BleepingComputer.com: FakeAlert trojans moved to vault, Computer still being weird

Is it just me or is malware finding easier ways to get onto your computer? I was here about two months ago after terrible malware got on my computer and I decided just to reinstall Windows. Since then I've been avoiding unfamiliar websites for the most part, trying to be careful... and yesterday while I was on youtube, I made the mistake of clicking on an advertisement instead of deleting it when it came up in front of my video and since then my computer's been acting up.

For one, my Malwarebytes program won't open. It says it's browsing and that's it. It seems like everybody says this program wipes out anything, but it's always the first to be dismantled when an actual bug gets in your system... What good is it after that?

Anyway... I tried to reinstall it and it says it can't find the file to open. I downloaded Spybot to do a malware scan, it identified a virus, I could've sworn it began with V, but once it showed the result, my computer showed the blue screen and I was informed by Spybot after restarting that files for starting Malwarebytes AND Spybot had been deleted and it asked me if I wanted to deny these changes, which I said yes.

It will not let me go into safe mode. It loads and then shows me the blue screen.

AVG Anti-Virus has put two trojan files called FakeAlert into my virus vault. They are titled C:\WINDOWS\system32\lukopijo.exe, and C:\WINDOWS\system32\zujopuhe.exe. A couple tracking cookies were put in there too.

For some reason my computer's not being slow right now. I downloaded "ClamWin" based on a not exactly reputable Yahoo answers recommendation and it's still just scanning along, taking its sweet time. It did find something called "hiberfil.sys" though. I don't know if this program is even going to fix it.

Thank you for taking the time to read this, and I hope there is a way to fix this!
-Puppet

Here's my DDS log.


DDS (Ver_09-09-29.01) - NTFSx86
Run by Jennifer at 8:58:31.43 on Fri 10/09/2009
Internet Explorer: 6.0.2900.5512

