Virtumonde and others

Cypher · Feb 17, 2010

Hi DeciAz.
Your logs are looking clean so far but i want to check one thing out.

SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
Code:
```
:dir
C:\Documents and Settings\All Users\Application Data\NOS
```
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

DeciAz · Feb 17, 2010

Here is the log:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 09:52 on 17/02/2010 by Sharon (Administrator - Elevation successful)

========== dir ==========

C:\Documents and Settings\All Users\Application Data\NOS - Parameters: "(none)"

---Files---
getUninst_E2883E8F-472F-4fb0-9522-AC9BF37916A7.dat --a--- 1530 bytes [23:39 13/02/2010] [00:34 14/02/2010]

---Folders---
Adobe_Downloads d----- [00:34 14/02/2010]
GP_GUI_Adobe d----- [23:39 13/02/2010]

-=End Of File=-

Cypher · Feb 17, 2010

Ok lets try this.

Please navigate to Start >> All Programs >> ERUNT, then double-click ERUNT from the menu.
Click on OK within the pop-up menu.
In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
- System registry.
- Current user registry.
Next click on "OK"... at the prompt... reply "Yes".
After a short duration the Registry backup is complete! pop-up message will appear.
Now click on "OK". A registry backup has now been created.

Next.

Please run ATF Cleaner. it should still be on your Desktop

Next.

Disable Avira anti-virus

Please navigate to the system tray on the bottom right hand corner and look for an open white umbrella on red background (looks to this:

)
right click it-> untick the option AntiVir Guard enable.
You should now see a closed, white umbrella on a red background (looks to this:

)
Note: Don't forget to re-enable it after the fix.

Next.

Download and Run ComboFix

Please download ComboFix from one of the following links.

Link 1.

Link 2.

**IMPORTANT !!! Save ComboFix.exe to your Desktop**
Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
Double click on ComboFix.exe & follow the prompts
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

Logs/Information to Post in your Next Reply

ComboFix log.
Please give me an update on your computers performance.

DeciAz · Feb 17, 2010

ComboFix

I ran the ComboFix, it installed a Windows Recovery Console and then ran.

It deleted a short list of files, including, it appear from my brief glimpse, the pop-up file I am getting.

But when it came to preparing a log, I got the BSOD, with an error code referencing mbr.sys address ( I copied the error code down if you would like to see it).

When I rebooted, the pop-ups appeared and my ZoneAlarm and Avira were running, even tho I had disabled them before running the program....so a restore point, maybe?

Should I run again?

Cypher · Feb 17, 2010

Ok see if there is a ComboFix log It can be found at C:\ComboFix.txt .
Also post the error code in your next reply.

Next.

MBR Rootkit Detector:

Please download MBR Rootkit Detector by GMER and save it to your desktop.

Double click on the MBR.exe file to run it.
A window will open briefly then close.
A log will be produced & saved to the desktop, called MBR.log.
Please post the contents of that log in your next reply.

Logs/Information to Post in your Next Reply

ComboFix.txt if found
MBR.log
Error code.

DeciAz · Feb 17, 2010

I already searched for the log, but could not find it.

The error code was:
Stop: 0x000000D1 (0X353900,0X0000001C,0X00000001,0XF775B41D)

mbr.sys-address F775B41D base at F775AWQ (or 000 can't read my own handwriting) date stamp 4add63e5

This is the MBR log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

Cypher · Feb 17, 2010

Hi DeciAz.
Don't do anything else for now.
I will have a think about this and get back to you as soon as possible.

Cypher · Feb 17, 2010

Hi DeciAz.
ComboFix includes the MBR scan i just had you run.
It looks like the mbr.sys driver crashed before the scan was completed.

Ok run ComboFix again.
Please be sure that your Antivirus is disabled before running ComboFix.
Post the log in your next reply.

DeciAz · Feb 17, 2010

ComboFix 10-02-16.03 - Sharon 02/17/2010 13:58:38.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.686 [GMT -7:00]
Running from: c:\documents and settings\Sharon\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\rundll32 .exe
c:\windows\system32\twain.dll
c:\windows\system32\twain_32.dll

.
((((((((((((((((((((((((( Files Created from 2010-01-17 to 2010-02-17 )))))))))))))))))))))))))))))))
.

