzs9ykz.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - plugin: c:\documents and settings\zalethon\application data\mozilla\firefox\profiles\wyzs9ykz.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\zalethon\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-30 64160]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-1-27 163280]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-27 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-27 40384]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-27 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-27 40384]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1028432]

=============== Created Last 30 ================

2010-02-03 14:38 <DIR> a-dshr-- C:\cmdcons
2010-02-03 14:35 261,632 a------- c:\windows\PEV.exe
2010-02-03 14:35 161,792 a------- c:\windows\SWREG.exe
2010-02-03 14:35 98,816 a------- c:\windows\sed.exe
2010-02-03 14:35 77,312 a------- c:\windows\MBR.exe
2010-01-28 02:54 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-27 22:17 161,296 a------- c:\windows\system32\drivers\tmcomm.sys
2010-01-27 19:08 <DIR> --d----- c:\docume~1\zalethon\applic~1\Malwarebytes
2010-01-27 19:08 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-27 19:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-27 19:08 19,160 a------- c:\windows\system32\drivers\mbam.sys
2010-01-27 19:08 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2010-01-27 17:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-27 17:07 <DIR> --d----- c:\program files\SUPERAntiSpyware
2010-01-27 17:07 <DIR> --d----- c:\docume~1\zalethon\applic~1\SUPERAntiSpyware.com
2010-01-27 17:06 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2010-01-27 05:13 <DIR> --d----- C:\TEMP
2010-01-27 05:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-01-16 00:12 <DIR> --d----- c:\docume~1\zalethon\applic~1\CreeperMap.BA6B793AB2C9FDD744493F22666C1F8DFA806A5E.1
2010-01-16 00:12 <DIR> --d----- c:\docume~1\zalethon\applic~1\CreeperMap
2010-01-15 20:43 <DIR> --d----- c:\docume~1\zalethon\applic~1\CreeperWorld.BA6B793AB2C9FDD744493F22666C1F8DFA806A5E.1
2010-01-15 20:41 <DIR> --d----- c:\program files\iPod
2010-01-11 18:46 471,552 -c------ c:\windows\system32\dllcache\aclayers.dll
2010-01-09 01:04 <DIR> --d----- C:\Python25
2010-01-07 21:31 <DIR> --d----- c:\program files\Arcade Tonk Tanks

==================== Find3M ====================

2010-01-14 11:12 181,120 -------- c:\windows\system32\MpSigStub.exe
2009-12-21 14:14 916,480 -------- c:\windows\system32\wininet.dll
2009-11-21 10:51 471,552 a------- c:\windows\apppatch\aclayers.dll
2009-11-13 19:49 129,784 -------- c:\windows\system32\pxafs.dll
2009-11-13 19:49 120,056 -------- c:\windows\system32\pxcpyi64.exe
2009-11-13 19:49 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-11-13 19:47 90,112 a------- c:\windows\system32\dpl100.dll
2009-11-13 19:47 856,064 a------- c:\windows\system32\divx_xx0c.dll
2009-11-13 19:47 856,064 a------- c:\windows\system32\divx_xx07.dll
2009-11-13 19:47 847,872 a------- c:\windows\system32\divx_xx0a.dll
2009-11-13 19:47 843,776 a------- c:\windows\system32\divx_xx16.dll
2009-11-13 19:47 839,680 a------- c:\windows\system32\divx_xx11.dll
2009-11-13 19:47 696,320 a------- c:\windows\system32\DivX.dll
2008-07-05 23:26 248 a------- c:\program files\Garden Plannerini.xml

============= FINISH: 15:15:27.60 ===============
 
Hi again,


Uninstall old Adobe Reader versions and get the latest one (9.3) here or get Foxit Reader here. Make sure you don't install toolbar if choose Foxit Reader! You may also check free readers introduced here.

Uninstall your current Adobe shockwave player and get the fresh one here if needed.

Check here to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following instructions here. Fresh version can be obtained here.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 18.
  • Click the
    Download
    button to the right.
  • Select Windows on platform combobox and check the box that says:
    Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.



Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report & a fresh dds.txt log. How's the system running?
 
I tried to run Kaspersky; it initially didn't run because I was trying it in Chrome, but upon running it in Firefox I got the following error message: "Launch of the Java application is interrupted! Please establish an uninterrupted Internet connection for work with this program." (I'm absolutely certain that the internet connection never ceased) I refreshed the page and the download started, then I got the same message in the middle of the Database update. The download continued regardless, even before I clicked 'ok'; I'm assuming for the moment that it was all successful.