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.gateway.com/g/sidepanel.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=PTB&M=Gateway M366
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=PTB&M=Gateway M366
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Power2GoExpress] NA
uRun: [Aim6]
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [<NO NAME>]
mRun: [Gateway Extended Warranty] "c:\program files\gateway\gwcares\GWCares.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SoundVolumeHotkeys.{9547D1C7-4F18-4104-8674-046DCD12BDF9}] c:\program files\sound volume hotkeys\SoundVolumeHotkeys.exe -a
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_04\bin\jusched.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [RemoteControl9] "c:\program files\cyberlink\powerdvd9\PDVD9Serv.exe"
mRun: [PDVD9LanguageShortcut] "c:\program files\cyberlink\powerdvd9\language\Language.exe"
mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
mRun: [kunopofaz] Rundll32.exe "c:\windows\system32\kivigoru.dll",a
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\kivigoru.dll,botajida.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: yezumahak - {892b225c-cb8a-47fd-a242-951d2e8ba236} - c:\windows\system32\kivigoru.dll
STS: mujuzedij: {892b225c-cb8a-47fd-a242-951d2e8ba236} - c:\windows\system32\kivigoru.dll
LSA: Notification Packages = scecli tibipaku.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jennifer\applic~1\mozilla\firefox\profiles\fi5xleh0.default\
FF - prefs.js: browser.startup.homepage - hxxp://us.mc507.mail.yahoo.com/mc/welcome?.gx=1&.tm=1250221525&.rand=6ttqd85bq2qce
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-10-09 08:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-09 08:54 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-09 08:54 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-09 07:50 67 a------- c:\windows\wininit.ini
2009-10-08 23:12 <DIR> --d----- c:\docume~1\jennifer\applic~1\.clamwin
2009-10-08 23:11 <DIR> --d----- c:\program files\ClamWin
2009-10-08 23:11 <DIR> --d----- c:\documents and settings\all users\.clamwin
2009-10-08 20:52 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-10-08 20:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-10-03 21:16 <DIR> --d----- c:\program files\MagicDVDRipper
2009-10-03 20:12 <DIR> --d----- c:\program files\common files\CyberLink
2009-10-03 20:09 29,480 a------- c:\windows\system32\msxml3a.dll
2009-10-03 20:01 <DIR> --d----- C:\DECCHECK
2009-09-22 19:01 208,744 a------- c:\windows\system32\muweb.dll
2009-09-22 19:01 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-09-22 19:01 268,648 a------- c:\windows\system32\mucltui.dll
2009-09-21 21:15 <DIR> --d----- c:\documents and settings\jennifer\Tracing
2009-09-21 21:12 <DIR> --d----- c:\program files\Microsoft
2009-09-21 21:12 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-09-21 21:09 <DIR> --d----- c:\program files\common files\Windows Live
2009-09-16 13:59 <DIR> --d----- c:\program files\Free M4a to MP3 Converter
2009-09-16 12:06 37,270 a------- c:\windows\system32\OggDSUninst.exe
2009-09-16 11:45 497,664 a------- c:\windows\system32\ac3filter.acm
2009-09-16 11:45 <DIR> --d----- c:\program files\AC3Filter
2009-09-16 11:44 85,504 a------- c:\windows\system32\ff_vfw.dll
2009-09-16 11:44 60,273 a------- c:\windows\system32\pthreadGC2.dll
2009-09-16 11:44 547 a------- c:\windows\system32\ff_vfw.dll.manifest
2009-09-16 11:44 <DIR> --d----- c:\program files\ffdshow
2009-09-16 11:25 120,056 -------- c:\windows\system32\pxcpyi64.exe
2009-09-16 11:25 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-09-16 11:25 9,464 -------- c:\windows\system32\drivers\cdralw2k.sys
2009-09-16 11:25 9,336 -------- c:\windows\system32\drivers\cdr4_xp.sys
2009-09-16 11:25 129,784 -------- c:\windows\system32\pxafs.dll
2009-09-16 11:24 <DIR> --d----- c:\program files\common files\DivX Shared
2009-09-16 11:24 <DIR> --d----- c:\program files\DivX
2009-09-16 11:02 <DIR> --d----- c:\program files\AVIcodec
2009-09-13 21:02 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-09-13 20:59 <DIR> --d--r-- c:\program files\Skype

==================== Find3M ====================

2009-10-03 20:08 505,128 a------- c:\windows\system32\msvcp71.dll
2009-08-27 10:14 86,811 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-08-13 20:09 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-08-13 20:09 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-13 20:09 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-13 18:09 21,419 a------- c:\windows\system32\drivers\AegisP.sys
2009-08-13 17:58 8,552 a------- c:\windows\system32\drivers\asctrm.sys
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-28 21:37 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-28 21:37 81,920 a------- c:\windows\system32\fontsub.dll
2009-07-26 16:44 48,448 a------- c:\windows\system32\sirenacm.dll
2009-07-17 12:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 17:15 90,112 a------- c:\windows\system32\dpl100.dll
2009-07-13 17:15 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-07-13 17:15 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-07-13 17:15 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-07-13 17:15 811,008 a------- c:\windows\system32\divx_xx16.dll
2009-07-13 17:15 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-07-13 17:15 685,056 a------- c:\windows\system32\DivX.dll
2009-07-09 07:41 50,688 a--sh--- c:\windows\system32\botajida.dll
2009-07-09 07:40 50,688 a--sh--- c:\windows\system32\fifugiku.dll
2009-07-08 19:40 167,424 a--sh--- c:\windows\system32\jomotewa.dll
2009-07-09 07:40 172,544 a--sh--- c:\windows\system32\kivigoru.dll
2009-07-09 07:40 88,576 a--sh--- c:\windows\system32\nevigapi.dll
2009-07-09 07:41 50,688 a--sh--- c:\windows\system32\peyeduli.dll
2009-07-08 19:40 83,968 a--sh--- c:\windows\system32\rimomuzo.dll
2009-07-09 07:41 50,688 a--sh--- c:\windows\system32\tibipaku.dll
2009-07-08 19:40 60,928 a--sh--- c:\windows\system32\vipafiyu.dll

============= FINISH: 9:04:26.15 ===============

Hello and to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

*If you have since resolved the original problem you were having, we would appreciate you letting us know.