2010-02-16 20:20 . 2010-02-16 20:20 -------- d-----w- c:\program files\Common Files\Java
2010-02-16 20:20 . 2010-02-16 20:20 503808 ----a-w- c:\documents and settings\Sharon\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-157a94d2-n\msvcp71.dll
2010-02-16 20:20 . 2010-02-16 20:20 499712 ----a-w- c:\documents and settings\Sharon\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-157a94d2-n\jmc.dll
2010-02-16 20:20 . 2010-02-16 20:20 348160 ----a-w- c:\documents and settings\Sharon\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-157a94d2-n\msvcr71.dll
2010-02-16 20:20 . 2010-02-16 20:20 61440 ----a-w- c:\documents and settings\Sharon\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-793db118-n\decora-sse.dll
2010-02-16 20:20 . 2010-02-16 20:20 12800 ----a-w- c:\documents and settings\Sharon\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-793db118-n\decora-d3d.dll
2010-02-16 13:54 . 2010-02-16 13:54 -------- d-----w- C:\_OTM
2010-02-16 03:21 . 2010-02-16 03:21 -------- d-----w- C:\rsit
2010-02-14 00:38 . 2010-02-14 00:38 38784 ----a-w- c:\documents and settings\Sharon\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-14 00:38 . 2010-02-14 00:38 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-14 00:34 . 2010-02-14 00:35 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-02-13 23:39 . 2010-02-14 00:34 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-13 23:39 . 2010-02-13 23:39 -------- d-----w- c:\program files\NOS
2010-02-13 23:39 . 2010-01-25 17:02 31936 ----a-w- c:\documents and settings\Sharon\Application Data\Mozilla\Firefox\Profiles\aa101x97.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-02-13 23:39 . 2010-01-25 17:02 29344 ----a-w- c:\documents and settings\Sharon\Application Data\Mozilla\Firefox\Profiles\aa101x97.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-02-13 06:32 . 2010-02-13 06:32 -------- d-sh--w- c:\documents and settings\Sharon\IECompatCache
2010-02-12 21:56 . 2010-02-13 01:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-12 16:40 . 2010-02-12 16:40 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-02-10 19:59 . 2010-02-10 19:59 -------- d-----w- c:\program files\Trend Micro
2010-02-10 19:29 . 2010-02-10 20:01 -------- d-----w- c:\program files\ERUNT
2010-02-10 00:23 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-10 00:23 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-09 02:02 . 2010-02-09 02:02 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-02-09 02:02 . 2010-02-09 02:02 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-01-28 22:53 . 2010-01-28 22:53 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-01-28 22:53 . 2009-11-22 22:42 69000 ----a-w- c:\windows\system32\zlcomm.dll
2010-01-28 22:53 . 2009-11-22 22:42 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2010-01-28 22:53 . 2010-01-28 22:53 -------- d-----w- c:\windows\system32\ZoneLabs
2010-01-28 22:53 . 2009-11-22 22:42 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2010-01-28 22:53 . 2010-01-28 22:53 -------- d-----w- c:\program files\Zone Labs
2010-01-28 22:50 . 2010-02-17 18:59 -------- d-----w- c:\windows\Internet Logs
2010-01-26 05:46 . 2010-02-13 02:27 -------- d-----w- c:\program files\AOL 9.5a
2010-01-25 23:28 . 2010-01-26 05:17 -------- d-----w- c:\program files\AOL 9.5
2010-01-25 23:17 . 2010-01-25 23:26 43732816 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol_single\4337.155.1.1\setup.exe
2010-01-25 23:17 . 2010-01-25 23:17 42960 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol_single\4337.155.1.1\noneCodesignFilesBundle.exe
2010-01-22 17:47 . 2010-01-22 17:47 -------- d-----w- c:\documents and settings\Sharon\Application Data\Malwarebytes
2010-01-22 17:47 . 2010-01-22 17:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-17 17:51 . 2010-01-29 13:18 5261146 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-02-16 20:19 . 2008-12-09 05:33 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-16 17:27 . 2005-07-16 16:52 -------- d-----w- c:\program files\Java
2010-02-16 04:56 . 2009-05-23 16:55 -------- d-----w- c:\program files\Fishdom
2010-02-15 03:35 . 2009-12-02 18:22 -------- d-----w- c:\documents and settings\Sharon\Application Data\Dofus 2
2010-02-14 00:42 . 2005-07-23 17:26 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-13 06:54 . 2005-07-27 19:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-13 05:38 . 2005-07-27 19:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-13 03:36 . 2009-12-19 16:57 -------- d-----w- c:\program files\QuickTime
2010-02-13 01:48 . 2009-12-19 17:00 -------- d-----w- c:\program files\iTunes
2010-02-12 21:36 . 2005-07-23 19:50 -------- d-----w- c:\program files\Maxis
2010-02-12 18:10 . 2005-12-05 18:44 -------- d-----w- c:\documents and settings\Sharon\Application Data\Apple Computer
2010-02-12 16:37 . 2007-04-08 08:37 -------- d-----w- c:\program files\Google
2010-02-09 22:16 . 2005-11-03 23:19 -------- d-----w- c:\program files\EA GAMES
2010-02-09 21:57 . 2008-11-17 16:04 -------- d-----w- c:\documents and settings\All Users\Application Data\HipSoft
2010-02-09 21:57 . 2007-01-08 23:08 -------- d-----w- c:\program files\AOL Games
2010-01-26 05:48 . 2005-07-24 16:33 -------- d-----w- c:\documents and settings\Sharon\Application Data\AOL
2010-01-26 05:47 . 2005-07-23 19:24 -------- d-----w- c:\program files\Common Files\AOL
2010-01-26 05:46 . 2005-12-31 20:25 -------- d-----w- c:\program files\Common Files\aolshare
2010-01-26 05:46 . 2005-07-24 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-01-25 23:17 . 2005-07-24 14:37 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2010-01-22 23:06 . 2002-01-23 14:37 70768 -c--a-w- c:\documents and settings\Sharon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-15 17:14 . 2010-01-14 17:13 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-14 17:13 . 2010-01-14 17:13 -------- d-----w- c:\program files\Avira
2010-01-14 17:13 . 2010-01-14 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-01-04 18:41 . 2007-12-19 03:48 -------- d-----w- c:\program files\Dofus
2009-12-31 16:50 . 2005-07-16 16:37 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-19 16:48 . 2009-12-19 16:48 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-12-16 18:43 . 2008-09-04 17:24 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-10 17:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2004-08-10 17:51 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-04 03:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2005-07-16 16:37 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2004-08-10 17:51 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2004-08-04 05:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2004-08-10 17:51 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-18 03:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2004-08-10 17:51 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2004-08-10 17:50 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-04 05:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-21 15:51 . 2004-08-10 17:50 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2007-02-15 18:25 . 2006-04-08 19:36 480624 -c--a-w- c:\program files\2005 Porter R Tax Return.tax
.

Code:

<pre>
c:\program files\AOL 9.5a\aol .exe
c:\program files\Common Files\AOL\1105975379\EE\aolsoftware .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\MouseWare\system\em_exec .exe
c:\program files\QuickTime\qttask             .exe
c:\program files\Spybot - Search & Destroy\teatimer .exe
c:\windows\system32\dla\tfswctrl .exe
c:\windows\system32\spool\drivers\w32x86\3\hpztsb07 .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-12 39408]
"Flablt"="c:\documents and settings\Sharon\Application Data\Adobe\Update\wndcor.dat" [2010-02-05 18732]
"AOL Fast Start"="c:\program files\AOL 9.5a\AOL.EXE" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"EM_EXEC"="c:\progra~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [N/A]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-10-21 29696]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [N/A]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [N/A]
"Pure Networks Port Magic"="c:\progra~1\purene~1\portma~1\PORTAO~1.EXE" [N/A]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [N/A]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [N/A]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"HostManager"="c:\program files\Common Files\AOL\1105975379\ee\AOLSoftware.exe" [N/A]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-11-22 1037192]
"ISUSScheduler"="c:\progra~1\common~1\instal~1\update~1\issch.exe" [N/A]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Flablt"="c:\documents and settings\Sharon\Application Data\Adobe\Update\wndcor.dat" [2010-02-05 18732]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AmazonGSDownloaderTray]
2009-04-06 23:35 247296 ----a-w- c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 23:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
c:\program files\Common Files\InstallShield\UpdateService\issch.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2006-01-19 18:06 11776 ----a-w- c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Walgreens PhotoShow Media Manager]
2006-04-20 06:35 237568 ----a-w- c:\progra~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1105975379\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Maxis\\The Sims\\support\\The Sims Makin' Magic_eReg.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\MUSICMATCH\\Musicmatch Jukebox\\mmjb.exe"=
"c:\\psfonts\\ATMFM.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Infogrames Interactive\\Monopoly Tycoon\\mc.exe"=
"c:\\Documents and Settings\\Sharon\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\DofusUpdater\\DofusUpdater.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AOL 9.5\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\AOL 9.5a\\waol.exe"=

R2 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [5/23/2009 9:51 AM 319488]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/14/2010 10:13 AM 108289]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/12/2010 9:38 AM 135664]
S2 mrtRate;mrtRate; [x]
S3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\Sharon\Desktop\SysProt\SysProtDrv.sys [2/16/2010 12:26 PM 44288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-02-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-12 16:37]

2010-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-12 16:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;*.local
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: turbotax.com
Trusted Zone: musicmatch.com\online
DPF: {D40F5876-A494-4124-8161-82625BB28C06} - hxxp://aolsvc.aol.com/onlinegames/free-trial-chocolatier-2-secret-ingredients/Chocolatier2Web.1.0.0.14.cab
DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} - hxxp://aolsvc.aol.com/onlinegames/oberonmajongescape/PTGameLauncher.cab
FF - ProfilePath - c:\documents and settings\Sharon\Application Data\Mozilla\Firefox\Profiles\aa101x97.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US

fficial
FF - plugin: c:\documents and settings\Sharon\Application Data\Mozilla\Firefox\Profiles\aa101x97.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Port Magic - c:\program files\Pure Networks\Port Magic\PortAOL.exe
AddRemove-Quicken Financial Suite - c:\quickenw\DeIsL1.isu

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-17 14:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bd,d3,17,99,3b,08,83,47,8e,f6,6a,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bd,d3,17,99,3b,08,83,47,8e,f6,6a,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-02-17 14:12:07
ComboFix-quarantined-files.txt 2010-02-17 21:12

Pre-Run: 38,173,761,536 bytes free
Post-Run: 38,051,131,392 bytes free

- - End Of File - - 280B830112916B60A1304638307462FC

Cypher · Feb 18, 2010

Hi DeciAz.
Looks like you have a Vundo file infector.

Please continue with the instructions below.

