Solve : I had a lot of similar symptoms here.?

1.	Solve : I had a lot of similar symptoms here.?
Answer» Thanks to everyone for the posts and help with these symptoms. I had ALL of the following on my machine: 1) Weird sounds playing from ads, without me even on the internet 2) Internet browser windows linking to inexplicable pages, unprompted by anything 3) Extreme Slowness 4) On reboot Windows would often freeze up on the Windows XP or Welcome screen. 5) "Antivirus 2009" garbage 6) All helpful antispyware software blocked from downloading, updating, INSTALLING, etc. 7) Websites such as microsoft.com and avg.com won't load. System Restore capabilities were impacted and lost. With extreme patience, a different internet connection, a zip drive, and lots of luck I was able to walk through the "Malware Removal Guide". Step "A" was the hardest - I needed to manually UPDATE my existing AVG, scan & remove, then uninstall. I then had luck with the Avast! but only after the AVG quarantined some things and was uninstalled - I could tell it was not working properly. Then after the Avast! software scanned and did its thing, CCleaner and SAS worked. Then MBAM would work after the SAS scan. After COMPLETING the steps (IN ORDER ONLY) my machine seems to be running normally, but I wanted to post my logs for the experts to be sure to catch anything that is still hanging. I'd guess with these viruses I'm not out of the woods yet even with no visible symptoms right now. Thanks to the pros for your help, and thanks in advance for reviewing my logs. Everyone hang in there, and I hope I can help someone. SUPERAntiSpyware Scan Log http://www.superantispyware.com Generated 12/07/2008 at 11:29 PM Application Version : 4.22.1014 Core Rules Database Version : 3665 Trace Rules Database Version: 1645 Scan type : Complete Scan Total Scan Time : 01:29:36 Memory items scanned : 355 Memory threats detected : 1 Registry items scanned : 13055 Registry threats detected : 172 File items scanned : 83040 File threats detected : 52 Adware.Vundo/Variant C:\WINDOWS\SYSTEM32\RROZXE.DLL C:\WINDOWS\SYSTEM32\RROZXE.DLL HKU\S-1-5-21-1220945662-746137067-839522115-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2322F83-BFE6-481A-8423-8FE206FF26BC} Adware.Mirar/NetNucleus HKLM\Software\Classes\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\InprocServer32 HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\InprocServer32#ThreadingModel HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#Version HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#BuildName HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#Affiliate HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#Show3X HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#ShowType HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#PopupCount HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#BlockEnable HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#Ticket HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#WalkThrough HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\TypeLib HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49} HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0 HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0\0 HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0\0\win32 HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0\FLAGS HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0\HELPDIR C:\WINDOWS\SYSTEM32\WINNB55.DLL HKLM\Software\Classes\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} HKCR\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} HKCR\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} HKCR\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}\InprocServer32 HKCR\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}\InprocServer32#ThreadingModel HKCR\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}\TypeLib HKU\S-1-5-21-1220945662-746137067-839522115-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} HKU\S-1-5-21-1220945662-746137067-839522115-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} HKLM\Software\Microsoft\Internet Explorer\Toolbar#{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} HKU\S-1-5-21-1220945662-746137067-839522115-1007\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D} HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\ProxyStubClsid HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\ProxyStubClsid32 HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\TypeLib HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\TypeLib#Version HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D} HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\ProxyStubClsid HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\ProxyStubClsid32 HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\TypeLib HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\TypeLib#Version HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F} HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\ProxyStubClsid HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\ProxyStubClsid32 HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\TypeLib HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\TypeLib#Version HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75} HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75}#DisplayName HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75}#UninstallString Trojan.Vundo-Variant/NextGen-Six HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e2322f83-bfe6-481a-8423-8fe206ff26bc} HKCR\CLSID\{E2322F83-BFE6-481A-8423-8FE206FF26BC} HKCR\CLSID\{E2322F83-BFE6-481A-8423-8FE206FF26BC}\InprocServer32 HKCR\CLSID\{E2322F83-BFE6-481A-8423-8FE206FF26BC}\InprocServer32#ThreadingModel Adware.MyWebSearch/FunWebProducts HKU\S-1-5-21-1220945662-746137067-839522115-1007\SOFTWARE\FunWebProducts Trojan.DNSChanger-Codec HKU\S-1-5-21-1220945662-746137067-839522115-1007\Software\GetModule Adware.Vundo Variant/Rel HKLM\SOFTWARE\Microsoft\FCOVM HKLM\SOFTWARE\Microsoft\RemoveRP HKLM\SOFTWARE\Microsoft\MS Juan HKLM\SOFTWARE\Microsoft\MS Juan#RID HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#LTM HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CDY HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CNT HKLM\SOFTWARE\Microsoft\MS Juan\JKWL HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\lxkfqn.dll HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\lxkfqn.dll#LU HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\lxkfqn.dll#CT HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\lxkfqn.dll#LT HKLM\SOFTWARE\Microsoft\MS Juan\metajuan HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LTM HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CDY HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CNT HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LBL HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#MN HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#LTM HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CDY HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CNT HKLM\SOFTWARE\Microsoft\MS Juan\profiling4 HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#LTM HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CDY HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CNT HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CPS HKLM\SOFTWARE\Microsoft\MS Juan\superjuan HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#LTM HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CDY HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CNT HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#LTM HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CDY HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CNT HKLM\SOFTWARE\Microsoft\contim HKLM\SOFTWARE\Microsoft\contim#SysShell HKLM\SOFTWARE\Microsoft\MS Track System HKLM\SOFTWARE\Microsoft\MS Track System#Uid HKLM\SOFTWARE\Microsoft\MS Track System#Shows HKLM\SOFTWARE\Microsoft\MS Track System#Uqs HKLM\SOFTWARE\Microsoft\MS Track System#Click1 HKLM\SOFTWARE\Microsoft\rdfa HKLM\SOFTWARE\Microsoft\rdfa#F HKLM\SOFTWARE\Microsoft\rdfa#N C:\WINDOWS\SYSTEM32\NQTWA.INI2 Rogue.XP AntiSpyware 2009 HKU\S-1-5-21-1220945662-746137067-839522115-1007\Control Panel\don't load#wscui.cpl [ No ] Trojan.Downloader-Gen HKLM\Software\Microsoft\Windows\CurrentVersion\Run#brastk [ brastk.exe ] Trojan.Fake-Alert C:\Documents and Settings\Melissa\Application Data\gadcom Rogue.Component/Trace HKLM\Software\Microsoft\40ADE431 HKLM\Software\Microsoft\40ADE431#40ade431 HKLM\Software\Microsoft\40ADE431#40ad49b1 HKLM\Software\Microsoft\40ADE431#40ad2054 HKLM\Software\Microsoft\40ADE431#Version Rogue.AntiVirusPro2009 HKLM\Software\AntivirusPro2009 HKLM\Software\AntivirusPro2009#info Trojan.Fake-Alert/Trace HKU\S-1-5-21-1220945662-746137067-839522115-1007\SOFTWARE\Microsoft\fias4013 C:\WINDOWS\system32\TDSSfpmp.dll Rootkit.TDSServ HKLM\SOFTWARE\TDSS HKLM\SOFTWARE\TDSS#build HKLM\SOFTWARE\TDSS#type HKLM\SOFTWARE\TDSS#affid HKLM\SOFTWARE\TDSS#subid HKLM\SOFTWARE\TDSS#cmddelay HKLM\SOFTWARE\TDSS#serversdown HKLM\SOFTWARE\TDSS\connections HKLM\SOFTWARE\TDSS\connections#2a4fe91c HKLM\SOFTWARE\TDSS\connections#87214514 HKLM\SOFTWARE\TDSS\disallowed HKLM\SOFTWARE\TDSS\disallowed#trsetup.exe HKLM\SOFTWARE\TDSS\disallowed#ViewpointService.exe HKLM\SOFTWARE\TDSS\disallowed#ViewMgr.exe HKLM\SOFTWARE\TDSS\disallowed#SpySweeper.exe HKLM\SOFTWARE\TDSS\disallowed#SUPERAntiSpyware.exe HKLM\SOFTWARE\TDSS\disallowed#SpySub.exe HKLM\SOFTWARE\TDSS\disallowed#SpywareTerminatorShield.exe HKLM\SOFTWARE\TDSS\disallowed#SpyHunter3.exe HKLM\SOFTWARE\TDSS\disallowed#XoftSpy.exe HKLM\SOFTWARE\TDSS\disallowed#SpyEraser.exe HKLM\SOFTWARE\TDSS\disallowed#combofix.exe HKLM\SOFTWARE\TDSS\disallowed#otscanit.exe HKLM\SOFTWARE\TDSS\disallowed#mbam.exe HKLM\SOFTWARE\TDSS\disallowed#mbam-setup.exe HKLM\SOFTWARE\TDSS\disallowed#flash_disinfector.exe HKLM\SOFTWARE\TDSS\disallowed#otmoveit2.exe HKLM\SOFTWARE\TDSS\disallowed#smitfraudfix.exe HKLM\SOFTWARE\TDSS\disallowed#prevxcsifree.exe HKLM\SOFTWARE\TDSS\disallowed#download_mbam-setup.exe HKLM\SOFTWARE\TDSS\disallowed#cbo_setup.exe HKLM\SOFTWARE\TDSS\disallowed#spywareblastersetup.exe HKLM\SOFTWARE\TDSS\disallowed#rminstall.exe HKLM\SOFTWARE\TDSS\disallowed#sdsetup.exe HKLM\SOFTWARE\TDSS\disallowed#vundofixsvc.exe HKLM\SOFTWARE\TDSS\disallowed#daft.exe HKLM\SOFTWARE\TDSS\disallowed#gmer.exe HKLM\SOFTWARE\TDSS\disallowed#catchme.exe HKLM\SOFTWARE\TDSS\disallowed#mcpr.exe HKLM\SOFTWARE\TDSS\disallowed#sdfix.exe HKLM\SOFTWARE\TDSS\disallowed#hjtinstall.exe HKLM\SOFTWARE\TDSS\disallowed#fixpolicies.exe HKLM\SOFTWARE\TDSS\disallowed#emergencyutil.exe HKLM\SOFTWARE\TDSS\disallowed#techweb.exe HKLM\SOFTWARE\TDSS\disallowed#GoogleUpdate.exe HKLM\SOFTWARE\TDSS\disallowed#windowsdefender.exe HKLM\SOFTWARE\TDSS\disallowed#spybotsd.exe HKLM\SOFTWARE\TDSS\injector HKLM\SOFTWARE\TDSS\injector#* HKLM\SOFTWARE\TDSS\versions HKLM\SOFTWARE\TDSS\versions#/tdss2/crcmds/init HKLM\SOFTWARE\TDSS\versions#/tdss/crcmds/init HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#affid HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#subid HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#control HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#prov HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#googleadserver HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#flagged Adware.Tracking Cookie www.countryfinancial.com [ C:\Documents and Settings\Melissa\Application Data\Mozilla\Firefox\Profiles\c95nf8gi.default\cookies.txt ] www.countryfinancial.com [ C:\Documents and Settings\Melissa\Application Data\Mozilla\Firefox\Profiles\c95nf8gi.default\cookies.txt ] C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt Trojan.Fake-Drop/Gen C:\WINDOWS\SYSTEM32\MSVBVM31.DLL Trojan.Unknown Origin C:\WINDOWS\SYSTEM32\TDSSOSVN.DAT C:\WINDOWS\SYSTEM32\WNSCPICOMSV32.EXE Rootkit.TDSServ-Trace C:\WINDOWS\SYSTEM32\TDSSTHYM.LOG C:\WINDOWS\SYSTEM32\TDSSTKDV.LOG ============================ Malwarebytes' Anti-Malware 1.31 Database version: 1475 Windows 5.1.2600 Service Pack 2 12/8/2008 9:46:42 PM mbam-log-2008-12-08 (21-46-42).txt Scan type: Quick Scan Objects scanned: 74673 Time elapsed: 10 minute(s), 18 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 2 Registry Values Infected: 2 Registry Data Items Infected: 0 Folders Infected: 1 Files Infected: 3 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CLASSES_ROOT\CLSID\{b0b3393c-62d1-44d8-abf5-08e0f067f29e} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b0b3393c-62d1-44d8-abf5-08e0f067f29e} (Trojan.Vundo) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\40adf6bf (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{b0b3393c-62d1-44d8-abf5-08e0f067f29e} (Trojan.Vundo) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: C:\Documents and Settings\Melissa\Application Data\GetModule (Trojan.Agent) -> Quarantined and deleted successfully. Files Infected: C:\Documents and Settings\Melissa\Application Data\GetModule\dicik.gz (Trojan.Agent) -> Quarantined and deleted successfully. C:\Documents and Settings\Melissa\Application Data\GetModule\kwdik.gz (Trojan.Agent) -> Quarantined and deleted successfully. C:\Documents and Settings\Melissa\Application Data\GetModule\ofadik.gz (Trojan.Agent) -> Quarantined and deleted successfully. Please find the attached files for other logs. Thanks Again for your help. [Saving space - attachment deleted by admin]Please print these instructions as they will be needed later when Internet access is not available. Download SDFix by AndyManchesta and save it to your desktop. http://rapidshare.com/files/151585130/SDFix.exe.html When using this tool, you must use the Administrator's account or an account with Administrative rights Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix). DO NOT use it just yet. .Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". Open the SDFix folder and double click RunThis.bat to start the script. Type Y to begin the cleanup process. It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot. Press any Key and it will restart the PC. When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons. Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt. Copy and paste the contents of the results file Report.txt in your next reply. Pasted Below is the SDFix Report.txt. FYI: I had an error message with the heading- 16 Bit MS-DOS Subsystem: C:\Progra~1\Symantec\S32EVNT1.DLL. An installable Virtual Devise Driver failed Dll initialization. Choose close to terminate the application. Close Ignore After choosing "close" every time this thing popped up in the SDFix process, it seemed to run fine. Please let me know if I need to do anything different with this. I REALLY appreciate your help and time with this. Here is the log: ============================ SDFix: Version 1.231 Run by Melissa on Sat 12/13/2008 at 09:49 PM Microsoft Windows XP [Version 5.1.2600] Running From: C:\SDFix Checking Services : Restoring Default Security Values Restoring Default Hosts File Resetting SecurityProviders Value Rebooting Checking Files : No Trojan Files Found Folder C:\Program Files\kernel - Removed Removing Temp Files ADS Check : Final Check : catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-12-13 21:59:56 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden services & system hive ... [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys] "start"=dword:00000001 "type"=dword:00000001 "imagepath"=str(2):"\systemroot\system32\drivers\TDSSpaxt.sys" "group"="file system" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys] "start"=dword:00000001 "type"=dword:00000001 "imagepath"=str(2):"\systemroot\system32\drivers\TDSSpaxt.sys" "group"="file system" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules] "TDSSserv"="\systemroot\system32\drivers\TDSSpaxt.sys" "TDSSl"="\systemroot\system32\TDSSoeqh.dll" "tdssservers"="\systemroot\system32\TDSSosvn.dat" "tdssmain"="\systemroot\system32\TDSSnrsr.dll" "tdsslog"="\systemroot\system32\TDSSriqp.dll" "tdssadw"="\systemroot\system32\TDSScfub.dll" "tdssinit"="\systemroot\system32\TDSSfpmp.dll" "tdssurls"="\systemroot\system32\TDSSnmxh.log" "tdsspanels"="\systemroot\system32\TDSSsbhc.dll" "tdsserrors"="\systemroot\system32\TDSSthym.log" "TDSSproc"="\systemroot\system32\TDSStkdv.log" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TDSSserv.sys] "start"=dword:00000001 "type"=dword:00000001 "imagepath"=str(2):"\systemroot\system32\drivers\TDSSpaxt.sys" "group"="file system" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules] "TDSSserv"="\systemroot\system32\drivers\TDSSpaxt.sys" "TDSSl"="\systemroot\system32\TDSSoeqh.dll" "tdssservers"="\systemroot\system32\TDSSosvn.dat" "tdssmain"="\systemroot\system32\TDSSnrsr.dll" "tdsslog"="\systemroot\system32\TDSSriqp.dll" "tdssadw"="\systemroot\system32\TDSScfub.dll" "tdssinit"="\systemroot\system32\TDSSfpmp.dll" "tdssurls"="\systemroot\system32\TDSSnmxh.log" "tdsspanels"="\systemroot\system32\TDSSsbhc.dll" "tdsserrors"="\systemroot\system32\TDSSthym.log" "TDSSproc"="\systemroot\system32\TDSStkdv.log" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\TDSSserv.sys] "start"=dword:00000001 "type"=dword:00000001 "imagepath"=str(2):"\systemroot\system32\drivers\TDSSpaxt.sys" "group"="file system" scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services : Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000" "C:\\WINDOWS\\system32\\lpyjidcp.exe"="C:\\WINDOWS\\system32\\lpy" "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe::Enabled:Windows Messenger" "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe::Enabled:MSN Messenger 7.0" "C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe::Disabled:America Online 9.0" "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe::Disabled:AOL" "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe::Disabled:AOL" "C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe::Enabled:Explorer" "C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe::Enabled:IEXPLORE" "C:\\WINDOWS\\system32\\winlogon.exe"="C:\\WINDOWS\\system32\\winlogon.exe::Enabled:winlogon" "C:\\WINDOWS\\system32\\ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe::Enabled:ctfmon" "C:\\WINDOWS\\system32\\services.exe"="C:\\WINDOWS\\system32\\services.exe::Enabled:services" "C:\\WINDOWS\\system32\\drivers\\svchost.exe"="C:\\WINDOWS\\system32\\drivers\\svchost.exe::Disabled:svchost" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe::Enabled:AOL" "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe::Enabled:AOL" "C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe::Enabled:America Online 9.0" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000" "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe::Enabled:MSN Messenger 7.0" Remaining Files* : File Backups: - C:\SDFix\backups\backups.zip Files with Hidden Attributes : Finished! This particular infection will occasionally corrupt certain files, so that could be the case for your Symantec. It may require a reinstall or repair. For the time being, download ComboFix from one of the links on this page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix If you can't access the page, you may need to use another computer and then transfer the file. Once it's on your computer, do the following... Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system Delete these files/folders, as follows: 1. Go to Start > Run > type Notepad.exe and click OK to open Notepad. It must be Notepad, not Wordpad. 2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C Code: [Select]KillAll:: File:: C:\WINDOWS\system32\drivers\TDSSpaxt.sys C:\WINDOWS\system32\TDSSoeqh.dll C:\WINDOWS\system32\TDSSosvn.dat C:\WINDOWS\system32\TDSSnrsr.dll C:\WINDOWS\system32\TDSSriqp.dll C:\WINDOWS\system32\TDSScfub.dll C:\WINDOWS\system32\TDSSfpmp.dll C:\WINDOWS\system32\TDSSnmxh.log C:\WINDOWS\system32\TDSSsbhc.dll C:\WINDOWS\system32\TDSSthym.log C:\WINDOWS\system32\TDSStkdv.log Registry:: [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys] [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys] [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules] [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TDSSserv.sys] [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules] [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\TDSSserv.sys] 3. Go to the Notepad window and click Edit > Paste 4. Then click File > Save 5. Name the file CFScript.txt - Save the file to your Desktop 6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully! ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it will produce a log for you. Post that log (Combofix.txt) in your next reply along with a HijackThis log. Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freezeThanks again for your help. ComboFix log is attached - too long to post. Hijackthis: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:45:57 PM, on 12/14/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\WINDOWS\system32\hkcmd.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\svchost.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://products.webroot.com/disp0201.php?pc=64002&rc=3029&oc=11&ps=T&mjv=3&mnv=5&bld=198&sid=&lang=en O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab O20 - AppInit_DLLs: karna.dat,rrozxe.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- End of file - 4952 bytes [Saving space - attachment deleted by admin]Well, your HijackThis looks pretty good, but your ComboFix is another story. But no worries, I identified many bad files and we will now instruct ComboFix to remove them. Copy the text in the box below and create a new CFScript file... Code: [Select]KillAll:: Folder:: C:\Program Files\malwareremovalbot File:: C:\Program Files\malwareremovalbot\malwareremovalbot.exe C:\WINDOWS\system32\qomfeffe.dll C:\WINDOWS\system32\f0rb45pe.exe C:\WINDOWS\system32\oygl44yr.exe C:\WINDOWS\system32\r7q7v4nc.exe C:\WINDOWS\system32\sysvxd.exe C:\WINDOWS\system32\karna.dat C:\WINDOWS\system32\rrozxe.dll C:\WINDOWS\system32\geBuRKcB.dll c:\windows\Tasks\At8.job c:\windows\Tasks\At9.job c:\windows\Tasks\At10.job c:\windows\Tasks\At11.job c:\windows\Tasks\At12.job c:\windows\Tasks\At13.job c:\windows\Tasks\At14.job c:\windows\Tasks\At15.job c:\windows\Tasks\At16.job c:\windows\Tasks\At17.job c:\windows\Tasks\At18.job c:\windows\Tasks\At19.job c:\windows\Tasks\At20.job c:\windows\Tasks\At21.job c:\windows\Tasks\At22.job c:\windows\Tasks\At23.job c:\windows\Tasks\At24.job c:\windows\Tasks\At25.job c:\windows\Tasks\At26.job c:\windows\Tasks\At27.job c:\windows\Tasks\At28.job c:\windows\Tasks\At29.job c:\windows\Tasks\At30.job c:\windows\Tasks\At31.job c:\windows\Tasks\At32.job c:\windows\Tasks\At33.job c:\windows\Tasks\At34.job c:\windows\Tasks\At35.job c:\windows\Tasks\At36.job c:\windows\Tasks\At37.job c:\windows\Tasks\At38.job c:\windows\Tasks\At39.job c:\windows\Tasks\At40.job c:\windows\Tasks\At41.job c:\windows\Tasks\At42.job c:\windows\Tasks\At43.job c:\windows\Tasks\At44.job c:\windows\Tasks\At45.job c:\windows\Tasks\At46.job c:\windows\Tasks\At47.job c:\windows\Tasks\At48.job c:\windows\Tasks\At49.job c:\windows\Tasks\At50.job c:\windows\Tasks\At51.job c:\windows\Tasks\At52.job c:\windows\Tasks\At53.job c:\windows\Tasks\At54.job c:\windows\Tasks\At55.job c:\windows\Tasks\At56.job c:\windows\Tasks\At57.job c:\windows\Tasks\At58.job c:\windows\Tasks\At59.job c:\windows\Tasks\At60.job c:\windows\Tasks\At61.job c:\windows\Tasks\At62.job c:\windows\Tasks\At63.job c:\windows\Tasks\At64.job c:\windows\Tasks\At65.job c:\windows\Tasks\At66.job c:\windows\Tasks\At67.job c:\windows\Tasks\At68.job c:\windows\Tasks\At69.job c:\windows\Tasks\At70.job c:\windows\Tasks\At71.job c:\windows\Tasks\At72.job c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job Registry:: [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=- Then go ahead and follow the same instructions from my previous post. A new HijackThis log isn't necessary, but I would like to see the new ComboFix log.Thank You - Posted below is my new ComboFix log: ComboFix 08-12-14.04 - Melissa 2008-12-15 21:41:26.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.205 [GMT -7:00] Running from: c:\documents and settings\Melissa\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Melissa\Desktop\CFScript.txt * Created a new restore point FILE :: c:\program files\malwareremovalbot\malwareremovalbot.exe c:\windows\system32\f0rb45pe.exe c:\windows\system32\geBuRKcB.dll c:\windows\system32\karna.dat c:\windows\system32\oygl44yr.exe c:\windows\system32\qomfeffe.dll c:\windows\system32\r7q7v4nc.exe c:\windows\system32\rrozxe.dll c:\windows\system32\sysvxd.exe c:\windows\Tasks\At10.job c:\windows\Tasks\At11.job c:\windows\Tasks\At12.job c:\windows\Tasks\At13.job c:\windows\Tasks\At14.job c:\windows\Tasks\At15.job c:\windows\Tasks\At16.job c:\windows\Tasks\At17.job c:\windows\Tasks\At18.job c:\windows\Tasks\At19.job c:\windows\Tasks\At20.job c:\windows\Tasks\At21.job c:\windows\Tasks\At22.job c:\windows\Tasks\At23.job c:\windows\Tasks\At24.job c:\windows\Tasks\At25.job c:\windows\Tasks\At26.job c:\windows\Tasks\At27.job c:\windows\Tasks\At28.job c:\windows\Tasks\At29.job c:\windows\Tasks\At30.job c:\windows\Tasks\At31.job c:\windows\Tasks\At32.job c:\windows\Tasks\At33.job c:\windows\Tasks\At34.job c:\windows\Tasks\At35.job c:\windows\Tasks\At36.job c:\windows\Tasks\At37.job c:\windows\Tasks\At38.job c:\windows\Tasks\At39.job c:\windows\Tasks\At40.job c:\windows\Tasks\At41.job c:\windows\Tasks\At42.job c:\windows\Tasks\At43.job c:\windows\Tasks\At44.job c:\windows\Tasks\At45.job c:\windows\Tasks\At46.job c:\windows\Tasks\At47.job c:\windows\Tasks\At48.job c:\windows\Tasks\At49.job c:\windows\Tasks\At50.job c:\windows\Tasks\At51.job c:\windows\Tasks\At52.job c:\windows\Tasks\At53.job c:\windows\Tasks\At54.job c:\windows\Tasks\At55.job c:\windows\Tasks\At56.job c:\windows\Tasks\At57.job c:\windows\Tasks\At58.job c:\windows\Tasks\At59.job c:\windows\Tasks\At60.job c:\windows\Tasks\At61.job c:\windows\Tasks\At62.job c:\windows\Tasks\At63.job c:\windows\Tasks\At64.job c:\windows\Tasks\At65.job c:\windows\Tasks\At66.job c:\windows\Tasks\At67.job c:\windows\Tasks\At68.job c:\windows\Tasks\At69.job c:\windows\Tasks\At70.job c:\windows\Tasks\At71.job c:\windows\Tasks\At72.job c:\windows\Tasks\At8.job c:\windows\Tasks\At9.job c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\Tasks\At10.job c:\windows\Tasks\At11.job c:\windows\Tasks\At12.job c:\windows\Tasks\At13.job c:\windows\Tasks\At14.job c:\windows\Tasks\At15.job c:\windows\Tasks\At16.job c:\windows\Tasks\At17.job c:\windows\Tasks\At18.job c:\windows\Tasks\At19.job c:\windows\Tasks\At20.job c:\windows\Tasks\At21.job c:\windows\Tasks\At22.job c:\windows\Tasks\At23.job c:\windows\Tasks\At24.job c:\windows\Tasks\At25.job c:\windows\Tasks\At26.job c:\windows\Tasks\At27.job c:\windows\Tasks\At28.job c:\windows\Tasks\At29.job c:\windows\Tasks\At30.job c:\windows\Tasks\At31.job c:\windows\Tasks\At32.job c:\windows\Tasks\At33.job c:\windows\Tasks\At34.job c:\windows\Tasks\At35.job c:\windows\Tasks\At36.job c:\windows\Tasks\At37.job c:\windows\Tasks\At38.job c:\windows\Tasks\At39.job c:\windows\Tasks\At40.job c:\windows\Tasks\At41.job c:\windows\Tasks\At42.job c:\windows\Tasks\At43.job c:\windows\Tasks\At44.job c:\windows\Tasks\At45.job c:\windows\Tasks\At46.job c:\windows\Tasks\At47.job c:\windows\Tasks\At48.job c:\windows\Tasks\At49.job c:\windows\Tasks\At50.job c:\windows\Tasks\At51.job c:\windows\Tasks\At52.job c:\windows\Tasks\At53.job c:\windows\Tasks\At54.job c:\windows\Tasks\At55.job c:\windows\Tasks\At56.job c:\windows\Tasks\At57.job c:\windows\Tasks\At58.job c:\windows\Tasks\At59.job c:\windows\Tasks\At60.job c:\windows\Tasks\At61.job c:\windows\Tasks\At62.job c:\windows\Tasks\At63.job c:\windows\Tasks\At64.job c:\windows\Tasks\At65.job c:\windows\Tasks\At66.job c:\windows\Tasks\At67.job c:\windows\Tasks\At68.job c:\windows\Tasks\At69.job c:\windows\Tasks\At70.job c:\windows\Tasks\At71.job c:\windows\Tasks\At72.job c:\windows\Tasks\At8.job c:\windows\Tasks\At9.job c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job . ((((((((((((((((((((((((( Files Created from 2008-11-16 to 2008-12-16 ))))))))))))))))))))))))))))))) . 2008-12-13 21:47 . 2008-12-13 21:47577,024--a--c---c:\windows\system32\dllcache\user32.dll 2008-12-13 21:42 . 2008-12-13 21:43d--------c:\windows\ERUNT 2008-12-13 21:29 . 2008-12-13 22:04d--------C:\SDFix 2008-12-08 22:25 . 2008-12-08 22:25d--------c:\program files\Trend Micro 2008-12-08 22:22 . 2008-12-08 22:22410,984--a------c:\windows\system32\deploytk.dll 2008-12-08 22:22 . 2008-12-08 22:2273,728--a------c:\windows\system32\javacpl.cpl 2008-12-08 19:04 . 2008-12-08 19:06d--------c:\program files\Malwarebytes' Anti-Malware 2008-12-08 19:04 . 2008-12-03 19:5238,496--a------c:\windows\system32\drivers\mbamswissarmy.sys 2008-12-08 19:04 . 2008-12-03 19:5215,504--a------c:\windows\system32\drivers\mbam.sys 2008-12-07 21:53 . 2008-12-07 21:53d--------c:\program files\SUPERAntiSpyware 2008-12-07 21:53 . 2008-12-07 21:53d--------c:\documents and settings\Melissa\Application Data\SUPERAntiSpyware.com 2008-12-07 21:53 . 2008-12-07 21:53d--------c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2008-12-07 21:52 . 2008-12-07 21:52d--------c:\program files\Common Files\Wise Installation Wizard 2008-12-02 21:20 . 2008-12-02 21:20d--------c:\program files\Alwil Software 2008-12-01 01:01 . 2004-08-04 00:56380,416--a------c:\windows\system32\irprops.cpl 2008-12-01 01:01 . 2004-08-04 00:56162,304--a------c:\windows\system32\wuaucpl.cpl 2008-12-01 00:52 . 2004-07-17 11:4019,528--a------c:\windows\002405_.tmp 2008-11-30 23:54 . 2008-11-30 23:54d--------c:\program files\CCleaner 2008-11-30 19:37 . 2004-02-10 10:50155,648--a------c:\windows\system32\igfxres.dll 2008-11-30 19:22 . 2004-08-03 23:04156,672--a--c---c:\windows\system32\dllcache\winzm.ime 2008-11-30 19:22 . 2004-08-03 23:04156,672--a--c---c:\windows\system32\dllcache\winsp.ime 2008-11-30 19:22 . 2004-08-03 23:04156,672--a--c---c:\windows\system32\dllcache\winpy.ime 2008-11-30 19:22 . 2004-08-03 23:0479,360--a--c---c:\windows\system32\dllcache\winar30.ime 2008-11-30 19:22 . 2003-07-16 13:2369,120--a--c---c:\windows\system32\dllcache\wingb.ime 2008-11-30 19:22 . 2004-08-03 23:0465,536--a--c---c:\windows\system32\dllcache\winime.ime 2008-11-30 19:22 . 2003-07-16 13:5141,600--a--c---c:\windows\system32\dllcache\weitekp9.dll 2008-11-30 19:22 . 2003-07-16 13:5131,232--a--c---c:\windows\system32\dllcache\weitekp9.sys 2008-11-30 19:20 . 2003-07-16 13:2210,129,408--a--c---c:\windows\system32\dllcache\hwxkor.dll 2008-11-30 19:19 . 2003-07-16 13:2213,463,552--a--c---c:\windows\system32\dllcache\hwxjpn.dll 2008-11-30 19:18 . 2001-08-17 22:362,134,528--a--c---c:\windows\system32\dllcache\EXCH_smtpsnap.dll 2008-11-30 19:18 . 2001-08-17 22:36175,104--a--c---c:\windows\system32\dllcache\EXCH_smtpadm.dll 2008-11-30 19:18 . 2003-07-16 13:2419,456--a--c---c:\windows\system32\dllcache\agt0804.dll 2008-11-30 19:18 . 2003-07-16 13:2419,456--a--c---c:\windows\system32\dllcache\agt0412.dll 2008-11-30 19:18 . 2003-07-16 13:2419,456--a--c---c:\windows\system32\dllcache\agt0411.dll 2008-11-30 19:18 . 2003-07-16 13:2419,456--a--c---c:\windows\system32\dllcache\agt040d.dll 2008-11-30 19:18 . 2003-07-16 13:2319,456--a--c---c:\windows\system32\dllcache\agt0404.dll 2008-11-30 19:18 . 2003-07-16 13:2319,456--a--c---c:\windows\system32\dllcache\agt0401.dll 2008-11-30 19:18 . 2001-08-17 22:365,632--a--c---c:\windows\system32\dllcache\EXCH_adsiisex.dll 2008-11-30 19:06 . 2008-11-30 19:06749-rah-----c:\windows\WindowsShell.Manifest 2008-11-30 19:06 . 2008-11-30 19:06749-rah-----c:\windows\system32\wuaucpl.cpl.manifest 2008-11-30 19:06 . 2008-11-30 19:06749-rah-----c:\windows\system32\sapi.cpl.manifest 2008-11-30 19:06 . 2008-11-30 19:06749-rah-----c:\windows\system32\ncpa.cpl.manifest 2008-11-30 19:06 . 2008-11-30 19:06488-rah-----c:\windows\system32\logonui.exe.manifest 2008-11-30 19:03 . 2004-08-04 00:56949,248--a------c:\windows\system32\msdtctm.dll 2008-11-30 19:02 . 2004-08-04 00:561,251,840--a------c:\windows\system32\comsvcs.dll 2008-11-30 18:26 . 2003-07-16 13:391,086,182-ra------c:\windows\SETE8.tmp 2008-11-30 18:26 . 2003-07-16 13:3013,608-ra------c:\windows\SETF4.tmp 2008-11-30 18:26 . 2003-07-16 13:547,046-ra------c:\windows\SET106.tmp 2008-11-30 16:35 . 2004-08-03 23:076,400--a------c:\windows\system32\drivers\splitter.sys 2008-11-30 16:34 . 2004-08-03 22:5957,472--a------c:\windows\system32\drivers\redbook.sys 2008-11-30 16:34 . 2004-08-03 23:0752,864--a------c:\windows\system32\drivers\dmusic.sys 2008-11-30 16:32 . 2004-08-04 00:56130,048--a------c:\windows\system32\ksproxy.ax 2008-11-30 16:32 . 2004-08-04 00:564,096--a------c:\windows\system32\ksuser.dll 2008-11-30 16:31 . 2004-08-04 01:0140,840--a------c:\windows\system32\drivers\termdd.sys 2008-11-30 16:26 . 2008-11-30 16:26d---s----c:\windows\system32\config\systemprofile\History 2008-11-22 18:22 . 2008-11-22 18:22d--------c:\program files\Western Digital 2008-11-22 18:21 . 2008-11-22 18:21d--------c:\program files\Common Files\eSellerate 2008-11-22 18:19 . 2008-12-02 20:19d---s----c:\documents and settings\All Users\Application Data\Memeo 2008-11-22 18:15 . 2008-11-22 18:15d--------c:\program files\Western Digital Technologies 2008-11-17 17:04 . 2008-11-17 17:04d--------c:\documents and settings\Melissa\Application Data\MalwareRemovalBot . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-12-09 05:22---------d-----wc:\program files\Java 2008-12-03 05:46---------d-----wc:\documents and settings\All Users\Application Data\avg8 2008-12-02 00:54---------d-----wc:\program files\Common Files\Symantec Shared 2008-11-23 01:22---------d--h--wc:\program files\InstallShield Installation Information 2008-11-17 23:072,002----a-wc:\windows\Sysvxd.exe 2008-11-15 22:34---------d-----wc:\program files\Windows Live Safety Center 2008-11-11 22:59---------d-----wc:\documents and settings\Melissa\Application Data\NLOP . ------- Sigcheck ------- 2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855c:\windows\ServicePackFiles\i386\ip6fw.sys 2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855c:\windows\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\ip6fw.sys 2008-04-13 11:53 36608 3bb22519a194418d5fec05d800a19ad0c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ip6fw.sys 2008-04-13 11:53 36608 3bb22519a194418d5fec05d800a19ad0c:\windows\system32\drivers\ip6fw.sys . ((((((((((((((((((((((((((((( [emailprotected]_23.31.45.98 ))))))))))))))))))))))))))))))))))))))))) . + 2008-12-16 04:48:2616,384----atwc:\windows\Temp\Perflib_Perfdata_56c.dat + 2008-12-16 04:48:4416,384----atwc:\windows\Temp\Perflib_Perfdata_6f8.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784] "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-18 81000] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-08 136600] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\WINDOWS\\system32\\services.exe"= R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-02 110160] R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-11-17 8944] R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-11-17 55024] R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-02 20560] S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408] . Contents of the 'Scheduled Tasks' folder 2008-12-15 c:\windows\Tasks\At3.job - c:\windows\system32\f0Rb45Pe.exe [] 2008-12-15 c:\windows\Tasks\At4.job - c:\windows\system32\f0Rb45Pe.exe [] 2008-12-15 c:\windows\Tasks\At5.job - c:\windows\system32\f0Rb45Pe.exe [] 2008-12-15 c:\windows\Tasks\At6.job - c:\windows\system32\f0Rb45Pe.exe [] 2008-12-15 c:\windows\Tasks\At7.job - c:\windows\system32\f0Rb45Pe.exe [] 2008-12-16 c:\windows\Tasks\XoftSpySE 2.job - c:\program files\XoftSpySE\XoftSpy.exe [] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com uInternet Connection Wizard,ShellNext = hxxp://products.webroot.com/disp0201.php?pc=64002&rc=3029&oc=11&ps=T&mjv=3&mnv=5&bld=198&sid=⟨=en FF - ProfilePath - c:\documents and settings\Melissa\Application Data\Mozilla\Firefox\Profiles\c95nf8gi.default\ FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157 FF - plugin: c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npjp2.dll FF - plugin: c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeploytk.dll . ************************************************************************ catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-12-15 21:48:38 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(616) c:\program files\SUPERAntiSpyware\SASWINLO.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Alwil Software\Avast4\aswUpdSv.exe c:\program files\Alwil Software\Avast4\ashServ.exe c:\program files\Cisco Systems\VPN Client\cvpnd.