*If not please perform the following steps below so we can have a look at the current condition of your machine.

*If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

**If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.
In order to be notified via email when your topic has a reply you need to enable topic notifications. To enable topic notifications you should do the following:

1. Click on the My Controls link at the top of the page to enter your control panel.

2. Scroll down to the Options category in the left hand side menu bar and click on the Email Settings link.

3. Put a checkmark in the checkbox labeled Enable 'Email Notification' by default?.

4. Set the If ticked, choose default type: menu option to Immediate Email Notification to have an email sent immediately when someone replied

The topics you are tracking are shown Here.
Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.
----------------------------*-------------------------------
We need to see some information about what is happening in your machine.

Please perform the following scan:

• Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.scr
    
  • DDS.pif
  
  
• Double click on the DDS icon, allow it to run.
  
• A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  
• Notepad will open with the results.
  
• Follow the instructions that pop up for posting the results.
  
• Close the program window, and delete the program from your desktop.

Kind regards
Net_Surfer

Hi! Sorry it took me a couple days to respond. For some reason I didn't receive an email notification of your reply even though I thought I'd watched the thread.

Since I last posted, I downloaded Super AntiSpyware and it seemed to work well. It picked up on a Vundo virus and some adware and deleted it, but the thing is, I'm still getting adware picked up on my scans, and since then I've gotten "Windows Security Center" warnings occasionally that my computer isn't protected. I've heard about notifications like this leading people to okaying things that damage the computer even more so I've ignored them.

I also noticed that I keep being redirected on Google, so I feel pretty sure I've still got something on my computer.

I attached a Root Repeal report and the other part of the DDS results. Here's a new log:


DDS (Ver_09-09-29.01) - NTFSx86
Run by Jennifer at 19:08:11.88 on Tue 10/27/2009
Internet Explorer: 6.0.2900.5512

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.gateway.com/g/sidepanel.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=PTB&M=Gateway M366
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=PTB&M=Gateway M366
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Power2GoExpress] NA
uRun: [Aim6]
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [<NO NAME>]
mRun: [Gateway Extended Warranty] "c:\program files\gateway\gwcares\GWCares.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SoundVolumeHotkeys.{9547D1C7-4F18-4104-8674-046DCD12BDF9}] c:\program files\sound volume hotkeys\SoundVolumeHotkeys.exe -a
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_04\bin\jusched.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [RemoteControl9] "c:\program files\cyberlink\powerdvd9\PDVD9Serv.exe"
mRun: [PDVD9LanguageShortcut] "c:\program files\cyberlink\powerdvd9\language\Language.exe"
mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\kivigoru.dll,botajida.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: mogepazen - {076c4b94-5428-4eb5-8226-599e53f9c4fa} - No File
SSODL: yezumahak - {892b225c-cb8a-47fd-a242-951d2e8ba236} - No File
STS: {892b225c-cb8a-47fd-a242-951d2e8ba236} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli tibipaku.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jennifer\applic~1\mozilla\firefox\profiles\fi5xleh0.default\
FF - prefs.js: browser.startup.homepage - hxxp://us.mc507.mail.yahoo.com/mc/welcome?.gx=1&.tm=1250221525&.rand=6ttqd85bq2qce
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-10-25 20:01 <DIR> --d----- c:\program files\Youtube Downloader HD
2009-10-24 20:56 <DIR> --d----- C:\Temp
2009-10-24 20:55 <DIR> --d----- c:\program files\Cheetah Burner
2009-10-24 20:41 67 a------- c:\windows\Easy Video to DVD.INI
2009-10-24 20:40 <DIR> --d----- c:\program files\Easy MPEG AVI DIVX WMV RM to DVD
2009-10-19 19:41 5,632 a------- c:\windows\system32\ptpusb.dll
2009-10-19 19:41 159,232 a------- c:\windows\system32\ptpusd.dll
2009-10-16 16:12 <DIR> --d----- c:\docume~1\jennifer\applic~1\LimeWire
2009-10-16 16:11 <DIR> --d----- c:\program files\LimeWire
2009-10-09 15:27 <DIR> --d----- c:\program files\CCleaner
2009-10-09 14:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-10-09 14:21 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-10-09 14:21 <DIR> --d----- c:\docume~1\jennifer\applic~1\SUPERAntiSpyware.com
2009-10-09 14:21 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-10-09 08:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-09 08:54 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-09 08:54 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-09 07:50 67 a------- c:\windows\wininit.ini
2009-10-08 20:52 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-10-08 20:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-10-03 21:16 <DIR> --d----- c:\program files\MagicDVDRipper
2009-10-03 20:12 <DIR> --d----- c:\program files\common files\CyberLink
2009-10-03 20:09 29,480 a------- c:\windows\system32\msxml3a.dll
2009-10-03 20:01 <DIR> --d----- C:\DECCHECK