Disable Avira anti-virus

Please navigate to the system tray on the bottom right hand corner and look for an open white umbrella on red background (looks to this:

)
right click it-> untick the option AntiVir Guard enable.
You should now see a closed, white umbrella on a red background (looks to this:

)
Note: Don't forget to re-enable it after the fix.

Next.

ComboFix - CFScript
This script is for this user and computer ONLY! Using this tool incorrectly could cause problems with your operating system... preventing it from ever starting again!
You will not have Internet access when you execute ComboFix. All open windows will need to be closed!

Please open Notepad and copy/paste all the text below... into the window:

Code:

RenV::
c:\program files\AOL 9.5a\aol .exe
c:\program files\Common Files\AOL\1105975379\EE\aolsoftware .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\MouseWare\system\em_exec .exe
c:\program files\QuickTime\qttask             .exe
c:\program files\Spybot - Search & Destroy\teatimer .exe
c:\windows\system32\dla\tfswctrl .exe
c:\windows\system32\spool\drivers\w32x86\3\hpztsb07 .exe

Save it to your desktop as CFScript.txt
Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
*Only* when the 2 items above (Step 3) have been taken care of...
Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:

This will cause ComboFix to run again.
Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
Do Not touch your computer when ComboFix is running!
When finished ComboFix will create a log file... you can save this file to a convenient place.

Please copy/paste the ComboFix log file in your next reply.

Logs/Information to Post in your Next Reply

ComboFix log.
Please give me an update on your computers performance.

DeciAz · Feb 18, 2010

ComboFix 10-02-16.03 - Sharon 02/18/2010 7:25.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.667 [GMT -7:00]
Running from: c:\documents and settings\Sharon\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Sharon\Desktop\CFScript.txt.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\wbem\WMIsvc.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINMGMT
-------\Service_winmgmt

((((((((((((((((((((((((( Files Created from 2010-01-18 to 2010-02-18 )))))))))))))))))))))))))))))))
.