I tried to run the scan twice, both times overnight. The first time stopped and locked up the browser at 24%, two hours and forty minutes in, but at that point it hadn't found anything. The second stopped at 72% in, at between four and five hours, but it didn't lock up. It had found two things, but I was unable to view the log or it wasn't there.

Other than that, the computer's running fine now; google search results aren't being replaced and random browser windows aren't being opened, so I'm happy. :P
 
DDS (Ver_09-09-29.01) - NTFSx86
Run by Zalethon at 14:22:15.78 on Sat 02/06/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.137 [GMT -5:00]

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Documents and Settings\Zalethon\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Zalethon\Desktop\putty.exe
C:\Documents and Settings\Zalethon\My Documents\Program Files\MUSHclient\MUSHclient.exe
C:\Documents and Settings\Zalethon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Zalethon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Zalethon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Zalethon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Zalethon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Zalethon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Zalethon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Zalethon\Desktop\dds.com

============== Pseudo HJT Report ===============

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: The Weather Channel Toolbar: {2e5e800e-6ac0-411e-940a-369530a35e43} - c:\windows\system32\TwcToolbarIe7.dll
uRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
uRun: [Google Update] "c:\documents and settings\zalethon\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [EPSON Stylus CX5400] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O5 "LPT1:" /M "Stylus CX5400"
mRun: [EPSON Stylus CX5400 (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2G1.EXE /P28 "EPSON Stylus CX5400 (Copy 1)" /O6 "USB001" /M "Stylus CX5400"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\zalethon\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2E5E800E-6AC0-411E-940A-369530A35E43} - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\zalethon\applic~1\mozilla\firefox\profiles\wyzs9ykz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\zalethon\application data\mozilla\firefox\profiles\wyzs9ykz.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\zalethon\application data\mozilla\firefox\profiles\wyzs9ykz.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - plugin: c:\documents and settings\zalethon\application data\mozilla\firefox\profiles\wyzs9ykz.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\zalethon\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-30 64160]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-1-27 163280]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-27 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-27 40384]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-27 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-27 40384]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1028432]

=============== Created Last 30 ================

2010-02-04 19:33 73,728 a------- c:\windows\system32\javacpl.cpl
2010-02-03 14:38 <DIR> a-dshr-- C:\cmdcons
2010-02-03 14:35 261,632 a------- c:\windows\PEV.exe
2010-02-03 14:35 161,792 a------- c:\windows\SWREG.exe
2010-02-03 14:35 98,816 a------- c:\windows\sed.exe
2010-02-03 14:35 77,312 a------- c:\windows\MBR.exe
2010-01-28 02:54 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-27 22:17 161,296 a------- c:\windows\system32\drivers\tmcomm.sys
2010-01-27 19:08 <DIR> --d----- c:\docume~1\zalethon\applic~1\Malwarebytes
2010-01-27 19:08 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-27 19:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-27 19:08 19,160 a------- c:\windows\system32\drivers\mbam.sys
2010-01-27 19:08 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2010-01-27 17:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-27 17:07 <DIR> --d----- c:\program files\SUPERAntiSpyware
2010-01-27 17:07 <DIR> --d----- c:\docume~1\zalethon\applic~1\SUPERAntiSpyware.com
2010-01-27 17:06 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2010-01-27 05:13 <DIR> --d----- C:\TEMP
2010-01-27 05:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-01-16 00:12 <DIR> --d----- c:\docume~1\zalethon\applic~1\CreeperMap.BA6B793AB2C9FDD744493F22666C1F8DFA806A5E.1
2010-01-16 00:12 <DIR> --d----- c:\docume~1\zalethon\applic~1\CreeperMap
2010-01-15 20:43 <DIR> --d----- c:\docume~1\zalethon\applic~1\CreeperWorld.BA6B793AB2C9FDD744493F22666C1F8DFA806A5E.1
2010-01-15 20:41 <DIR> --d----- c:\program files\iPod
2010-01-11 18:46 471,552 -c------ c:\windows\system32\dllcache\aclayers.dll
2010-01-09 01:04 <DIR> --d----- C:\Python25
2010-01-07 21:31 <DIR> --d----- c:\program files\Arcade Tonk Tanks

==================== Find3M ====================

2010-02-04 19:32 411,368 a------- c:\windows\system32\deploytk.dll
2010-01-14 11:12 181,120 -------- c:\windows\system32\MpSigStub.exe
2009-12-21 14:14 916,480 -------- c:\windows\system32\wininet.dll
2009-11-21 10:51 471,552 a------- c:\windows\apppatch\aclayers.dll
2009-11-13 19:49 129,784 -------- c:\windows\system32\pxafs.dll
2009-11-13 19:49 120,056 -------- c:\windows\system32\pxcpyi64.exe
2009-11-13 19:49 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-11-13 19:47 90,112 a------- c:\windows\system32\dpl100.dll
2009-11-13 19:47 856,064 a------- c:\windows\system32\divx_xx0c.dll
2009-11-13 19:47 856,064 a------- c:\windows\system32\divx_xx07.dll
2009-11-13 19:47 847,872 a------- c:\windows\system32\divx_xx0a.dll
2009-11-13 19:47 843,776 a------- c:\windows\system32\divx_xx16.dll
2009-11-13 19:47 839,680 a------- c:\windows\system32\divx_xx11.dll
2009-11-13 19:47 696,320 a------- c:\windows\system32\DivX.dll
2008-07-05 23:26 248 a------- c:\program files\Garden Plannerini.xml

============= FINISH: 14:23:00.20 ===============
 
Hi,

Let's see if ESET online scanner works better.


* Go here to run an online scanner from ESET.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • Make sure that the option Remove found threats is not checked.
  • Click Scan
  • Wait for the scan to finish
  • Post back the report.
 
Here's the results; I unchecked 'remove found threats,' so I imagine they are all still there: (MapleStory is probably not actually a threat, but hey. <.<)

C:\Program Files\Nexon\MapleStory\MapleStory.exe probably a variant of Win32/PSW.Agent trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.SJ virus
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4TGBEPA1\pdf[1].pdf PDF/Exploit.Gen trojan
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4TGBEPA1\pdf[2].pdf PDF/Exploit.Gen trojan
 
Hi,

(MapleStory is probably not actually a threat, but hey. <.<)
Click to expand...
Yes, probably false positive.


Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.


Delete these files (if found):
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4TGBEPA1\pdf[1].pdf
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4TGBEPA1\pdf[2].pdf

Post a fresh dds log and let me know how's the system running.
 
The computer seems to be running fine now, to me. Thanks muchly. :) Anything else, based on the log here?


DDS (Ver_09-09-29.01) - NTFSx86
Run by Zalethon at 23:39:12.59 on Sun 02/07/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.111 [GMT -5:00]

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Documents and Settings\Zalethon\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Zalethon\Desktop\putty.exe
C:\Documents and Settings\Zalethon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Zalethon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Zalethon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Zalethon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Zalethon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Zalethon\Desktop\dds.com

============== Pseudo HJT Report ===============

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: The Weather Channel Toolbar: {2e5e800e-6ac0-411e-940a-369530a35e43} - c:\windows\system32\TwcToolbarIe7.dll
uRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
uRun: [Google Update] "c:\documents and settings\zalethon\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [EPSON Stylus CX5400] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O5 "LPT1:" /M "Stylus CX5400"
mRun: [EPSON Stylus CX5400 (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2G1.EXE /P28 "EPSON Stylus CX5400 (Copy 1)" /O6 "USB001" /M "Stylus CX5400"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\zalethon\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2E5E800E-6AC0-411E-940A-369530A35E43} - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\zalethon\applic~1\mozilla\firefox\profiles\wyzs9ykz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\zalethon\application data\mozilla\firefox\profiles\wyzs9ykz.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\zalethon\application data\mozilla\firefox\profiles\wyzs9ykz.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - plugin: c:\documents and settings\zalethon\application data\mozilla\firefox\profiles\wyzs9ykz.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\zalethon\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-30 64160]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-1-27 163280]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-27 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-27 40384]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-27 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-27 40384]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1028432]