==================== Find3M ====================

2009-10-03 20:08 505,128 a------- c:\windows\system32\msvcp71.dll
2009-09-25 09:41 856,064 a------- c:\windows\system32\divx_xx0c.dll
2009-09-25 09:41 856,064 a------- c:\windows\system32\divx_xx07.dll
2009-09-25 09:41 847,872 a------- c:\windows\system32\divx_xx0a.dll
2009-09-25 09:41 843,776 a------- c:\windows\system32\divx_xx16.dll
2009-09-25 09:41 839,680 a------- c:\windows\system32\divx_xx11.dll
2009-09-25 09:41 696,320 a------- c:\windows\system32\DivX.dll
2009-09-16 12:06 37,270 a------- c:\windows\system32\OggDSUninst.exe
2009-08-27 10:14 86,811 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-08-13 20:09 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-08 19:40 60,928 a--sh--- c:\windows\system32\vipafiyu.dll

============= FINISH: 19:10:49.00 ===============

Hello ,
And to the Bleeping Computer Malware Removal Forum, My name is Elise. I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
Please be patient and I'd be grateful if you would note the following:

• The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  
• Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  
• The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  
• Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

Hello Puppet,

P2P WARNING
-------------------
Going over your logs I noticed that you have LimeWire installed.

• Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  
• They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  
• Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  
• The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall LimeWire, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.



UNINSTALL PROGRAMS
--------------------------------
Go to Start > Control Panel > Add or Remove Programs.

Remove the following programs, if they are present.

• Viewpoint Media Player

If you are unsure of how to use Add or Remove Programs, then please see this tutorial:
How To Remove An Installed Program From Your Computer


COMBOFIX
---------------
Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  
• Double click on Combofix.exe and follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:

• Combofix.txt

Hello, Elise!

Thank you for coming to help me. I uninstalled Viewpoint Media Player. I'm a little hesitant about ComboFix, though. I've heard that it's a very powerful tool, and was wondering if "in case something goes wrong" when trying to remove malware with this program, it would screw up my Windows or even have to make me restart Windows? I'll give it a try if it's the necessary next step, but is there any more information about it that you can share with me? Thank you so much if you can.

It really is a necessary step Its very good you are aware about the risks and you NEVER should run this tool on your own. However, if you follow the directions I gave you, even if there should be complications, I will be able to assist you to undo the damage.

As long as you are running combofix under guidance, you will be assured from proper support in case something goes wrong.

Let me know if this answers your questions!

Hi Puppet, are you still there?

Hello! Sorry about that.

I downloaded ComboFix and finally did it after some hesitance!