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\Alwil Software\Avast4\ashMaiSv.exe c:\program files\Alwil Software\Avast4\ashWebSv.exe . ************************************************************************ . Completion time: 2008-12-15 21:53:24 - machine was rebooted ComboFix-quarantined-files.txt 2008-12-16 04:53:20 ComboFix2.txt 2008-12-15 06:32:40 Pre-Run: 57,830,338,560 bytes free Post-Run: 57,821,102,080 bytes free 323--- E O F ---2008-10-27 02:53:48There are still some traces of the infection, but we've worn it down quite a bit. Let's try one more CFScript... Code: [Select]KillAll:: File:: c:\windows\Tasks\At3.job c:\windows\Tasks\At4.job c:\windows\Tasks\At5.job c:\windows\Tasks\At6.job c:\windows\Tasks\At7.job c:\windows\system32\f0Rb45Pe.exe Do the same this with this CFScript as you did with the previous two.TYVM-Sorry my machine was such an infected mess to start with. Pasted below is my new ComboFix Log: ComboFix 08-12-14.04 - Melissa 2008-12-16 21:43:31.3 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.222 [GMT -7:00] Running from: c:\documents and settings\Melissa\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Melissa\Desktop\CFScript.txt * Created a new restore point FILE :: c:\windows\system32\f0Rb45Pe.exe c:\windows\Tasks\At3.job c:\windows\Tasks\At4.job c:\windows\Tasks\At5.job c:\windows\Tasks\At6.job c:\windows\Tasks\At7.job . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\Tasks\At3.job c:\windows\Tasks\At4.job c:\windows\Tasks\At5.job c:\windows\Tasks\At6.job c:\windows\Tasks\At7.job . ((((((((((((((((((((((((( Files Created from 2008-11-17 to 2008-12-17 ))))))))))))))))))))))))))))))) . 2008-12-13 21:47 . 2008-12-13 21:47577,024--a--c---c:\windows\system32\dllcache\user32.dll 2008-12-13 21:42 . 2008-12-13 21:43d--------c:\windows\ERUNT 2008-12-13 21:29 . 2008-12-13 22:04d--------C:\SDFix 2008-12-08 22:25 . 2008-12-08 22:25d--------c:\program files\Trend Micro 2008-12-08 22:22 . 2008-12-08 22:22410,984--a------c:\windows\system32\deploytk.dll 2008-12-08 22:22 . 2008-12-08 22:2273,728--a------c:\windows\system32\javacpl.cpl 2008-12-08 19:04 . 2008-12-08 19:06d--------c:\program files\Malwarebytes' Anti-Malware 2008-12-08 19:04 . 2008-12-03 19:5238,496--a------c:\windows\system32\drivers\mbamswissarmy.sys 2008-12-08 19:04 . 2008-12-03 19:5215,504--a------c:\windows\system32\drivers\mbam.sys 2008-12-07 21:53 . 2008-12-07 21:53d--------c:\program files\SUPERAntiSpyware 2008-12-07 21:53 . 2008-12-07 21:53d--------c:\documents and settings\Melissa\Application Data\SUPERAntiSpyware.com 2008-12-07 21:53 . 2008-12-07 21:53d--------c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2008-12-07 21:52 . 2008-12-07 21:52d--------c:\program files\Common Files\Wise Installation Wizard 2008-12-02 21:20 . 2008-12-02 21:20d--------c:\program files\Alwil Software 2008-12-01 01:01 . 2004-08-04 00:56380,416--a------c:\windows\system32\irprops.cpl 2008-12-01 01:01 . 2004-08-04 00:56162,304--a------c:\windows\system32\wuaucpl.cpl 2008-12-01 00:52 . 2004-07-17 11:4019,528--a------c:\windows\002405_.tmp 2008-11-30 23:54 . 2008-11-30 23:54d--------c:\program files\CCleaner 2008-11-30 19:37 . 2004-02-10 10:50155,648--a------c:\windows\system32\igfxres.dll 2008-11-30 19:22 . 2004-08-03 23:04156,672--a--c---c:\windows\system32\dllcache\winzm.ime 2008-11-30 19:22 . 2004-08-03 23:04156,672--a--c---c:\windows\system32\dllcache\winsp.ime 2008-11-30 19:22 . 2004-08-03 23:04156,672--a--c---c:\windows\system32\dllcache\winpy.ime 2008-11-30 19:22 . 2004-08-03 23:0479,360--a--c---c:\windows\system32\dllcache\winar30.ime 2008-11-30 19:22 . 2003-07-16 13:2369,120--a--c---c:\windows\system32\dllcache\wingb.ime 2008-11-30 19:22 . 2004-08-03 23:0465,536--a--c---c:\windows\system32\dllcache\winime.ime 2008-11-30 19:22 . 2003-07-16 13:5141,600--a--c---c:\windows\system32\dllcache\weitekp9.dll 2008-11-30 19:22 . 2003-07-16 13:5131,232--a--c---c:\windows\system32\dllcache\weitekp9.sys 2008-11-30 19:20 . 2003-07-16 13:2210,129,408--a--c---c:\windows\system32\dllcache\hwxkor.dll 2008-11-30 19:19 . 2003-07-16 13:2213,463,552--a--c---c:\windows\system32\dllcache\hwxjpn.dll 2008-11-30 19:18 . 2001-08-17 22:362,134,528--a--c---c:\windows\system32\dllcache\EXCH_smtpsnap.dll 2008-11-30 19:18 . 2001-08-17 22:36175,104--a--c---c:\windows\system32\dllcache\EXCH_smtpadm.dll 2008-11-30 19:18 . 2003-07-16 13:2419,456--a--c---c:\windows\system32\dllcache\agt0804.dll 2008-11-30 19:18 . 2003-07-16 13:2419,456--a--c---c:\windows\system32\dllcache\agt0412.dll 2008-11-30 19:18 . 2003-07-16 13:2419,456--a--c---c:\windows\system32\dllcache\agt0411.dll 2008-11-30 19:18 . 2003-07-16 13:2419,456--a--c---c:\windows\system32\dllcache\agt040d.dll 2008-11-30 19:18 . 2003-07-16 13:2319,456--a--c---c:\windows\system32\dllcache\agt0404.dll 2008-11-30 19:18 . 2003-07-16 13:2319,456--a--c---c:\windows\system32\dllcache\agt0401.dll 2008-11-30 19:18 . 2001-08-17 22:365,632--a--c---c:\windows\system32\dllcache\EXCH_adsiisex.dll 2008-11-30 19:06 . 2008-11-30 19:06749-rah-----c:\windows\WindowsShell.Manifest 2008-11-30 19:06 . 2008-11-30 19:06749-rah-----c:\windows\system32\wuaucpl.cpl.manifest 2008-11-30 19:06 . 2008-11-30 19:06749-rah-----c:\windows\system32\sapi.cpl.manifest 2008-11-30 19:06 . 2008-11-30 19:06749-rah-----c:\windows\system32\ncpa.cpl.manifest 2008-11-30 19:06 . 2008-11-30 19:06488-rah-----c:\windows\system32\logonui.exe.manifest 2008-11-30 19:03 . 2004-08-04 00:56949,248--a------c:\windows\system32\msdtctm.dll 2008-11-30 19:02 . 2004-08-04 00:561,251,840--a------c:\windows\system32\comsvcs.dll 2008-11-30 18:26 . 2003-07-16 13:391,086,182-ra------c:\windows\SETE8.tmp 2008-11-30 18:26 . 2003-07-16 13:3013,608-ra------c:\windows\SETF4.tmp 2008-11-30 18:26 . 2003-07-16 13:547,046-ra------c:\windows\SET106.tmp 2008-11-30 16:35 . 2004-08-03 23:076,400--a------c:\windows\system32\drivers\splitter.sys 2008-11-30 16:34 . 2004-08-03 22:5957,472--a------c:\windows\system32\drivers\redbook.sys 2008-11-30 16:34 . 2004-08-03 23:0752,864--a------c:\windows\system32\drivers\dmusic.sys 2008-11-30 16:32 . 2004-08-04 00:56130,048--a------c:\windows\system32\ksproxy.ax 2008-11-30 16:32 . 2004-08-04 00:564,096--a------c:\windows\system32\ksuser.dll 2008-11-30 16:31 . 2004-08-04 01:0140,840--a------c:\windows\system32\drivers\termdd.sys 2008-11-30 16:26 . 2008-11-30 16:26d---s----c:\windows\system32\config\systemprofile\History 2008-11-22 18:22 . 2008-11-22 18:22d--------c:\program files\Western Digital 2008-11-22 18:21 . 2008-11-22 18:21d--------c:\program files\Common Files\eSellerate 2008-11-22 18:19 . 2008-12-02 20:19d---s----c:\documents and settings\All Users\Application Data\Memeo 2008-11-22 18:15 . 2008-11-22 18:15d--------c:\program files\Western Digital Technologies 2008-11-17 17:04 . 2008-11-17 17:04d--------c:\documents and settings\Melissa\Application Data\MalwareRemovalBot . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-12-09 05:22---------d-----wc:\program files\Java 2008-12-03 05:46---------d-----wc:\documents and settings\All Users\Application Data\avg8 2008-12-02 00:54---------d-----wc:\program files\Common Files\Symantec Shared 2008-11-23 01:22---------d--h--wc:\program files\InstallShield Installation Information 2008-11-17 23:072,002----a-wc:\windows\Sysvxd.exe 2008-11-15 22:34---------d-----wc:\program files\Windows Live Safety Center 2008-11-11 22:59---------d-----wc:\documents and settings\Melissa\Application Data\NLOP . ------- Sigcheck ------- 2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855c:\windows\ServicePackFiles\i386\ip6fw.sys 2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855c:\windows\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\ip6fw.sys 2008-04-13 11:53 36608 3bb22519a194418d5fec05d800a19ad0c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ip6fw.sys 2008-04-13 11:53 36608 3bb22519a194418d5fec05d800a19ad0c:\windows\system32\drivers\ip6fw.sys . ((((((((((((((((((((((((((((( [emailprotected]_23.31.45.98 ))))))))))))))))))))))))))))))))))))))))) . + 2008-12-17 04:50:3216,384----atwc:\windows\Temp\Perflib_Perfdata_630.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784] "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-18 81000] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-08 136600] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\WINDOWS\\system32\\services.exe"= R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-02 110160] R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-11-17 8944] R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-11-17 55024] R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-02 20560] S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408] . Contents of the 'Scheduled Tasks' folder 2008-12-17 c:\windows\Tasks\XoftSpySE 2.job - c:\program files\XoftSpySE\XoftSpy.exe [] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com uInternet Connection Wizard,ShellNext = hxxp://products.webroot.com/disp0201.php?pc=64002&rc=3029&oc=11&ps=T&mjv=3&mnv=5&bld=198&sid=⟨=en FF - ProfilePath - c:\documents and settings\Melissa\Application Data\Mozilla\Firefox\Profiles\c95nf8gi.default\ FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157 FF - plugin: c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npjp2.dll FF - plugin: c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeploytk.dll . ************************************************************************ catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-12-16 21:50:42 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(648) c:\program files\SUPERAntiSpyware\SASWINLO.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Alwil Software\Avast4\aswUpdSv.exe c:\program files\Alwil Software\Avast4\ashServ.exe c:\program files\Cisco Systems\VPN Client\cvpnd.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\Alwil Software\Avast4\ashMaiSv.exe c:\program files\Alwil Software\Avast4\ashWebSv.exe . ********************************************************************** . Completion time: 2008-12-16 21:55:26 - machine was rebooted ComboFix-quarantined-files.txt 2008-12-17 04:55:22 ComboFix2.txt 2008-12-16 04:53:27 ComboFix3.txt 2008-12-15 06:32:40 Pre-Run: 57,796,665,344 bytes free Post-Run: 57,786,298,368 bytes free 183--- E O F ---2008-10-27 02:53:48No need to apologize. Everything looks much better, by the way. How are things running now? Since you no longer need ComboFix, go ahead and uninstall it. Go to Start > Run and type combofix /u (note the space between combofix and /u) and click OK. If that doesn't work, then download OTCleanIt.exe and save it to your Desktop. Double-click OTCleanIt.exe. Click the CleanUp! button. Select Yes when the "Begin cleanup Process?" prompt appears. If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes, if not delete it yourself. Then clean out your System Restore. This is to remove any infected files that have been backed up by Windows. Please follow these steps... 1. Go to Start > Programs > Accessories > System Tools > System Restore 2. Click on System Restore Settings. 3. Check Turn off System Restore** and click OK. 4. Restart your computer. 5. Follow steps 1 and 2 to return to the settings, uncheck Turn off System Restore, and click OK. 6. Create a new restore point and close the program. System Restore will now be active again. If you would like to learn more about System Restore, go here.Everything is working great. The computer's speed is much better, no mysterious error messages, and all programs are working perfectly. I have a new restore point created and things look good. Just wanted to say thank you to CBMatt(Chris?) for your help through this. You are very clear and helpful with your instruction, and make people's frustrating problems much EASIER. Also with your help I have learned a lot about battling viruses through this experience. Good Job, I will recommend this site to all. Thank You again and have a wonderful holiday season. CBMatt and Chris are both appropriate when referring to me. I'll respond to either one. Heh. Thank you for the kind words, Melissa (the name is in your logs, so I assume it's correct?). I'm very glad to hear that things are going well now.