=============== Created Last 30 ================

2010-02-06 17:52 <DIR> --d----- c:\program files\ESET
2010-02-04 19:33 73,728 a------- c:\windows\system32\javacpl.cpl
2010-02-03 14:38 <DIR> a-dshr-- C:\cmdcons
2010-02-03 14:35 261,632 a------- c:\windows\PEV.exe
2010-02-03 14:35 161,792 a------- c:\windows\SWREG.exe
2010-02-03 14:35 98,816 a------- c:\windows\sed.exe
2010-02-03 14:35 77,312 a------- c:\windows\MBR.exe
2010-01-28 02:54 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-27 22:17 161,296 a------- c:\windows\system32\drivers\tmcomm.sys
2010-01-27 19:08 <DIR> --d----- c:\docume~1\zalethon\applic~1\Malwarebytes
2010-01-27 19:08 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-27 19:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-27 19:08 19,160 a------- c:\windows\system32\drivers\mbam.sys
2010-01-27 19:08 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2010-01-27 17:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-27 17:07 <DIR> --d----- c:\program files\SUPERAntiSpyware
2010-01-27 17:07 <DIR> --d----- c:\docume~1\zalethon\applic~1\SUPERAntiSpyware.com
2010-01-27 17:06 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2010-01-27 05:13 <DIR> --d----- C:\TEMP
2010-01-27 05:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-01-16 00:12 <DIR> --d----- c:\docume~1\zalethon\applic~1\CreeperMap.BA6B793AB2C9FDD744493F22666C1F8DFA806A5E.1
2010-01-16 00:12 <DIR> --d----- c:\docume~1\zalethon\applic~1\CreeperMap
2010-01-15 20:43 <DIR> --d----- c:\docume~1\zalethon\applic~1\CreeperWorld.BA6B793AB2C9FDD744493F22666C1F8DFA806A5E.1
2010-01-15 20:41 <DIR> --d----- c:\program files\iPod
2010-01-11 18:46 471,552 -c------ c:\windows\system32\dllcache\aclayers.dll
2010-01-09 01:04 <DIR> --d----- C:\Python25

==================== Find3M ====================

2010-02-04 19:32 411,368 a------- c:\windows\system32\deploytk.dll
2010-01-14 11:12 181,120 -------- c:\windows\system32\MpSigStub.exe
2009-12-21 14:14 916,480 -------- c:\windows\system32\wininet.dll
2009-11-21 10:51 471,552 a------- c:\windows\apppatch\aclayers.dll
2009-11-13 19:49 129,784 -------- c:\windows\system32\pxafs.dll
2009-11-13 19:49 120,056 -------- c:\windows\system32\pxcpyi64.exe
2009-11-13 19:49 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-11-13 19:47 90,112 a------- c:\windows\system32\dpl100.dll
2009-11-13 19:47 856,064 a------- c:\windows\system32\divx_xx0c.dll
2009-11-13 19:47 856,064 a------- c:\windows\system32\divx_xx07.dll
2009-11-13 19:47 847,872 a------- c:\windows\system32\divx_xx0a.dll
2009-11-13 19:47 843,776 a------- c:\windows\system32\divx_xx16.dll
2009-11-13 19:47 839,680 a------- c:\windows\system32\divx_xx11.dll
2009-11-13 19:47 696,320 a------- c:\windows\system32\DivX.dll
2008-07-05 23:26 248 a------- c:\program files\Garden Plannerini.xml

============= FINISH: 23:40:07.25 ===============
 
The latest log looks ok :)


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis



We need to re hide system files. To do so, please follow the steps below:
  1. Double-click My Computer.
  2. Click the Tools menu, and then click Folder Options.
  3. Click the View tab.
  4. Put a check by
    Hide file extensions for known file types.
  5. Under the
    Hidden files
    folder, select
    Show hidden files and folders.
  6. Check
    Hide protected operating system files.
  7. Click Apply, and then click OK.


Now lets uninstall ComboFix:
  • Click START then RUN
  • Now copy-paste Combofix /uninstall in the runbox and click OK


Please download OTC and save it to desktop.
  • Double-click OTC.exe.
  • Click the CleanUp! button.
  • Select Yes when the
    Begin cleanup Process?
    prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.


UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

  • hosts file:
    • Every version of windows has a hosts file as part of them.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!
    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    1. [*]Click the start button (at the lower left hand corner of your screen) [*]Click run [*]In the dialog box, type services.msc [*]hit enter, then locate dns client [*]Highlight it, then double-click it. [*]On the dropdown box, change the setting from automatic to manual. [*]Click ok
  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
    If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free or Comodo Firewall Pro (If you choose Comodo: Uncheck during installation Install Comodo HopSurf.., Make Comodo my default search provider and Make Comodo Search my homepage and install firewall ONLY!). Both providers have support forums that help with configuration related questions.


Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
 
Things are going fine now. It's actually faster than it's been in ages... So apparently there were problems even before we knew we had Virtumonde. :P

Thank you! :)
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.
 
You must log in or register to reply here.
Back
Top