This was my log. I think it may have deleted some things too.

ComboFix 09-11-03.01 - Jennifer 11/03/2009 22:15.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.170 [GMT -8:00]
Running from: c:\documents and settings\Jennifer\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Microsoft AData
c:\documents and settings\All Users\Microsoft AData\t.sid
c:\recycler\S-1-5-21-1359548162-1147282193-4273110680-500
c:\windows\kb913800.exe
c:\windows\system32\img_utils.dll
c:\windows\system32\imgscaler.dll
c:\windows\system32\logon.exe
c:\windows\system32\moyomego.dll.tmp
c:\windows\system32\pihimage.dll.tmp
c:\windows\system32\sufetida.dll.tmp
c:\windows\system32\videocore.dll
c:\windows\system32\videoformat.dll
c:\windows\system32\wehemeru.dll
D:\Autorun.inf

Infected copy of c:\windows\system32\drivers\iaStor.sys was found and disinfected
Restored copy from - Kitty ate it
.
((((((((((((((((((((((((( Files Created from 2009-10-04 to 2009-11-04 )))))))))))))))))))))))))))))))
.

2009-11-04 04:05 . 2009-11-04 04:18 -------- d-----w- C:\$AVG
2009-11-04 04:02 . 2009-11-04 05:37 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-04 03:59 . 2009-11-04 03:59 -------- d-----w- c:\windows\SxsCaPendDel
2009-10-26 03:01 . 2009-10-26 03:02 -------- d-----w- c:\program files\Youtube Downloader HD
2009-10-25 03:56 . 2009-10-25 03:56 -------- d-----w- C:\Temp
2009-10-25 03:40 . 2009-10-25 03:53 -------- d-----w- c:\program files\Easy MPEG AVI DIVX WMV RM to DVD
2009-10-20 02:41 . 2001-08-18 05:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-10-20 02:41 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-10-16 23:12 . 2009-11-04 06:05 -------- d-----w- c:\documents and settings\Jennifer\Application Data\LimeWire
2009-10-16 23:11 . 2009-10-16 23:11 -------- d-----w- c:\program files\LimeWire
2009-10-09 22:27 . 2009-10-09 22:27 -------- d-----w- c:\program files\CCleaner
2009-10-09 21:22 . 2009-10-09 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-09 21:21 . 2009-10-16 00:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-09 21:21 . 2009-10-09 21:21 -------- d-----w- c:\documents and settings\Jennifer\Application Data\SUPERAntiSpyware.com
2009-10-09 21:21 . 2009-10-09 21:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-09 15:54 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-09 15:54 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-09 15:54 . 2009-10-09 15:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-09 03:52 . 2009-10-09 22:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-09 03:52 . 2009-10-09 22:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-04 04:04 . 2009-08-14 03:09 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-04 04:04 . 2009-08-14 03:09 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-04 04:04 . 2009-08-14 03:09 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-04 04:03 . 2009-08-14 03:09 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-04 04:02 . 2009-08-14 03:09 -------- d-----w- c:\program files\AVG
2009-10-29 17:24 . 2009-08-17 20:29 -------- d-----w- c:\documents and settings\Jennifer\Application Data\OpenOffice.org2
2009-10-29 05:42 . 2009-08-14 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-10-26 03:03 . 2009-08-17 18:36 -------- d-----w- c:\program files\Easy Video Downloader
2009-10-25 05:28 . 2009-09-16 18:24 -------- d-----w- c:\program files\DivX
2009-10-25 05:27 . 2009-09-16 18:24 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-10-25 04:00 . 2009-10-04 02:44 -------- d-----w- c:\documents and settings\Jennifer\Application Data\CyberLink
2009-10-25 03:55 . 2009-10-25 03:55 -------- d-----w- c:\program files\Cheetah Burner
2009-10-25 03:55 . 2009-08-14 00:53 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-23 04:48 . 2009-09-14 04:01 -------- d-----w- c:\documents and settings\Jennifer\Application Data\Skype
2009-10-23 02:33 . 2009-09-14 04:02 -------- d-----w- c:\documents and settings\Jennifer\Application Data\skypePM
2009-10-05 01:18 . 2009-08-18 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJ
2009-10-05 01:18 . 2009-08-18 00:30 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJPLM
2009-10-04 04:16 . 2009-10-04 04:16 -------- d-----w- c:\program files\MagicDVDRipper
2009-10-04 03:13 . 2009-10-04 03:13 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2009-10-04 03:12 . 2009-10-04 03:12 -------- d-----w- c:\program files\Common Files\CyberLink
2009-10-04 03:10 . 2009-08-14 00:53 -------- d-----w- c:\program files\CyberLink
2009-10-04 03:08 . 2009-10-04 03:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Temp
2009-10-04 03:08 . 2009-10-04 03:09 29480 ----a-w- c:\windows\system32\msxml3a.dll
2009-10-04 03:08 . 2009-08-14 00:54 505128 ----a-w- c:\windows\system32\msvcp71.dll
2009-10-04 02:41 . 2009-10-04 02:41 131 ----a-w- c:\documents and settings\Jennifer\Local Settings\Application Data\fusioncache.dat
2009-09-30 00:54 . 2009-09-30 00:54 -------- d-----w- c:\documents and settings\Jennifer\Application Data\AdobeUM
2009-09-26 01:27 . 2009-08-14 04:16 -------- d-----w- c:\program files\Paint.NET
2009-09-26 01:27 . 2009-08-14 04:07 -------- d-----w- c:\program files\QuickTime
2009-09-26 01:27 . 2009-08-14 00:57 -------- d-----w- c:\program files\Common Files\AOL
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-09-25 16:41 . 2009-09-25 16:41 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-09-25 16:41 . 2009-09-25 16:41 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-09-25 16:41 . 2009-09-25 16:41 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-09-25 16:41 . 2009-09-25 16:41 696320 ----a-w- c:\windows\system32\DivX.dll
2009-09-23 14:07 . 2009-08-14 00:56 -------- d-----w- c:\program files\Microsoft Works
2009-09-22 04:13 . 2006-06-19 04:25 36624 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-22 04:12 . 2009-09-22 04:12 -------- d-----w- c:\program files\Microsoft
2009-09-22 04:12 . 2009-09-22 04:11 -------- d-----w- c:\program files\Windows Live
2009-09-22 04:12 . 2009-09-22 04:12 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-09-22 04:09 . 2009-09-22 04:09 -------- d-----w- c:\program files\Common Files\Windows Live
2009-09-16 20:59 . 2009-09-16 20:59 -------- d-----w- c:\program files\Free M4a to MP3 Converter
2009-09-16 19:06 . 2009-09-16 19:06 37270 ----a-w- c:\windows\system32\OggDSUninst.exe
2009-09-16 18:45 . 2009-09-16 18:45 -------- d-----w- c:\program files\AC3Filter
2009-09-16 18:44 . 2009-09-16 18:44 -------- d-----w- c:\program files\ffdshow
2009-09-16 18:27 . 2009-09-16 18:27 -------- d-----w- c:\documents and settings\Jennifer\Application Data\DivX
2009-09-16 18:02 . 2009-09-16 18:02 -------- d-----w- c:\program files\AVIcodec
2009-09-14 04:02 . 2009-09-14 04:02 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-09-14 03:59 . 2009-09-14 03:59 -------- d-----w- c:\program files\Common Files\Skype
2009-09-14 03:59 . 2009-09-14 03:59 -------- d-----r- c:\program files\Skype
2009-09-14 03:59 . 2009-09-14 03:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-08-14 01:09 . 2009-08-14 01:09 21419 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-08-14 00:58 . 2009-08-14 00:58 8552 ----a-w- c:\windows\system32\drivers\asctrm.sys
2009-08-14 00:57 . 2009-08-14 00:57 335 ----a-w- c:\windows\nsreg.dat
2009-08-14 00:39 . 2009-08-14 00:39 60 ----a-w- c:\windows\system32\SYSDRV.DAT
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"Gateway Extended Warranty"="c:\program files\Gateway\GWCares\GWCares.exe" [2004-02-08 73728]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-09-14 577536]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"SoundVolumeHotkeys.{9547D1C7-4F18-4104-8674-046DCD12BDF9}"="c:\program files\Sound Volume Hotkeys\SoundVolumeHotkeys.exe" [2008-04-13 136704]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 144784]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"RemoteControl9"="c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-04-28 87336]
"PDVD9LanguageShortcut"="c:\program files\CyberLink\PowerDVD9\Language\Language.exe" [2009-04-28 50472]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2009-05-08 75048]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-04 2010904]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-12-27 413696]