2010-02-16 20:20 . 2010-02-16 20:20 -------- d-----w- c:\program files\Common Files\Java
2010-02-16 13:54 . 2010-02-16 13:54 -------- d-----w- C:\_OTM
2010-02-16 03:21 . 2010-02-16 03:21 -------- d-----w- C:\rsit
2010-02-14 00:38 . 2010-02-14 00:38 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-13 23:39 . 2010-02-14 00:34 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-13 23:39 . 2010-02-13 23:39 -------- d-----w- c:\program files\NOS
2010-02-13 06:32 . 2010-02-13 06:32 -------- d-sh--w- c:\documents and settings\Sharon\IECompatCache
2010-02-12 21:56 . 2010-02-18 14:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-12 16:40 . 2010-02-12 16:40 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-02-10 19:59 . 2010-02-10 19:59 -------- d-----w- c:\program files\Trend Micro
2010-02-10 19:29 . 2010-02-10 20:01 -------- d-----w- c:\program files\ERUNT
2010-02-10 00:23 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-10 00:23 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-09 02:02 . 2010-02-09 02:02 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-02-09 02:02 . 2010-02-09 02:02 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-01-28 22:53 . 2010-01-28 22:53 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-01-28 22:53 . 2009-11-22 22:42 69000 ----a-w- c:\windows\system32\zlcomm.dll
2010-01-28 22:53 . 2009-11-22 22:42 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2010-01-28 22:53 . 2010-01-28 22:53 -------- d-----w- c:\windows\system32\ZoneLabs
2010-01-28 22:53 . 2009-11-22 22:42 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2010-01-28 22:53 . 2010-01-28 22:53 -------- d-----w- c:\program files\Zone Labs
2010-01-28 22:50 . 2010-02-18 14:35 -------- d-----w- c:\windows\Internet Logs
2010-01-26 05:46 . 2010-02-18 14:24 -------- d-----w- c:\program files\AOL 9.5a
2010-01-25 23:28 . 2010-01-26 05:17 -------- d-----w- c:\program files\AOL 9.5
2010-01-22 17:47 . 2010-01-22 17:47 -------- d-----w- c:\documents and settings\Sharon\Application Data\Malwarebytes
2010-01-22 17:47 . 2010-01-22 17:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-18 14:25 . 2009-12-19 16:57 -------- d-----w- c:\program files\QuickTime
2010-02-18 14:24 . 2009-12-19 17:00 -------- d-----w- c:\program files\iTunes
2010-02-18 13:49 . 2010-02-18 14:10 1739264 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2010-02-18 05:46 . 2010-02-18 14:10 1719808 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2010-02-17 21:17 . 2010-01-29 13:18 6945016 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-02-16 20:20 . 2010-02-16 20:20 503808 ----a-w- c:\documents and settings\Sharon\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-157a94d2-n\msvcp71.dll
2010-02-16 20:20 . 2010-02-16 20:20 499712 ----a-w- c:\documents and settings\Sharon\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-157a94d2-n\jmc.dll
2010-02-16 20:20 . 2010-02-16 20:20 348160 ----a-w- c:\documents and settings\Sharon\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-157a94d2-n\msvcr71.dll
2010-02-16 20:20 . 2010-02-16 20:20 61440 ----a-w- c:\documents and settings\Sharon\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-793db118-n\decora-sse.dll
2010-02-16 20:20 . 2010-02-16 20:20 12800 ----a-w- c:\documents and settings\Sharon\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-793db118-n\decora-d3d.dll
2010-02-16 20:19 . 2008-12-09 05:33 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-16 17:27 . 2005-07-16 16:52 -------- d-----w- c:\program files\Java
2010-02-16 04:56 . 2009-05-23 16:55 -------- d-----w- c:\program files\Fishdom
2010-02-15 03:35 . 2009-12-02 18:22 -------- d-----w- c:\documents and settings\Sharon\Application Data\Dofus 2
2010-02-14 00:42 . 2005-07-23 17:26 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-14 00:38 . 2010-02-14 00:38 38784 ----a-w- c:\documents and settings\Sharon\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-14 00:35 . 2010-02-14 00:34 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-02-13 06:54 . 2005-07-27 19:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-13 05:38 . 2005-07-27 19:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-12 21:36 . 2005-07-23 19:50 -------- d-----w- c:\program files\Maxis
2010-02-12 18:10 . 2005-12-05 18:44 -------- d-----w- c:\documents and settings\Sharon\Application Data\Apple Computer
2010-02-12 16:37 . 2007-04-08 08:37 -------- d-----w- c:\program files\Google
2010-02-09 22:16 . 2005-11-03 23:19 -------- d-----w- c:\program files\EA GAMES
2010-02-09 21:57 . 2008-11-17 16:04 -------- d-----w- c:\documents and settings\All Users\Application Data\HipSoft
2010-02-09 21:57 . 2007-01-08 23:08 -------- d-----w- c:\program files\AOL Games
2010-01-26 05:48 . 2005-07-24 16:33 -------- d-----w- c:\documents and settings\Sharon\Application Data\AOL
2010-01-26 05:47 . 2005-07-23 19:24 -------- d-----w- c:\program files\Common Files\AOL
2010-01-26 05:46 . 2005-12-31 20:25 -------- d-----w- c:\program files\Common Files\aolshare
2010-01-26 05:46 . 2005-07-24 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-01-25 23:26 . 2010-01-25 23:17 43732816 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol_single\4337.155.1.1\setup.exe
2010-01-25 23:17 . 2010-01-25 23:17 42960 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol_single\4337.155.1.1\noneCodesignFilesBundle.exe
2010-01-25 23:17 . 2005-07-24 14:37 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2010-01-25 17:02 . 2010-02-13 23:39 31936 ----a-w- c:\documents and settings\Sharon\Application Data\Mozilla\Firefox\Profiles\aa101x97.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-01-25 17:02 . 2010-02-13 23:39 29344 ----a-w- c:\documents and settings\Sharon\Application Data\Mozilla\Firefox\Profiles\aa101x97.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-01-22 23:06 . 2002-01-23 14:37 70768 -c--a-w- c:\documents and settings\Sharon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-15 17:14 . 2010-01-14 17:13 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-14 17:13 . 2010-01-14 17:13 -------- d-----w- c:\program files\Avira
2010-01-14 17:13 . 2010-01-14 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-01-04 18:41 . 2007-12-19 03:48 -------- d-----w- c:\program files\Dofus
2009-12-31 16:50 . 2005-07-16 16:37 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-10 17:51 916480 ------w- c:\windows\system32\wininet.dll
2009-12-19 16:48 . 2009-12-19 16:48 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-12-16 18:43 . 2008-09-04 17:24 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-10 17:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2004-08-10 17:51 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-04 03:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2005-07-16 16:37 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2004-08-10 17:51 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2004-08-04 05:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2004-08-10 17:51 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-18 03:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2004-08-10 17:51 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2004-08-10 17:50 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-04 05:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-21 15:51 . 2004-08-10 17:50 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2007-02-15 18:25 . 2006-04-08 19:36 480624 -c--a-w- c:\program files\2005 Porter R Tax Return.tax
.

Code:

<pre>
c:\program files\Spybot - Search & Destroy\teatimer .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-14 68856]
"Flablt"="c:\documents and settings\Sharon\Application Data\Adobe\Update\wndcor.dat" [2010-02-05 18732]
"AOL Fast Start"="c:\program files\AOL 9.5a\AOL.EXE" [2009-10-28 50536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"EM_EXEC"="c:\progra~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2001-08-24 35328]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-10-21 29696]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2003-03-09 188416]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"Pure Networks Port Magic"="c:\progra~1\purene~1\portma~1\PORTAO~1.EXE" [N/A]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"HostManager"="c:\program files\Common Files\AOL\1105975379\ee\AOLSoftware.exe" [2009-07-20 41264]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-11-22 1037192]
"ISUSScheduler"="c:\progra~1\common~1\instal~1\update~1\issch.exe" [2004-07-27 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Flablt"="c:\documents and settings\Sharon\Application Data\Adobe\Update\wndcor.dat" [2010-02-05 18732]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AmazonGSDownloaderTray]
2009-04-06 23:35 247296 ----a-w- c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 23:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 21:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2006-01-19 18:06 11776 ----a-w- c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Walgreens PhotoShow Media Manager]
2006-04-20 06:35 237568 ----a-w- c:\progra~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-12 135664]
R2 mrtRate;mrtRate; [x]
R3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\Sharon\Desktop\SysProt\SysProtDrv.sys [2010-02-16 44288]
S2 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2009-04-06 319488]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
FastUserSwitchingCompatibility
HidServ
LanmanServer
LanmanWorkstation
Messenger
Nla
NWCWorkstation
Schedule
Seclogon
SRService
Themes
TrkWks
W32Time
Wmi
WmdmPmSp
wscsvc
xmlprov
BITS
wuauserv
ShellHWDetection
helpsvc
napagent
hkmsvc
.
Contents of the 'Scheduled Tasks' folder

2010-02-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-02-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-12 16:37]

2010-02-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-12 16:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;*.local
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: turbotax.com
Trusted Zone: musicmatch.com\online
DPF: {D40F5876-A494-4124-8161-82625BB28C06} - hxxp://aolsvc.aol.com/onlinegames/free-trial-chocolatier-2-secret-ingredients/Chocolatier2Web.1.0.0.14.cab
DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} - hxxp://aolsvc.aol.com/onlinegames/oberonmajongescape/PTGameLauncher.cab
FF - ProfilePath - c:\documents and settings\Sharon\Application Data\Mozilla\Firefox\Profiles\aa101x97.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US

fficial
FF - plugin: c:\documents and settings\Sharon\Application Data\Mozilla\Firefox\Profiles\aa101x97.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-18 07:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bd,d3,17,99,3b,08,83,47,8e,f6,6a,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bd,d3,17,99,3b,08,83,47,8e,f6,6a,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(380)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\HPZipm12.exe
c:\windows\stsystra.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-02-18 07:43:02 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-18 14:42
ComboFix2.txt 2010-02-17 21:12

Pre-Run: 38,280,667,136 bytes free
Post-Run: 38,126,444,544 bytes free

- - End Of File - - A829669E746085F272D43957587F6134

State of the Computer:

The good news, is that the virus-installed icons on the Start Button menu are gone, and the proper ones are now showing.

AOL is back in the Task Tray....it was weird to see it gone, when nothing I have ever been able to do, would remove it past a reboot. =P

Everything seems to be running smoother and quicker, than it has recently.

The bad news, is that the Rundll pop-up messages are still popping up, on reboot.

I don't know if it matters to these issues, but Volume Control is not back in the Task tray, in spite of being 'always show'.

When ComboFix rebooted, Avira and ZoneAlarm reopened automatically....I shut them down as fast as I could, but they were slow to respond, while ComboFix was still working. =[

I appreciate all your efforts, tremendously! I would never have been able to pick this all apart, to find and kill the the little monsters. :heart:

Cypher · Feb 18, 2010

Hi DeciAz.

I appreciate all your efforts, tremendously!

You are most welcome.
Now we are starting to get somewhere.
You will need to uninstall Spybot - Search & Destroy but you can reinstall it once your PC is clean.
Please continue with the instructions below.

Add/Remove programs

Click on start
Then Run
In the open text entry box please copy/paste appwiz.cpl Then click enter.
Press the "Remove" or "Change/Remove"...button to uninstall the following.

Spybot - Search & Destroy

Note: "If asked whether you want to remove all settings, answer YES"
(This will remove the immunization and Teatimer settings.)

Now please reboot your system.

Next.

Disable Avira anti-virus

Please navigate to the system tray on the bottom right hand corner and look for an open white umbrella on red background (looks to this:

)
right click it-> untick the option AntiVir Guard enable.
You should now see a closed, white umbrella on a red background (looks to this:

)
Note: Don't forget to re-enable it after the below scan.

Next.

Kaspersky Online Scan

You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Please go to the Kaspersky website and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
- Archives
Click on My Computer under Scan. * This will take a while. Please be patient *.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

Logs/Information to Post in your Next Reply

kaspersky log.
Please give me an update on your computers performance.

DeciAz · Feb 18, 2010

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, February 18, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, February 18, 2010 18:43:35
Records in database: 3551741
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: no

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 238690
Threats found: 2
Infected objects found: 4
Suspicious objects found: 0
Scan duration: 02:56:47

File name / Threat / Threats count
C:\Program Files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys\WebSys.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1
C:\Program Files\ORL\VNC\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 1
C:\Program Files\ORL\VNC\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 1

Selected area has been scanned.

----------------------------------

The computer is the same as this morning, except that Quick Time is now in its usual place on the task tray.

The Rundll error messages still pop-up after reboot.

Cypher · Feb 19, 2010

Hi DeciAz.
Good to hear things are running much better

Re-run OTM

Double-click OTM.exe to run it.
Paste the following code under the

area. Do not include the word Code.

Code:

:Processes

:Files
C:\Program Files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys\WebSys.mmz
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz
C:\Program Files\ORL\VNC\VNCHooks.dll 
C:\Program Files\ORL\VNC\vncviewer.exe

:Commands
[emptytemp]
[start explorer]
[Reboot]

Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
Push the large

button.
OTM may ask to reboot the machine. Please do so if asked.
Copy everything in the Results window (under the green bar), and paste it in your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Logs/Information to Post in your Next Reply

OTM log.
Please give me an update on your computers performance.

DeciAz · Feb 19, 2010

All processes killed
========== PROCESSES ==========
========== FILES ==========
C:\Program Files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys\WebSys.mmz moved successfully.
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz moved successfully.
DllUnregisterServer procedure not found in C:\Program Files\ORL\VNC\VNCHooks.dll
C:\Program Files\ORL\VNC\VNCHooks.dll moved successfully.
C:\Program Files\ORL\VNC\vncviewer.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: default

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Sharon
->Temp folder emptied: 97296092 bytes
->Temporary Internet Files folder emptied: 23264462 bytes
->Java cache emptied: 128123 bytes
->FireFox cache emptied: 78037377 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 920 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 190.00 mb

OTM by OldTimer - Version 3.1.8.0 log created on 02192010_060537

Files moved on Reboot...
C:\Documents and Settings\Sharon\Local Settings\Temp\~DF4588.tmp moved successfully.
File C:\WINDOWS\temp\ZLT05d25.TMP not found!

Registry entries deleted on Reboot...
----------

State of the Computer

The Rundll messages popped up again on reboot; Volume Control is still not showing.

But as you may notice, I can use the tool bar/smilies on the reply page of this forum, again....:devil:

Cypher · Feb 19, 2010

Hi DeciAz.
About your volume and Rundll issues i can give you links to a tech support site, They should be able to help you fix those problems.

For one last look please post a new New HJT Log.

Start HijackThis.
If you are on the "scan & fix stuff" page... Press the "Main Menu"...button.
From the Main Menu... Press the "Do System Scan and Save a Log File"...button.
When completed...Notepad will open with the new "hijackthis.log" file contents.
Copy/paste the entire (hijackthis.log) file contents in your next reply.

DeciAz · Feb 19, 2010

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:25:11 AM, on 2/19/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\AOL\1105975379\ee\AOLSoftware.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\progra~1\common~1\instal~1\update~1\issch.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AOL 9.5a\waol.exe
C:\Program Files\AOL 9.5a\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "c:\progra~1\purene~1\portma~1\PORTAO~1.EXE" -Run
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1105975379\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "c:\progra~1\common~1\instal~1\update~1\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Flablt] rundll32.exe "C:\Documents and Settings\Sharon\Application Data\Adobe\Update\wndcor.dat""
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.5a\AOL.EXE" -b
O4 - HKUS\S-1-5-21-1891338530-402997292-3403417891-1006\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User '?')
O4 - HKUS\S-1-5-21-1891338530-402997292-3403417891-1006\..\Run: [Flablt] rundll32.exe "C:\Documents and Settings\Sharon\Application Data\Adobe\Update\wndcor.dat"" (User '?')
O4 - HKUS\S-1-5-21-1891338530-402997292-3403417891-1006\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.5a\AOL.EXE" -b (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Flablt] rundll32.exe "C:\Documents and Settings\Sharon\Application Data\Adobe\Update\wndcor.dat"" (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Flablt] rundll32.exe "C:\Documents and Settings\Sharon\Application Data\Adobe\Update\wndcor.dat"" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {90D7162F-5C08-4A00-B04B-6A5197462544} - http://www.dellnet.com (file missing) (HKCU)
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1199454514156
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqaio/downloads/msxml4.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D40F5876-A494-4124-8161-82625BB28C06} (CPlayFirstChocolatieControl Object) - http://aolsvc.aol.com/onlinegames/f...cret-ingredients/Chocolatier2Web.1.0.0.14.cab
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://aolsvc.aol.com/onlinegames/oberonmajongescape/PTGameLauncher.cab
O23 - Service: Amazon Download Agent - Amazon.com - C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10657 bytes

Cypher · Feb 19, 2010

Lets try this.

Fix HijackThis entries

Run HijackThis

If using Vista, you must right click (hijackthis.exe) and choose "Run As Administrator".

If you are on the Main Menu page... Click "Do a system scan only"
If you are on the "scan & fix stuff" page... Press the Scan...button.
When the scan finishes...Place a check mark next to the following entries (if they are still present)
Note: Only check those items listed below.

O4 - HKCU\..\Run: [Flablt] rundll32.exe "C:\Documents and Settings\Sharon\Application Data\Adobe\Update\wndcor.dat""
O4 - HKUS\S-1-5-21-1891338530-402997292-3403417891-1006\..\Run: [Flablt] rundll32.exe "C:\Documents and Settings\Sharon\Application Data\Adobe\Update\wndcor.dat"" (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Flablt] rundll32.exe "C:\Documents and Settings\Sharon\Application Data\Adobe\Update\wndcor.dat"" (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Flablt] rundll32.exe "C:\Documents and Settings\Sharon\Application Data\Adobe\Update\wndcor.dat"" (User 'Default user')

Click to expand...
After checking these items... CLOSE ALL open windows except HijackThis.
Click the Fix Checked ...button...to remove the entries you checked.
Choose YES...when prompted to fix the selected items.[/b]

Next.