Answer»

Thanks to everyone for the posts and help with these symptoms. I had ALL of the following on my machine:
1) Weird sounds playing from ads, without me even on the internet
2) Internet browser windows linking to inexplicable pages, unprompted by anything
3) Extreme Slowness
4) On reboot Windows would often freeze up on the Windows XP or Welcome screen.
5) "Antivirus 2009" garbage
6) All helpful antispyware software blocked from downloading, updating, INSTALLING, etc.
7) Websites such as microsoft.com and avg.com won't load.
System Restore capabilities were impacted and lost.

With extreme patience, a different internet connection, a zip drive, and lots of luck I was able to walk through the "Malware Removal Guide". Step "A" was the hardest - I needed to manually UPDATE my existing AVG, scan & remove, then uninstall. I then had luck with the Avast! but only after the AVG quarantined some things and was uninstalled - I could tell it was not working properly. Then after the Avast! software scanned and did its thing, CCleaner and SAS worked. Then MBAM would work after the SAS scan. After COMPLETING the steps (IN ORDER ONLY) my machine seems to be running normally, but I wanted to post my logs for the experts to be sure to catch anything that is still hanging. I'd guess with these viruses I'm not out of the woods yet even with no visible symptoms right now. Thanks to the pros for your help, and thanks in advance for reviewing my logs. Everyone hang in there, and I hope I can help someone.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/07/2008 at 11:29 PM

Application Version : 4.22.1014

Core Rules Database Version : 3665
Trace Rules Database Version: 1645

Scan type : Complete Scan
Total Scan Time : 01:29:36

Memory items scanned : 355
Memory threats detected : 1
Registry items scanned : 13055
Registry threats detected : 172
File items scanned : 83040
File threats detected : 52

Adware.Vundo/Variant
C:\WINDOWS\SYSTEM32\RROZXE.DLL
C:\WINDOWS\SYSTEM32\RROZXE.DLL
HKU\S-1-5-21-1220945662-746137067-839522115-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2322F83-BFE6-481A-8423-8FE206FF26BC}

Adware.Mirar/NetNucleus
HKLM\Software\Classes\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\InprocServer32
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\InprocServer32#ThreadingModel
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#Version
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#BuildName
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#Affiliate
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#Show3X
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#ShowType
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#PopupCount
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#BlockEnable
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#Ticket
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#WalkThrough
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\TypeLib
HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}
HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0
HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0\0
HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0\0\win32
HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0\FLAGS
HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0\HELPDIR
C:\WINDOWS\SYSTEM32\WINNB55.DLL
HKLM\Software\Classes\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}
HKCR\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}
HKCR\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}
HKCR\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}\InprocServer32
HKCR\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}\InprocServer32#ThreadingModel
HKCR\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}\TypeLib
HKU\S-1-5-21-1220945662-746137067-839522115-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}
HKU\S-1-5-21-1220945662-746137067-839522115-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}
HKU\S-1-5-21-1220945662-746137067-839522115-1007\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}
HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}
HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\ProxyStubClsid
HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\ProxyStubClsid32
HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\TypeLib
HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\TypeLib#Version
HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}
HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\ProxyStubClsid
HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\ProxyStubClsid32
HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\TypeLib
HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\TypeLib#Version
HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}
HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\ProxyStubClsid
HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\ProxyStubClsid32
HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\TypeLib
HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\TypeLib#Version
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75}#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75}#UninstallString

Trojan.Vundo-Variant/NextGen-Six
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e2322f83-bfe6-481a-8423-8fe206ff26bc}
HKCR\CLSID\{E2322F83-BFE6-481A-8423-8FE206FF26BC}
HKCR\CLSID\{E2322F83-BFE6-481A-8423-8FE206FF26BC}\InprocServer32
HKCR\CLSID\{E2322F83-BFE6-481A-8423-8FE206FF26BC}\InprocServer32#ThreadingModel

Adware.MyWebSearch/FunWebProducts
HKU\S-1-5-21-1220945662-746137067-839522115-1007\SOFTWARE\FunWebProducts

Trojan.DNSChanger-Codec
HKU\S-1-5-21-1220945662-746137067-839522115-1007\Software\GetModule

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\FCOVM
HKLM\SOFTWARE\Microsoft\RemoveRP
HKLM\SOFTWARE\Microsoft\MS Juan
HKLM\SOFTWARE\Microsoft\MS Juan#RID
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\lxkfqn.dll
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\lxkfqn.dll#LU
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\lxkfqn.dll#CT
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\lxkfqn.dll#LT
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LBL
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#MN
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CPS
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CNT
HKLM\SOFTWARE\Microsoft\contim
HKLM\SOFTWARE\Microsoft\contim#SysShell
HKLM\SOFTWARE\Microsoft\MS Track System
HKLM\SOFTWARE\Microsoft\MS Track System#Uid
HKLM\SOFTWARE\Microsoft\MS Track System#Shows
HKLM\SOFTWARE\Microsoft\MS Track System#Uqs
HKLM\SOFTWARE\Microsoft\MS Track System#Click1
HKLM\SOFTWARE\Microsoft\rdfa
HKLM\SOFTWARE\Microsoft\rdfa#F
HKLM\SOFTWARE\Microsoft\rdfa#N
C:\WINDOWS\SYSTEM32\NQTWA.INI2

Rogue.XP AntiSpyware 2009
HKU\S-1-5-21-1220945662-746137067-839522115-1007\Control Panel\don't load#wscui.cpl [ No ]

Trojan.Downloader-Gen
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#brastk [ brastk.exe ]

Trojan.Fake-Alert
C:\Documents and Settings\Melissa\Application Data\gadcom

Rogue.Component/Trace
HKLM\Software\Microsoft\40ADE431
HKLM\Software\Microsoft\40ADE431#40ade431
HKLM\Software\Microsoft\40ADE431#40ad49b1
HKLM\Software\Microsoft\40ADE431#40ad2054
HKLM\Software\Microsoft\40ADE431#Version

Rogue.AntiVirusPro2009
HKLM\Software\AntivirusPro2009
HKLM\Software\AntivirusPro2009#info

Trojan.Fake-Alert/Trace
HKU\S-1-5-21-1220945662-746137067-839522115-1007\SOFTWARE\Microsoft\fias4013
C:\WINDOWS\system32\TDSSfpmp.dll