c:\documents and settings\Jennifer\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-9-30 503808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2009-8-13 2168360]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-3-14 622653]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-04 04:03 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Jennifer^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\Jennifer\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/13/2009 7:09 PM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/13/2009 7:09 PM 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/15/2009 10:42 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 10:42 AM 74480]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/10/03 20:12];c:\program files\CyberLink\PowerDVD9\000.fcl [5/7/2009 8:05 PM 87536]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [11/3/2009 8:02 PM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/3/2009 8:02 PM 285392]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 10:42 AM 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=PTB&M=Gateway M366
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\fi5xleh0.default\
FF - prefs.js: browser.startup.homepage - hxxp://us.mc507.mail.yahoo.com/mc/welcome?.gx=1&.tm=1250221525&.rand=6ttqd85bq2qce
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-Aim6 - (no file)
HKLM-Run-kunopofaz - c:\windows\system32\wehemeru.dll
SharedTaskScheduler-{892b225c-cb8a-47fd-a242-951d2e8ba236} - (no file)
SharedTaskScheduler-{caed50f6-2f6c-4b80-b308-dbd8990fa83d} - c:\windows\system32\wehemeru.dll
SSODL-mogepazen-{076c4b94-5428-4eb5-8226-599e53f9c4fa} - (no file)
SSODL-yezumahak-{892b225c-cb8a-47fd-a242-951d2e8ba236} - (no file)
SSODL-ledemimun-{caed50f6-2f6c-4b80-b308-dbd8990fa83d} - c:\windows\system32\wehemeru.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-03 22:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\wuauclt.exe.wusetup.228046.bak 51224 bytes executable
c:\windows\system32\wuaueng.dll.wusetup.232156.bak 1809944 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3988)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-11-04 22:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-04 06:35

Pre-Run: 51,745,562,624 bytes free
Post-Run: 51,735,068,672 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

Hello Puppet,

That looks a whole lot better! We got rid of a nasty rootkit

MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please start MBAM and on the Update tab, click on Check for updates now.

• If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

• Make sure the "Perform Full Scan" option is selected.
  
• Then click on the Scan button.
  
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When removal is completed, a log report will open in Notepad.
  
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  
• Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


In your next reply, please include the following:

• MBAM log

Hey Elise,

I just performed the Malwarebytes scan, but I wanted to bring something to your attention.

After I ran ComboFix, my computer was running a lot faster, and it seemed like the program had whiped everything out of my system. But I remember upon the first use of regular Windows afterward, a popup told me a certain dll file couldn't be found. The message disappeared without me clicking anything and, as I said, everything worked really well. It worked well this morning too. But when I came home this afternoon to use my computer, it wouldn't let me open Firefox. It ran it as a process, but it would not open the window, no matter which method I used. It also wouldn't open Internet Explorer. Also, the processes in the Task Manager were showing up as using as much as 50% CPU. I tried opening the browsers in Safe Mode with almost as scarce luck - only Internet Explorer works. I went back to regular Windows and it showed a blue screen I couldn't read before the computer shut off. However, I've since logged into regular Windows more than once without that problem.

AVG picked up "Threat detected in C:\System Volume Information\_restore ; Trojan horse SHeur2.BPSH" while I was running the Malwarebytes scan. And then when the scan was done, a bunch of Vundos and Worms showed up in the results! It doesn't make any sense to me, since the computer was running so well, and I really haven't done anything unsafe since yesterday. I feel like ComboFix might not have gotten it all, but perhaps you knew it wouldn't already and Malwarebytes was going to clean up after it.

My web browsers still won't open, unless I'm in safe mode, and only Internet Explorer. (The Firefox problem I've learned could be from a nasty virus called Poison Ivy, but I don't think that's it -- there aren't processes showing up on their own, or multiple ones, and it goes away when I end the process. Nothing suspicious seems to be happening with my mouse moving or anything.) So I don't know why Firefox isn't working suddenly. :/

Anyway, here is my Malwarebytes log.

Malwarebytes' Anti-Malware 1.41
Database version: 3102
Windows 5.1.2600 Service Pack 3

11/4/2009 5:00:15 PM
mbam-log-2009-11-04 (17-00-15).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 182745
Time elapsed: 1 hour(s), 20 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\logon.exe.vir (Worm.Emold) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\moyomego.dll.tmp.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\pihimage.dll.tmp.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\sufetida.dll.tmp.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wehemeru.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP75\A0033181.exe (Worm.Emold) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP75\A0033186.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP75\A0033338.exe (Worm.Emold) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP75\A0033341.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\296VOD6B\main_[1].exe (Worm.Emold) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\U1OPA9KJ\load-full[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Hello Puppet,

Thanks for the description! Really no need to panic here, you had a nasty rootkit, and we have some cleanup to do after it.

Quote

Does this still happen at start up? If so, can you please note down the name of the DLL for me?

After I see the OTL log I might be able to determine what is wrong with your internet browsers.
For Internet Explorer, please install Internet Explorer 8. You have now IE6, which is real old. IE8 is really not bad at all and a lot safer. You can download it from the microsoft website.
As for Firefox, I will come back to that after I have had a look on your log.

We need to create an OTL Report

• Please download OTL from one of the following mirrors:
  • This is THE Mirror
  
  
• Save it to your desktop.
  
• Double click on the icon on your desktop.
  
• Click the "Scan All Users" checkbox.
  
• Push the button.
  
• Two reports will open, copy and paste them in a reply here:
  • OTListIt.txt <-- Will be opened
    
  • Extra.txt <-- Will be minimized

In your next reply, please include the following:

• OTL report

Thank you, it's good to know that finding all those things was normal. I actually fixed the Firefox problem. Somehow my default web browser was set to "current" in "Set Program Access and Defaults", which confused it or something. I changed it back.

The popup about the DLL file being missing has not shown up since, and nothing dysfunctional has happened.

I have the two OTL reports, but I thought I should let you know - twice in the past hour, AVG picked up and blocked "win32/Cryptor"! It was sent to the Virus Vault, but I'm running Malwarebytes again to be safe. It seems to have already picked up on it and it's in that "System Volume Information" folder again. Ugh, this is a real pain! I've never had problems like this with malware before and I've had my laptop for three years. I'm so thankful there is a forum like this and people like you to get personal help from.

I attached both files.

Glad to hear everything is working better already

Hows internet explorer doing? Can you use it in normal mode and did you try to update to IE8?

Don't worry about the AVG detection, if it is in System Restore, we will take care of it in a later stage.

Both my browsers work again in normal and safe mode. =) I also upgraded to IE8 and to be extra safe, I uninstalled Limewire.

I read not long ago that bad files in the System Restore just restore themselves after you delete them, and something about turning off the restore before getting rid of them, but I haven't tried to follow any extra advice besides yours.