Re-run OTM

Double-click OTM.exe to run it.
Paste the following code under the

area. Do not include the word Code.

Code:

:Processes

:Files
C:\Documents and Settings\Sharon\Application Data\Adobe\Update\wndcor.dat

:Commands
[resethosts]
[emptytemp]
[start explorer]
[Reboot]

Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
Push the large

button.
OTM may ask to reboot the machine. Please do so if asked.
Copy everything in the Results window (under the green bar), and paste it in your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Next.

Post a New HJT Log

Start HijackThis.
If you are on the "scan & fix stuff" page... Press the "Main Menu"...button.
From the Main Menu... Press the "Do System Scan and Save a Log File"...button.
When completed...Notepad will open with the new "hijackthis.log" file contents.
Copy/paste the entire (hijackthis.log) file contents in your next reply.

Logs/Information to Post in your Next Reply

OTM log.
hijackthis log.
Please give me an update on your computers performance.

DeciAz · Feb 19, 2010

Oops

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:10:29 AM, on 2/19/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\AOL\1105975379\ee\AOLSoftware.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\progra~1\common~1\instal~1\update~1\issch.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AOL 9.5a\waol.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AOL 9.5a\shellmon.exe
C:\Program Files\Common Files\AOL\1105975379\EE\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
O1 - Hosts: ~127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "c:\progra~1\purene~1\portma~1\PORTAO~1.EXE" -Run
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1105975379\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "c:\progra~1\common~1\instal~1\update~1\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.5a\AOL.EXE" -b
O4 - HKUS\S-1-5-21-1891338530-402997292-3403417891-1006\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User '?')
O4 - HKUS\S-1-5-21-1891338530-402997292-3403417891-1006\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.5a\AOL.EXE" -b (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {90D7162F-5C08-4A00-B04B-6A5197462544} - http://www.dellnet.com (file missing) (HKCU)
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1199454514156
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqaio/downloads/msxml4.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D40F5876-A494-4124-8161-82625BB28C06} (CPlayFirstChocolatieControl Object) - http://aolsvc.aol.com/onlinegames/f...cret-ingredients/Chocolatier2Web.1.0.0.14.cab
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://aolsvc.aol.com/onlinegames/oberonmajongescape/PTGameLauncher.cab
O23 - Service: Amazon Download Agent - Amazon.com - C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10144 bytes

After the reboot, I accidentally hit cancel instead of allow on the log request for OTM .

However, as far as removing the code, it worked! :bigthumb:

The Rundll32.exe did not pop-up after the reboot. I rebooted again, just to make sure it was gone.

:

Cypher · Feb 19, 2010

Hi DeciAz.

The Rundll32.exe did not pop-up after the reboot.

Success good :bigthumb:

Here are a couple of links where you can get advice about any other problems that remain.

Tech support guy

Windows - problems with operating systems and windows problems.
All other software - problems with all other software.

And

What the tech

Windows - problems with operating systems and windows problems.
All other software - problems with all other software.

your latest set of logs appear to be clean!

This is my general post for when your logs show no more signs of malware.

Time for some housekeeping

Click on Start >> Run...
Now type in ComboFix /Uninstall into the and click OK.
Note the space between the X and the /Uninstall, it needs to be there.

The above procedure will reset your System Restore and clear out the backups and quarantines created during the course of this fix.

Next.

Clean up with OTM

Double-click OTM.exe to start the program, This tool will remove all the tools we used to clean your pc.
Close all other programs apart from OTMoveIt3 as this step will require a reboot
On the OTM main screen, press the CleanUp! button
Say Yes to the prompt and then allow the program to reboot your computer.

You can now delete any tools we used that remain on your Desktop.

Protection Programs
Don't forget to re-enable any protection programs we disabled during your fix.

Here are some free programs I recommend that could help you improve your computer's security.

Install Sitehound
SiteHound is a toolbar for Microsoft Internet Explorer and Mozilla Firefox which alerts you if you're about to enter a potentially dangerous website.
You can find more information and download it from Here

Install WinPatrol
As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
For more information, please visit HERE

MVPS Hosts

Install MVPS Hosts File From Here
The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
You can Find the Tutorial HERE

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer
You can do that HERE

Read some information HERE On how to prevent Malware

Is your pc running slow?
Read What to do if your Computer is running slowly

I would be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Safe surfing!

Virtumonde and others

Visiting Fellow

New member

Visiting Fellow

New member

Visiting Fellow

New member

Visiting Fellow

Visiting Fellow

New member

Visiting Fellow

New member

Visiting Fellow

New member

Visiting Fellow

New member

Visiting Fellow

New member

Visiting Fellow

New member

Visiting Fellow