Rootkit.TDSServ
HKLM\SOFTWARE\TDSS
HKLM\SOFTWARE\TDSS#build
HKLM\SOFTWARE\TDSS#type
HKLM\SOFTWARE\TDSS#affid
HKLM\SOFTWARE\TDSS#subid
HKLM\SOFTWARE\TDSS#cmddelay
HKLM\SOFTWARE\TDSS#serversdown
HKLM\SOFTWARE\TDSS\connections
HKLM\SOFTWARE\TDSS\connections#2a4fe91c
HKLM\SOFTWARE\TDSS\connections#87214514
HKLM\SOFTWARE\TDSS\disallowed
HKLM\SOFTWARE\TDSS\disallowed#trsetup.exe
HKLM\SOFTWARE\TDSS\disallowed#ViewpointService.exe
HKLM\SOFTWARE\TDSS\disallowed#ViewMgr.exe
HKLM\SOFTWARE\TDSS\disallowed#SpySweeper.exe
HKLM\SOFTWARE\TDSS\disallowed#SUPERAntiSpyware.exe
HKLM\SOFTWARE\TDSS\disallowed#SpySub.exe
HKLM\SOFTWARE\TDSS\disallowed#SpywareTerminatorShield.exe
HKLM\SOFTWARE\TDSS\disallowed#SpyHunter3.exe
HKLM\SOFTWARE\TDSS\disallowed#XoftSpy.exe
HKLM\SOFTWARE\TDSS\disallowed#SpyEraser.exe
HKLM\SOFTWARE\TDSS\disallowed#combofix.exe
HKLM\SOFTWARE\TDSS\disallowed#otscanit.exe
HKLM\SOFTWARE\TDSS\disallowed#mbam.exe
HKLM\SOFTWARE\TDSS\disallowed#mbam-setup.exe
HKLM\SOFTWARE\TDSS\disallowed#flash_disinfector.exe
HKLM\SOFTWARE\TDSS\disallowed#otmoveit2.exe
HKLM\SOFTWARE\TDSS\disallowed#smitfraudfix.exe
HKLM\SOFTWARE\TDSS\disallowed#prevxcsifree.exe
HKLM\SOFTWARE\TDSS\disallowed#download_mbam-setup.exe
HKLM\SOFTWARE\TDSS\disallowed#cbo_setup.exe
HKLM\SOFTWARE\TDSS\disallowed#spywareblastersetup.exe
HKLM\SOFTWARE\TDSS\disallowed#rminstall.exe
HKLM\SOFTWARE\TDSS\disallowed#sdsetup.exe
HKLM\SOFTWARE\TDSS\disallowed#vundofixsvc.exe
HKLM\SOFTWARE\TDSS\disallowed#daft.exe
HKLM\SOFTWARE\TDSS\disallowed#gmer.exe
HKLM\SOFTWARE\TDSS\disallowed#catchme.exe
HKLM\SOFTWARE\TDSS\disallowed#mcpr.exe
HKLM\SOFTWARE\TDSS\disallowed#sdfix.exe
HKLM\SOFTWARE\TDSS\disallowed#hjtinstall.exe
HKLM\SOFTWARE\TDSS\disallowed#fixpolicies.exe
HKLM\SOFTWARE\TDSS\disallowed#emergencyutil.exe
HKLM\SOFTWARE\TDSS\disallowed#techweb.exe
HKLM\SOFTWARE\TDSS\disallowed#GoogleUpdate.exe
HKLM\SOFTWARE\TDSS\disallowed#windowsdefender.exe
HKLM\SOFTWARE\TDSS\disallowed#spybotsd.exe
HKLM\SOFTWARE\TDSS\injector
HKLM\SOFTWARE\TDSS\injector#*
HKLM\SOFTWARE\TDSS\versions
HKLM\SOFTWARE\TDSS\versions#/tdss2/crcmds/init
HKLM\SOFTWARE\TDSS\versions#/tdss/crcmds/init
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#affid
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#subid
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#control
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#prov
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#googleadserver
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#flagged

Adware.Tracking Cookie
www.countryfinancial.com [ C:\Documents and Settings\Melissa\Application Data\Mozilla\Firefox\Profiles\c95nf8gi.default\cookies.txt ]
www.countryfinancial.com [ C:\Documents and Settings\Melissa\Application Data\Mozilla\Firefox\Profiles\c95nf8gi.default\cookies.txt ]
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt

Trojan.Fake-Drop/Gen
C:\WINDOWS\SYSTEM32\MSVBVM31.DLL

Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\TDSSOSVN.DAT
C:\WINDOWS\SYSTEM32\WNSCPICOMSV32.EXE

Rootkit.TDSServ-Trace
C:\WINDOWS\SYSTEM32\TDSSTHYM.LOG
C:\WINDOWS\SYSTEM32\TDSSTKDV.LOG

============================
Malwarebytes' Anti-Malware 1.31
Database version: 1475
Windows 5.1.2600 Service Pack 2

12/8/2008 9:46:42 PM
mbam-log-2008-12-08 (21-46-42).txt

Scan type: Quick Scan
Objects scanned: 74673
Time elapsed: 10 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{b0b3393c-62d1-44d8-abf5-08e0f067f29e} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b0b3393c-62d1-44d8-abf5-08e0f067f29e} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\40adf6bf (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{b0b3393c-62d1-44d8-abf5-08e0f067f29e} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Melissa\Application Data\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Melissa\Application Data\GetModule\dicik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Melissa\Application Data\GetModule\kwdik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Melissa\Application Data\GetModule\ofadik.gz (Trojan.Agent) -> Quarantined and deleted successfully.

Please find the attached files for other logs.

Thanks Again for your help.

[Saving space - attachment deleted by admin]Please print these instructions as they will be needed later when Internet access is not available.

Download SDFix by AndyManchesta and save it to your desktop. http://rapidshare.com/files/151585130/SDFix.exe.html

When using this tool, you must use the Administrator's account or an account with Administrative rights

Double click SDFix.exe and it will extract the files to %systemdrive%
(this is the drive that contains the Windows Directory, typically C:\SDFix).
DO NOT use it just yet.

.Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.

Type Y to begin the cleanup process.
It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Copy and paste the contents of the results file Report.txt in your next reply.

Pasted Below is the SDFix Report.txt.

FYI: I had an error message with the heading-
16 Bit MS-DOS Subsystem:
C:\Progra~1\Symantec\S32EVNT1.DLL. An installable Virtual Devise Driver failed Dll initialization. Choose close to terminate the application.
Close Ignore

After choosing "close" every time this thing popped up in the SDFix process, it seemed to run fine. Please let me know if I need to do anything different with this.
I REALLY appreciate your help and time with this. Here is the log:

============================
SDFix: Version 1.231
Run by Melissa on Sat 12/13/2008 at 09:49 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File
Resetting SecurityProviders Value

Rebooting

Checking Files :

No Trojan Files Found

Folder C:\Program Files\kernel - Removed

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-13 21:59:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSpaxt.sys"
"group"="file system"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSpaxt.sys"
"group"="file system"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules]
"TDSSserv"="\systemroot\system32\drivers\TDSSpaxt.sys"
"TDSSl"="\systemroot\system32\TDSSoeqh.dll"
"tdssservers"="\systemroot\system32\TDSSosvn.dat"
"tdssmain"="\systemroot\system32\TDSSnrsr.dll"
"tdsslog"="\systemroot\system32\TDSSriqp.dll"
"tdssadw"="\systemroot\system32\TDSScfub.dll"
"tdssinit"="\systemroot\system32\TDSSfpmp.dll"
"tdssurls"="\systemroot\system32\TDSSnmxh.log"
"tdsspanels"="\systemroot\system32\TDSSsbhc.dll"
"tdsserrors"="\systemroot\system32\TDSSthym.log"
"TDSSproc"="\systemroot\system32\TDSStkdv.log"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSpaxt.sys"
"group"="file system"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules]
"TDSSserv"="\systemroot\system32\drivers\TDSSpaxt.sys"
"TDSSl"="\systemroot\system32\TDSSoeqh.dll"
"tdssservers"="\systemroot\system32\TDSSosvn.dat"
"tdssmain"="\systemroot\system32\TDSSnrsr.dll"
"tdsslog"="\systemroot\system32\TDSSriqp.dll"
"tdssadw"="\systemroot\system32\TDSScfub.dll"
"tdssinit"="\systemroot\system32\TDSSfpmp.dll"
"tdssurls"="\systemroot\system32\TDSSnmxh.log"
"tdsspanels"="\systemroot\system32\TDSSsbhc.dll"
"tdsserrors"="\systemroot\system32\TDSSthym.log"
"TDSSproc"="\systemroot\system32\TDSStkdv.log"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSpaxt.sys"
"group"="file system"

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\lpyjidcp.exe"="C:\\WINDOWS\\system32\\lpy"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Disabled:America Online 9.0"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Disabled:AOL"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Explorer"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:IEXPLORE"
"C:\\WINDOWS\\system32\\winlogon.exe"="C:\\WINDOWS\\system32\\winlogon.exe:*:Enabled:winlogon"
"C:\\WINDOWS\\system32\\ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe:*:Enabled:ctfmon"
"C:\\WINDOWS\\system32\\services.exe"="C:\\WINDOWS\\system32\\services.exe:*:Enabled:services"
"C:\\WINDOWS\\system32\\drivers\\svchost.exe"="C:\\WINDOWS\\system32\\drivers\\svchost.exe:*:Disabled:svchost"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Finished!
This particular infection will occasionally corrupt certain files, so that could be the case for your Symantec. It may require a reinstall or repair. For the time being, download ComboFix from one of the links on this page:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

If you can't access the page, you may need to use another computer and then transfer the file. Once it's on your computer, do the following...

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]KillAll::

File::
C:\WINDOWS\system32\drivers\TDSSpaxt.sys
C:\WINDOWS\system32\TDSSoeqh.dll
C:\WINDOWS\system32\TDSSosvn.dat
C:\WINDOWS\system32\TDSSnrsr.dll
C:\WINDOWS\system32\TDSSriqp.dll
C:\WINDOWS\system32\TDSScfub.dll
C:\WINDOWS\system32\TDSSfpmp.dll
C:\WINDOWS\system32\TDSSnmxh.log
C:\WINDOWS\system32\TDSSsbhc.dll
C:\WINDOWS\system32\TDSSthym.log
C:\WINDOWS\system32\TDSStkdv.log

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TDSSserv.sys]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\TDSSserv.sys]

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply along with a HijackThis log.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freezeThanks again for your help. ComboFix log is attached - too long to post.

Hijackthis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:45:57 PM, on 12/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://products.webroot.com/disp0201.php?pc=64002&rc=3029&oc=11&ps=T&mjv=3&mnv=5&bld=198&sid=&lang=en
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O20 - AppInit_DLLs: karna.dat,rrozxe.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 4952 bytes

[Saving space - attachment deleted by admin]Well, your HijackThis looks pretty good, but your ComboFix is another story. But no worries, I identified many bad files and we will now instruct ComboFix to remove them. Copy the text in the box below and create a new CFScript file...

