
System Infected with Spyware2009


  • This topic is locked
16 replies to this topic

#1 CrisGer


Posted 29 December 2008 - 10:54 PM

I am trying to clean out an older system that has XP SP1 installed, an HP Coppermine Pentium 4400 with a 14 GB HD. I lent it to a friend and it has become infected with Spyware 2009; they keep getting popup ads from the program, and now they can't use any anti-spyware programs, including AntiMalware, PCTools, or Spybot. They all cannot run, and I can't even uninstall AntiMalware to reload it. Also I can't start up in Safe Mode... it hangs with a blank screen in Safe Mode but won't open to users or past that point, and the normal boot-up takes a LONG time. I will load up DDS and HijackThis and get logs and post them. Help will be appreciated; this appears to be a nasty situation.

I can't run the infected computer on the internet as none of the browsers work, so I am using my main machine for this posting, and will work on the other machine when there are suggestions here on what to do.

I ran the DDS scan as requested and post the log below and will attach the other file.

logs:

DDS


DDS (Version 1.1.0) - NTFSx86
Run by Christopher at 10:00:28.27 on Mon 12/29/2008
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.230 [GMT -7:00]

AV: PC Tools AntiVirus 5.0.0.22 *On-access scanning enabled* (Updated)
AV: AVG 7.5.524 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN\Toolbar\3.0.0988.2\msntask.exe
C:\Program Files\PC Tools AntiVirus\Update.exe
C:\Documents and Settings\Christopher\Desktop\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uLocal Page = \blank.htm
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: MyIdentityDefender: {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - c:\documents and settings\christopher\local settings\application data\cyberdefender\cdmyidd.dll
BHO: &Research: {037c7b8a-151a-49e6-baed-cc05fcb50328} - c:\windows\system32\winsrc.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: Smart-Shopper: {4a7c84e2-e95c-43c6-8dd3-03abcd0eb60e} - c:\program files\smart-shopper\bin\2.5.1\Smrt-Shpr.dll
BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: MyIdentityDefender: {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - c:\documents and settings\christopher\local settings\application data\cyberdefender\cdmyidd.dll
BHO: {a448229b-daec-43bf-a9e0-73f3b749b8fb} - c:\windows\system32\wuruteli.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: MyIdentityDefender: {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - c:\documents and settings\christopher\local settings\application data\cyberdefender\cdmyidd.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: SmartShopper: {8bcb5337-ec01-4e38-840c-a964f174255b} - c:\program files\smart-shopper\bin\2.5.1\Smrt-Shpr.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [ieupdate] "c:\windows\system32\explorer32.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [OutpostFeedBack] c:\progra~1\agnitum\outpos~1.0\feedback.exe /dump:os_startup
mRun: [Outpost Firewall] "c:\program files\agnitum\outpost firewall 1.0\outpost.exe" /waitservice
mRun: [PCTAVApp] "c:\program files\pc tools antivirus\PCTAV.exe" /MONITORSCAN
mRun: [kofohoriti] Rundll32.exe "c:\windows\system32\sopukare.dll",s
mRun: [8c020bd0] rundll32.exe "c:\windows\system32\nimuhoke.dll",b
mRun: [CPM8f31384c] Rundll32.exe "c:\windows\system32\vanabesa.dll",a
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\christ~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3cc3d8fe-f0e0-4dd1-a69a-8c56bcc7bebf} - {6FAC4823-815E-4361-836E-46D65ED2550B} - c:\program files\smart-shopper\bin\2.5.1\Smrt-Shpr.dll
IE: {3cc3d8fe-f0e0-4dd1-a69a-8c56bcc7bec0} - {4CF088BD-BE95-40a5-BE9B-677F8683EDEA} - c:\program files\smart-shopper\bin\2.5.1\Smrt-Shpr.dll
IE: {44627E97-789B-40d4-B5C2-58BD171129A1} - {A1A7E22D-1587-4230-8F16-081C68D21448} - c:\progra~1\agnitum\outpos~1.0\plugins\browserbar\ie_bar.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
AppInit_DLLs: c:\windows\system32\yivabada.dll c:\windows\system32\vanabesa.dll
SSODL: UkBkrsMHGwok - {8C020B80-26A8-A12A-1AC4-6F008F970892} - c:\windows\system32\xhxkgj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vanabesa.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\vanabesa.dll
SecurityProviders: msapsspc.dll schannel.dll digest.dll msnsspc.dll
LSA: Notification Packages = scecli c:\windows\system32\yivabada.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\christ~1\applic~1\mozilla\firefox\profiles\1dtlhf2p.default\
FF - plugin: c:\documents and settings\christopher\application data\mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\google\google updater\2.4.1399.3742\npCIDetect13.dll
FF - plugin: c:\program files\yahoo!\common\npyaxmpb.dll

============= SERVICES / DRIVERS ===============

R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2008-8-15 4224]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2008-8-15 10760]
R2 avfilter;AVFilter;c:\windows\system32\drivers\AVFilter.sys [2008-10-16 21904]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2008-8-15 4960]
R2 pctavsvc;PC Tools AntiVirus Engine;"c:\program files\pc tools antivirus\PCTAVSvc.exe" [2008-10-16 995520]
R3 avhook;AVHook;c:\windows\system32\drivers\AVHook.sys [2008-10-16 28568]
S1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2008-8-15 821856]
S1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2008-8-15 27776]
S1 vfilt;Outpost Firewall Kernel Driver;\??\c:\progra~1\agnitum\outpos~1.0\kernel\2000\FILTNT.SYS []
S2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe []
S2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe []
S2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe []
S3 adblock.dll;Outpost Firewall PlugIn (ADBLOCK.DLL);\??\c:\progra~1\agnitum\outpos~1.0\kernel\ADBLOCK.DLL []
S3 cdavfs;CDAVFS;c:\windows\system32\drivers\CDAVFS.sys []
S3 content.dll;Outpost Firewall PlugIn (CONTENT.DLL);\??\c:\progra~1\agnitum\outpos~1.0\kernel\CONTENT.DLL []
S3 dnscache.dll;Outpost Firewall PlugIn (DNSCACHE.DLL);\??\c:\progra~1\agnitum\outpos~1.0\kernel\DNSCACHE.DLL []
S3 ftpfilt.dll;Outpost Firewall PlugIn (FTPFILT.DLL);\??\c:\progra~1\agnitum\outpos~1.0\kernel\FTPFILT.DLL []
S3 htmlfilt.dll;Outpost Firewall PlugIn (HTMLFILT.DLL);\??\c:\progra~1\agnitum\outpos~1.0\kernel\HTMLFILT.DLL []
S3 httpfilt.dll;Outpost Firewall PlugIn (HTTPFILT.DLL);\??\c:\progra~1\agnitum\outpos~1.0\kernel\HTTPFILT.DLL []
S3 imapfilt.dll;Outpost Firewall PlugIn (IMAPFILT.DLL);\??\c:\progra~1\agnitum\outpos~1.0\kernel\IMAPFILT.DLL []
S3 mailfilt.dll;Outpost Firewall PlugIn (MAILFILT.DLL);\??\c:\progra~1\agnitum\outpos~1.0\kernel\MAILFILT.DLL []
S3 nntpfilt.dll;Outpost Firewall PlugIn (NNTPFILT.DLL);\??\c:\progra~1\agnitum\outpos~1.0\kernel\NNTPFILT.DLL []
S3 pop3filt.dll;Outpost Firewall PlugIn (POP3FILT.DLL);\??\c:\progra~1\agnitum\outpos~1.0\kernel\POP3FILT.DLL []
S3 protect.dll;Outpost Firewall PlugIn (PROTECT.DLL);\??\c:\progra~1\agnitum\outpos~1.0\kernel\PROTECT.DLL []
S3 sysrest.sys;sysrest.sys;\??\c:\windows\system32\sysrest.sys []

=============== Created Last 30 ================

2008-12-28 08:54 1,262,959 ---sh--- c:\windows\system32\ekohumin.ini
2008-12-27 19:43 1,262,959 ---sh--- c:\windows\system32\aguyalow.ini
2008-12-27 06:48 1,254,044 ---sh--- c:\windows\system32\ibiyuloh.ini
2008-12-26 13:10 1,254,115 ---sh--- c:\windows\system32\orumohuw.ini
2008-12-26 13:09 54,156 a---h--- c:\windows\QTFont.qfn
2008-12-26 13:09 1,409 a------- c:\windows\QTFont.for
2008-12-25 14:06 1,603,449 ---sh--- c:\windows\system32\uzolesoh.ini
2008-12-24 07:04 1,603,449 ---sh--- c:\windows\system32\ejipipay.ini
2008-12-23 19:00 1,603,467 ---sh--- c:\windows\system32\opumuyep.ini
2008-12-22 16:00 0 a------- c:\windows\system32\winsrc.dll.tmp
2008-12-22 08:29 1,603,467 ---sh--- c:\windows\system32\ewumuvip.ini
2008-12-21 20:30 337,408 a------- c:\windows\system32\winsrc.dll
2008-12-21 20:30 123,904 a------- c:\windows\system32\explorer32.exe
2008-12-21 19:33 1,603,467 ---sh--- c:\windows\system32\ometelos.ini
2008-12-20 07:03 105 a------- c:\windows\wininit.ini
2008-12-19 10:59 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-19 09:26 61,440 a------- c:\windows\system32\drivers\hwwm.sys
2008-12-18 18:35 <DIR> --d----- c:\docume~1\christ~1\applic~1\Smart-Shopper
2008-12-18 18:35 <DIR> --d----- c:\program files\Smart-Shopper
2008-12-18 18:27 54,112 ac------ C:\adinekir.ttf

==================== Find3M ====================

2008-12-28 08:54 99,019 a--sh--- c:\windows\system32\vanabesa.dll
2008-12-28 08:54 87,258 a--sh--- c:\windows\system32\nimuhoke.dll
2008-12-27 19:43 97,973 a--sh--- c:\windows\system32\fusigagi.dll
2008-12-27 19:43 87,142 -------- c:\windows\system32\wolayuga.dll
2008-12-27 18:43 99,592 a--sh--- c:\windows\system32\pinoteye.dll
2008-12-27 18:43 61,659 a--sh--- c:\windows\system32\mofebese.dll
2008-12-27 06:43 99,517 a--sh--- c:\windows\system32\nevihezu.dll
2008-12-26 13:10 98,885 a--sh--- c:\windows\system32\joduharu.dll
2008-12-26 13:10 87,152 -------- c:\windows\system32\wuhomuro.dll
2008-12-25 14:06 99,043 a--sh--- c:\windows\system32\zavidegu.dll
2008-12-25 14:06 87,325 a--sh--- c:\windows\system32\hoselozu.dll
2008-12-25 13:06 63,259 a--sh--- c:\windows\system32\wedusoha.dll
2008-12-24 07:04 99,086 a--sh--- c:\windows\system32\tefifohi.dll
2008-12-24 07:04 84,025 -------- c:\windows\system32\yapipije.dll
2008-12-23 19:00 99,089 a--sh--- c:\windows\system32\zakanilu.dll
2008-12-23 19:00 84,641 -------- c:\windows\system32\peyumupo.dll
2008-12-23 17:57 65,107 a--sh--- c:\windows\system32\yunukino.dll
2008-12-22 08:29 83,022 -------- c:\windows\system32\pivumuwe.dll
2008-12-22 08:29 94,827 a--sh--- c:\windows\system32\dasofupu.dll
2008-12-21 19:33 98,033 a--sh--- c:\windows\system32\nanemefu.dll
2008-12-21 19:33 85,103 -------- c:\windows\system32\soletemo.dll
2008-12-21 07:33 97,564 a--sh--- c:\windows\system32\hujepaka.dll
2008-12-20 19:33 97,576 a--sh--- c:\windows\system32\gozomose.dll
2008-12-20 07:33 94,960 a--sh--- c:\windows\system32\luyehaya.dll
2008-12-19 19:32 94,784 a--sh--- c:\windows\system32\dewulale.dll
2008-12-19 07:32 97,501 a--sh--- c:\windows\system32\nodedeje.dll
2008-12-18 18:31 96,921 a--sh--- c:\windows\system32\fefiweta.dll
2008-12-03 19:52 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 19:52 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-10-05 07:51 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-04-19 12:34 32 a---h--- c:\docume~1\alluse~1\applic~1\ezsid.dat
2003-03-31 05:00 94,784 ---sh--- c:\windows\twain.dll
2004-08-04 00:56 50,688 ---sh--- c:\windows\twain_32.dll
2008-09-25 13:06 80,896 a--sh--- c:\windows\system32\bisepufi.dll
2008-09-23 17:57 74,752 a--sh--- c:\windows\system32\kizosewa.dll
2004-08-04 00:56 1,028,096 ---sh--- c:\windows\system32\mfc42.dll
2004-08-04 00:56 54,784 ---sh--- c:\windows\system32\msvcirt.dll
2004-08-04 00:56 343,040 a--sh--- c:\windows\system32\msvcrt.dll
2008-09-25 13:06 63,259 a--sh--- c:\windows\system32\nefilepu.dll
2004-08-04 00:56 553,472 a--sh--- c:\windows\system32\oleaut32.dll
2004-08-04 00:56 83,456 a--sh--- c:\windows\system32\olepro32.dll
2004-08-04 00:56 11,776 ---sh--- c:\windows\system32\regsvr32.exe
2008-09-27 18:43 2,048 a--sh--- c:\windows\system32\rohitelu.dll
2008-09-27 18:43 61,659 a--sh--- c:\windows\system32\sopukare.dll
2008-09-27 18:43 61,659 a--sh--- c:\windows\system32\wuruteli.dll
2008-09-27 18:43 61,659 a--sh--- c:\windows\system32\yivabada.dll

============= FINISH: 10:03:38.34 ===============

and I have a HijackThis log if useful; I got 2 errors trying to run it, but I did get a log.

IE 6.0 on that computer will not allow me to open any site other than the default Google, and I can't use Firefox either; I tried opening BleepingComputer and the page keeps getting interrupted.

The default Google screen has a note from AntiVirus 2009 saying this page is corrupted (no kidding) and to install AntiVirus 2009; boy, these guys are amazingly brazen and arrogant.

Can't run AntiMalware or Spybot; a scan from PCTools does not show anything. But I still can't completely uninstall the old install of AntiMalware or install a new one.

I have the file from DDS to attach but I don't see any option to attach a file anymore here.... it is a RAR file as I don't use WinZip and don't like zips.

The computer shows a popup message that keeps saying to install AntiVirus 2009.


Game Researcher and Designer
http://3dworldandgamedevelopers.blogspot.com//
Admin
3D Worlds and Game Developers Group Linkedin
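For anyone reading this thread later, here is an added example that is not part of the original post and not a tool DDS or BleepingComputer ships: a small Python triage script that reads a handful of lines copied from the DDS log above (plus a benign NVIDIA Run entry and two benign file listings from the same log, for contrast) and flags the entries a helper would zero in on. The rules are the editor's own heuristics, not anything DDS does: rundll32 Run entries that load a DLL with a one-letter export or a lowercase six-to-eight-letter name, per-user (HKCU) Run entries pointing into system32, anything listed under AppInit_DLLs, any LSA notification package other than the XP default scecli, BHO/SSODL/STS objects backed by such DLLs, and hidden+system files in system32 modified within 30 days of the log date. The 30-day window, the name pattern and the scecli-only baseline are assumptions; hits are leads to inspect, not verdicts.

```python
import re
from datetime import date, timedelta

# Lines copied from the DDS log posted in this thread. The NvMediaCenter,
# msvcrt.dll and mbam.sys lines are benign and are here to show what is NOT flagged.
SAMPLE_DDS_LINES = r"""
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [kofohoriti] Rundll32.exe "c:\windows\system32\sopukare.dll",s
mRun: [8c020bd0] rundll32.exe "c:\windows\system32\nimuhoke.dll",b
mRun: [CPM8f31384c] Rundll32.exe "c:\windows\system32\vanabesa.dll",a
uRun: [ieupdate] "c:\windows\system32\explorer32.exe"
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: {a448229b-daec-43bf-a9e0-73f3b749b8fb} - c:\windows\system32\wuruteli.dll
AppInit_DLLs: c:\windows\system32\yivabada.dll c:\windows\system32\vanabesa.dll
SSODL: UkBkrsMHGwok - {8C020B80-26A8-A12A-1AC4-6F008F970892} - c:\windows\system32\xhxkgj.dll
LSA: Notification Packages = scecli c:\windows\system32\yivabada.dll
2008-12-28 08:54 99,019 a--sh--- c:\windows\system32\vanabesa.dll
2004-08-04 00:56 343,040 a--sh--- c:\windows\system32\msvcrt.dll
2008-12-03 19:52 15,504 a------- c:\windows\system32\drivers\mbam.sys
"""

# A path directly under system32 (DDS lowercases the directory part).
SYS32_PATH = re.compile(r'c:\\windows\\system32\\[^\s",]+', re.I)
# Heuristic (assumption): 6-8 lowercase letters, no digits, right under system32.
# Case-sensitive on purpose so vendor names like NvMcTray.dll do not match.
LOWERCASE_NAME = re.compile(r'\\[a-z]{6,8}\.(?:dll|exe)$')
# rundll32 <dll>,<export>  with or without quotes around the DLL path.
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)"?,(\S*)', re.I)
# DDS file listing: date time size attributes path
LISTING = re.compile(r'^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} +[\d,]+ +(\S{8}) +(\S.*)$')
# Assumption: on a stock XP box scecli is the only LSA notification package.
DEFAULT_LSA_PACKAGES = {'scecli'}


def looks_random(path):
    return LOWERCASE_NAME.search(path) is not None


def triage(dds_text, log_date, window_days=30):
    """Return (reason, path) pairs for DDS entries that deserve a closer look."""
    findings = []
    cutoff = log_date - timedelta(days=window_days)
    for line in dds_text.splitlines():
        key, _, rest = line.partition(':')
        key = key.strip()
        if key.endswith('Run'):                      # uRun / mRun / dRun
            m = RUNDLL.search(rest)
            if m and (len(m.group(2)) <= 1 or looks_random(m.group(1))):
                findings.append(('rundll32 loading a random-named DLL or one-letter export', m.group(1)))
            elif key == 'uRun':                      # HKCU Run normally points at user/program dirs
                for p in SYS32_PATH.findall(rest):
                    findings.append(('per-user Run entry pointing into system32', p))
        elif key == 'AppInit_DLLs':                  # injected into every process that loads user32
            for p in SYS32_PATH.findall(rest):
                findings.append(('AppInit_DLLs injection', p))
        elif key == 'LSA' and 'Notification Packages' in rest:   # loaded by lsass.exe
            for pkg in rest.split('=', 1)[1].split():
                if pkg.lower() not in DEFAULT_LSA_PACKAGES:
                    findings.append(('non-default LSA notification package', pkg))
        elif key in ('BHO', 'SSODL', 'STS'):         # browser / shell load points
            for p in SYS32_PATH.findall(rest):
                if looks_random(p):
                    findings.append((f'{key} backed by random-named system32 DLL', p))
        else:
            m = LISTING.match(line)
            if m:
                modified = date(*map(int, m.group(1).split('-')))
                attrs, path = m.group(2), m.group(3)
                if ('s' in attrs and 'h' in attrs and modified >= cutoff
                        and '\\system32\\' in path.lower()):
                    findings.append(('recent hidden+system file in system32', path))
    return findings


def triage_sample():
    """Run the heuristics over the quoted log lines with the log's own date."""
    return triage(SAMPLE_DDS_LINES, date(2008, 12, 29))


if __name__ == '__main__':
    for reason, path in triage_sample():
        print(f'{reason:60s} {path}')
```

Run as a script it prints ten hits: the three rundll32 entries, explorer32.exe, both AppInit DLLs, the SSODL and BHO DLLs, the LSA package and the fresh hidden+system vanabesa.dll, while the NVIDIA Run entry, msvcrt.dll (hidden+system but dated 2004) and the MBAM driver are left alone. Feeding it a whole DDS log works the same way; the file-listing rule is the one most worth tuning, since a Windows Update run can also drop hidden+system files into system32.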

#2 fenzodahl512


Posted 05 January 2009 - 04:41 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so. It will be in your best interest.

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DO NOT mouse-click ComboFix's window while it's running. That may cause it to stall.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 CrisGer

  • Topic Starter

Posted 05 January 2009 - 05:09 PM

Well, I tried, but got mixed results, I think.

I was not able to run ComboFix normally... it ran but I got no prompts, and I just left it running in hopes it was doing its job.

I came back and the computer had rebooted, and there was an error notice... I found a log from something called CyberDefender that had attempted to register itself. Was that ComboFix? If so, I will take a chance and post the log:

[It may have tried to register itself, but I can't get online with the current malware. It hijacks the connection almost immediately and will not allow use of browsers.]

[INFO (Thread ID=)]
001 23 18:11:38 001 .=*** Cobrand = CYBERDEFENDER
001 23 18:12:44 001 .=*** Cobrand =
001 23 18:15:18 001 .=*** No Cobrand detected from command line.
002 23 18:15:18 563 .=CompanyNameShort = CyberDefender
001 23 18:41:59 001 .=*** No Cobrand detected from command line.
001 23 18:43:24 001 .=*** No Cobrand detected from command line.
001 05 13:29:08 001 .=*** No Cobrand detected from command line.
[ERROR (Thread ID=3996)]
002 23 18:11:38 563 .=.
003 23 18:11:38 193 .=***************************BEGIN***************************
067 23 18:12:10 303 .=C:\Program Files\CyberDefender\AntiSpyware\AWSDLL.dll attempted to be registered! (.NET, by regasm.exe)
[FLOW (Thread ID=3996)]
004 23 18:11:38 808 .=.
005 23 18:11:38 585 .=***************************BEGIN***************************
008 23 18:11:38 895 .=Command Line="C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\cdA.tmp\2006 codebase\installers\cdinstaller8\bin\runtime\edc-cyberdefender_v2\cdinstx.exe" /i /a 175907 /cobrand CYBERDEFENDER
010 23 18:11:38 746 .=Target Directory assigned = C:\Program Files\CyberDefender
011 23 18:11:38 174 .=Install Path Detected = C:\Program Files\CyberDefender
036 23 18:11:39 607 .=StartPage: Show=TRUE
037 23 18:11:39 783 .=StartPage: Show=FALSE
039 23 18:11:39 519 .=LicensePage: Show=TRUE
040 23 18:11:43 301 .=LicensePage: Show=FALSE
041 23 18:11:48 875 .=SkipPage: Show=TRUE
042 23 18:11:48 726 .=SkipPage: Show=FALSE
044 23 18:11:48 925 .=Target Directory assigned = C:\Program Files\CyberDefender
047 23 18:11:48 462 .=DestinationPage: Show=TRUE
049 23 18:11:52 862 .=Target Directory detected = C:\Program Files\CyberDefender
050 23 18:11:52 209 .=DestinationPage: Show=FALSE
051 23 18:11:52 001 .=3rd Party Install thread is running...
052 23 18:11:52 779 .=ProgressPage: Show=TRUE
053 23 18:11:52 001 .=Install thread is running...
054 23 18:11:52 563 .=CHECKED: file didn't exist before this installation.
056 23 18:11:52 808 .=Target Directory detected = C:\Program Files\CyberDefender
064 23 18:12:08 858 .=AntiSpam - all files have been copied from C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\cdA.tmp\2006 codebase\installers\cdinstaller8\bin\runtime\edc-cyberdefender_v2\InstallModule\AntiSpam to C:\Program Files\CyberDefender
065 23 18:12:09 710 .=AntiSpam: installation complete!!!
068 23 18:12:10 014 .=Create Process: "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\regasm.exe" /silent /nologo "C:\Program Files\CyberDefender\AntiSpyware\AWSDLL.dll"
069 23 18:12:18 091 .=Create Process: "C:\Program Files\CyberDefender\AntiSpyware\gacutil.exe" /if "C:\Program Files\CyberDefender\AntiSpyware\AWSDLL.dll"
070 23 18:12:19 364 .=AntiSpyware: installation complete!!!
072 23 18:12:39 165 .=AV Driver: installation complete!!!
073 23 18:12:39 988 .=TuneUpActiveXDetector: installation complete!!!
074 23 18:12:39 445 .=AntiVirus: installation complete!!!
075 23 18:12:39 119 .=EDC: installation complete!!!
077 23 18:12:40 008 .=Create Process: C:\Program Files\CyberDefender\cdinstx.exe /i /m SecurityToolbar /s1 /cobrand
078 23 18:12:40 843 .=ProgressPage: Show=FALSE
079 23 18:14:59 996 .=SkipPage: Show=TRUE
080 23 18:14:59 999 .=SkipPage: Show=FALSE
083 23 18:15:04 266 .=SuccessPage: Show=FALSE
084 23 18:15:06 297 .=BrowserPage: Show=TRUE
085 23 18:15:06 840 .=Hidden Browser called the OnDocumentComplete function.
086 23 18:15:06 023 .=Hidden Browser called the OnDocumentComplete function.
087 23 18:15:06 375 .=Enterng CCDInstallerApp::ExitInstance()
088 23 18:15:06 092 .=Create Process: C:\Program Files\CyberDefender\AntiSpyware\cdasb.exe
102 23 18:15:09 468 .=Exiting CCDInstallerApp::ExitInstance()
[INFO (Thread ID=3996)]
006 23 18:11:38 479 .=.
007 23 18:11:38 350 .=***************************BEGIN***************************
009 23 18:11:38 822 .=InstallSubPath="CyberDefender"
012 23 18:11:38 858 .=*cfg.ini detected:
013 23 18:11:38 710 .=(From .cfg file) ADP=-1
014 23 18:11:38 513 .=***Install Mode has been detected***
015 23 18:11:38 303 .=Title=CyberDefender Early Detection Center
016 23 18:11:38 014 .=caption=CyberDefender Internet Security Suite
017 23 18:11:38 091 .=CompanyNameShort = CyberDefender
018 23 18:11:38 364 .=ProductNameShort =
019 23 18:11:38 147 .=CompanyNameShort = CyberDefender Corp.
020 23 18:11:38 165 .=CompanyURL =http://www.cyberdefender.com
021 23 18:11:38 988 .=SupportURL =http://cyberdefender.com/products_comparesupport.html
022 23 18:11:38 445 .=PrivacyURL =http://edc.cyberdefender.com/privacy.htm
023 23 18:11:38 119 .=DisplayName =CyberDefender Early Detection Center
024 23 18:11:38 004 .=cobrand =CYBERDEFENDER
025 23 18:11:38 008 .=source=
026 23 18:11:38 377 .=*** Cobrand = CYBERDEFENDER (from .set file)
027 23 18:11:38 531 .=ShowWelcome=-1
028 23 18:11:38 571 .=CloseIE=-1
029 23 18:11:38 601 .=uinst6=-1
030 23 18:11:38 607 .=QuickInst=-1
031 23 18:11:38 166 .=QuickBuy=-1
032 23 18:11:38 663 .=(From .set file) ADP=0
033 23 18:11:38 450 .=(From .set file) FullTrial=0
034 23 18:11:38 352 .=InstallModule="AntiSpam"
035 23 18:11:39 057 .=Dialog caption: CyberDefender Internet Security Suite
038 23 18:11:39 802 .=p2d build configuration detected.
043 23 18:11:48 955 .=InstallSubPath="CyberDefender"
045 23 18:11:48 539 .=***Security Toolbar has already been installed (whatever ST layout is on the user machine).***
046 23 18:11:48 142 .=p2d build configuration detected.
048 23 18:11:52 235 .=InstallSubPath="CyberDefender"
055 23 18:11:52 193 .=InstallSubPath="CyberDefender"
057 23 18:11:52 585 .=CDAVFS driver: CDAVFS.UserFiles = C:\Program Files\CyberDefender\AntiVirus
058 23 18:11:52 479 .=CDAVFS driver: StartType = 3
059 23 18:11:52 350 .=CDAVFS driver: PatPath = "C:\Program Files\CyberDefender\AntiVirus\cdavpat.dat.03"
060 23 18:12:02 895 .=C:\Program Files\CyberDefender\InstallModule\AntiSpam\CSIDL_PROGRAM_FILES\earlySpam\cdaspm.dll has passed MD5 check and has not been replaced with the identical file from the installation package.
061 23 18:12:02 822 .=C:\Program Files\CyberDefender\InstallModule\AntiSpam\CSIDL_PROGRAM_FILES\earlySpam\oeapiinitcom.dll has passed MD5 check and has not been replaced with the identical file from the installation package.
062 23 18:12:02 746 .=C:\Program Files\CyberDefender\InstallModule\AntiSpam\CSIDL_PROGRAM_FILES\earlySpam\oecom.dll has passed MD5 check and has not been replaced with the identical file from the installation package.
063 23 18:12:02 174 .=C:\Program Files\CyberDefender\InstallModule\AntiSpam\CSIDL_PROGRAM_FILES\earlySpam\oestore.dll has passed MD5 check and has not been replaced with the identical file from the installation package.
066 23 18:12:10 513 .=p2d build configuration detected.
071 23 18:12:20 147 .=CDAVFS driver will be re-installed: clean installation
076 23 18:12:40 004 .=p2d build configuration detected.
081 23 18:14:59 611 .=*** Entering reading the cdinstx_restart key. ***
082 23 18:14:59 392 .=*** Exiting reading the cdinstx_restart key. ***
089 23 18:15:06 677 .=WaitURL has been set: http://www.cyberdefender.com/uninstallsurvey
090 23 18:15:06 056 .=GoodbyeURL has been set: http://www.cyberdefender.com/uninstall_confirmation.html
091 23 18:15:06 008 .=System Temp Directory: c:\docume~1\christ~1\locals~1\temp\cda.tmp
092 23 18:15:06 918 .=Application Path: c:\docume~1\christ~1\locals~1\temp\cda.tmp\2006 codebase\installers\cdinstaller8\bin\runtime
093 23 18:15:06 275 .=Folder(s) (from Temp directory) to be removed:
094 23 18:15:06 272 .=C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\cdA.tmp\2006 codebase\installers\cdinstaller8\bin\runtime\edc-cyberdefender_v2\cdinstx.exe -> to registry to delete after restart
095 23 18:15:06 587 .=c:\docume~1\christ~1\locals~1\temp\cda.tmp -> to registry to delete after restart
096 23 18:15:09 691 .=c:\docume~1\christ~1\locals~1\temp\cda.tmp\2006 Codebase\ -> to registry to delete after restart
097 23 18:15:09 837 .=c:\docume~1\christ~1\locals~1\temp\cda.tmp\2006 Codebase\Installers\ -> to registry to delete after restart
098 23 18:15:09 726 .=c:\docume~1\christ~1\locals~1\temp\cda.tmp\2006 Codebase\Installers\CDInstaller8\ -> to registry to delete after restart
099 23 18:15:09 484 .=c:\docume~1\christ~1\locals~1\temp\cda.tmp\2006 Codebase\Installers\CDInstaller8\BIN\ -> to registry to delete after restart
100 23 18:15:09 205 .=c:\docume~1\christ~1\locals~1\temp\cda.tmp\2006 Codebase\Installers\CDInstaller8\BIN\runtime\ -> to registry to delete after restart
101 23 18:15:09 743 .=c:\docume~1\christ~1\locals~1\temp\cda.tmp\2006 Codebase\Installers\CDInstaller8\BIN\runtime\edc-cyberdefender_v2\ -> to registry to delete after restart
[ERROR (Thread ID=2388)]
002 23 18:12:44 563 .=.
003 23 18:12:44 193 .=***************************BEGIN***************************
079 23 18:12:47 119 .=File C:\Documents and Settings\Christopher\Local Settings\Application Data\CyberDefender\AWSDLL.dll - does not exist!
[FLOW (Thread ID=2388)]
004 23 18:12:44 808 .=.
005 23 18:12:44 585 .=***************************BEGIN***************************
008 23 18:12:44 895 .=Command Line="C:\Program Files\CyberDefender\cdinstx.exe" /i /m SecurityToolbar /s1 /cobrand
010 23 18:12:44 746 .=Target Directory assigned = C:\Program Files\CyberDefender
011 23 18:12:44 174 .=Install Path Detected = C:\Program Files\CyberDefender
034 23 18:12:44 352 .=sOrderMatch become = sUpdaterOrder (0,-1,-2,-3,-4,-5,-6,-7,-8,-9,-10,-30)
035 23 18:12:44 057 .=sOrderMatch become = sUpdaterOrder (0,-1,-2,-3,-4,-5,-6,-7,-8,-9,-10,-30)
036 23 18:12:44 607 .=sOrderMatch become = sUpdaterOrder (0,-1,-2,-3,-4,-5,-6,-7,-8,-9,-10,-30)
037 23 18:12:44 783 .=sOrderMatch become = sUpdaterOrder (0,-1,-2,-3,-4,-5,-6,-7,-8,-9,-10,-30)
038 23 18:12:44 802 .=sOrderMatch become = sUpdaterOrder (0,-1,-2,-3,-4,-5,-6,-7,-8,-9,-10,-30)
039 23 18:12:44 519 .=sOrderMatch become = sUpdaterOrder (0,-1,-2,-3,-4,-5,-6,-7,-8,-9,-10,-30)
040 23 18:12:44 301 .=sOrderMatch become = sUpdaterOrder (0,-1,-2,-3,-4,-5,-6,-7,-8,-9,-10,-30)
041 23 18:12:44 875 .=sOrderMatch become = sUpdaterOrder (0,-1,-2,-3,-4,-5,-6,-7,-8,-9,-10,-30)
042 23 18:12:44 726 .=sOrderMatch become = sUpdaterOrder (0,-1,-2,-3,-4,-5,-6,-7,-8,-9,-10,-30)
043 23 18:12:44 955 .=sOrderMatch become = sUpdaterOrder (0,-1,-2,-3,-4,-5,-6,-7,-8,-9,-10,-30)
044 23 18:12:44 925 .=sOrderMatch become = sUpdaterOrder (0,-1,-2,-3,-4,-5,-6,-7,-8,-9,-10,-30)
045 23 18:12:44 539 .=sOrderMatch become = sUpdaterOrder (0,-1,-2,-3,-4,-5,-6,-7,-8,-9,-10,-30)
049 23 18:12:46 862 .=Target Directory detected = C:\Program Files\CyberDefender
052 23 18:12:46 001 .=3rd Party Install thread is running...
053 23 18:12:46 843 .=ProgressPage: Show=TRUE
054 23 18:12:46 996 .=DestinationPage: Show=TRUE
055 23 18:12:46 999 .=LicensePage: Show=TRUE
056 23 18:12:46 611 .=StartPage: Show=TRUE
057 23 18:12:46 001 .=Install thread is running...
060 23 18:12:46 808 .=Target Directory detected = C:\Program Files\CyberDefender
061 23 18:12:46 585 .=SecurityToolbar - all files have been copied from C:\Program Files\CyberDefender\InstallModule\SecurityToolbar to C:\Program Files\CyberDefender
070 23 18:12:47 513 .=ATTEMPTED: LogIE, Section = IE Key = Search Bar Value = http://www.google.com/ie
071 23 18:12:47 303 .=SUCCEEDED: LogIE, Section = IE Key = Search Bar Value = http://www.google.com/ie
074 23 18:12:47 364 .=ATTEMPTED: LogIE, Section = IE Key = DefaultScope Value =
075 23 18:12:47 147 .=SUCCEEDED: LogIE, Section = IE Key = DefaultScope Value =
076 23 18:12:47 165 .=Layout to settings.ini (szOrder, TuneUpST() ): 0,-1,-2,-3,-4,-5,-6,-7,-8,-9,-10,-30
080 23 18:12:47 004 .=Secirity Toolbar: installation complete!!!
081 23 18:12:47 392 .=StartPage: Show=FALSE
082 23 18:12:47 266 .=LicensePage: Show=FALSE
084 23 18:12:47 840 .=Target Directory detected = C:\Program Files\CyberDefender
085 23 18:12:47 023 .=DestinationPage: Show=FALSE
086 23 18:12:47 375 .=ProgressPage: Show=FALSE
089 23 18:12:47 056 .=SuccessPage: Show=TRUE
090 23 18:12:47 008 .=Enterng CCDInstallerApp::ExitInstance()
091 23 18:12:47 918 .=m_sRun = . Empty path?!
094 23 18:12:47 587 .=Exiting CCDInstallerApp::ExitInstance()
[INFO (Thread ID=2388)]
006 23 18:12:44 479 .=.
007 23 18:12:44 350 .=***************************BEGIN***************************
009 23 18:12:44 822 .=InstallSubPath="CyberDefender"
012 23 18:12:44 858 .=*cfg.ini detected: C:\Program Files\CyberDefender\AntiSpyware\cdascfg.ini
013 23 18:12:44 710 .=(From .cfg file) ADP=-1
014 23 18:12:44 513 .=***Install Mode has been detected***
015 23 18:12:44 303 .=Title=CyberDefender Early Detection Center
016 23 18:12:44 014 .=caption=CyberDefender Internet Security Suite
017 23 18:12:44 091 .=CompanyNameShort = CyberDefender
018 23 18:12:44 364 .=ProductNameShort =
019 23 18:12:44 147 .=CompanyNameShort = CyberDefender Corp.
020 23 18:12:44 165 .=CompanyURL =http://www.cyberdefender.com
021 23 18:12:44 988 .=SupportURL =http://cyberdefender.com/products_comparesupport.html
022 23 18:12:44 445 .=PrivacyURL =http://edc.cyberdefender.com/privacy.htm
023 23 18:12:44 119 .=DisplayName =CyberDefender Early Detection Center
024 23 18:12:44 004 .=cobrand =CYBERDEFENDER
025 23 18:12:44 008 .=source=
026 23 18:12:44 377 .=*** Cobrand = CYBERDEFENDER (from .set file)
027 23 18:12:44 531 .=ShowWelcome=-1
028 23 18:12:44 571 .=CloseIE=-1
029 23 18:12:44 601 .=uinst6=-1
030 23 18:12:44 607 .=QuickInst=-1
031 23 18:12:44 166 .=QuickBuy=-1
032 23 18:12:44 663 .=(From .set file) ADP=0
033 23 18:12:44 450 .=(From .set file) FullTrial=0
046 23 18:12:45 142 .=Dialog caption: CyberDefender Internet Security Suite
047 23 18:12:46 462 .=p2d build configuration detected.
048 23 18:12:46 235 .=InstallSubPath="CyberDefender"
050 23 18:12:46 209 .=***Security Toolbar has already been installed (whatever ST layout is on the user machine).***
051 23 18:12:46 779 .=p2d build configuration detected.
058 23 18:12:46 563 .=This Toolbar's Updater is targetting following EDC configurations: all
059 23 18:12:46 193 .=InstallSubPath="CyberDefender"
062 23 18:12:46 479 .=p2d build configuration detected.
063 23 18:12:46 350 .=Ready to be registered: C:\Documents and Settings\Christopher\Local Settings\Application Data\CyberDefender\cdmyidd.dll
064 23 18:12:47 895 .=The ST searchcombo channel set to
065 23 18:12:47 822 .=The Address Bar channel set to
066 23 18:12:47 746 .=The IE7+ Search Bar channel set to
067 23 18:12:47 174 .=AddressBarSearch is set to 1
068 23 18:12:47 858 .=IE7SearchBar is set to 1
069 23 18:12:47 710 .=HomePageAccepted is set to 0
072 23 18:12:47 014 .=Search Bar is set to "http://safesearch.cyberdefender.com/smallsearch.html"
073 23 18:12:47 091 .=IE7's SearchScopes regvalue detected. It will put corresponding changes to the IE7 SearchBar.
077 23 18:12:47 988 .=The Buttons Order for ST has been set (reset) to 0,-1,-2,-3,-4,-5,-6,-7,-8,-9,-10,-30
078 23 18:12:47 445 .=ITBarLayout: successfully cleaned.
083 23 18:12:47 297 .=InstallSubPath="CyberDefender"
087 23 18:12:47 092 .=*** Entering reading the cdinstx_restart key. ***
088 23 18:12:47 677 .=*** Exiting reading the cdinstx_restart key. ***
092 23 18:12:47 275 .=WaitURL has been set: http://www.cyberdefender.com/uninstallsurvey
093 23 18:12:47 272 .=GoodbyeURL has been set: http://www.cyberdefender.com/uninstall_confirmation.html
[ERROR (Thread ID=4076)]
002 23 18:15:18 563 .=.
003 23 18:15:18 193 .=***************************BEGIN***************************
[FLOW (Thread ID=4076)]
004 23 18:15:18 808 .=.
005 23 18:15:18 585 .=***************************BEGIN***************************
008 23 18:15:19 895 .=Command Line="C:\Program Files\CyberDefender\cdinstx.exe" /cfgwizard read
010 23 18:15:19 746 .=Install Path Detected = C:\Program Files\CyberDefender
036 23 18:15:19 607 .=Enterng CCDInstallerApp::ExitInstance()
037 23 18:15:19 783 .=Exiting CCDInstallerApp::ExitInstance()
[INFO (Thread ID=4076)]
006 23 18:15:18 479 .=.
007 23 18:15:18 350 .=***************************BEGIN***************************
009 23 18:15:19 822 .=InstallSubPath="CyberDefender"
011 23 18:15:19 174 .=*cfg.ini detected: C:\Program Files\CyberDefender\AntiSpyware\cdascfg.ini
012 23 18:15:19 858 .=WaitURL =http://www.cyberdefender.com/uninstallsurvey
013 23 18:15:19 710 .=GoodbyeURL =http://www.cyberdefender.com/uninstall_confirmation.html
014 23 18:15:19 513 .=(From .cfg file) ADP=-1
015 23 18:15:19 303 .=***Install Mode has been detected***
016 23 18:15:19 014 .=Title=CyberDefender Early Detection Center
017 23 18:15:19 091 .=caption=CyberDefender Internet Security Suite
018 23 18:15:19 364 .=CompanyNameShort = CyberDefender
019 23 18:15:19 147 .=ProductNameShort =
020 23 18:15:19 165 .=CompanyNameShort = CyberDefender Corp.
021 23 18:15:19 988 .=CompanyURL =http://www.cyberdefender.com
022 23 18:15:19 445 .=SupportURL =http://cyberdefender.com/products_comparesupport.html
023 23 18:15:19 119 .=PrivacyURL =http://edc.cyberdefender.com/privacy.htm
024 23 18:15:19 004 .=DisplayName =CyberDefender Early Detection Center
025 23 18:15:19 008 .=cobrand =CYBERDEFENDER
026 23 18:15:19 377 .=source=
027 23 18:15:19 531 .=*** Cobrand = CYBERDEFENDER (from .set file)
028 23 18:15:19 571 .=ShowWelcome=-1
029 23 18:15:19 601 .=CloseIE=-1
030 23 18:15:19 607 .=uinst6=-1
031 23 18:15:19 166 .=QuickInst=-1
032 23 18:15:19 663 .=QuickBuy=-1
033 23 18:15:19 450 .=(From .set file) ADP=0
034 23 18:15:19 352 .=(From .set file) FullTrial=0
035 23 18:15:19 057 .=InstallModule="AntiSpam"
[FLOW (Thread ID=)]
003 23 18:15:20 193 .=Enterng CCDInstallerApp::ExitInstance()
004 23 18:15:20 808 .=Exiting CCDInstallerApp::ExitInstance()
[ERROR (Thread ID=2344)]
002 23 18:41:59 563 .=.
003 23 18:41:59 193 .=***************************BEGIN***************************
044 23 18:43:20 563 .=*** Could NOT report to the Server: ....com:6083/aaa.html?uinst=0&UA=Q2033&aid=webmetro_yahoop2dbrand ***
046 23 18:43:21 808 .=Could not open the registry key (HKEY_LOCAL_MACHINE): SOFTWARE\Digital River\SoftwarePassport\CyberDefender Corp.\CyberDefender Early Detection Center 2.0\0 (not found?), logInfo
051 23 18:43:26 822 .=C:\Program Files\CyberDefender\AntiSpyware\AWSDLL.dll attempted to be UnRegistered (.NET, regASM)!
054 23 18:43:35 858 .=C:\Program Files\CyberDefender\AntiVirus\uwcdsolk.dll attempted to be UnRegistered!
055 23 18:43:35 710 .=UnregisterCOM function failed on ShellExecute(NULL, "open", "regsvr32.exe /u", C:\PROGRA~1\CYBERD~1\ANTIVI~1\uwcdsolk.dll, NULL, SW_SHOW)
056 23 18:43:35 513 .=C:\Program Files\CyberDefender\AntiVirus\capicom.dll attempted to be UnRegistered!
057 23 18:43:38 303 .=UnregisterCOM function failed on ShellExecute(NULL, "open", "regsvr32.exe /u", C:\PROGRA~1\CYBERD~1\ANTIVI~1\capicom.dll, NULL, SW_SHOW)
058 23 18:43:38 014 .=C:\Program Files\CyberDefender\AntiVirus\CybDefCom.dll attempted to be UnRegistered!
059 23 18:43:38 091 .=UnregisterCOM function failed on ShellExecute(NULL, "open", "regsvr32.exe /u", C:\PROGRA~1\CYBERD~1\ANTIVI~1\CYBDEF~2.DLL, NULL, SW_SHOW)
060 23 18:43:38 364 .=C:\Program Files\CyberDefender\HomePage\CDWebVw.dll attempted to be UnRegistered!
061 23 18:43:39 147 .=UnregisterCOM function failed on ShellExecute(NULL, "open", "regsvr32.exe /u", C:\PROGRA~1\CYBERD~1\HomePage\CDWebVw.dll, NULL, SW_SHOW)
096 23 18:43:45 999 .=Could not remove (!) the c:\program files\cyberdefender\antispyware\cdasb.exe from the SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
098 23 18:43:45 392 .=Could not remove (!) the c:\program files\cyberdefender\antispyware\cdasb.exe from the SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
100 23 18:43:45 297 .=Could not remove (!) the c:\program files\cyberdefender\antispyware\cdasb.exe from the SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
[FLOW (Thread ID=2344)]
004 23 18:41:59 808 .=.
005 23 18:41:59 585 .=***************************BEGIN***************************
008 23 18:41:59 895 .=Command Line="C:\Program Files\CyberDefender\cdinstx.exe" /u
010 23 18:41:59 746 .=Install Path Detected = C:\Program Files\CyberDefender
038 23 18:42:23 802 .=SkipPage: Show=TRUE
039 23 18:42:23 519 .=SkipPage: Show=FALSE
041 23 18:42:40 875 .=Create Process: "C:\Program Files\CyberDefender\AntiVirus\CyberDefenderEDC.exe" /remove_from_sc
042 23 18:42:42 726 .=ProgressPage: Show=TRUE
043 23 18:42:42 001 .=UnInstall thread is running...
049 23 18:43:21 350 .=Create Process: "C:\Program Files\CyberDefender\cdinstx.exe" /u "C:\Program Files\CyberDefender\earlySpam\cdinstx.log" /t "CyberDefender Early Detection Center - AntiSpam" /s
052 23 18:43:26 746 .=Create Process: "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\regasm.exe" /unregister /silent "C:\PROGRA~1\CYBERD~1\ANTISP~1\AWSDLL.dll"
053 23 18:43:34 174 .=Create Process: "C:\Program Files\CyberDefender\AntiSpyware\gacutil.exe" /uf AWSDLL
102 23 18:43:45 955 .=ProgressPage: Show=FALSE
105 23 18:43:50 142 .=SuccessPage: Show=FALSE
107 23 18:43:50 235 .=Enterng CCDInstallerApp::ExitInstance()
108 23 18:43:50 862 .=Exiting CCDInstallerApp::ExitInstance()
[INFO (Thread ID=2344)]
006 23 18:41:59 479 .=.
007 23 18:41:59 350 .=***************************BEGIN***************************
009 23 18:41:59 822 .=InstallSubPath="CyberDefender"
011 23 18:41:59 174 .=Uninstall: Title=CyberDefender Early Detection Center
012 23 18:41:59 858 .=*cfg.ini detected: C:\Program Files\CyberDefender\AntiSpyware\cdascfg.ini
013 23 18:41:59 710 .=WaitURL =http://www.cyberdefender.com/uninstallsurvey
014 23 18:41:59 513 .=GoodbyeURL =http://www.cyberdefender.com/uninstall_confirmation.html
015 23 18:41:59 303 .=(From .cfg file) ADP=0
016 23 18:41:59 014 .=***Install Mode has been detected***
017 23 18:41:59 091 .=Title=CyberDefender Early Detection Center
018 23 18:41:59 364 .=caption=CyberDefender Internet Security Suite
019 23 18:41:59 147 .=CompanyNameShort = CyberDefender
020 23 18:41:59 165 .=ProductNameShort =
021 23 18:41:59 988 .=CompanyNameShort = CyberDefender Corp.
022 23 18:41:59 445 .=CompanyURL =http://www.cyberdefender.com
023 23 18:41:59 119 .=SupportURL =http://cyberdefender.com/products_comparesupport.html
024 23 18:41:59 004 .=PrivacyURL =http://edc.cyberdefender.com/privacy.htm
025 23 18:41:59 008 .=DisplayName =CyberDefender Early Detection Center
026 23 18:41:59 377 .=cobrand =CYBERDEFENDER
027 23 18:41:59 531 .=source=
028 23 18:41:59 571 .=*** Cobrand = CYBERDEFENDER (from .set file)
029 23 18:41:59 601 .=ShowWelcome=-1
030 23 18:41:59 607 .=CloseIE=-1
031 23 18:41:59 166 .=uinst6=-1
032 23 18:41:59 663 .=QuickInst=-1
033 23 18:41:59 450 .=QuickBuy=-1
034 23 18:41:59 352 .=(From .set file) ADP=0
035 23 18:41:59 057 .=(From .set file) FullTrial=0
036 23 18:41:59 607 .=InstallModule="AntiSpam"
037 23 18:41:59 783 .=p2d build configuration detected.
040 23 18:42:40 301 .=p2d build configuration detected.
045 23 18:43:21 193 .=***Uninstall has been reported to the server.***
047 23 18:43:21 585 .=Could not open the registry key (HKEY_CURRENT_USER): SOFTWARE\Digital River\SoftwarePassport\CyberDefender Corp.\CyberDefender Early Detection Center 2.0\0 (not found?)
048 23 18:43:21 479 .="C:\Program Files\CyberDefender\cdinstx.exe" /u "C:\Program Files\CyberDefender\earlySpam\cdinstx.log" /t "CyberDefender Early Detection Center - AntiSpam" /s uninstall string has been detected.
050 23 18:43:26 895 .=Silent Uninstall has been initiated: "C:\Program Files\CyberDefender\cdinstx.exe" /u "C:\Program Files\CyberDefender\earlySpam\cdinstx.log" /t "CyberDefender Early Detection Center - AntiSpam" /s
062 23 18:43:45 165 .=bAllowRemoving = TRUE for registry key Software\CyberDefender\AntiVirus\Install Information
063 23 18:43:45 988 .=bAllowRemoving = TRUE for registry key Software\CyberDefender\AntiVirus\Install Information
064 23 18:43:45 445 .=bAllowRemoving = TRUE for registry key Software\CyberDefender\AntiSpyware\Install Information
065 23 18:43:45 119 .=bAllowRemoving = TRUE for registry key Software\CyberDefender\AntiSpyware\Install Information
066 23 18:43:45 004 .=bAllowRemoving = TRUE for registry key SOFTWARE\CyberDefender\AntiSpyware
067 23 18:43:45 008 .=bAllowRemoving = TRUE for registry key Software\CyberDefender\AntiSpyware
068 23 18:43:45 377 .=bAllowRemoving = TRUE for registry key SOFTWARE\CyberDefender\AntiVirus
069 23 18:43:45 531 .=bAllowRemoving = TRUE for registry key Software\CyberDefender\AntiVirus
070 23 18:43:45 571 .=bAllowRemoving = TRUE for registry key SYSTEM\CurrentControlSet\Services\CDAVFS
071 23 18:43:45 601 .=bAllowRemoving = TRUE for registry key SOFTWARE\WsLiveUp
072 23 18:43:45 607 .=bAllowRemoving = TRUE for registry key SOFTWARE\WsLiveUp
073 23 18:43:45 166 .=bAllowRemoving = TRUE for registry key REGKEY_WSLIVEUP_MAIN
074 23 18:43:45 663 .=bAllowRemoving = TRUE for registry key REGKEY_WSLIVEUP_MAIN
075 23 18:43:45 450 .=bAllowRemoving = TRUE for registry key SOFTWARE\eBlocsKeepSafe
076 23 18:43:45 352 .=bAllowRemoving = TRUE for registry key SOFTWARE\CybDefKeepSafe
077 23 18:43:45 057 .=bAllowRemoving = TRUE for registry key SOFTWARE\CyberDefender
078 23 18:43:45 607 .=bAllowRemoving = TRUE for registry key SOFTWARE\CyberDefender
079 23 18:43:45 783 .=bAllowRemoving = TRUE for registry key SOFTWARE\eBlocs
080 23 18:43:45 802 .=bAllowRemoving = TRUE for registry key SOFTWARE\ebc
081 23 18:43:45 519 .=bAllowRemoving = TRUE for registry key SOFTWARE\Classes\AppID\EDCConfig.EXE
082 23 18:43:45 301 .=bAllowRemoving = TRUE for registry key SOFTWARE\Classes\AppID\{0F0ED099-0402-4CF8-8A74-520F0ED354DF}
083 23 18:43:45 875 .=bAllowRemoving = TRUE for registry key SOFTWARE\Classes\CLSID\{5E53AE00-5746-475E-8F7F-4EA85A1BC7A4}
084 23 18:43:45 726 .=bAllowRemoving = TRUE for registry key SOFTWARE\Classes\CLSID\{CEF3D8E2-7497-48d8-B574-DA1C4AB22B93}
085 23 18:43:45 955 .=bAllowRemoving = TRUE for registry key SOFTWARE\Classes\CyberDefender.EDCConfigWizard
086 23 18:43:45 925 .=bAllowRemoving = TRUE for registry key SOFTWARE\Classes\CyberDefender.EDCConfigWizard.1
087 23 18:43:45 539 .=bAllowRemoving = TRUE for registry key SOFTWARE\Classes\Interface\{95888CF7-CF1A-4CBF-86C4-467EDEDA7ECD}
088 23 18:43:45 142 .=bAllowRemoving = TRUE for registry key TypeLib\{EE3739AE-27BB-48BE-BD79-E820389BD8C0}
089 23 18:43:45 462 .=bAllowRemoving = TRUE for registry key CLSID\{F6DCBA17-D2E9-430E-8D6F-83198004F674}
090 23 18:43:45 235 .=bAllowRemoving = TRUE for registry key CLSID\{D197ACF1-13C9-4C0C-B1CF-E868EAF58531}
091 23 18:43:45 862 .=bAllowRemoving = TRUE for registry key TypeLib\{AD4E8864-245A-4C8D-BE59-23A6C9DD54AA}
092 23 18:43:45 209 .=bAllowRemoving = TRUE for registry key SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC5352DA-F4F2-4A59-A1BF-41546342746B}
093 23 18:43:45 779 .=Installer Exe self-removing has been initiated
094 23 18:43:45 843 .=Attemped to clean up the c:\program files\cyberdefender\antispyware\cdasb.exe from the SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
095 23 18:43:45 996 .=Attemped to clean up the c:\program files\cyberdefender\antispyware\cdasb.exe from the SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
097 23 18:43:45 611 .=Attemped to clean up the c:\program files\cyberdefender\antispyware\cdasb.exe from the SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
099 23 18:43:45 266 .=Attemped to clean up the c:\program files\cyberdefender\antispyware\cdasb.exe from the SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
101 23 18:43:45 840 .=Attemped to clean up the SYSTEM\ControlSet002\Services\CDAVFS
103 23 18:43:45 925 .=*** Entering reading the cdinstx_restart key. ***
104 23 18:43:45 539 .=*** Exiting reading the cdinstx_restart key. ***
106 23 18:43:50 462 .=p2d build configuration detected.
[ERROR (Thread ID=2228)]
002 23 18:43:24 563 .=.
003 23 18:43:24 193 .=***************************BEGIN***************************
017 23 18:43:25 563 .=C:\Program Files\CyberDefender\earlySpam\oecom.dll attempted to be UnRegistered!
018 23 18:43:25 193 .=UnregisterCOM function failed on ShellExecute(NULL, "open", "regsvr32.exe /u", C:\PROGRA~1\CYBERD~1\EARLYS~1\oecom.dll, NULL, SW_SHOW)
019 23 18:43:25 808 .=C:\Program Files\CyberDefender\earlySpam\oeapiinitcom.dll attempted to be UnRegistered!
020 23 18:43:25 585 .=UnregisterCOM function failed on ShellExecute(NULL, "open", "regsvr32.exe /u", C:\PROGRA~1\CYBERD~1\EARLYS~1\OEAPII~1.DLL, NULL, SW_SHOW)
021 23 18:43:25 479 .=C:\Program Files\CyberDefender\earlySpam\oestore.dll attempted to be UnRegistered!
022 23 18:43:25 350 .=UnregisterCOM function failed on ShellExecute(NULL, "open", "regsvr32.exe /u", C:\PROGRA~1\CYBERD~1\EARLYS~1\oestore.dll, NULL, SW_SHOW)
023 23 18:43:25 895 .=C:\Program Files\CyberDefender\earlySpam\cdaspm.dll attempted to be UnRegistered!
024 23 18:43:26 822 .=UnregisterCOM function failed on ShellExecute(NULL, "open", "regsvr32.exe /u", C:\PROGRA~1\CYBERD~1\EARLYS~1\cdaspm.dll, NULL, SW_SHOW)
[FLOW (Thread ID=2228)]
004 23 18:43:24 808 .=.
005 23 18:43:24 585 .=***************************BEGIN***************************
008 23 18:43:24 895 .=Command Line="C:\Program Files\CyberDefender\cdinstx.exe" /u "C:\Program Files\CyberDefender\earlySpam\cdinstx.log" /t "CyberDefender Early Detection Center - AntiSpam" /s
010 23 18:43:24 746 .=Install Path Detected =
014 23 18:43:25 513 .=ProgressPage: Show=TRUE
015 23 18:43:25 303 .=StartPage: Show=TRUE
016 23 18:43:25 001 .=UnInstall thread is running...
027 23 18:43:26 014 .=StartPage: Show=FALSE
028 23 18:43:26 091 .=ProgressPage: Show=FALSE
031 23 18:43:26 165 .=SuccessPage: Show=TRUE
032 23 18:43:26 988 .=Enterng CCDInstallerApp::ExitInstance()
033 23 18:43:26 445 .=Exiting CCDInstallerApp::ExitInstance()
[INFO (Thread ID=2228)]
006 23 18:43:24 479 .=.
007 23 18:43:24 350 .=***************************BEGIN***************************
009 23 18:43:24 822 .=InstallSubPath="CyberDefender"
011 23 18:43:24 174 .=***Install Mode has been detected***
012 23 18:43:24 858 .=InstallModule="AntiSpam"
013 23 18:43:25 710 .=Dialog caption:
025 23 18:43:26 746 .=bAllowRemoving = TRUE for registry key SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AA63780B-DDB7-417b-8A13-E5AFBE08E807}
026 23 18:43:26 174 .=Installer Exe self-removing has NOT been initiated (bDeleteBF = FALSE)
029 23 18:43:26 364 .=*** Entering reading the cdinstx_restart key. ***
030 23 18:43:26 147 .=*** Exiting reading the cdinstx_restart key. ***
[ERROR (Thread ID=3072)]
002 05 13:29:08 563 .=.
003 05 13:29:08 193 .=***************************BEGIN***************************
041 05 13:29:17 563 .=*** Could NOT report to the Server: ...biz/?affl=&action=uninstall ***
043 05 13:29:17 808 .=C:\Documents and Settings\Christopher\Local Settings\Application Data\CyberDefender\cdmyidd.dll attempted to be UnRegistered!
044 05 13:29:17 585 .=UnregisterCOM function failed on ShellExecute(NULL, "open", "regsvr32.exe /u", C:\DOCUME~1\CHRIST~1\LOCALS~1\APPLIC~1\CYBERD~1\cdmyidd.dll, NULL, SW_SHOW)
[FLOW (Thread ID=3072)]
004 05 13:29:08 808 .=.
005 05 13:29:08 585 .=***************************BEGIN***************************
008 05 13:29:08 895 .=Command Line="C:\Documents and Settings\Christopher\Local Settings\Application Data\CyberDefender\cdinstx.exe" /u
010 05 13:29:08 746 .=Install Path Detected = C:\Documents and Settings\Christopher\Local Settings\Application Data\CyberDefender
037 05 13:29:09 783 .=StartPage: Show=TRUE
038 05 13:29:16 802 .=StartPage: Show=FALSE
039 05 13:29:16 519 .=ProgressPage: Show=TRUE
040 05 13:29:16 001 .=UnInstall thread is running...
052 05 13:29:18 301 .=ProgressPage: Show=FALSE
055 05 13:29:21 955 .=SuccessPage: Show=FALSE
056 05 13:29:21 925 .=Enterng CCDInstallerApp::ExitInstance()
057 05 13:29:21 539 .=Exiting CCDInstallerApp::ExitInstance()
[INFO (Thread ID=3072)]
006 05 13:29:08 479 .=.
007 05 13:29:08 350 .=***************************BEGIN***************************
009 05 13:29:08 822 .=InstallSubPath="CyberDefender"
011 05 13:29:08 174 .=Uninstall: Title=CyberDefender Early Detection Center
012 05 13:29:08 858 .=*cfg.ini detected:
013 05 13:29:08 710 .=WaitURL =
014 05 13:29:08 513 .=GoodbyeURL =
015 05 13:29:08 303 .=***Install Mode has been detected***
016 05 13:29:08 014 .=Title=MyIdentityDefender
017 05 13:29:08 091 .=caption=MyIdentityDefender Toolbar
018 05 13:29:08 364 .=CompanyNameShort = CyberDefender
019 05 13:29:08 147 .=ProductNameShort = MyIdentityDefender
020 05 13:29:08 165 .=CompanyNameShort = CyberDefender Corp.
021 05 13:29:08 988 .=CompanyURL =http://www.cyberdefender.com
022 05 13:29:08 445 .=SupportURL =http://support.cyberdefender.com/cgi-bin/support/kb.cgi
023 05 13:29:08 119 .=PrivacyURL =http://edc.cyberdefender.com/privacy.htm
024 05 13:29:08 004 .=DisplayName =MyIdentityDefender Toolbar (CyberDefender Corporation)
025 05 13:29:08 008 .=cobrand =
026 05 13:29:08 377 .=source=Security Toolbar V2
027 05 13:29:08 531 .=*** No Cobrand detected from .set file.
028 05 13:29:08 571 .=ShowWelcome=1
029 05 13:29:08 601 .=CloseIE=1
030 05 13:29:08 607 .=uinst6=-1
031 05 13:29:08 166 .=QuickInst=-1
032 05 13:29:08 663 .=QuickBuy=-1
033 05 13:29:08 450 .=(From .set file) ADP=-1
034 05 13:29:08 352 .=(From .set file) FullTrial=-1
035 05 13:29:08 057 .=InstallModule=""
036 05 13:29:09 607 .=Dialog caption: MyIdentityDefender Toolbar
042 05 13:29:17 193 .=***Uninstall has been reported to the server.***
045 05 13:29:17 479 .=bAllowRemoving = TRUE for registry key SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{83682B4C-B98C-4BEB-97CC-8EAD2AF9E4C6}
046 05 13:29:17 350 .=bAllowRemoving = TRUE for registry key CLSID\{68FF9E0F-2E96-4467-87FA-1A8B9734C7E7}
047 05 13:29:17 895 .=bAllowRemoving = TRUE for registry key CLSID\{F35CE83E-9EBF-40d5-AE87-53F982389740}
048 05 13:29:17 822 .=bAllowRemoving = TRUE for registry key CLSID\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}
049 05 13:29:18 746 .=bAllowRemoving = TRUE for registry key SOFTWARE\CyberDefender\SecurityToolbar
050 05 13:29:18 174 .=bAllowRemoving = TRUE for registry key Software\CyberDefender\SecurityToolbar
051 05 13:29:18 858 .=Installer Exe self-removing has been initiated
053 05 13:29:19 875 .=*** Entering reading the cdinstx_restart key. ***
054 05 13:29:19 726 .=*** Exiting reading the cdinstx_restart key. ***

I ran HijackThis and got this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:24:27 PM, on 1/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Christopher\Desktop\ComboFix.exe
C:\Program Files\Cobian Backup 8\cbService.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\Documents and Settings\Christopher\Desktop\HJTInstall.exe
C:\Documents and Settings\Christopher\Desktop\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - (no file)
R3 - URLSearchHook: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\Christopher\Local Settings\Application Data\CyberDefender\cdmyidd.dll
O2 - BHO: &Research - {037c7b8a-151a-49e6-baed-cc05fcb50328} - C:\WINDOWS\system32\winsrc.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Smart-Shopper - {4a7c84e2-e95c-43c6-8dd3-03abcd0eb60e} - C:\Program Files\Smart-Shopper\Bin\2.5.1\Smrt-Shpr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: MyIdentityDefender - {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - C:\Documents and Settings\Christopher\Local Settings\Application Data\CyberDefender\cdmyidd.dll
O2 - BHO: (no name) - {a448229b-daec-43bf-a9e0-73f3b749b8fb} - C:\WINDOWS\system32\seretisa.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O3 - Toolbar: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\Christopher\Local Settings\Application Data\CyberDefender\cdmyidd.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [OutpostFeedBack] C:\PROGRA~1\Agnitum\OUTPOS~1.0\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe" /waitservice
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [8c020bd0] rundll32.exe "C:\WINDOWS\system32\nimuhoke.dll",b
O4 - HKLM\..\Run: [CPM8f31384c] Rundll32.exe "c:\windows\system32\vanabesa.dll",a
O4 - HKLM\..\Run: [kofohoriti] Rundll32.exe "C:\WINDOWS\system32\fugafizu.dll",s
O4 - HKLM\..\Run: [Cobian Backup 8 interface] "C:\Program Files\Cobian Backup 8\cbInterface.exe" -service
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [ieupdate] "C:\WINDOWS\system32\explorer32.exe"
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: SmartShopper - Compare product prices - {3cc3d8fe-f0e0-4dd1-a69a-8c56bcc7bebf} - C:\Program Files\Smart-Shopper\Bin\2.5.1\Smrt-Shpr.dll
O9 - Extra button: SmartShopper - Compare travel rates - {3cc3d8fe-f0e0-4dd1-a69a-8c56bcc7bec0} - C:\Program Files\Smart-Shopper\Bin\2.5.1\Smrt-Shpr.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {42FDC231-A411-45F8-B8B6-3B5026111DA8} (SolitaireRush Control) - http://www.worldwinner.com/games/v47/solit...litairerush.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {61900274-3323-4446-BDCD-91548D32AF1B} (SpiderSolitaire Control) - http://www.worldwinner.com/games/v56/spide...ersolitaire.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O20 - AppInit_DLLs: c:\windows\system32\vanabesa.dll,C:\WINDOWS\system32\vasidifu.dll
O21 - SSODL: UkBkrsMHGwok - {8C020B80-26A8-A12A-1AC4-6F008F970892} - C:\WINDOWS\system32\xhxkgj.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vanabesa.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vanabesa.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (file missing)
O23 - Service: Cobian Backup 8 service (cobbmservice) - Luis Cobian - C:\Program Files\Cobian Backup 8\cbService.exe
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (outpostfirewall) - Unknown owner - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe (file missing)
O23 - Service: PC Tools AntiVirus Engine (pctavsvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

--

I also ran DDS BEFORE I tried to run ComboFix, when I was not getting any prompts and was not sure if it would run at all.

The DDS on-screen log said:

DDS (Version 1.1.0) - NTFSx86
Run by Christopher at 13:20:51.58 on Mon 01/05/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.291 [GMT -7:00]

AV: PC Tools AntiVirus 5.0.0.22 *On-access scanning enabled* (Updated)
AV: AVG 7.5.524 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Documents and Settings\Christopher\Desktop\ComboFix.exe
C:\Program Files\Cobian Backup 8\cbService.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\Documents and Settings\Christopher\Desktop\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uLocal Page = \blank.htm
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: MyIdentityDefender: {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - c:\documents and settings\christopher\local settings\application data\cyberdefender\cdmyidd.dll
BHO: &Research: {037c7b8a-151a-49e6-baed-cc05fcb50328} - c:\windows\system32\winsrc.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: Smart-Shopper: {4a7c84e2-e95c-43c6-8dd3-03abcd0eb60e} - c:\program files\smart-shopper\bin\2.5.1\Smrt-Shpr.dll
BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: MyIdentityDefender: {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - c:\documents and settings\christopher\local settings\application data\cyberdefender\cdmyidd.dll
BHO: {a448229b-daec-43bf-a9e0-73f3b749b8fb} - c:\windows\system32\seretisa.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: MyIdentityDefender: {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - c:\documents and settings\christopher\local settings\application data\cyberdefender\cdmyidd.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: SmartShopper: {8bcb5337-ec01-4e38-840c-a964f174255b} - c:\program files\smart-shopper\bin\2.5.1\Smrt-Shpr.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [ieupdate] "c:\windows\system32\explorer32.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [OutpostFeedBack] c:\progra~1\agnitum\outpos~1.0\feedback.exe /dump:os_startup
mRun: [Outpost Firewall] "c:\program files\agnitum\outpost firewall 1.0\outpost.exe" /waitservice
mRun: [PCTAVApp] "c:\program files\pc tools antivirus\PCTAV.exe" /MONITORSCAN
mRun: [8c020bd0] rundll32.exe "c:\windows\system32\nimuhoke.dll",b
mRun: [CPM8f31384c] Rundll32.exe "c:\windows\system32\vanabesa.dll",a
mRun: [kofohoriti] Rundll32.exe "c:\windows\system32\fugafizu.dll",s
mRun: [Cobian Backup 8 interface] "c:\program files\cobian backup 8\cbInterface.exe" -service
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\christ~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3cc3d8fe-f0e0-4dd1-a69a-8c56bcc7bebf} - {6FAC4823-815E-4361-836E-46D65ED2550B} - c:\program files\smart-shopper\bin\2.5.1\Smrt-Shpr.dll
IE: {3cc3d8fe-f0e0-4dd1-a69a-8c56bcc7bec0} - {4CF088BD-BE95-40a5-BE9B-677F8683EDEA} - c:\program files\smart-shopper\bin\2.5.1\Smrt-Shpr.dll
IE: {44627E97-789B-40d4-B5C2-58BD171129A1} - {A1A7E22D-1587-4230-8F16-081C68D21448} - c:\progra~1\agnitum\outpos~1.0\plugins\browserbar\ie_bar.dll
AppInit_DLLs: c:\windows\system32\vanabesa.dll,c:\windows\system32\vasidifu.dll
SSODL: UkBkrsMHGwok - {8C020B80-26A8-A12A-1AC4-6F008F970892} - c:\windows\system32\xhxkgj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vanabesa.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\vanabesa.dll
SecurityProviders: msapsspc.dll schannel.dll digest.dll msnsspc.dll
LSA: Notification Packages = scecli c:\windows\system32\vasidifu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\christ~1\applic~1\mozilla\firefox\profiles\1dtlhf2p.default\
FF - plugin: c:\documents and settings\christopher\application data\mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\yahoo!\common\npyaxmpb.dll

============= SERVICES / DRIVERS ===============

R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2008-8-15 4224]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2008-8-15 10760]
R3 avhook;AVHook;c:\windows\system32\drivers\AVHook.sys [2008-10-16 28568]
R4 avfilter;AVFilter;c:\windows\system32\drivers\AVFilter.sys [2008-10-16 21904]
R4 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2008-8-15 4960]
S1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2008-8-15 821856]
S1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2008-8-15 27776]
S1 vfilt;Outpost Firewall Kernel Driver;\??\c:\progra~1\agnitum\outpos~1.0\kernel\2000\filtnt.sys --> c:\progra~1\agnitum\outpos~1.0\kernel\2000\FILTNT.SYS [?]
S3 adblock.dll;Outpost Firewall PlugIn (ADBLOCK.DLL);\??\c:\progra~1\agnitum\outpos~1.0\kernel\adblock.dll --> c:\progra~1\agnitum\outpos~1.0\kernel\ADBLOCK.DLL [?]
S3 cdavfs;CDAVFS;c:\windows\system32\drivers\cdavfs.sys --> c:\windows\system32\drivers\CDAVFS.sys [?]
S3 content.dll;Outpost Firewall PlugIn (CONTENT.DLL);\??\c:\progra~1\agnitum\outpos~1.0\kernel\content.dll --> c:\progra~1\agnitum\outpos~1.0\kernel\CONTENT.DLL [?]
S3 dnscache.dll;Outpost Firewall PlugIn (DNSCACHE.DLL);\??\c:\progra~1\agnitum\outpos~1.0\kernel\dnscache.dll --> c:\progra~1\agnitum\outpos~1.0\kernel\DNSCACHE.DLL [?]
S3 ftpfilt.dll;Outpost Firewall PlugIn (FTPFILT.DLL);\??\c:\progra~1\agnitum\outpos~1.0\kernel\ftpfilt.dll --> c:\progra~1\agnitum\outpos~1.0\kernel\FTPFILT.DLL [?]
S3 htmlfilt.dll;Outpost Firewall PlugIn (HTMLFILT.DLL);\??\c:\progra~1\agnitum\outpos~1.0\kernel\htmlfilt.dll --> c:\progra~1\agnitum\outpos~1.0\kernel\HTMLFILT.DLL [?]
S3 httpfilt.dll;Outpost Firewall PlugIn (HTTPFILT.DLL);\??\c:\progra~1\agnitum\outpos~1.0\kernel\httpfilt.dll --> c:\progra~1\agnitum\outpos~1.0\kernel\HTTPFILT.DLL [?]
S3 imapfilt.dll;Outpost Firewall PlugIn (IMAPFILT.DLL);\??\c:\progra~1\agnitum\outpos~1.0\kernel\imapfilt.dll --> c:\progra~1\agnitum\outpos~1.0\kernel\IMAPFILT.DLL [?]
S3 mailfilt.dll;Outpost Firewall PlugIn (MAILFILT.DLL);\??\c:\progra~1\agnitum\outpos~1.0\kernel\mailfilt.dll --> c:\progra~1\agnitum\outpos~1.0\kernel\MAILFILT.DLL [?]
S3 nntpfilt.dll;Outpost Firewall PlugIn (NNTPFILT.DLL);\??\c:\progra~1\agnitum\outpos~1.0\kernel\nntpfilt.dll --> c:\progra~1\agnitum\outpos~1.0\kernel\NNTPFILT.DLL [?]
S3 pop3filt.dll;Outpost Firewall PlugIn (POP3FILT.DLL);\??\c:\progra~1\agnitum\outpos~1.0\kernel\pop3filt.dll --> c:\progra~1\agnitum\outpos~1.0\kernel\POP3FILT.DLL [?]
S3 protect.dll;Outpost Firewall PlugIn (PROTECT.DLL);\??\c:\progra~1\agnitum\outpos~1.0\kernel\protect.dll --> c:\progra~1\agnitum\outpos~1.0\kernel\PROTECT.DLL [?]
S3 sysrest.sys;sysrest.sys;\??\c:\windows\system32\sysrest.sys --> c:\windows\system32\sysrest.sys [?]
S4 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe --> c:\progra~1\grisoft\avg7\avgamsvr.exe [?]
S4 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe --> c:\progra~1\grisoft\avg7\avgupsvc.exe [?]
S4 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe --> c:\progra~1\grisoft\avg7\avgemc.exe [?]
S4 pctavsvc;PC Tools AntiVirus Engine;c:\program files\pc tools antivirus\PCTAVSvc.exe [2008-10-16 995520]

=============== Created Last 30 ================

2009-01-05 13:17 <DIR> --d----- c:\program files\Cobian Backup 8
2009-01-05 13:13 61,440 a------- c:\windows\system32\drivers\irmcwvco.sys
2008-12-28 08:54 1,262,959 ---sh--- c:\windows\system32\ekohumin.ini
2008-12-27 19:43 1,262,959 ---sh--- c:\windows\system32\aguyalow.ini
2008-12-27 06:48 1,254,044 ---sh--- c:\windows\system32\ibiyuloh.ini
2008-12-26 13:10 1,254,115 ---sh--- c:\windows\system32\orumohuw.ini
2008-12-26 13:09 54,156 a---h--- c:\windows\QTFont.qfn
2008-12-26 13:09 1,409 a------- c:\windows\QTFont.for
2008-12-25 14:06 1,603,449 ---sh--- c:\windows\system32\uzolesoh.ini
2008-12-24 07:04 1,603,449 ---sh--- c:\windows\system32\ejipipay.ini
2008-12-23 19:00 1,603,467 ---sh--- c:\windows\system32\opumuyep.ini
2008-12-22 16:00 0 a------- c:\windows\system32\winsrc.dll.tmp
2008-12-22 08:29 1,603,467 ---sh--- c:\windows\system32\ewumuvip.ini
2008-12-21 20:30 337,408 a------- c:\windows\system32\winsrc.dll
2008-12-21 20:30 123,904 a------- c:\windows\system32\explorer32.exe
2008-12-21 19:33 1,603,467 ---sh--- c:\windows\system32\ometelos.ini
2008-12-20 07:03 105 a------- c:\windows\wininit.ini
2008-12-19 10:59 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-19 09:26 61,440 a------- c:\windows\system32\drivers\hwwm.sys
2008-12-18 18:35 <DIR> --d----- c:\docume~1\christ~1\applic~1\Smart-Shopper
2008-12-18 18:35 <DIR> --d----- c:\program files\Smart-Shopper
2008-12-18 18:27 54,112 ac------ C:\adinekir.ttf

==================== Find3M ====================

2009-01-05 13:21 109,150 a------- c:\windows\system32\drivers\ef915411.sys
2008-12-29 10:58 62,118 a--sh--- c:\windows\system32\futajido.dll
2008-12-28 08:54 99,019 a--sh--- c:\windows\system32\vanabesa.dll
2008-12-28 08:54 87,258 a--sh--- c:\windows\system32\nimuhoke.dll
2008-12-27 19:43 97,973 a--sh--- c:\windows\system32\fusigagi.dll
2008-12-27 19:43 87,142 -------- c:\windows\system32\wolayuga.dll
2008-12-27 18:43 99,592 a--sh--- c:\windows\system32\pinoteye.dll
2008-12-27 18:43 61,659 a--sh--- c:\windows\system32\mofebese.dll
2008-12-27 06:43 99,517 a--sh--- c:\windows\system32\nevihezu.dll
2008-12-26 13:10 98,885 a--sh--- c:\windows\system32\joduharu.dll
2008-12-26 13:10 87,152 -------- c:\windows\system32\wuhomuro.dll
2008-12-25 14:06 99,043 a--sh--- c:\windows\system32\zavidegu.dll
2008-12-25 14:06 87,325 a--sh--- c:\windows\system32\hoselozu.dll
2008-12-25 13:06 63,259 a--sh--- c:\windows\system32\wedusoha.dll
2008-12-24 07:04 99,086 a--sh--- c:\windows\system32\tefifohi.dll
2008-12-24 07:04 84,025 -------- c:\windows\system32\yapipije.dll
2008-12-23 19:00 99,089 a--sh--- c:\windows\system32\zakanilu.dll
2008-12-23 19:00 84,641 -------- c:\windows\system32\peyumupo.dll
2008-12-23 17:57 65,107 a--sh--- c:\windows\system32\yunukino.dll
2008-12-22 08:29 83,022 -------- c:\windows\system32\pivumuwe.dll
2008-12-22 08:29 94,827 a--sh--- c:\windows\system32\dasofupu.dll
2008-12-21 19:33 98,033 a--sh--- c:\windows\system32\nanemefu.dll
2008-12-21 19:33 85,103 -------- c:\windows\system32\soletemo.dll
2008-12-21 07:33 97,564 a--sh--- c:\windows\system32\hujepaka.dll
2008-12-20 19:33 97,576 a--sh--- c:\windows\system32\gozomose.dll
2008-12-20 07:33 94,960 a--sh--- c:\windows\system32\luyehaya.dll
2008-12-19 19:32 94,784 a--sh--- c:\windows\system32\dewulale.dll
2008-12-19 07:32 97,501 a--sh--- c:\windows\system32\nodedeje.dll
2008-12-18 18:31 96,921 a--sh--- c:\windows\system32\fefiweta.dll
2008-12-03 19:52 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 19:52 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-04-19 12:34 32 a---h--- c:\docume~1\alluse~1\applic~1\ezsid.dat
2003-03-31 05:00 94,784 ---sh--- c:\windows\twain.dll
2004-08-04 00:56 50,688 ---sh--- c:\windows\twain_32.dll
2008-09-25 13:06 80,896 a--sh--- c:\windows\system32\bisepufi.dll
2008-09-29 10:58 62,118 a--sh--- c:\windows\system32\fugafizu.dll
2008-09-29 10:58 93,184 a--sh--- c:\windows\system32\hukibopa.dll
2008-09-23 17:57 74,752 a--sh--- c:\windows\system32\kizosewa.dll
2004-08-04 00:56 1,028,096 ---sh--- c:\windows\system32\mfc42.dll
2004-08-04 00:56 54,784 ---sh--- c:\windows\system32\msvcirt.dll
2004-08-04 00:56 343,040 a--sh--- c:\windows\system32\msvcrt.dll
2008-09-25 13:06 63,259 a--sh--- c:\windows\system32\nefilepu.dll
2004-08-04 00:56 553,472 a--sh--- c:\windows\system32\oleaut32.dll
2004-08-04 00:56 83,456 a--sh--- c:\windows\system32\olepro32.dll
2004-08-04 00:56 11,776 ---sh--- c:\windows\system32\regsvr32.exe
2008-09-27 18:43 2,048 a--sh--- c:\windows\system32\rohitelu.dll
2008-09-29 10:58 62,118 a--sh--- c:\windows\system32\seretisa.dll
2008-09-29 10:58 62,118 a--sh--- c:\windows\system32\vasidifu.dll

============= FINISH: 13:22:34.50 ===============

and I will attach the ATTACH log

BTW, I UNINSTALLED Spybot and PCTOOLS to be sure they were not running at all...

and this was the error report I got during the ComboFix run:


Microsoft ® Windows Debugger Version 6.9.0003.113 X86
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Documents and Settings\Chris\Desktop\Mini111508-59.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_gdr.050301-1519
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a420
Debug session time: Sat Nov 15 17:46:05.484 2008 (GMT-7)
System Uptime: 0 days 0:01:13.065
Loading Kernel Symbols
.......................................................................................................................
Loading User Symbols
Loading unloaded module list
.....
Unable to load image ef915411.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ef915411.sys
*** ERROR: Module load completed but symbols could not be loaded for ef915411.sys
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, 80565579, badc3c8c, 0}

Probably caused by : ef915411.sys ( ef915411+92ad )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 80565579, The address that the exception occurred at
Arg3: badc3c8c, Trap Frame
Arg4: 00000000

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
nt!ProbeForWrite+39
80565579 8a06 mov al,byte ptr [esi]

TRAP_FRAME: badc3c8c -- (.trap 0xffffffffbadc3c8c)
ErrCode = 00000000
eax=00c53000 ebx=80565540 ecx=00001000 edx=fffff000 esi=000003e8 edi=00c53000
eip=80565579 esp=badc3d00 ebp=badc3d08 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
nt!ProbeForWrite+0x39:
80565579 8a06 mov al,byte ptr [esi] ds:0023:000003e8=??
Resetting default scope

CUSTOMER_CRASH_COUNT: 59

DEFAULT_BUCKET_ID: COMMON_SYSTEM_FAULT

BUGCHECK_STR: 0x8E

PROCESS_NAME: services.exe

LAST_CONTROL_TRANSFER: from f6ac42ad to 80565579

STACK_TEXT:
badc3d08 f6ac42ad 000003e8 00c521c8 00000001 nt!ProbeForWrite+0x39
WARNING: Stack unwind information not available. Following frames may be wrong.
badc3d48 804de7ec 00e4ff0c dc17e241 00000000 ef915411+0x92ad
badc3d48 7c90eb94 00e4ff0c dc17e241 00000000 nt!KiFastCallEntry+0xf8
00e4ff20 00000000 00000000 00000000 00000000 0x7c90eb94


STACK_COMMAND: kb

FOLLOWUP_IP:
ef915411+92ad
f6ac42ad ?? ???

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: ef915411+92ad

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: ef915411

IMAGE_NAME: ef915411.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 488eee22

FAILURE_BUCKET_ID: 0x8E_ef915411+92ad

BUCKET_ID: 0x8E_ef915411+92ad

Followup: MachineOwner
---------

kd> lmvm ef915411
start end module name
f6abb000 f6acb200 ef915411 T (no symbols)
Loaded symbol image file: ef915411.sys
Image path: ef915411.sys
Image name: ef915411.sys
Timestamp: Tue Jul 29 04:17:06 2008 (488EEE22)
CheckSum: 00025889
ImageSize: 00010200
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0


End of file - 8773 bytes

I also ran

Game Researcher and Designer
http://3dworldandgamedevelopers.blogspot.com//
Admin
3D Worlds and Game Developers Group Linkedin
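A triage script, added here as an example (it is not code from the thread, DDS, HijackThis or OTMoveIt), that encodes the patterns the DDS log above shows: rundll32 load points calling a one-letter export of an eight-letter consonant/vowel DLL under system32, the same names reused in AppInit_DLLs, SSODL, SharedTaskScheduler and LSA Notification Packages, a per-user Run value launching a binary from system32, and hidden+system attributes on files under system32. The sample lines are constructed from entries in the post; the heuristics and thresholds are assumptions, not DDS rules.

```python
"""Triage of DDS 'Pseudo HJT Report', 'Created Last 30' and 'Find3M' lines.

Added example; not code from DDS, HijackThis, OTMoveIt or BleepingComputer.
Every heuristic below is an assumption drawn from the shapes seen in this
thread's log, not a rule shipped with any of those tools.
"""
import re
from typing import Dict, List

# Eight-letter names made of four consonant/vowel pairs (nimuhoke, vanabesa, ...)
CV_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}$")
# rundll32 invoking a DLL with a single-letter export name ("...\x.dll",b)
RUNDLL_SHORT_EXPORT = re.compile(r'rundll32\.exe\s+"?([^",]+\.dll)"?,\s*[a-z]\s*$', re.I)
# Any module under system32 (or system32\drivers); group 1 = path, group 2 = basename
SYS32_MODULE = re.compile(
    r"(c:\\windows\\system32\\(?:drivers\\)?([a-z0-9_]+)\.(?:dll|exe|sys))", re.I)
# DDS file listing entry: date time size attributes path
FILE_ENTRY = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} [\d,]+ ([a-z-]{8}) (.+)$", re.I)
# Load points where an unfamiliar DLL deserves a second look
PRIVILEGED_LOAD_POINTS = ("AppInit_DLLs:", "SSODL:", "STS:", "LSA:")

# Constructed sample, modelled on entries in the DDS log in this thread
SAMPLE_LINES = [
    'mRun: [NvCplDaemon] RUNDLL32.EXE c:\\windows\\system32\\NvCpl.dll,NvStartup',
    'mRun: [8c020bd0] rundll32.exe "c:\\windows\\system32\\nimuhoke.dll",b',
    'mRun: [kofohoriti] Rundll32.exe "c:\\windows\\system32\\fugafizu.dll",s',
    'uRun: [MSMSGS] "c:\\program files\\messenger\\msmsgs.exe" /background',
    'uRun: [ieupdate] "c:\\windows\\system32\\explorer32.exe"',
    'AppInit_DLLs: c:\\windows\\system32\\vanabesa.dll,c:\\windows\\system32\\vasidifu.dll',
    'SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\\windows\\system32\\vanabesa.dll',
    'LSA: Notification Packages = scecli c:\\windows\\system32\\vasidifu.dll',
    '2008-12-29 10:58 62,118 a--sh--- c:\\windows\\system32\\futajido.dll',
    '2004-08-04 00:56 343,040 a--sh--- c:\\windows\\system32\\msvcrt.dll',
    '2008-12-03 19:52 38,496 a------- c:\\windows\\system32\\drivers\\mbam.sys',
]


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Return {lower-cased path: [reasons]} for every module a heuristic flags."""
    findings: Dict[str, List[str]] = {}

    def flag(path: str, reason: str) -> None:
        reasons = findings.setdefault(path.lower(), [])
        if reason not in reasons:
            reasons.append(reason)

    for raw in lines:
        line = raw.strip()
        modules = SYS32_MODULE.findall(line)

        # 1. Generated-looking basename anywhere on the line
        for path, base in modules:
            if CV_NAME.match(base.lower()):
                flag(path, "generated-looking 8-letter name")

        # 2. rundll32 calling a one-letter export
        m = RUNDLL_SHORT_EXPORT.search(line)
        if m:
            flag(m.group(1), "rundll32 single-letter export")

        # 3. DLL pulled in through a privileged load point
        if line.startswith(PRIVILEGED_LOAD_POINTS):
            load_point = line.split(":", 1)[0]
            for path, _ in modules:
                flag(path, f"loaded via {load_point}")

        # 4. Per-user Run value launching a binary out of system32
        if line.startswith("uRun:"):
            for path, _ in modules:
                flag(path, "per-user Run value launching from system32")

        # 5. Hidden+system attributes on a file listing entry
        fm = FILE_ENTRY.match(line)
        if fm:
            attrs, path = fm.groups()
            if "s" in attrs.lower() and "h" in attrs.lower():
                flag(path, "hidden+system attributes")

    return findings


def suspicious_paths(lines: List[str]) -> List[str]:
    """Sorted unique paths that at least one heuristic flagged."""
    return sorted(triage(lines))


if __name__ == "__main__":
    for path, reasons in sorted(triage(SAMPLE_LINES).items()):
        print(f"{path}\n    " + "\n    ".join(reasons))
```

A legitimate file with tampered attributes (the msvcrt.dll entry) is reported only for its attributes, so the reason list, not the mere presence of a path, is what to read before deciding anything about a file.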

#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:03:22 PM

Posted 05 January 2009 - 11:08 PM

Uninstall Spybot - Search & Destroy 1.4 and SmartShopper first, then do below..


Please re-open HijackThis and click on Do a system scan only. Check the boxes next to all the entries listed below.

R3 - URLSearchHook: (no name) - ~EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - ~E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - (no file)
R3 - URLSearchHook: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\Christopher\Local Settings\Application Data\CyberDefender\cdmyidd.dll
O2 - BHO: &Research - {037c7b8a-151a-49e6-baed-cc05fcb50328} - C:\WINDOWS\system32\winsrc.dll
O2 - BHO: Smart-Shopper - {4a7c84e2-e95c-43c6-8dd3-03abcd0eb60e} - C:\Program Files\Smart-Shopper\Bin\2.5.1\Smrt-Shpr.dll
O2 - BHO: MyIdentityDefender - {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - C:\Documents and Settings\Christopher\Local Settings\Application Data\CyberDefender\cdmyidd.dll
O2 - BHO: (no name) - {a448229b-daec-43bf-a9e0-73f3b749b8fb} - C:\WINDOWS\system32\seretisa.dll
O3 - Toolbar: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\Christopher\Local Settings\Application Data\CyberDefender\cdmyidd.dll
O4 - HKLM\..\Run: [8c020bd0] rundll32.exe "C:\WINDOWS\system32\nimuhoke.dll",b
O4 - HKLM\..\Run: [CPM8f31384c] Rundll32.exe "c:\windows\system32\vanabesa.dll",a
O4 - HKLM\..\Run: [kofohoriti] Rundll32.exe "C:\WINDOWS\system32\fugafizu.dll",s
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [ieupdate] "C:\WINDOWS\system32\explorer32.exe"
O9 - Extra button: SmartShopper - Compare product prices - {3cc3d8fe-f0e0-4dd1-a69a-8c56bcc7bebf} - C:\Program Files\Smart-Shopper\Bin\2.5.1\Smrt-Shpr.dll
O9 - Extra button: SmartShopper - Compare travel rates - {3cc3d8fe-f0e0-4dd1-a69a-8c56bcc7bec0} - C:\Program Files\Smart-Shopper\Bin\2.5.1\Smrt-Shpr.dll
O20 - AppInit_DLLs: c:\windows\system32\vanabesa.dll,C:\WINDOWS\system32\vasidifu.dll
O21 - SSODL: UkBkrsMHGwok - {8C020B80-26A8-A12A-1AC4-6F008F970892} - C:\WINDOWS\system32\xhxkgj.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vanabesa.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vanabesa.dll


Now close all windows other than HijackThis, then click Fix checked. Close HijackThis.




NEXT


Please download the OTMoveIt3 by OldTimer
  • Save it to your Desktop.
  • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Let the Unregister Dll's and Ocx's remain ticked and Zip Files After Moves remain unticked..
  • Copy the codebox contents and paste it to the "Paste List of Files/Folders to Move" window (under the light Yellow bar)

    :processes
    explorer.exe
    
    :services
    sysrest.sys
    
    :files
    C:\Documents and Settings\Christopher\Local Settings\Application Data\CyberDefender
    C:\WINDOWS\system32\winsrc.dll
    C:\WINDOWS\system32\seretisa.dll
    C:\WINDOWS\system32\nimuhoke.dll
    c:\windows\system32\vanabesa.dll
    C:\WINDOWS\system32\fugafizu.dll
    C:\WINDOWS\system32\vasidifu.dll
    C:\WINDOWS\system32\xhxkgj.dll
    c:\windows\system32\ekohumin.ini
    c:\windows\system32\aguyalow.ini
    c:\windows\system32\ibiyuloh.ini
    c:\windows\system32\orumohuw.ini
    c:\windows\system32\drivers\irmcwvco.sys
    c:\windows\system32\uzolesoh.ini
    c:\windows\system32\ejipipay.ini
    c:\windows\system32\opumuyep.ini
    c:\windows\system32\winsrc.dll.tmp
    c:\windows\system32\ewumuvip.ini
    c:\windows\system32\winsrc.dll
    c:\windows\system32\explorer32.exe
    c:\windows\system32\ometelos.ini
    c:\windows\system32\drivers\ef915411.sys
    c:\windows\system32\futajido.dll
    c:\windows\system32\vanabesa.dll
    c:\windows\system32\nimuhoke.dll
    c:\windows\system32\fusigagi.dll
    c:\windows\system32\wolayuga.dll
    c:\windows\system32\pinoteye.dll
    c:\windows\system32\mofebese.dll
    c:\windows\system32\nevihezu.dll
    c:\windows\system32\joduharu.dll
    c:\windows\system32\wuhomuro.dll
    c:\windows\system32\zavidegu.dll
    c:\windows\system32\hoselozu.dll
    c:\windows\system32\wedusoha.dll
    c:\windows\system32\tefifohi.dll
    c:\windows\system32\yapipije.dll
    c:\windows\system32\zakanilu.dll
    c:\windows\system32\peyumupo.dll
    c:\windows\system32\yunukino.dll
    c:\windows\system32\pivumuwe.dll
    c:\windows\system32\dasofupu.dll
    c:\windows\system32\nanemefu.dll
    c:\windows\system32\soletemo.dll
    c:\windows\system32\hujepaka.dll
    c:\windows\system32\gozomose.dll
    c:\windows\system32\luyehaya.dll
    c:\windows\system32\dewulale.dll
    c:\windows\system32\nodedeje.dll
    c:\windows\system32\fefiweta.dll
    c:\windows\system32\bisepufi.dll
    c:\windows\system32\fugafizu.dll
    c:\windows\system32\hukibopa.dll
    c:\windows\system32\kizosewa.dll
    c:\windows\system32\mfc42.dll
    c:\windows\system32\msvcirt.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\nefilepu.dll
    c:\windows\system32\oleaut32.dll
    c:\windows\system32\olepro32.dll
    c:\windows\system32\regsvr32.exe
    c:\windows\system32\rohitelu.dll
    c:\windows\system32\seretisa.dll
    c:\windows\system32\vasidifu.dll
    c:\windows\system32\sysrest.sys
    
    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



NEXT


Delete your version of ComboFix and download a new one from below..

Link 1
Link 2
Link 3

During the download, rename Combofix to Combo-Fix as follows:



If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

Run Combo-Fix and post the log here..


Post these logs in your next reply..

1. OTMoveIt3
2. Combo-Fix
3. A fresh HijackThis log (after Combo-Fix step)

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 CrisGer

CrisGer
  • Topic Starter

  • Members
  • 306 posts
  • OFFLINE
  • Gender:Male
  • Location:Colorado and California
  • Local time:12:22 AM

Posted 06 January 2009 - 04:56 AM

Scans run and logs posted below.

I deleted Spybot and SmartShopper, and I deleted AVG 7.5 two months ago, but there is one DLL that I can't delete, so ComboFix thought it was running.

I was not able to install the console that ComboFix wanted because I could not get online with the infected computer.

Also, another note, I was still NOT able to install Malwarebytes' Anti-Malware; I tried to install it after the second HijackThis scan and it won't run, possibly because I am not online :thumbsup:

Here are the logs requested:

OTMoveIT LOG:

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
Service sysrest.sys stopped successfully.
Service sysrest.sys deleted successfully.
========== FILES ==========
File/Folder C:\Documents and Settings\Christopher\Local Settings\Application Data\CyberDefender not found.
File/Folder C:\WINDOWS\system32\winsrc.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\seretisa.dll
C:\WINDOWS\system32\seretisa.dll NOT unregistered.
C:\WINDOWS\system32\seretisa.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\nimuhoke.dll
C:\WINDOWS\system32\nimuhoke.dll NOT unregistered.
C:\WINDOWS\system32\nimuhoke.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\vanabesa.dll
c:\windows\system32\vanabesa.dll NOT unregistered.
c:\windows\system32\vanabesa.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\fugafizu.dll
C:\WINDOWS\system32\fugafizu.dll NOT unregistered.
C:\WINDOWS\system32\fugafizu.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\vasidifu.dll
C:\WINDOWS\system32\vasidifu.dll NOT unregistered.
C:\WINDOWS\system32\vasidifu.dll moved successfully.
File/Folder C:\WINDOWS\system32\xhxkgj.dll not found.
c:\windows\system32\ekohumin.ini moved successfully.
c:\windows\system32\aguyalow.ini moved successfully.
c:\windows\system32\ibiyuloh.ini moved successfully.
c:\windows\system32\orumohuw.ini moved successfully.
File/Folder c:\windows\system32\drivers\irmcwvco.sys not found.
c:\windows\system32\uzolesoh.ini moved successfully.
c:\windows\system32\ejipipay.ini moved successfully.
c:\windows\system32\opumuyep.ini moved successfully.
c:\windows\system32\winsrc.dll.tmp moved successfully.
c:\windows\system32\ewumuvip.ini moved successfully.
File/Folder c:\windows\system32\winsrc.dll not found.
c:\windows\system32\explorer32.exe moved successfully.
c:\windows\system32\ometelos.ini moved successfully.
File move failed. c:\windows\system32\drivers\ef915411.sys scheduled to be moved on reboot.
DllUnregisterServer procedure not found in c:\windows\system32\futajido.dll
c:\windows\system32\futajido.dll NOT unregistered.
c:\windows\system32\futajido.dll moved successfully.
File/Folder c:\windows\system32\vanabesa.dll not found.
File/Folder c:\windows\system32\nimuhoke.dll not found.
DllUnregisterServer procedure not found in c:\windows\system32\fusigagi.dll
c:\windows\system32\fusigagi.dll NOT unregistered.
c:\windows\system32\fusigagi.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\wolayuga.dll
c:\windows\system32\wolayuga.dll NOT unregistered.
c:\windows\system32\wolayuga.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\pinoteye.dll
c:\windows\system32\pinoteye.dll NOT unregistered.
c:\windows\system32\pinoteye.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\mofebese.dll
c:\windows\system32\mofebese.dll NOT unregistered.
c:\windows\system32\mofebese.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\nevihezu.dll
c:\windows\system32\nevihezu.dll NOT unregistered.
c:\windows\system32\nevihezu.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\joduharu.dll
c:\windows\system32\joduharu.dll NOT unregistered.
c:\windows\system32\joduharu.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\wuhomuro.dll
c:\windows\system32\wuhomuro.dll NOT unregistered.
c:\windows\system32\wuhomuro.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\zavidegu.dll
c:\windows\system32\zavidegu.dll NOT unregistered.
c:\windows\system32\zavidegu.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\hoselozu.dll
c:\windows\system32\hoselozu.dll NOT unregistered.
c:\windows\system32\hoselozu.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\wedusoha.dll
c:\windows\system32\wedusoha.dll NOT unregistered.
c:\windows\system32\wedusoha.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\tefifohi.dll
c:\windows\system32\tefifohi.dll NOT unregistered.
c:\windows\system32\tefifohi.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\yapipije.dll
c:\windows\system32\yapipije.dll NOT unregistered.
c:\windows\system32\yapipije.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\zakanilu.dll
c:\windows\system32\zakanilu.dll NOT unregistered.
c:\windows\system32\zakanilu.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\peyumupo.dll
c:\windows\system32\peyumupo.dll NOT unregistered.
c:\windows\system32\peyumupo.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\yunukino.dll
c:\windows\system32\yunukino.dll NOT unregistered.
c:\windows\system32\yunukino.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\pivumuwe.dll
c:\windows\system32\pivumuwe.dll NOT unregistered.
c:\windows\system32\pivumuwe.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\dasofupu.dll
c:\windows\system32\dasofupu.dll NOT unregistered.
c:\windows\system32\dasofupu.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\nanemefu.dll
c:\windows\system32\nanemefu.dll NOT unregistered.
c:\windows\system32\nanemefu.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\soletemo.dll
c:\windows\system32\soletemo.dll NOT unregistered.
c:\windows\system32\soletemo.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\hujepaka.dll
c:\windows\system32\hujepaka.dll NOT unregistered.
c:\windows\system32\hujepaka.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\gozomose.dll
c:\windows\system32\gozomose.dll NOT unregistered.
c:\windows\system32\gozomose.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\luyehaya.dll
c:\windows\system32\luyehaya.dll NOT unregistered.
c:\windows\system32\luyehaya.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\dewulale.dll
c:\windows\system32\dewulale.dll NOT unregistered.
c:\windows\system32\dewulale.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\nodedeje.dll
c:\windows\system32\nodedeje.dll NOT unregistered.
c:\windows\system32\nodedeje.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\fefiweta.dll
c:\windows\system32\fefiweta.dll NOT unregistered.
c:\windows\system32\fefiweta.dll moved successfully.
LoadLibrary failed for c:\windows\system32\bisepufi.dll
c:\windows\system32\bisepufi.dll NOT unregistered.
c:\windows\system32\bisepufi.dll moved successfully.
File/Folder c:\windows\system32\fugafizu.dll not found.
LoadLibrary failed for c:\windows\system32\hukibopa.dll
c:\windows\system32\hukibopa.dll NOT unregistered.
c:\windows\system32\hukibopa.dll moved successfully.
LoadLibrary failed for c:\windows\system32\kizosewa.dll
c:\windows\system32\kizosewa.dll NOT unregistered.
c:\windows\system32\kizosewa.dll moved successfully.
c:\windows\system32\mfc42.dll unregistered successfully.
c:\windows\system32\mfc42.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\msvcirt.dll
c:\windows\system32\msvcirt.dll NOT unregistered.
c:\windows\system32\msvcirt.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\msvcrt.dll
c:\windows\system32\msvcrt.dll NOT unregistered.
c:\windows\system32\msvcrt.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\nefilepu.dll
c:\windows\system32\nefilepu.dll NOT unregistered.
c:\windows\system32\nefilepu.dll moved successfully.
c:\windows\system32\oleaut32.dll NOT unregistered.
c:\windows\system32\oleaut32.dll moved successfully.
c:\windows\system32\olepro32.dll unregistered successfully.
c:\windows\system32\olepro32.dll moved successfully.
c:\windows\system32\regsvr32.exe moved successfully.
LoadLibrary failed for c:\windows\system32\rohitelu.dll
c:\windows\system32\rohitelu.dll NOT unregistered.
c:\windows\system32\rohitelu.dll moved successfully.
File/Folder c:\windows\system32\seretisa.dll not found.
File/Folder c:\windows\system32\vasidifu.dll not found.
File/Folder c:\windows\system32\sysrest.sys not found.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_660.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01062009_004219

Files moved on Reboot...
File move failed. c:\windows\system32\drivers\ef915411.sys scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_660.dat not found!

Then after I did that scan and started up the system, I got errors on screen that said:

Error loading c:\windows\system32\vanabesa.dll
The Specified module could not be found

Error Loading C:\WINDOWS\system32\fugafizu.dll
The specified module could not be found.

ComboFix log

ComboFix 09-01-05.05 - Christopher 2009-01-06 2:17:55.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.361 [GMT -7:00]
Running from: c:\documents and settings\Christopher\Desktop\Combo-Fix.exe
AV: AVG 7.5.524 *On-access scanning enabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\drivers\ef915411.sys
c:\windows\system32\drivers\TDSSmaxt.sys
c:\windows\system32\TDSScfub.dll
c:\windows\system32\TDSSfpmp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSoeqh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSrhym.log
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSsbhc.dll
c:\windows\system32\TDSStkdv.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_tdssserv.sys
-------\Legacy_tdssserv.sys
-------\Legacy_VFILT
-------\Service_ef915411
-------\Service_vfilt


((((((((((((((((((((((((( Files Created from 2008-12-06 to 2009-01-06 )))))))))))))))))))))))))))))))
.

2009-01-06 00:46 . 2009-01-06 02:22 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-06 00:46 . 2009-01-06 02:15 1,409 --a------ c:\windows\QTFont.for
2009-01-06 00:42 . 2009-01-06 00:42 <DIR> d----c--- C:\_OTMoveIt
2009-01-05 13:17 . 2009-01-05 13:17 <DIR> d-------- c:\program files\Cobian Backup 8
2008-12-26 13:49 . 2008-12-26 13:49 0 --a------ c:\windows\nsreg.dat
2008-12-20 07:03 . 2008-12-20 07:03 105 --a------ c:\windows\wininit.ini
2008-12-19 10:59 . 2008-12-19 10:58 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-19 09:26 . 2008-12-19 09:26 61,440 --a------ c:\windows\system32\drivers\hwwm.sys
2008-12-18 18:35 . 2009-01-06 00:30 <DIR> d-------- c:\program files\Smart-Shopper
2008-12-18 18:27 . 1994-10-04 11:42 54,112 -----c--- C:\adinekir.ttf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-05 20:34 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-05 20:05 --------- d--ha-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-28 21:50 --------- d-----w c:\program files\Google
2008-12-20 14:48 --------- d--h--w c:\documents and settings\Christopher\Application Data\AdobeUM
2008-12-19 17:57 --------- d-----w c:\program files\Java
2008-12-04 02:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 02:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-11-27 17:32 --------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-27 17:32 --------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-04-19 19:34 32 ---h--w c:\documents and settings\All Users\Application Data\ezsid.dat
2003-03-31 12:00 94,784 --sh--w c:\windows\twain.dll
2004-08-04 07:56 50,688 --sh--w c:\windows\twain_32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-19 136600]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2005-12-10 7311360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-04-22 77824]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2005-12-10 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Cobian Backup 8 interface"="c:\program files\Cobian Backup 8\cbInterface.exe" [2007-09-27 2425856]
"nwiz"="nwiz.exe" [2005-12-10 c:\windows\system32\nwiz.exe]

c:\documents and settings\Christopher\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-01-15 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-01-15 113664]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-01-15 81920]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll schannel.dll digest.dll msnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Photodex\\ProShowGold\\scsiaccess.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jqs.exe"=

S3 adblock.dll;Outpost Firewall PlugIn (ADBLOCK.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\ADBLOCK.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\ADBLOCK.DLL [?]
S3 cdavfs;CDAVFS;c:\windows\system32\DRIVERS\CDAVFS.sys --> c:\windows\system32\DRIVERS\CDAVFS.sys [?]
S3 content.dll;Outpost Firewall PlugIn (CONTENT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\CONTENT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\CONTENT.DLL [?]
S3 dnscache.dll;Outpost Firewall PlugIn (DNSCACHE.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\DNSCACHE.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\DNSCACHE.DLL [?]
S3 ftpfilt.dll;Outpost Firewall PlugIn (FTPFILT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\FTPFILT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\FTPFILT.DLL [?]
S3 htmlfilt.dll;Outpost Firewall PlugIn (HTMLFILT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\HTMLFILT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\HTMLFILT.DLL [?]
S3 httpfilt.dll;Outpost Firewall PlugIn (HTTPFILT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\HTTPFILT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\HTTPFILT.DLL [?]
S3 imapfilt.dll;Outpost Firewall PlugIn (IMAPFILT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\IMAPFILT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\IMAPFILT.DLL [?]
S3 mailfilt.dll;Outpost Firewall PlugIn (MAILFILT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\MAILFILT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\MAILFILT.DLL [?]
S3 nntpfilt.dll;Outpost Firewall PlugIn (NNTPFILT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\NNTPFILT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\NNTPFILT.DLL [?]
S3 pop3filt.dll;Outpost Firewall PlugIn (POP3FILT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\POP3FILT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\POP3FILT.DLL [?]
S3 protect.dll;Outpost Firewall PlugIn (PROTECT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\PROTECT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\PROTECT.DLL [?]
.
Contents of the 'Scheduled Tasks' folder

2008-12-20 c:\windows\Tasks\rpc.job
- c:\program files\Winferno\RegistryPowerCleaner\RegPowerClean.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{a448229b-daec-43bf-a9e0-73f3b749b8fb} - c:\windows\system32\seretisa.dll
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
HKLM-Run-AVG7_CC - c:\progra~1\Grisoft\AVG7\avgcc.exe
HKLM-Run-OutpostFeedBack - c:\progra~1\Agnitum\OUTPOS~1.0\feedback.exe
HKLM-Run-Outpost Firewall - c:\program files\Agnitum\Outpost Firewall 1.0\outpost.exe
HKLM-Run-CPM8f31384c - c:\windows\system32\vanabesa.dll
HKLM-Run-kofohoriti - c:\windows\system32\fugafizu.dll
HKU-Default-Run-AVG7_Run - c:\progra~1\Grisoft\AVG7\avgw.exe
SharedTaskScheduler-{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vanabesa.dll


.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Christopher\Application Data\Mozilla\Firefox\Profiles\1dtlhf2p.default\
FF - plugin: c:\documents and settings\Christopher\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Yahoo!\Common\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-06 02:22:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Cobian Backup 8\cbService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Photodex\ProShowGold\scsiaccess.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-06 2:25:29 - machine was rebooted [Christopher]
ComboFix-quarantined-files.txt 2009-01-06 09:25:26

Pre-Run: 6,048,735,232 bytes free
Post-Run: 5,982,732,288 bytes free

154

HijackThis Log after ComboFix

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:30:57 AM, on 1/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cobian Backup 8\cbService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Cobian Backup 8 interface] "C:\Program Files\Cobian Backup 8\cbInterface.exe" -service
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {42FDC231-A411-45F8-B8B6-3B5026111DA8} (SolitaireRush Control) - http://www.worldwinner.com/games/v47/solit...litairerush.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {61900274-3323-4446-BDCD-91548D32AF1B} (SpiderSolitaire Control) - http://www.worldwinner.com/games/v56/spide...ersolitaire.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (file missing)
O23 - Service: Cobian Backup 8 service (cobbmservice) - Luis Cobian - C:\Program Files\Cobian Backup 8\cbService.exe
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (outpostfirewall) - Unknown owner - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe (file missing)
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

--
End of file - 5863 bytes

Thank you very much for your help.

Edited by CrisGer, 06 January 2009 - 04:58 AM.

Game Researcher and Designer
http://3dworldandgamedevelopers.blogspot.com//
Admin
3D Worlds and Game Developers Group Linkedin
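The HijackThis log above is read by hand in this thread. As an added example (not code from the thread, from Trend Micro, or from any tool mentioned here), the Python script below parses HijackThis v2 item lines and applies the same first-pass checks a helper applies when reading such a log: entries marked "(file missing)", O10 Winsock LSP providers that HijackThis did not recognise, O23 services with no recorded publisher, and running processes launched from a temp directory. The sample log is constructed from lines posted in this thread; the flag names, the regular expressions and the heuristics are this example's own assumptions, not HijackThis's.

```python
"""Triage helper for HijackThis v2 log text (added example, not from the thread)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One HijackThis item line, e.g. "O4 - HKLM\..\Run: [nwiz] nwiz.exe /install"
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")
# First Windows path ending in an executable-style extension inside the body
PATH_RE = re.compile(r"[A-Za-z]:\\[^\r\n\"]*?\.(?:exe|dll|sys|job|lnk)\b", re.IGNORECASE)


@dataclass
class Entry:
    kind: str                 # section code such as "O4" or "O23"
    body: str                 # text after "Onn - "
    path: Optional[str]       # first file path found in the body, if any
    flags: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Return an Entry for an item line, or None for headers, blank lines, etc."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    pm = PATH_RE.search(body)
    return Entry(kind=m.group("kind"), body=body, path=pm.group(0) if pm else None)


def flag_entry(e: Entry) -> List[str]:
    """First-pass checks; flag names are this example's own, not HijackThis's."""
    flags = []
    low = e.body.lower()
    if "(file missing)" in low:
        flags.append("stale: target file is gone, leftover autostart or service entry")
    if e.kind == "O10":
        flags.append("winsock-lsp: provider not in HijackThis's known list, verify publisher")
    if e.kind == "O23" and "unknown owner" in low:
        flags.append("service: no publisher recorded for the service binary")
    if e.path and "\\temp\\" in e.path.lower():
        flags.append("temp-path: autostart target lives in a temp directory")
    return flags


def triage(log_text: str) -> List[Entry]:
    """Parse every item line in the log and attach its flags."""
    entries = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is not None:
            e.flags = flag_entry(e)
            entries.append(e)
    return entries


def flagged(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.flags]


def counts_by_section(entries: List[Entry]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.kind] = counts.get(e.kind, 0) + 1
    return counts


def running_processes(log_text: str) -> List[str]:
    """Paths listed under 'Running processes:' up to the first blank line."""
    procs, in_block = [], False
    for line in log_text.splitlines():
        s = line.strip()
        if s.lower() == "running processes:":
            in_block = True
            continue
        if in_block:
            if not s:
                break
            procs.append(s)
    return procs


def processes_from_temp(log_text: str) -> List[str]:
    """Running processes whose image path is under a temp directory."""
    return [p for p in running_processes(log_text) if "\\temp\\" in p.lower()]


# Constructed sample: a handful of lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\WINDOWS\System32\smss.exe
C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    items = triage(SAMPLE_LOG)
    print("entries per section:", counts_by_section(items))
    for e in flagged(items):
        print(e.kind, e.path, "->", "; ".join(e.flags))
    print("processes from temp:", processes_from_temp(SAMPLE_LOG))
```

Run on the sample, the script flags the stale Outpost O9 button, the O10 LSP entry, and the AVG O23 service (both stale and without a publisher), and it reports HijackThis.exe itself as the one process running from a temp directory, which matches the thread: the poster ran HijackThis straight from the zip's temporary extraction folder. The flags are prompts for a human to check, not verdicts; the unknown LSP in this log, for instance, is a NetWare provider that ships with Windows.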

#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:03:22 PM

Posted 06 January 2009 - 06:00 AM

Just to double-confirm with you.. Do you still use these programs?

1. AVG7.5
2. Outpost Firewall


In the meantime, let's do this...


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
c:\windows\system32\drivers\hwwm.sys
c:\windows\Tasks\rpc.job

Folder::
c:\program files\Smart-Shopper
c:\program files\Winferno

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 CrisGer

CrisGer
  • Topic Starter

  • Members
  • 306 posts
  • Gender:Male
  • Location:Colorado and California
  • Local time:12:22 AM

Posted 06 January 2009 - 01:30 PM

No, Outpost and AVG 7.5 have both been deleted from the system. But there is one DLL from AVG that I can't delete, and ComboFix kept saying it is in there... I can't see it on the program list or in the Program Files folders... is there some way it can be running and hidden?

Same on Outpost, I deleted it two months ago.

I will run new cleaners and get logs.

#8 CrisGer

CrisGer
  • Topic Starter

  • Members
  • 306 posts
  • Gender:Male
  • Location:Colorado and California
  • Local time:12:22 AM

Posted 06 January 2009 - 02:19 PM

ComboFix Log after Kill

ComboFix 09-01-05.05 - Christopher 2009-01-06 11:50:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.296 [GMT -7:00]
Running from: c:\documents and settings\Christopher\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Christopher\Desktop\CFScript.txt
AV: AVG 7.5.524 *On-access scanning enabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\drivers\hwwm.sys
c:\windows\Tasks\rpc.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Smart-Shopper
c:\windows\system32\drivers\hwwm.sys
c:\windows\Tasks\rpc.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VFILT


((((((((((((((((((((((((( Files Created from 2008-12-06 to 2009-01-06 )))))))))))))))))))))))))))))))
.

2009-01-06 00:46 . 2009-01-06 11:53 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-06 00:46 . 2009-01-06 02:25 1,409 --a------ c:\windows\QTFont.for
2009-01-06 00:42 . 2009-01-06 00:42 <DIR> d----c--- C:\_OTMoveIt
2009-01-05 13:17 . 2009-01-05 13:17 <DIR> d-------- c:\program files\Cobian Backup 8
2008-12-26 13:49 . 2008-12-26 13:49 0 --a------ c:\windows\nsreg.dat
2008-12-20 07:03 . 2008-12-20 07:03 105 --a------ c:\windows\wininit.ini
2008-12-19 10:59 . 2008-12-19 10:58 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-18 18:27 . 1994-10-04 11:42 54,112 -----c--- C:\adinekir.ttf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-05 20:34 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-05 20:05 --------- d--ha-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-28 21:50 --------- d-----w c:\program files\Google
2008-12-20 14:48 --------- d--h--w c:\documents and settings\Christopher\Application Data\AdobeUM
2008-12-19 17:57 --------- d-----w c:\program files\Java
2008-12-04 02:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 02:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-11-27 17:32 --------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-27 17:32 --------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-04-19 19:34 32 ---h--w c:\documents and settings\All Users\Application Data\ezsid.dat
2003-03-31 12:00 94,784 --sh--w c:\windows\twain.dll
2004-08-04 07:56 50,688 --sh--w c:\windows\twain_32.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-06_ 2.24.09.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-06 18:53:41 16,384 ----atw c:\windows\temp\Perflib_Perfdata_52c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-19 136600]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2005-12-10 7311360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-04-22 77824]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2005-12-10 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Cobian Backup 8 interface"="c:\program files\Cobian Backup 8\cbInterface.exe" [2007-09-27 2425856]
"nwiz"="nwiz.exe" [2005-12-10 c:\windows\system32\nwiz.exe]

c:\documents and settings\Christopher\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-01-15 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-01-15 113664]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-01-15 81920]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll schannel.dll digest.dll msnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Photodex\\ProShowGold\\scsiaccess.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jqs.exe"=

S3 adblock.dll;Outpost Firewall PlugIn (ADBLOCK.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\ADBLOCK.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\ADBLOCK.DLL [?]
S3 cdavfs;CDAVFS;c:\windows\system32\DRIVERS\CDAVFS.sys --> c:\windows\system32\DRIVERS\CDAVFS.sys [?]
S3 content.dll;Outpost Firewall PlugIn (CONTENT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\CONTENT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\CONTENT.DLL [?]
S3 dnscache.dll;Outpost Firewall PlugIn (DNSCACHE.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\DNSCACHE.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\DNSCACHE.DLL [?]
S3 ftpfilt.dll;Outpost Firewall PlugIn (FTPFILT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\FTPFILT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\FTPFILT.DLL [?]
S3 htmlfilt.dll;Outpost Firewall PlugIn (HTMLFILT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\HTMLFILT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\HTMLFILT.DLL [?]
S3 httpfilt.dll;Outpost Firewall PlugIn (HTTPFILT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\HTTPFILT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\HTTPFILT.DLL [?]
S3 imapfilt.dll;Outpost Firewall PlugIn (IMAPFILT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\IMAPFILT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\IMAPFILT.DLL [?]
S3 mailfilt.dll;Outpost Firewall PlugIn (MAILFILT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\MAILFILT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\MAILFILT.DLL [?]
S3 nntpfilt.dll;Outpost Firewall PlugIn (NNTPFILT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\NNTPFILT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\NNTPFILT.DLL [?]
S3 pop3filt.dll;Outpost Firewall PlugIn (POP3FILT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\POP3FILT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\POP3FILT.DLL [?]
S3 protect.dll;Outpost Firewall PlugIn (PROTECT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\PROTECT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\PROTECT.DLL [?]
.
.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Christopher\Application Data\Mozilla\Firefox\Profiles\1dtlhf2p.default\
FF - plugin: c:\documents and settings\Christopher\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Yahoo!\Common\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-06 11:54:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Cobian Backup 8\cbService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Photodex\ProShowGold\scsiaccess.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-06 11:57:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-06 18:57:26
ComboFix2.txt 2009-01-06 09:25:30

Pre-Run: 5,968,138,240 bytes free
Post-Run: 5,966,528,512 bytes free

133


New Hijack Log Today, Tuesday, Jan 6

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:04:40 PM, on 1/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cobian Backup 8\cbService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Cobian Backup 8 interface] "C:\Program Files\Cobian Backup 8\cbInterface.exe" -service
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {42FDC231-A411-45F8-B8B6-3B5026111DA8} (SolitaireRush Control) - http://www.worldwinner.com/games/v47/solit...litairerush.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {61900274-3323-4446-BDCD-91548D32AF1B} (SpiderSolitaire Control) - http://www.worldwinner.com/games/v56/spide...ersolitaire.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (file missing)
O23 - Service: Cobian Backup 8 service (cobbmservice) - Luis Cobian - C:\Program Files\Cobian Backup 8\cbService.exe
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (outpostfirewall) - Unknown owner - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe (file missing)
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

--
End of file - 5881 bytes


It looks like both AVG and Outpost services are still on the start list; can I kill those with some program that deletes unnecessary services running?

Thanks again for the help, I am very encouraged. ComboFix really works well.
Game Researcher and Designer
http://3dworldandgamedevelopers.blogspot.com//
Admin
3D Worlds and Game Developers Group Linkedin

#9 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:03:22 PM

Posted 07 January 2009 - 01:41 AM

Since you mentioned that, let's delete both AVG and Outpost for good..


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
Avg7Alrt
Avg7UpdSvc
AVGEMS
outpostfirewall

Folder::
C:\Program Files\Grisoft
C:\Program Files\Agnitum

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


Then immediately install ONLY ONE of these free and excellent antivirus programs below..
Then post me a fresh HijackThis log in your next reply..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
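As an added illustration (not code from this thread, HijackThis or ComboFix), the check behind the question and answer above: a small parser that pulls the O23 service entries out of a HijackThis log, flags the ones whose binary is reported missing (uninstall leftovers like the AVG and Outpost entries), lists the "Unknown owner" entries a reviewer looks at by hand, and drafts the KillAll::/Driver:: CFScript section in the format used in the post. The sample lines are constructed from the O23 layout shown in the logs on this page.

```python
"""Find orphaned service registrations in a HijackThis log.

Added example for this thread; not HijackThis or ComboFix code. It assumes the
HijackThis v2.0.2 "O23 - Service:" line layout seen in the logs above, and the
sample lines are constructed from that layout (the names are the ones in the
thread).
"""
import re

# O23 layout: "O23 - Service: <display> [(<short name>)] - <owner> - <path> [(file missing)]"
# The short (registry) name in parentheses is the one CFScript's Driver:: section takes.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Constructed sample, modelled on the HijackThis logs in this thread.
SAMPLE_LOG = r"""
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Outpost Firewall Service (outpostfirewall) - Unknown owner - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe (file missing)
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
"""


def parse_o23(log_text):
    """Return one dict per O23 line: display/short name, owner, path, missing flag."""
    services = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        services.append({
            "display": m["display"],
            "short": m["short"] or m["display"],  # some entries carry no short name
            "owner": m["owner"],
            "path": m["path"],
            "missing": m["missing"] is not None,
        })
    return services


def orphaned_services(log_text):
    """Services whose binary HijackThis could not find: leftovers of an uninstall.

    Harmless by themselves, but they clutter every later log and can hide a real
    problem among the noise, which is why the helper removed them above.
    """
    return [s for s in parse_o23(log_text) if s["missing"]]


def unknown_owner_services(log_text):
    """Services with no vendor string whose binary is still present.

    Not evidence of malware on its own (ScsiAccess is a Photodex helper), but
    these are the entries a reviewer checks by hand first.
    """
    return [s for s in parse_o23(log_text)
            if s["owner"] == "Unknown owner" and not s["missing"]]


def draft_cfscript(log_text):
    """Draft the KillAll::/Driver:: CFScript section for the orphaned entries.

    The output mirrors the script format used in the post above and is meant
    to be reviewed by a person before anything is run against the machine.
    """
    names = [s["short"] for s in orphaned_services(log_text)]
    if not names:
        return ""
    return "KillAll::\n\nDriver::\n" + "\n".join(names) + "\n"


if __name__ == "__main__":
    for s in orphaned_services(SAMPLE_LOG):
        print(f"orphaned: {s['short']:20s} {s['path']}")
    print(draft_cfscript(SAMPLE_LOG))
```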


#10 CrisGer

CrisGer
  • Topic Starter

  • Members
  • 306 posts
  • Gender:Male
  • Location:Colorado and California
  • Local time:12:22 AM

Posted 07 January 2009 - 03:45 AM

Ran the Combo and then a HijackThis.

For some reason, Combo still thinks I have AVG installed...

Here is the HIJACK log....

I have to go back and get the Combo file as I forgot to copy the log :thumbsup:

Sorry, late.....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:25:59 AM, on 1/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cobian Backup 8\cbService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\Temporary Directory 2 for HiJackThis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Cobian Backup 8 interface] "C:\Program Files\Cobian Backup 8\cbInterface.exe" -service
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {42FDC231-A411-45F8-B8B6-3B5026111DA8} (SolitaireRush Control) - http://www.worldwinner.com/games/v47/solit...litairerush.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {61900274-3323-4446-BDCD-91548D32AF1B} (SpiderSolitaire Control) - http://www.worldwinner.com/games/v56/spide...ersolitaire.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Cobian Backup 8 service (cobbmservice) - Luis Cobian - C:\Program Files\Cobian Backup 8\cbService.exe
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

--
End of file - 5973 bytes

Edited by CrisGer, 07 January 2009 - 03:46 AM.


#11 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:03:22 PM

Posted 07 January 2009 - 04:17 AM

Don't worry.. Make sure you install ONE antivirus first.. Then re-run HijackThis for my review.. :thumbsup:



#12 CrisGer

CrisGer
  • Topic Starter

  • Members
  • 306 posts
  • Gender:Male
  • Location:Colorado and California
  • Local time:12:22 AM

Posted 07 January 2009 - 02:38 PM

I am posting this from the formerly infected machine; the browser appears to work well, and the virus tag line that appeared on the Google default page is gone.

Here is the ComboFix log from after that last kill order for AVG and Outpost:

ComboFix 09-01-05.05 - Christopher 2009-01-07 1:12:27.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.295 [GMT -7:00]
Running from: c:\documents and settings\Christopher\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Christopher\Desktop\CFScript.txt
AV: AVG 7.5.524 *On-access scanning enabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Grisoft
c:\program files\Grisoft\AVG7\avgse.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AVG7ALRT
-------\Legacy_AVG7UPDSVC
-------\Legacy_AVGEMS
-------\Legacy_outpostfirewall
-------\Legacy_VFILT
-------\Service_Avg7Alrt
-------\Service_Avg7UpdSvc
-------\Service_AVGEMS
-------\Service_outpostfirewall


((((((((((((((((((((((((( Files Created from 2008-12-07 to 2009-01-07 )))))))))))))))))))))))))))))))
.

2009-01-06 00:46 . 2009-01-07 01:15 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-06 00:46 . 2009-01-06 02:25 1,409 --a------ c:\windows\QTFont.for
2009-01-06 00:42 . 2009-01-06 00:42 <DIR> d----c--- C:\_OTMoveIt
2009-01-05 13:17 . 2009-01-05 13:17 <DIR> d-------- c:\program files\Cobian Backup 8
2008-12-26 13:49 . 2008-12-26 13:49 0 --a------ c:\windows\nsreg.dat
2008-12-20 07:03 . 2008-12-20 07:03 105 --a------ c:\windows\wininit.ini
2008-12-19 10:59 . 2008-12-19 10:58 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-18 18:27 . 1994-10-04 11:42 54,112 -----c--- C:\adinekir.ttf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-05 20:34 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-05 20:05 --------- d--ha-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-28 21:50 --------- d-----w c:\program files\Google
2008-12-20 14:48 --------- d--h--w c:\documents and settings\Christopher\Application Data\AdobeUM
2008-12-19 17:57 --------- d-----w c:\program files\Java
2008-12-04 02:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 02:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-11-27 17:32 --------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-27 17:32 --------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-04-19 19:34 32 ---h--w c:\documents and settings\All Users\Application Data\ezsid.dat
2003-03-31 12:00 94,784 --sh--w c:\windows\twain.dll
2004-08-04 07:56 50,688 --sh--w c:\windows\twain_32.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-06_ 2.24.09.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-07 08:15:27 16,384 ----atw c:\windows\temp\Perflib_Perfdata_534.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-19 136600]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2005-12-10 7311360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-04-22 77824]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2005-12-10 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Cobian Backup 8 interface"="c:\program files\Cobian Backup 8\cbInterface.exe" [2007-09-27 2425856]
"nwiz"="nwiz.exe" [2005-12-10 c:\windows\system32\nwiz.exe]

c:\documents and settings\Christopher\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-01-15 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-01-15 113664]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-01-15 81920]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll schannel.dll digest.dll msnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Photodex\\ProShowGold\\scsiaccess.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jqs.exe"=

S3 adblock.dll;Outpost Firewall PlugIn (ADBLOCK.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\ADBLOCK.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\ADBLOCK.DLL [?]
S3 cdavfs;CDAVFS;c:\windows\system32\DRIVERS\CDAVFS.sys --> c:\windows\system32\DRIVERS\CDAVFS.sys [?]
S3 content.dll;Outpost Firewall PlugIn (CONTENT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\CONTENT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\CONTENT.DLL [?]
S3 dnscache.dll;Outpost Firewall PlugIn (DNSCACHE.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\DNSCACHE.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\DNSCACHE.DLL [?]
S3 ftpfilt.dll;Outpost Firewall PlugIn (FTPFILT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\FTPFILT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\FTPFILT.DLL [?]
S3 htmlfilt.dll;Outpost Firewall PlugIn (HTMLFILT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\HTMLFILT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\HTMLFILT.DLL [?]
S3 httpfilt.dll;Outpost Firewall PlugIn (HTTPFILT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\HTTPFILT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\HTTPFILT.DLL [?]
S3 imapfilt.dll;Outpost Firewall PlugIn (IMAPFILT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\IMAPFILT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\IMAPFILT.DLL [?]
S3 mailfilt.dll;Outpost Firewall PlugIn (MAILFILT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\MAILFILT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\MAILFILT.DLL [?]
S3 nntpfilt.dll;Outpost Firewall PlugIn (NNTPFILT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\NNTPFILT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\NNTPFILT.DLL [?]
S3 pop3filt.dll;Outpost Firewall PlugIn (POP3FILT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\POP3FILT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\POP3FILT.DLL [?]
S3 protect.dll;Outpost Firewall PlugIn (PROTECT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\PROTECT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\PROTECT.DLL [?]
.
.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Christopher\Application Data\Mozilla\Firefox\Profiles\1dtlhf2p.default\
FF - plugin: c:\documents and settings\Christopher\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Yahoo!\Common\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-07 01:15:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Cobian Backup 8\cbService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Photodex\ProShowGold\scsiaccess.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-07 1:19:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-07 08:19:26
ComboFix2.txt 2009-01-06 18:57:31
ComboFix3.txt 2009-01-06 09:25:30

Pre-Run: 5,892,628,480 bytes free
Post-Run: 5,890,150,400 bytes free

138

And another HijackThis log for good luck:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:36:20 PM, on 1/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cobian Backup 8\cbService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\Temporary Directory 3 for HiJackThis.zip\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Cobian Backup 8 interface] "C:\Program Files\Cobian Backup 8\cbInterface.exe" -service
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {42FDC231-A411-45F8-B8B6-3B5026111DA8} (SolitaireRush Control) - http://www.worldwinner.com/games/v47/solit...litairerush.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {61900274-3323-4446-BDCD-91548D32AF1B} (SpiderSolitaire Control) - http://www.worldwinner.com/games/v56/spide...ersolitaire.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Cobian Backup 8 service (cobbmservice) - Luis Cobian - C:\Program Files\Cobian Backup 8\cbService.exe
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

--
End of file - 6056 bytes

PC Tools is up and running.

I think I may install Outpost Firewall again after you sign off on my ticket. I do so much appreciate your help and that of Bleeping; you are a Powerful force for Good in a world of evil stuff in IT. Thanks!

#13 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:03:22 PM

Posted 08 January 2009 - 12:59 AM

Let's do an online scan first to see what might be left in the computer.. :thumbsup:

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic



#14 CrisGer

CrisGer
  • Topic Starter

  • Members
  • 306 posts
  • Gender:Male
  • Location:Colorado and California
  • Local time:12:22 AM

Posted 08 January 2009 - 11:46 PM

Scan completed. Log follows:

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3752 (20090108)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=17d64a1ff3f10a46bf9689489fb3c800
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-01-09 04:04:28
# local_time=2009-01-08 09:04:28 (-0700, Mountain Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=357799
# found=13
# scan_time=4324
C:\Documents and Settings\Christopher\Local Settings\Temporary Internet Files\Content.IE5\0YNO7N6Y\SpywareGuard2008[2].exe a variant of Win32/Kryptik.EH trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\Christopher\Local Settings\Temporary Internet Files\Content.IE5\9Y2R4HRM\SpywareGuard2008[1].exe a variant of Win32/Kryptik.EH trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSScfub.dll.vir Win32/Agent.ODG trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSnrsr.dll.vir Win32/Agent.OIK trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSoeqh.dll.vir Win32/Agent.ODG trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSriqp.dll.vir Win32/Agent.OIK trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_ef915411_.sys.zip Win32/Rustock trojan (deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_ef915411_.sys.zip »ZIP »ef915411.sys Win32/Rustock trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_ef915411_.sys.zip »ZIP »ef915411.sys.1 Win32/Rustock trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\__.zip Win32/Agent.ODG trojan (deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\__.zip »ZIP »TDSSmaxt.sys Win32/Agent.ODG trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\WINDOWS\system32\bobebeji.dll.tmp Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\fidetiga.dll.tmp Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000

No virus found in this incoming message
Checked by PC Tools AntiVirus (5.0.0.22 - 10.100.077).
http://www.pctools.com/free-antivirus/
Game Researcher and Designer
http://3dworldandgamedevelopers.blogspot.com//
Admin
3D Worlds and Game Developers Group Linkedin

#15 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:03:22 PM

Posted 09 January 2009 - 09:56 AM

Looks good to me.. Let's do some cleanup...


Please download OTCleanIt and save it to Desktop.
  • Make sure you have an internet connection..
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes



Please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :thumbsup:



Have a safe and happy computing day!


Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive