Infected with Trojan.vundo and trojan.vundo.h


This topic is locked
8 replies to this topic

#1 garshjb

  • Members
  • 4 posts

Posted 20 February 2009 - 11:22 PM

Hi,

Looking for some help with a pesky virus. I tried deleting it with Malwarebytes, but the files keep coming back. It causes persistent popups and tells me I have a virus and offers a link to anti-virus software. From looking around the web, this is pretty standard, but it appears complicated to get rid of. Thank you for any help you can give me.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Jake at 23:11:29.93 on Fri 02/20/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.355 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Outdated)
FW: McAfee Personal Firewall Plus *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\AOL\1147388836\ee\AOLSoftware.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Documents and Settings\Jake\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Jake\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.dell.com
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-inc/en/side.html?channel=us
mWinlogon: SFCDisable=4 (0x4)
BHO: {69ee5fbc-2c71-4b35-8e25-a3b58242e94b} - c:\windows\system32\yeyanido.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar5.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Aim6]
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [Google Update] "c:\documents and settings\jake\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
mRun: [OASClnt] c:\program files\mcafee.com\vso\oasclnt.exe
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\McUpdate.exe
mRun: [MSKDetectorExe] c:\progra~1\mcafee\spamki~1\MSKDetct.exe /startup
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [MSKAGENTEXE] c:\progra~1\mcafee\spamki~1\MskAgent.exe
mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
mRun: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
mRun: [MPFExe] c:\progra~1\mcafee.com\person~1\MpfTray.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 4.0\apdproxy.exe"
mRun: [SpySweeper] "c:\program files\webroot\spy sweeper\SpySweeper.exe" /startintray
mRun: [HostManager] c:\program files\common files\aol\1147388836\ee\AOLSoftware.exe
mRun: [IPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [suritodipi] Rundll32.exe "c:\windows\system32\gobewowi.dll",s
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [suritodipi] Rundll32.exe "c:\windows\system32\gobewowi.dll",s
dRunOnce: [RealUpgradeHelper] "c:\program files\common files\real\update_ob\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0"
StartupFolder: c:\docume~1\jake\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
Trusted Zone: midtownlunch.com\www
Trusted Zone: musicmatch.com\online
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Notify: WRNotifier - WRLogonNTF.dll
AppInit_DLLs: karina.dat mthtkn.dll gzjsym.dll c:\windows\system32\modigege.dll gpnitw.dll knsvya.dll igtkrh.dll c:\windows\system32\misehebo.dll vmheff.dll c:\windows\system32\vogajuwa.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\misehebo.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\misehebo.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\awtsQGvt
LSA: Notification Packages = scecli c:\windows\system32\modigege.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jake\applic~1\mozilla\firefox\profiles\knggdunm.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.garshjb.com
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\jake\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 SSI;SSI;c:\windows\system32\drivers\ssi.sys [2006-4-27 78336]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-9-25 574808]
R2 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\Mcdetect.exe [2006-4-17 126976]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2006-4-17 221184]
R2 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2006-4-17 122368]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-16 24652]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-4-17 114464]
S1 core3;HTCore Controller;c:\windows\system32\core3.sys --> c:\windows\system32\core3.sys [?]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-4-17 29744]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2006-4-17 245760]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-02-20 22:58 <DIR> --d----- c:\program files\Trend Micro
2009-02-20 22:30 1,553,478 ---sh--- c:\windows\system32\uvosuyif.ini
2009-02-20 22:29 143,137 a--sh--- c:\windows\system32\vmheff.dll
2009-02-20 22:28 1,553,487 ---sh--- c:\windows\system32\odejukeg.ini
2009-02-20 20:30 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-20 20:30 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-20 20:30 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-17 19:18 129,024 a------- c:\windows\system32\lowbojgj.dll
2009-02-17 19:18 129,024 a------- c:\windows\system32\gzjsym.dll
2009-02-16 18:14 1,571,654 ---sh--- c:\windows\system32\wmuynqos.ini
2009-02-14 22:13 129,024 a------- c:\windows\system32\kddrcf.dll
2009-02-14 22:13 129,024 a------- c:\windows\system32\oyyccsaf.dll
2009-02-14 22:12 24,425 a--sh--- c:\windows\system32\tvGQstwa.ini2
2009-02-14 22:12 4,151 a--sh--- c:\windows\system32\tvGQstwa.ini
2009-02-14 22:12 302,592 a------- c:\windows\system32\awtsQGvt.dll.vir
2009-02-02 22:23 <DIR> --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-02-01 23:04 268,648 a------- c:\windows\system32\mucltui.dll
2009-02-01 23:04 208,744 a------- c:\windows\system32\muweb.dll
2009-02-01 23:04 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-01-27 20:39 206 a------- c:\windows\system32\MRT.INI
2009-01-27 20:36 <DIR> --d----- C:\1ce802b99330f18fc2b327be9e

==================== Find3M ====================

2009-02-20 22:29 109,213 a--sh--- c:\windows\system32\misehebo.dll
2009-02-20 22:29 95,509 -------- c:\windows\system32\fiyusovu.dll
2009-02-20 22:29 143,137 a--sh--- c:\windows\system32\rodugema.dll
2008-12-12 12:27 3,067,392 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 06:57 333,184 -------- c:\windows\system32\dllcache\srv.sys
2008-08-23 14:39 19,335 a------- c:\docume~1\alluse~1\applic~1\sopimohyd.reg
2008-08-23 14:39 18,025 a------- c:\program files\common files\vovage.bin
2008-08-14 21:54 19,556 a------- c:\docume~1\alluse~1\applic~1\zepomiru.scr
2008-08-14 21:54 19,107 a------- c:\docume~1\jake\applic~1\ezuwiwi.bat
2008-08-14 21:54 15,955 a------- c:\program files\common files\uqemahav.sys
2008-08-14 21:54 15,507 a------- c:\docume~1\alluse~1\applic~1\emifego.exe
2008-08-14 21:54 12,837 a------- c:\docume~1\jake\applic~1\sosete.exe
2008-08-14 21:54 12,505 a------- c:\program files\common files\jimawoh.lib
2008-08-14 21:54 11,134 a------- c:\docume~1\jake\applic~1\lejig.dat
2008-08-14 21:54 10,611 a------- c:\program files\common files\bagalo.vbs
2007-09-03 09:19 88 ---shr-- c:\windows\system32\0973144BF0.sys
2006-04-24 20:03 56 ---shr-- c:\windows\system32\F04B147309.sys
2007-09-03 09:19 5,852 a--sh--- c:\windows\system32\KGyGaAvL.sys
0000-00-00 00:00 72,743 a--sh--- c:\windows\system32\modigege.dll

============= FINISH: 23:16:01.06 ===============


#2 miekiemoes (Malware Killer Dog)

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 21 February 2009 - 04:18 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

Extra note: The ComboFix tutorial recommends disabling your Antivirus, in your case McAfee. For McAfee, I would rather recommend temporarily uninstalling it, because McAfee causes a lot of problems with ComboFix after reboot, since McAfee enables itself again after reboot. So please temporarily uninstall McAfee first, then reboot, and then scan with ComboFix.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 garshjb (Topic Starter)

  • Members
  • 4 posts

Posted 21 February 2009 - 10:52 AM

Thanks for your help. Here's the ComboFix log:

ComboFix 09-02-19.01 - Jake 2009-02-21 10:35:44.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.467 [GMT -5:00]
Running from: c:\documents and settings\Jake\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall Plus *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jake\Cookies\eparaxapu._sy
c:\documents and settings\Jake\Cookies\upuxyn.lib
c:\documents and settings\Jake\Local Settings\Temporary Internet Files\anucu._sy
c:\documents and settings\Jake\Local Settings\Temporary Internet Files\begohopo.bat
c:\documents and settings\Jake\Local Settings\Temporary Internet Files\exebasyzi.scr
c:\documents and settings\Jake\Local Settings\Temporary Internet Files\hyvyhoqoga.reg
c:\documents and settings\Jake\Local Settings\Temporary Internet Files\ibynybo.inf
c:\documents and settings\Jake\Local Settings\Temporary Internet Files\jidexagu.dll
c:\documents and settings\Jake\Local Settings\Temporary Internet Files\jusuqyd._sy
c:\documents and settings\Jake\Local Settings\Temporary Internet Files\lesuz.ban
c:\documents and settings\Jake\Local Settings\Temporary Internet Files\lumygax._sy
c:\documents and settings\Jake\Local Settings\Temporary Internet Files\pupitycid.dll
c:\documents and settings\Jake\Local Settings\Temporary Internet Files\ragygafuki.dl
c:\documents and settings\Jake\Local Settings\Temporary Internet Files\ypusededo.pif
c:\windows\g32.txt
c:\windows\IE4 Error Log.txt
c:\windows\system32\eludazay.ini
c:\windows\system32\girubuwa.dll
c:\windows\system32\gzjsym.dll
c:\windows\system32\kddrcf.dll
c:\windows\system32\lowbojgj.dll
c:\windows\system32\modigege.dll
c:\windows\system32\morisili.dll
c:\windows\system32\njgnob.dll
c:\windows\system32\ojepidup.ini
c:\windows\system32\oyyccsaf.dll
c:\windows\system32\pafimole.dll
c:\windows\system32\pashfc.dll
c:\windows\system32\pudipejo.dll
c:\windows\system32\tvGQstwa.ini
c:\windows\system32\tvGQstwa.ini2
c:\windows\system32\wmuynqos.ini
c:\windows\system32\yazadule.dll
c:\windows\system32\zoripuzo.dll
c:\windows\Tasks\imozsysc.job
G:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASPIMGR
-------\Legacy_CORE3
-------\Legacy_DOMAINSERVICE
-------\Service_core3


((((((((((((((((((((((((( Files Created from 2009-01-19 to 2009-02-19 )))))))))))))))))))))))))))))))
.

2009-02-20 22:58 . 2009-02-20 22:58 <DIR> d-------- c:\program files\Trend Micro
2009-02-20 21:23 . 2009-02-20 21:35 <DIR> d-------- c:\documents and settings\Jake\Application Data\Download Manager
2009-02-20 20:30 . 2009-02-20 20:31 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-20 20:30 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-20 20:30 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-14 22:12 . 2009-02-14 22:12 302,592 --a------ c:\windows\system32\awtsQGvt.dll.vir
2009-02-02 22:23 . 2009-02-02 22:23 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-02-01 23:04 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2009-02-01 23:04 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
2009-02-01 23:04 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2009-01-31 17:39 . 2009-01-31 17:39 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-01-27 20:39 . 2009-01-27 20:39 206 --a------ c:\windows\system32\MRT.INI
2009-01-27 20:36 . 2009-01-28 12:36 <DIR> d-------- C:\1ce802b99330f18fc2b327be9e

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-20 20:13 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-02-13 14:05 --------- d-----w c:\program files\Soulseek
2009-02-12 23:03 --------- d-----w c:\documents and settings\Jake\Application Data\Move Networks
2009-01-23 21:29 --------- d-----w c:\documents and settings\All Users\Application Data\Retrospect
2008-12-25 01:43 --------- d-----w c:\documents and settings\Jake\Application Data\Apple Computer
2008-12-12 17:27 3,067,392 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 11:57 333,184 ------w c:\windows\system32\dllcache\srv.sys
2008-08-23 19:39 19,335 ----a-w c:\documents and settings\All Users\Application Data\sopimohyd.reg
2008-08-23 19:39 18,025 ----a-w c:\program files\Common Files\vovage.bin
2008-08-15 02:54 19,556 ----a-w c:\documents and settings\All Users\Application Data\zepomiru.scr
2008-08-15 02:54 19,107 ----a-w c:\documents and settings\Jake\Application Data\ezuwiwi.bat
2008-08-15 02:54 15,955 ----a-w c:\program files\Common Files\uqemahav.sys
2008-08-15 02:54 15,507 ----a-w c:\documents and settings\All Users\Application Data\emifego.exe
2008-08-15 02:54 12,837 ----a-w c:\documents and settings\Jake\Application Data\sosete.exe
2008-08-15 02:54 12,505 ----a-w c:\program files\Common Files\jimawoh.lib
2008-08-15 02:54 11,134 ----a-w c:\documents and settings\Jake\Application Data\lejig.dat
2008-08-15 02:54 10,611 ----a-w c:\program files\Common Files\bagalo.vbs
2006-10-03 06:43 2,402,550 ----a-w c:\windows\inf\SETF7.tmp
2006-10-03 06:43 2,402,550 ----a-w c:\windows\inf\SET98.tmp
2006-10-03 06:43 2,402,550 ----a-w c:\windows\inf\SET3DE.tmp
2004-08-10 10:00 28,672 ----a-w c:\program files\mozilla firefox\plugins\custsat.dll
2004-08-10 10:00 356,352 ----a-w c:\program files\mozilla firefox\plugins\mpvis.dll
2005-04-20 16:32 47,616 ----a-w c:\program files\mozilla firefox\plugins\msoobci.dll
2004-08-10 10:00 77,824 ----a-w c:\program files\mozilla firefox\plugins\wmpband.dll
2008-08-12 05:34 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2007-09-03 14:19 88 --sh--r c:\windows\system32\0973144BF0.sys
2006-04-25 01:03 56 --sh--r c:\windows\system32\F04B147309.sys
2007-09-03 14:19 5,852 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-30 68856]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Google Update"="c:\documents and settings\Jake\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-14 7323648]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 151552]
"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 53248]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 1121792]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-12 29744]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 110592]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 106496]
"VirusScan Online"="c:\program files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 163840]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 1005096]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-16 57344]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeper.exe" [2006-01-25 3405312]
"HostManager"="c:\program files\Common Files\AOL\1147388836\ee\AOLSoftware.exe" [2006-05-09 50760]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-29 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]
"WD Button Manager"="WDBtnMgr.exe" [2006-07-09 c:\windows\system32\WDBtnMgr.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RealUpgradeHelper"="c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe" [2008-10-29 136768]

c:\documents and settings\Jake\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-09-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2006-04-17 156784]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-04-17 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0lsdelete

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1147388836\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1147388836\\ee\\aim6.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\windows\system32\ppopjsse.exe"= c:\windows\system32\ppo
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 SSI;SSI;c:\windows\system32\drivers\ssi.sys [2006-04-27 78336]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-10-16 24652]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2006-04-17 29744]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-02-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4145821211-80828704-1328512760-1005.job
- c:\documents and settings\Jake\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 20:48]

2009-02-19 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (D7JDBT91-Jake).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2005-07-08 17:18]
.
- - - - ORPHANS REMOVED - - - -

BHO-{69ee5fbc-2c71-4b35-8e25-a3b58242e94b} - c:\windows\system32\yeyanido.dll
BHO-{d41accc4-b831-4134-bf7a-7d28b9f7bc42} - c:\windows\system32\pashfc.dll
HKCU-Run-Aim6 - (no file)
HKLM-Run-suritodipi - c:\windows\system32\gobewowi.dll
HKU-Default-Run-suritodipi - c:\windows\system32\gobewowi.dll
SafeBoot-core3.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: midtownlunch.com\www
Trusted Zone: musicmatch.com\online
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-19 10:41:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
c:\windows\system32\WRLogonNTF.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\VSO\McShield.exe
c:\progra~1\McAfee.com\VSO\McVSEscn.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\progra~1\McAfee.com\PERSON~1\MpfService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Dantz\Retrospect\retrorun.exe
c:\progra~1\Dantz\RETROS~1\wdsvc.exe
c:\program files\Webroot\Spy Sweeper\WRSSSDK.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\ehome\ehmsas.exe
c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2009-02-19 10:48:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-19 15:48:42

Pre-Run: 64,137,805,824 bytes free
Post-Run: 66,792,198,144 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

272 --- E O F --- 2009-02-12 08:04:00

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 21 February 2009 - 11:50 AM

Hi,

I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Then,

* Open Notepad - don't use any other text editor than Notepad, or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
c:\windows\system32\ppopjsse.exe
c:\windows\system32\awtsQGvt.dll.vir
c:\documents and settings\All Users\Application Data\sopimohyd.reg
c:\program files\Common Files\vovage.bin
c:\documents and settings\All Users\Application Data\zepomiru.scr
c:\documents and settings\Jake\Application Data\ezuwiwi.bat
c:\program files\Common Files\uqemahav.sys
c:\documents and settings\All Users\Application Data\emifego.exe
c:\documents and settings\Jake\Application Data\sosete.exe
c:\program files\Common Files\jimawoh.lib
c:\documents and settings\Jake\Application Data\lejig.dat
c:\program files\Common Files\bagalo.vbs
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\windows\system32\ppopjsse.exe"=-


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 garshjb

garshjb
  • Topic Starter

  • Members
  • 4 posts

Posted 21 February 2009 - 04:50 PM

Again, thanks for the help.

ComboFix 09-02-19.01 - Jake 2009-02-21 16:38:28.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.591 [GMT -5:00]
Running from: c:\documents and settings\Jake\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jake\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning enabled* (Outdated)
FW: McAfee Personal Firewall Plus *enabled*
* Created a new restore point

FILE ::
c:\documents and settings\All Users\Application Data\emifego.exe
c:\documents and settings\All Users\Application Data\sopimohyd.reg
c:\documents and settings\All Users\Application Data\zepomiru.scr
c:\documents and settings\Jake\Application Data\ezuwiwi.bat
c:\documents and settings\Jake\Application Data\lejig.dat
c:\documents and settings\Jake\Application Data\sosete.exe
c:\program files\Common Files\bagalo.vbs
c:\program files\Common Files\jimawoh.lib
c:\program files\Common Files\uqemahav.sys
c:\program files\Common Files\vovage.bin
c:\windows\system32\awtsQGvt.dll.vir
c:\windows\system32\ppopjsse.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\emifego.exe
c:\documents and settings\All Users\Application Data\sopimohyd.reg
c:\documents and settings\All Users\Application Data\zepomiru.scr
c:\documents and settings\Jake\Application Data\ezuwiwi.bat
c:\documents and settings\Jake\Application Data\lejig.dat
c:\documents and settings\Jake\Application Data\sosete.exe
c:\program files\Common Files\bagalo.vbs
c:\program files\Common Files\jimawoh.lib
c:\program files\Common Files\uqemahav.sys
c:\program files\Common Files\vovage.bin
c:\windows\system32\awtsQGvt.dll.vir
c:\windows\system32\ppopjsse.exe

.
((((((((((((((((((((((((( Files Created from 2009-01-21 to 2009-02-21 )))))))))))))))))))))))))))))))
.

2009-02-20 22:58 . 2009-02-20 22:58 <DIR> d-------- c:\program files\Trend Micro
2009-02-20 21:23 . 2009-02-20 21:35 <DIR> d-------- c:\documents and settings\Jake\Application Data\Download Manager
2009-02-20 20:30 . 2009-02-20 20:31 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-20 20:30 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-20 20:30 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-02 22:23 . 2009-02-02 22:23 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-02-01 23:04 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2009-02-01 23:04 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
2009-02-01 23:04 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2009-01-31 17:39 . 2009-01-31 17:39 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-01-27 20:39 . 2009-01-27 20:39 206 --a------ c:\windows\system32\MRT.INI
2009-01-27 20:36 . 2009-01-28 12:36 <DIR> d-------- C:\1ce802b99330f18fc2b327be9e

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-21 21:33 --------- d-----w c:\program files\Viewpoint
2009-02-21 21:33 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-02-20 20:13 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-02-13 14:05 --------- d-----w c:\program files\Soulseek
2009-02-12 23:03 --------- d-----w c:\documents and settings\Jake\Application Data\Move Networks
2009-01-23 21:29 --------- d-----w c:\documents and settings\All Users\Application Data\Retrospect
2008-12-25 01:43 --------- d-----w c:\documents and settings\Jake\Application Data\Apple Computer
2008-12-12 17:27 3,067,392 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 11:57 333,184 ------w c:\windows\system32\dllcache\srv.sys
2006-10-03 06:43 2,402,550 ----a-w c:\windows\inf\SETF7.tmp
2006-10-03 06:43 2,402,550 ----a-w c:\windows\inf\SET98.tmp
2006-10-03 06:43 2,402,550 ----a-w c:\windows\inf\SET3DE.tmp
2004-08-10 10:00 28,672 ----a-w c:\program files\mozilla firefox\plugins\custsat.dll
2004-08-10 10:00 356,352 ----a-w c:\program files\mozilla firefox\plugins\mpvis.dll
2005-04-20 16:32 47,616 ----a-w c:\program files\mozilla firefox\plugins\msoobci.dll
2004-08-10 10:00 77,824 ----a-w c:\program files\mozilla firefox\plugins\wmpband.dll
2008-08-12 05:34 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2007-09-03 14:19 88 --sh--r c:\windows\system32\0973144BF0.sys
2006-04-25 01:03 56 --sh--r c:\windows\system32\F04B147309.sys
2007-09-03 14:19 5,852 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-30 68856]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Google Update"="c:\documents and settings\Jake\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-14 7323648]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 151552]
"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 53248]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 1121792]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-12 29744]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 110592]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 106496]
"VirusScan Online"="c:\program files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 163840]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 1005096]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-16 57344]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeper.exe" [2006-01-25 3405312]
"HostManager"="c:\program files\Common Files\AOL\1147388836\ee\AOLSoftware.exe" [2006-05-09 50760]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-29 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]
"WD Button Manager"="WDBtnMgr.exe" [2006-07-09 c:\windows\system32\WDBtnMgr.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RealUpgradeHelper"="c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe" [2008-10-29 136768]

c:\documents and settings\Jake\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-09-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2006-04-17 156784]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-04-17 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0lsdelete

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1147388836\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1147388836\\ee\\aim6.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 SSI;SSI;c:\windows\system32\drivers\ssi.sys [2006-04-27 78336]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2006-04-17 29744]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-02-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4145821211-80828704-1328512760-1005.job
- c:\documents and settings\Jake\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 20:48]

2009-02-19 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (D7JDBT91-Jake).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2005-07-08 17:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: midtownlunch.com\www
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Jake\Application Data\Mozilla\Firefox\Profiles\knggdunm.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.garshjb.com
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\Jake\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-21 16:43:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
c:\windows\system32\WRLogonNTF.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2009-02-21 16:46:40
ComboFix-quarantined-files.txt 2009-02-21 21:46:37
ComboFix2.txt 2009-02-19 15:48:48

Pre-Run: 66,712,498,176 bytes free
Post-Run: 66,703,388,672 bytes free

209 --- E O F --- 2009-02-12 08:04:00
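As an added check (example code, not from the thread, its participants or ComboFix), the script below parses a CFScript like the one above and the ComboFix log it produced, then reports which requested paths ComboFix echoed under 'FILE ::' and actually removed under 'Other Deletions'. The embedded sample texts are constructed, shortened copies of the thread's, with one path deliberately left out of 'Other Deletions' so the mismatch report has something to show.

```python
"""Cross-check a ComboFix CFScript against the log it produced (added
example, not code from the thread or from ComboFix). The sample texts are
constructed copies of the thread's, with one deletion deliberately missing."""
import re

CFSCRIPT = """\
File::
c:\\windows\\system32\\ppopjsse.exe
c:\\documents and settings\\Jake\\Application Data\\lejig.dat
c:\\program files\\Common Files\\bagalo.vbs
Registry::
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\AuthorizedApplications\\List]
"c:\\windows\\system32\\ppopjsse.exe"=-
"""

COMBOFIX_LOG = """\
FILE ::
c:\\documents and settings\\Jake\\Application Data\\lejig.dat
c:\\program files\\Common Files\\bagalo.vbs
c:\\windows\\system32\\ppopjsse.exe
.

(((((((((((((((( Other Deletions ))))))))))))))))
.

c:\\documents and settings\\Jake\\Application Data\\lejig.dat
c:\\windows\\system32\\ppopjsse.exe

.
"""


def parse_cfscript(text):
    """'Name::' opens a section; under Registry::, '[key]' selects a key and
    '"name"=-' deletes that value ('=-' is the REGEDIT4 deletion marker)."""
    files, reg_deletes, section, key = [], [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.fullmatch(r"(\w+)::", line):
            section = m.group(1).lower()
        elif not line:
            continue
        elif section == "file":
            files.append(line.lower())
        elif section == "registry":
            if line.startswith("[") and line.endswith("]"):
                key = line[1:-1]
            elif (m := re.fullmatch(r'"(.*)"=-', line)) and key:
                reg_deletes.append((key, m.group(1).lower()))
    return {"files": files, "registry_deletes": reg_deletes}


def log_section(log, header_re):
    """Paths listed under a log header, up to the closing '.' or next banner."""
    out, inside = [], False
    for line in (l.strip() for l in log.splitlines()):
        if not inside:
            inside = re.search(header_re, line) is not None
        elif line.startswith("((((") or (line == "." and out):
            break
        elif line and line != ".":  # a lone '.' may also follow the header
            out.append(line.lower())
    return out


def reconcile(script_text, log_text):
    """Compare what the CFScript asked for with what the log reports done."""
    script = parse_cfscript(script_text)
    requested = set(script["files"])
    echoed = set(log_section(log_text, r"^FILE ::$"))  # proves the script was read
    deleted = set(log_section(log_text, r"Other Deletions"))
    return {"not_echoed": sorted(requested - echoed),
            "deleted": sorted(requested & deleted),
            "not_deleted": sorted(requested - deleted),
            "registry_deletes": script["registry_deletes"]}
```

Any path left in `not_deleted` is one the script asked for but the log never confirmed, which is the cue to ask for a fresh log rather than assume the machine is clean.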

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 21 February 2009 - 06:55 PM

Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

#7 garshjb

garshjb
  • Topic Starter

  • Members
  • 4 posts

Posted 21 February 2009 - 08:04 PM

It looks like we're back to normal. Many thanks. Does the HJT take donations? Or do you do this out of the kindness of your heart?

J

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 22 February 2009 - 04:55 AM

Glad I could help. :thumbup2:

For the donations, as it says in my signature below: "My help is ALWAYS FREE", so it's your choice if you want to donate or not. :)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 01 March 2009 - 12:43 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