Code: [Select]KillAll::

Folder::
C:\Program Files\malwareremovalbot

File::
C:\Program Files\malwareremovalbot\malwareremovalbot.exe
C:\WINDOWS\system32\qomfeffe.dll
C:\WINDOWS\system32\f0rb45pe.exe
C:\WINDOWS\system32\oygl44yr.exe
C:\WINDOWS\system32\r7q7v4nc.exe
C:\WINDOWS\system32\sysvxd.exe
C:\WINDOWS\system32\karna.dat
C:\WINDOWS\system32\rrozxe.dll
C:\WINDOWS\system32\geBuRKcB.dll
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At49.job
c:\windows\Tasks\At50.job
c:\windows\Tasks\At51.job
c:\windows\Tasks\At52.job
c:\windows\Tasks\At53.job
c:\windows\Tasks\At54.job
c:\windows\Tasks\At55.job
c:\windows\Tasks\At56.job
c:\windows\Tasks\At57.job
c:\windows\Tasks\At58.job
c:\windows\Tasks\At59.job
c:\windows\Tasks\At60.job
c:\windows\Tasks\At61.job
c:\windows\Tasks\At62.job
c:\windows\Tasks\At63.job
c:\windows\Tasks\At64.job
c:\windows\Tasks\At65.job
c:\windows\Tasks\At66.job
c:\windows\Tasks\At67.job
c:\windows\Tasks\At68.job
c:\windows\Tasks\At69.job
c:\windows\Tasks\At70.job
c:\windows\Tasks\At71.job
c:\windows\Tasks\At72.job
c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

Then go ahead and follow the same instructions from my previous post. A new HijackThis log isn't necessary, but I would like to see the new ComboFix log.Thank You - Posted below is my new ComboFix log:

ComboFix 08-12-14.04 - Melissa 2008-12-15 21:41:26.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.205 [GMT -7:00]
Running from: c:\documents and settings\Melissa\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Melissa\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\program files\malwareremovalbot\malwareremovalbot.exe
c:\windows\system32\f0rb45pe.exe
c:\windows\system32\geBuRKcB.dll
c:\windows\system32\karna.dat
c:\windows\system32\oygl44yr.exe
c:\windows\system32\qomfeffe.dll
c:\windows\system32\r7q7v4nc.exe
c:\windows\system32\rrozxe.dll
c:\windows\system32\sysvxd.exe
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At49.job
c:\windows\Tasks\At50.job
c:\windows\Tasks\At51.job
c:\windows\Tasks\At52.job
c:\windows\Tasks\At53.job
c:\windows\Tasks\At54.job
c:\windows\Tasks\At55.job
c:\windows\Tasks\At56.job
c:\windows\Tasks\At57.job
c:\windows\Tasks\At58.job
c:\windows\Tasks\At59.job
c:\windows\Tasks\At60.job
c:\windows\Tasks\At61.job
c:\windows\Tasks\At62.job
c:\windows\Tasks\At63.job
c:\windows\Tasks\At64.job
c:\windows\Tasks\At65.job
c:\windows\Tasks\At66.job
c:\windows\Tasks\At67.job
c:\windows\Tasks\At68.job
c:\windows\Tasks\At69.job
c:\windows\Tasks\At70.job
c:\windows\Tasks\At71.job
c:\windows\Tasks\At72.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At49.job
c:\windows\Tasks\At50.job
c:\windows\Tasks\At51.job
c:\windows\Tasks\At52.job
c:\windows\Tasks\At53.job
c:\windows\Tasks\At54.job
c:\windows\Tasks\At55.job
c:\windows\Tasks\At56.job
c:\windows\Tasks\At57.job
c:\windows\Tasks\At58.job
c:\windows\Tasks\At59.job
c:\windows\Tasks\At60.job
c:\windows\Tasks\At61.job
c:\windows\Tasks\At62.job
c:\windows\Tasks\At63.job
c:\windows\Tasks\At64.job
c:\windows\Tasks\At65.job
c:\windows\Tasks\At66.job
c:\windows\Tasks\At67.job
c:\windows\Tasks\At68.job
c:\windows\Tasks\At69.job
c:\windows\Tasks\At70.job
c:\windows\Tasks\At71.job
c:\windows\Tasks\At72.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job

.
((((((((((((((((((((((((( Files Created from 2008-11-16 to 2008-12-16 )))))))))))))))))))))))))))))))
.

2008-12-13 21:47 . 2008-12-13 21:47577,024--a--c---c:\windows\system32\dllcache\user32.dll
2008-12-13 21:42 . 2008-12-13 21:43d--------c:\windows\ERUNT
2008-12-13 21:29 . 2008-12-13 22:04d--------C:\SDFix
2008-12-08 22:25 . 2008-12-08 22:25d--------c:\program files\Trend Micro
2008-12-08 22:22 . 2008-12-08 22:22410,984--a------c:\windows\system32\deploytk.dll
2008-12-08 22:22 . 2008-12-08 22:2273,728--a------c:\windows\system32\javacpl.cpl
2008-12-08 19:04 . 2008-12-08 19:06d--------c:\program files\Malwarebytes' Anti-Malware
2008-12-08 19:04 . 2008-12-03 19:5238,496--a------c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-08 19:04 . 2008-12-03 19:5215,504--a------c:\windows\system32\drivers\mbam.sys
2008-12-07 21:53 . 2008-12-07 21:53d--------c:\program files\SUPERAntiSpyware
2008-12-07 21:53 . 2008-12-07 21:53d--------c:\documents and settings\Melissa\Application Data\SUPERAntiSpyware.com
2008-12-07 21:53 . 2008-12-07 21:53d--------c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-07 21:52 . 2008-12-07 21:52d--------c:\program files\Common Files\Wise Installation Wizard
2008-12-02 21:20 . 2008-12-02 21:20d--------c:\program files\Alwil Software
2008-12-01 01:01 . 2004-08-04 00:56380,416--a------c:\windows\system32\irprops.cpl
2008-12-01 01:01 . 2004-08-04 00:56162,304--a------c:\windows\system32\wuaucpl.cpl
2008-12-01 00:52 . 2004-07-17 11:4019,528--a------c:\windows\002405_.tmp
2008-11-30 23:54 . 2008-11-30 23:54d--------c:\program files\CCleaner
2008-11-30 19:37 . 2004-02-10 10:50155,648--a------c:\windows\system32\igfxres.dll
2008-11-30 19:22 . 2004-08-03 23:04156,672--a--c---c:\windows\system32\dllcache\winzm.ime
2008-11-30 19:22 . 2004-08-03 23:04156,672--a--c---c:\windows\system32\dllcache\winsp.ime
2008-11-30 19:22 . 2004-08-03 23:04156,672--a--c---c:\windows\system32\dllcache\winpy.ime
2008-11-30 19:22 . 2004-08-03 23:0479,360--a--c---c:\windows\system32\dllcache\winar30.ime
2008-11-30 19:22 . 2003-07-16 13:2369,120--a--c---c:\windows\system32\dllcache\wingb.ime
2008-11-30 19:22 . 2004-08-03 23:0465,536--a--c---c:\windows\system32\dllcache\winime.ime
2008-11-30 19:22 . 2003-07-16 13:5141,600--a--c---c:\windows\system32\dllcache\weitekp9.dll
2008-11-30 19:22 . 2003-07-16 13:5131,232--a--c---c:\windows\system32\dllcache\weitekp9.sys
2008-11-30 19:20 . 2003-07-16 13:2210,129,408--a--c---c:\windows\system32\dllcache\hwxkor.dll
2008-11-30 19:19 . 2003-07-16 13:2213,463,552--a--c---c:\windows\system32\dllcache\hwxjpn.dll
2008-11-30 19:18 . 2001-08-17 22:362,134,528--a--c---c:\windows\system32\dllcache\EXCH_smtpsnap.dll
2008-11-30 19:18 . 2001-08-17 22:36175,104--a--c---c:\windows\system32\dllcache\EXCH_smtpadm.dll
2008-11-30 19:18 . 2003-07-16 13:2419,456--a--c---c:\windows\system32\dllcache\agt0804.dll
2008-11-30 19:18 . 2003-07-16 13:2419,456--a--c---c:\windows\system32\dllcache\agt0412.dll
2008-11-30 19:18 . 2003-07-16 13:2419,456--a--c---c:\windows\system32\dllcache\agt0411.dll
2008-11-30 19:18 . 2003-07-16 13:2419,456--a--c---c:\windows\system32\dllcache\agt040d.dll
2008-11-30 19:18 . 2003-07-16 13:2319,456--a--c---c:\windows\system32\dllcache\agt0404.dll
2008-11-30 19:18 . 2003-07-16 13:2319,456--a--c---c:\windows\system32\dllcache\agt0401.dll
2008-11-30 19:18 . 2001-08-17 22:365,632--a--c---c:\windows\system32\dllcache\EXCH_adsiisex.dll
2008-11-30 19:06 . 2008-11-30 19:06749-rah-----c:\windows\WindowsShell.Manifest
2008-11-30 19:06 . 2008-11-30 19:06749-rah-----c:\windows\system32\wuaucpl.cpl.manifest
2008-11-30 19:06 . 2008-11-30 19:06749-rah-----c:\windows\system32\sapi.cpl.manifest
2008-11-30 19:06 . 2008-11-30 19:06749-rah-----c:\windows\system32\ncpa.cpl.manifest
2008-11-30 19:06 . 2008-11-30 19:06488-rah-----c:\windows\system32\logonui.exe.manifest
2008-11-30 19:03 . 2004-08-04 00:56949,248--a------c:\windows\system32\msdtctm.dll
2008-11-30 19:02 . 2004-08-04 00:561,251,840--a------c:\windows\system32\comsvcs.dll
2008-11-30 18:26 . 2003-07-16 13:391,086,182-ra------c:\windows\SETE8.tmp
2008-11-30 18:26 . 2003-07-16 13:3013,608-ra------c:\windows\SETF4.tmp
2008-11-30 18:26 . 2003-07-16 13:547,046-ra------c:\windows\SET106.tmp
2008-11-30 16:35 . 2004-08-03 23:076,400--a------c:\windows\system32\drivers\splitter.sys
2008-11-30 16:34 . 2004-08-03 22:5957,472--a------c:\windows\system32\drivers\redbook.sys
2008-11-30 16:34 . 2004-08-03 23:0752,864--a------c:\windows\system32\drivers\dmusic.sys
2008-11-30 16:32 . 2004-08-04 00:56130,048--a------c:\windows\system32\ksproxy.ax
2008-11-30 16:32 . 2004-08-04 00:564,096--a------c:\windows\system32\ksuser.dll
2008-11-30 16:31 . 2004-08-04 01:0140,840--a------c:\windows\system32\drivers\termdd.sys
2008-11-30 16:26 . 2008-11-30 16:26d---s----c:\windows\system32\config\systemprofile\History
2008-11-22 18:22 . 2008-11-22 18:22d--------c:\program files\Western Digital
2008-11-22 18:21 . 2008-11-22 18:21d--------c:\program files\Common Files\eSellerate
2008-11-22 18:19 . 2008-12-02 20:19d---s----c:\documents and settings\All Users\Application Data\Memeo
2008-11-22 18:15 . 2008-11-22 18:15d--------c:\program files\Western Digital Technologies
2008-11-17 17:04 . 2008-11-17 17:04d--------c:\documents and settings\Melissa\Application Data\MalwareRemovalBot

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 05:22---------d-----wc:\program files\Java
2008-12-03 05:46---------d-----wc:\documents and settings\All Users\Application Data\avg8
2008-12-02 00:54---------d-----wc:\program files\Common Files\Symantec Shared
2008-11-23 01:22---------d--h--wc:\program files\InstallShield Installation Information
2008-11-17 23:072,002----a-wc:\windows\Sysvxd.exe
2008-11-15 22:34---------d-----wc:\program files\Windows Live Safety Center
2008-11-11 22:59---------d-----wc:\documents and settings\Melissa\Application Data\NLOP
.

------- Sigcheck -------

2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855c:\windows\ServicePackFiles\i386\ip6fw.sys
2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855c:\windows\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\ip6fw.sys
2008-04-13 11:53 36608 3bb22519a194418d5fec05d800a19ad0c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ip6fw.sys
2008-04-13 11:53 36608 3bb22519a194418d5fec05d800a19ad0c:\windows\system32\drivers\ip6fw.sys
.
((((((((((((((((((((((((((((( [emailprotected]_23.31.45.98 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-16 04:48:2616,384----atwc:\windows\Temp\Perflib_Perfdata_56c.dat
+ 2008-12-16 04:48:4416,384----atwc:\windows\Temp\Perflib_Perfdata_6f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-18 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-08 136600]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\services.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-02 110160]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-11-17 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-11-17 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-02 20560]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]
.
Contents of the 'Scheduled Tasks' folder

2008-12-15 c:\windows\Tasks\At3.job
- c:\windows\system32\f0Rb45Pe.exe []

2008-12-15 c:\windows\Tasks\At4.job
- c:\windows\system32\f0Rb45Pe.exe []

2008-12-15 c:\windows\Tasks\At5.job
- c:\windows\system32\f0Rb45Pe.exe []

2008-12-15 c:\windows\Tasks\At6.job
- c:\windows\system32\f0Rb45Pe.exe []

2008-12-15 c:\windows\Tasks\At7.job
- c:\windows\system32\f0Rb45Pe.exe []

2008-12-16 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://products.webroot.com/disp0201.php?pc=64002&rc=3029&oc=11&ps=T&mjv=3&mnv=5&bld=198&sid=⟨=en
FF - ProfilePath - c:\documents and settings\Melissa\Application Data\Mozilla\Firefox\Profiles\c95nf8gi.default\
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - plugin: c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-15 21:48:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(616)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-12-15 21:53:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-16 04:53:20
ComboFix2.txt 2008-12-15 06:32:40

Pre-Run: 57,830,338,560 bytes free
Post-Run: 57,821,102,080 bytes free

323--- E O F ---2008-10-27 02:53:48There are still some traces of the infection, but we've worn it down quite a bit. Let's try one more CFScript...

Code: [Select]KillAll::

File::
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\system32\f0Rb45Pe.exe

Do the same this with this CFScript as you did with the previous two.TYVM-Sorry my machine was such an infected mess to start with. Pasted below is my new ComboFix Log:

ComboFix 08-12-14.04 - Melissa 2008-12-16 21:43:31.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.222 [GMT -7:00]
Running from: c:\documents and settings\Melissa\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Melissa\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\f0Rb45Pe.exe
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job

.
((((((((((((((((((((((((( Files Created from 2008-11-17 to 2008-12-17 )))))))))))))))))))))))))))))))
.

2008-12-13 21:47 . 2008-12-13 21:47577,024--a--c---c:\windows\system32\dllcache\user32.dll
2008-12-13 21:42 . 2008-12-13 21:43d--------c:\windows\ERUNT
2008-12-13 21:29 . 2008-12-13 22:04d--------C:\SDFix
2008-12-08 22:25 . 2008-12-08 22:25d--------c:\program files\Trend Micro
2008-12-08 22:22 . 2008-12-08 22:22410,984--a------c:\windows\system32\deploytk.dll
2008-12-08 22:22 . 2008-12-08 22:2273,728--a------c:\windows\system32\javacpl.cpl
2008-12-08 19:04 . 2008-12-08 19:06d--------c:\program files\Malwarebytes' Anti-Malware
2008-12-08 19:04 . 2008-12-03 19:5238,496--a------c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-08 19:04 . 2008-12-03 19:5215,504--a------c:\windows\system32\drivers\mbam.sys
2008-12-07 21:53 . 2008-12-07 21:53d--------c:\program files\SUPERAntiSpyware
2008-12-07 21:53 . 2008-12-07 21:53d--------c:\documents and settings\Melissa\Application Data\SUPERAntiSpyware.com
2008-12-07 21:53 . 2008-12-07 21:53d--------c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-07 21:52 . 2008-12-07 21:52d--------c:\program files\Common Files\Wise Installation Wizard
2008-12-02 21:20 . 2008-12-02 21:20d--------c:\program files\Alwil Software
2008-12-01 01:01 . 2004-08-04 00:56380,416--a------c:\windows\system32\irprops.cpl
2008-12-01 01:01 . 2004-08-04 00:56162,304--a------c:\windows\system32\wuaucpl.cpl
2008-12-01 00:52 . 2004-07-17 11:4019,528--a------c:\windows\002405_.tmp
2008-11-30 23:54 . 2008-11-30 23:54d--------c:\program files\CCleaner
2008-11-30 19:37 . 2004-02-10 10:50155,648--a------c:\windows\system32\igfxres.dll
2008-11-30 19:22 . 2004-08-03 23:04156,672--a--c---c:\windows\system32\dllcache\winzm.ime
2008-11-30 19:22 . 2004-08-03 23:04156,672--a--c---c:\windows\system32\dllcache\winsp.ime
2008-11-30 19:22 . 2004-08-03 23:04156,672--a--c---c:\windows\system32\dllcache\winpy.ime
2008-11-30 19:22 . 2004-08-03 23:0479,360--a--c---c:\windows\system32\dllcache\winar30.ime
2008-11-30 19:22 . 2003-07-16 13:2369,120--a--c---c:\windows\system32\dllcache\wingb.ime
2008-11-30 19:22 . 2004-08-03 23:0465,536--a--c---c:\windows\system32\dllcache\winime.ime
2008-11-30 19:22 . 2003-07-16 13:5141,600--a--c---c:\windows\system32\dllcache\weitekp9.dll
2008-11-30 19:22 . 2003-07-16 13:5131,232--a--c---c:\windows\system32\dllcache\weitekp9.sys
2008-11-30 19:20 . 2003-07-16 13:2210,129,408--a--c---c:\windows\system32\dllcache\hwxkor.dll
2008-11-30 19:19 . 2003-07-16 13:2213,463,552--a--c---c:\windows\system32\dllcache\hwxjpn.dll
2008-11-30 19:18 . 2001-08-17 22:362,134,528--a--c---c:\windows\system32\dllcache\EXCH_smtpsnap.dll
2008-11-30 19:18 . 2001-08-17 22:36175,104--a--c---c:\windows\system32\dllcache\EXCH_smtpadm.dll
2008-11-30 19:18 . 2003-07-16 13:2419,456--a--c---c:\windows\system32\dllcache\agt0804.dll
2008-11-30 19:18 . 2003-07-16 13:2419,456--a--c---c:\windows\system32\dllcache\agt0412.dll
2008-11-30 19:18 . 2003-07-16 13:2419,456--a--c---c:\windows\system32\dllcache\agt0411.dll
2008-11-30 19:18 . 2003-07-16 13:2419,456--a--c---c:\windows\system32\dllcache\agt040d.dll
2008-11-30 19:18 . 2003-07-16 13:2319,456--a--c---c:\windows\system32\dllcache\agt0404.dll
2008-11-30 19:18 . 2003-07-16 13:2319,456--a--c---c:\windows\system32\dllcache\agt0401.dll
2008-11-30 19:18 . 2001-08-17 22:365,632--a--c---c:\windows\system32\dllcache\EXCH_adsiisex.dll
2008-11-30 19:06 . 2008-11-30 19:06749-rah-----c:\windows\WindowsShell.Manifest
2008-11-30 19:06 . 2008-11-30 19:06749-rah-----c:\windows\system32\wuaucpl.cpl.manifest
2008-11-30 19:06 . 2008-11-30 19:06749-rah-----c:\windows\system32\sapi.cpl.manifest
2008-11-30 19:06 . 2008-11-30 19:06749-rah-----c:\windows\system32\ncpa.cpl.manifest
2008-11-30 19:06 . 2008-11-30 19:06488-rah-----c:\windows\system32\logonui.exe.manifest
2008-11-30 19:03 . 2004-08-04 00:56949,248--a------c:\windows\system32\msdtctm.dll
2008-11-30 19:02 . 2004-08-04 00:561,251,840--a------c:\windows\system32\comsvcs.dll
2008-11-30 18:26 . 2003-07-16 13:391,086,182-ra------c:\windows\SETE8.tmp
2008-11-30 18:26 . 2003-07-16 13:3013,608-ra------c:\windows\SETF4.tmp
2008-11-30 18:26 . 2003-07-16 13:547,046-ra------c:\windows\SET106.tmp
2008-11-30 16:35 . 2004-08-03 23:076,400--a------c:\windows\system32\drivers\splitter.sys
2008-11-30 16:34 . 2004-08-03 22:5957,472--a------c:\windows\system32\drivers\redbook.sys
2008-11-30 16:34 . 2004-08-03 23:0752,864--a------c:\windows\system32\drivers\dmusic.sys
2008-11-30 16:32 . 2004-08-04 00:56130,048--a------c:\windows\system32\ksproxy.ax
2008-11-30 16:32 . 2004-08-04 00:564,096--a------c:\windows\system32\ksuser.dll
2008-11-30 16:31 . 2004-08-04 01:0140,840--a------c:\windows\system32\drivers\termdd.sys
2008-11-30 16:26 . 2008-11-30 16:26d---s----c:\windows\system32\config\systemprofile\History
2008-11-22 18:22 . 2008-11-22 18:22d--------c:\program files\Western Digital
2008-11-22 18:21 . 2008-11-22 18:21d--------c:\program files\Common Files\eSellerate
2008-11-22 18:19 . 2008-12-02 20:19d---s----c:\documents and settings\All Users\Application Data\Memeo
2008-11-22 18:15 . 2008-11-22 18:15d--------c:\program files\Western Digital Technologies
2008-11-17 17:04 . 2008-11-17 17:04d--------c:\documents and settings\Melissa\Application Data\MalwareRemovalBot

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 05:22---------d-----wc:\program files\Java
2008-12-03 05:46---------d-----wc:\documents and settings\All Users\Application Data\avg8
2008-12-02 00:54---------d-----wc:\program files\Common Files\Symantec Shared
2008-11-23 01:22---------d--h--wc:\program files\InstallShield Installation Information
2008-11-17 23:072,002----a-wc:\windows\Sysvxd.exe
2008-11-15 22:34---------d-----wc:\program files\Windows Live Safety Center
2008-11-11 22:59---------d-----wc:\documents and settings\Melissa\Application Data\NLOP
.

------- Sigcheck -------

2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855c:\windows\ServicePackFiles\i386\ip6fw.sys
2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855c:\windows\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\ip6fw.sys
2008-04-13 11:53 36608 3bb22519a194418d5fec05d800a19ad0c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ip6fw.sys
2008-04-13 11:53 36608 3bb22519a194418d5fec05d800a19ad0c:\windows\system32\drivers\ip6fw.sys
.
((((((((((((((((((((((((((((( [emailprotected]_23.31.45.98 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-17 04:50:3216,384----atwc:\windows\Temp\Perflib_Perfdata_630.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-18 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-08 136600]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\services.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-02 110160]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-11-17 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-11-17 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-02 20560]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]
.
Contents of the 'Scheduled Tasks' folder

2008-12-17 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://products.webroot.com/disp0201.php?pc=64002&rc=3029&oc=11&ps=T&mjv=3&mnv=5&bld=198&sid=⟨=en
FF - ProfilePath - c:\documents and settings\Melissa\Application Data\Mozilla\Firefox\Profiles\c95nf8gi.default\
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - plugin: c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-16 21:50:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-12-16 21:55:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-17 04:55:22
ComboFix2.txt 2008-12-16 04:53:27
ComboFix3.txt 2008-12-15 06:32:40

Pre-Run: 57,796,665,344 bytes free
Post-Run: 57,786,298,368 bytes free

183--- E O F ---2008-10-27 02:53:48No need to apologize. Everything looks much better, by the way. How are things running now?

Since you no longer need ComboFix, go ahead and uninstall it. Go to Start > Run and type combofix /u (note the space between combofix and /u) and click OK.

If that doesn't work, then download OTCleanIt.exe and save it to your Desktop.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it yourself.

Then clean out your System Restore. This is to remove any infected files that have been backed up by Windows. Please follow these steps...

1. Go to Start > Programs > Accessories > System Tools > System Restore
2. Click on System Restore Settings.
3. Check Turn off System Restore and click OK.
4. Restart your computer.
5. Follow steps 1 and 2 to return to the settings, uncheck Turn off System Restore, and click OK.
6. Create a new restore point and close the program.

System Restore will now be active again. If you would like to learn more about System Restore, go here.Everything is working great. The computer's speed is much better, no mysterious error messages, and all programs are working perfectly. I have a new restore point created and things look good.

Just wanted to say thank you to CBMatt(Chris?) for your help through this. You are very clear and helpful with your instruction, and make people's frustrating problems much EASIER. Also with your help I have learned a lot about battling viruses through this experience. Good Job, I will recommend this site to all.
Thank You again and have a wonderful holiday season.
CBMatt and Chris are both appropriate when referring to me. I'll respond to either one. Heh. Thank you for the kind words, Melissa (the name is in your logs, so I assume it's correct?). I'm very glad to hear that things are going well now.

Solve : I had a lot of similar symptoms here.?

Discussion

No Comment Found

Related InterviewSolutions

Reply to Comment