System Security hijacked my PC

I can't access anything. Only internet explorer works. It won't let me use my task manager, firefox, or any other program besides IE.

I can't go into safe mode it won't let me it just gives me a BSOD if I do.

I'm screwed aren't I :/

Hello,

Please follow these instructions to try and remove System Security
http://www.geekpolice.net/malware-removal-guides-f12/how-to-remove-system-security-removal-guide-t5264.htm

If this does not work please follow these instructions and post the log in this thread.
http://www.geekpolice.net/-t3821.htm

If there are problems please post back stating what it is and The GeekPolice staff will try to help you as soon as possible.

Thank you,
Safan

What part of i can't open anything can you not understand? I can't install anything, i can't open any programs. i tried that guide got MBAM to run but the virus BSOD'd my PC 30 minutes into the scan.

I guess I should bump

Hello.
Not even the renamed version of Hijack This works?

Please download SilentRunners from here:
http://www.silentrunners.org/Silent%20Runners.zip
Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, a message will pop up and a logfile will have been created on the desktop. Please post the entire contents of this logfile for me to see.

Sorry for teh late reply my power has been shut off till tonight (im at school) I'll get to it tonight.

And yes I renamed HJT, to funny.xyz and it still wouldn't open. i can't reformat due to not having a CD and can't back up my data. I had back ups from july but someone lost them.

And we didn't find out till ti was too late :/

Okay, can you still try SilentRunners for me?

It won't unzip...wonderful. winrar won't open either.

Hello.
Try this version of Hijack This, no longer an exe file.
http://www.sendspace.com/pro/dl/fpzz64

Yeah didn't work.

Okay the bastard just installed an icon on my desktop and I found out where iit was located and moved it to a new folder...

GOOOD NEWS I got it to work. Somehow it installed itself on my PC and I found where it was installed and moved it toa new location.

I regained control over my PC

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:35:43 PM, on 9/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\gap\Desktop\winlogon.scr

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe logon.exe
N3 - Netscape 7: # Mozilla User Preferences
// This is a generated file!

user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.history.last_page_visited", "http://www.sonystyle.com/webapp/wcs/stores/servlet/StoreCatalogDisplay?storeId=10151&catalogId=10551&langId=-1");
user_pref("browser.search.defaultengine", "http://www.google.com/");
user_pref("browser.startup.homepage_override.mstone", "rv:1.0.2");
user_pref("browser.tabs.forceHide", true);
user_pref("intl.charsetmenu.browser.cache", "ISO-8859-1, UTF-8");
user_pref("ldap_2.servers.history.filename", "history.mab");
user_pref("ldap_2.servers.history.replication.lastChangeNumber", 0);
user_pref("ldap_2.servers.pab.filename", "abook.mab");
user_pref("ldap_2.servers.pab.replication.lastChangeNumber", 0);
user_pref("mail.smtpservers", "");
user_pref("mail.ui.folderpane.version", 2);
user_pref("mailnews.global_html_domains.version", 2);
user_pref("mailnews.html_domains", "netscape.net,ne
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 antivirsystem.com
O1 - Hosts: 94.232.248.66 www.antivirsystem.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [13420934] C:\Documents and Settings\All Users\Application Data\13420934\13420934.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\gap\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229622507750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1212791649687
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.jp/3drender/renderer/mabiweb.2007.4.4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\system32\UAService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 7484 bytes

Hello.

• Open HijackThis
  
• Choose "Do a system scan only"
  
• Check the boxes in front of these lines:
  
  
  F2 - REG:system.ini: Shell=Explorer.exe logon.exe
  O1 - Hosts: ::1 localhost
  O1 - Hosts: 94.232.248.66 antivirsystem.com
  O1 - Hosts: 94.232.248.66 www.antivirsystem.com
  O4 - HKLM\..\Run: [13420934] C:\Documents and Settings\All Users\Application Data\13420934\13420934.exe
  
  
  
• Press "Fix Checked"
  
• Close Hijack This.
  

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:54 PM, on 9/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\iqflnq\ygsmsysguard.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\gap\Desktop\winlogon.scr

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
N3 - Netscape 7: # Mozilla User Preferences
// This is a generated file!

user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.history.last_page_visited", "http://www.sonystyle.com/webapp/wcs/stores/servlet/StoreCatalogDisplay?storeId=10151&catalogId=10551&langId=-1");
user_pref("browser.search.defaultengine", "http://www.google.com/");
user_pref("browser.startup.homepage_override.mstone", "rv:1.0.2");
user_pref("browser.tabs.forceHide", true);
user_pref("intl.charsetmenu.browser.cache", "ISO-8859-1, UTF-8");
user_pref("ldap_2.servers.history.filename", "history.mab");
user_pref("ldap_2.servers.history.replication.lastChangeNumber", 0);
user_pref("ldap_2.servers.pab.filename", "abook.mab");
user_pref("ldap_2.servers.pab.replication.lastChangeNumber", 0);
user_pref("mail.smtpservers", "");
user_pref("mail.ui.folderpane.version", 2);
user_pref("mailnews.global_html_domains.version", 2);
user_pref("mailnews.html_domains", "netscape.net,ne
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.221 awareremover.microsoft.com
O1 - Hosts: 91.212.127.221 awareremover.com
O1 - Hosts: 91.212.127.221 www.awareremover.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: BHO - {12BC3DAB-D768-4f05-88A5-FCC9099F5A0F} - C:\WINDOWS\system32\iehelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [system tool] C:\Program Files\iqflnq\ygsmsysguard.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\gap\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [system tool] C:\Program Files\iqflnq\ygsmsysguard.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1229622507750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1212791649687
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.jp/3drender/rendere...eb.2007.4.4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\system32\UAService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 7728 bytes

I managed to remove the virus...and then my brother reinfects me.

Hello.

• Open HijackThis
  
• Choose "Do a system scan only"
  
• Check the boxes in front of these lines:
  
  
  O1 - Hosts: ::1 localhost
  O1 - Hosts: 91.212.127.221 awareremover.microsoft.com
  O1 - Hosts: 91.212.127.221 awareremover.com
  O1 - Hosts: 91.212.127.221 www.awareremover.com
  O2 - BHO: BHO - {12BC3DAB-D768-4f05-88A5-FCC9099F5A0F} - C:\WINDOWS\system32\iehelper.dll
  O4 - HKLM\..\Run: [system tool] C:\Program Files\iqflnq\ygsmsysguard.exe
  O4 - HKCU\..\Run: [system tool] C:\Program Files\iqflnq\ygsmsysguard.exe
  
  
  
• Press "Fix Checked"
  
• Close Hijack This.
  

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

Okay, but also my anti virus avira won't work. I can update it but yah. And I still have the remains of that system security 2009. Just an icon and folder they don't work, but want me to remove them too?

Yes, remove the leftovers.
If you can, please run MBAM.

Im running MBAM...

a folder called back ups appeared on my desktop. I'm assuming its my back ups

Malwarebytes' Anti-Malware 1.40
Database version: 2758
Windows 5.1.2600 Service Pack 2

9/8/2009 11:21:00 AM
mbam-log-2009-09-08 (11-21-00).txt

Scan type: Quick Scan
Objects scanned: 107693
Time elapsed: 8 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\lsp.dll (LSP.Hijacker) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\lsp.dll (LSP.Hijacker) -> Delete on reboot.
C:\WINDOWS\syssvc.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\gap\Desktop\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Avira still isn't working

Hello.
We'll look at Avira now, but I want one more scan.

• Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
  Link 1
  Link 2
  
• Double click DDS.scr to run.
  
• When complete, two logs will open. Save both of the report to your Desktop.
  
• Copy and paste DDS.txt back here, I don't need to see attach.txt just yet.
  

DDS (Ver_09-07-30.01) - NTFSx86
Run by gap at 16:05:06.03 on Tue 09/08/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.552 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\UAService.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\gap\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: MSN Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar\01.01.2607.0\en-us\msntb.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [Google Update] "c:\documents and settings\gap\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\npjpi160_02.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\www.update
Trusted Zone: windowsupdate.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/0/5/7/05796dde-b2ba-4eef-8da4-f99c7e0c9b92/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229622507750
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1212791649687
DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} - hxxp://avatar.mabinogi.jp/3drender/renderer/mabiweb.2007.4.4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38193.7732407407
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gap\applic~1\mozilla\firefox\profiles\tiz06pr6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.gamefaqs.com/boards/index.php
FF - plugin: c:\documents and settings\gap\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npActiveGS.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - HiddenExtension: XUL Cache: {7C11F23E-325D-495E-B43D-3D68CCA702E4} - c:\documents and settings\gap\local settings\application data\{7C11F23E-325D-495E-B43D-3D68CCA702E4}
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-4 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-4 108289]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-4 55656]
S0 kl1;kl1;c:\windows\system32\drivers\kl1.sys --> c:\windows\system32\drivers\kl1.sys [?]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\drivers\usbscan.sys [2004-10-28 15104]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 npkycryp;npkycryp;\??\c:\documents and settings\gap\desktop\flow\npkycryp.sys --> c:\documents and settings\gap\desktop\flow\npkycryp.sys [?]
S3 Partizan;Partizan;c:\windows\system32\drivers\partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S3 PsSdk30;PsSdk30;\??\c:\windows\system32\drivers\pssdk30.drv --> c:\windows\system32\drivers\PsSdk30.drv [?]
S3 XDva076;XDva076;\??\c:\windows\system32\xdva076.sys --> c:\windows\system32\XDva076.sys [?]
S3 XDva090;XDva090;\??\c:\windows\system32\xdva090.sys --> c:\windows\system32\XDva090.sys [?]
S3 XDva134;XDva134;\??\c:\windows\system32\xdva134.sys --> c:\windows\system32\XDva134.sys [?]
S3 XDva167;XDva167;\??\c:\docume~1\temp\locals~1\temp\dine3.tmp --> c:\docume~1\temp\locals~1\temp\DINE3.tmp [?]
S3 XDva277;XDva277;\??\c:\windows\system32\xdva277.sys --> c:\windows\system32\XDva277.sys [?]
S4 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-4 185089]
S4 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\program files\common files\sony shared\vaio entertainment\vzcdb\VzFw.exe [2004-6-26 86098]
S4 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\common files\sony shared\vaio entertainment\vcsw\vcsw.exe -runbyscm --> c:\program files\common files\sony shared\vaio entertainment\vcsw\VCSW.exe -RunBySCM [?]

=============== Created Last 30 ================

2009-09-07 23:03 --d----- c:\program files\where im storing the virus
2009-09-04 18:21 -cd----- c:\windows\system32\dllcache\cache
2009-09-04 17:57 230,912 a------- c:\windows\PEV.exe
2009-09-04 17:57 161,792 a------- c:\windows\SWREG.exe
2009-09-04 17:57 98,816 a------- c:\windows\sed.exe
2009-09-04 17:57 --ds---- C:\ComboFix
2009-08-25 19:09 --d----- C:\test
2009-08-25 14:42 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-25 14:41 655,872 -c------ c:\windows\system32\dllcache\mstscax.dll
2009-08-10 16:28 --d----- C:\ultima7
2009-08-10 16:13 --d----- c:\program files\Cobian Backup 8
2009-08-10 16:10 --d----- c:\program files\Cobian Backup 9
2009-08-10 13:30 --d----- c:\program files\Exult

==================== Find3M ====================

2009-09-03 10:28 8,416 a------- c:\windows\system32\drivers\61883.sys
2009-08-05 20:16 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-29 15:49 1,285,026,321 a------- C:\MSSetupv73.exe
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-06-29 11:12 827,392 -------- c:\windows\system32\wininet.dll
2009-06-29 11:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 11:12 17,408 a------- c:\windows\system32\corpol.dll
2009-06-16 09:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:55 82,432 a------- c:\windows\system32\fontsub.dll
2001-06-20 16:19 40,960 a------- c:\program files\ACMonitor_X83.exe
2007-02-16 08:54 8,026,400 a--sh--- c:\windows\system32\drivers\fidbox.dat
2007-02-16 02:52 68,384 a--sh--- c:\windows\system32\drivers\fidbox2.dat

============= FINISH: 16:05:44.71 ===============

Well, I'm glad I asked for another scan, more malware has cropped up.

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2

• Ensure all Firefox windows are closed.
  
• To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  
• When prompted to run the scan, click Yes.
  
• GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
  

GooredFix by jpshortstuff (12.07.09)
Log created at 19:01 on 08/09/2009 (gap)
Firefox version 3.0.13 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{7C11F23E-325D-495E-B43D-3D68CCA702E4} -> Success!
Deleting C:\Documents and Settings\gap\Local Settings\Application Data\{7C11F23E-325D-495E-B43D-3D68CCA702E4} -> Success!

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [11:52 27/07/2005]
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} [19:41 20/05/2007]
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [08:22 15/08/2007]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [08:08 08/08/2009]

-=E.O.F=-

What exactly did it delete? And you sure it was malware and not a mistake?

Either way...firefox just sped up to faster than chrome what the hell did you do you just made my firefox ultra fast.

Well whatever you did I love you. My PC is no longer slow ^__^

Hello.

Either way...firefox just sped up to faster than chrome what the hell did you do you just made my firefox ultra fast.

Heh, it removed a Firefox hijacker, cause random Google searches to re-direct to malicious websites.

Lets clean this up now.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

Java(TM) 6 Update 1
Java(TM) 6 Update 2

Next, I need to know if you know what this folder is and what's inside it:

c:\program files\where im storing the virus

Lastly,

Please download the OTMoveIt by OldTimer.

• Save it to your desktop.
  
• Please double-click OTM.exe to run it.
  
• Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  
  :services
  kl1
  npkycryp
  Partizan
  PsSdk30
  XDva076
  XDva090
  XDva134
  XDva167
  XDva277
  
  
  
• Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  
• Click the red Moveit! button.
  
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  
• Close OTMoveIt
  

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

Uhh thats where the virus was being stored. I disabled it from running by moving the folder intoa new folder...I'll assume you want me to delete it.

Can I ask why we're removing java?

========== SERVICES/DRIVERS ==========

Service\Driver kl1 deleted successfully.

Service\Driver npkycryp deleted successfully.

Service\Driver Partizan deleted successfully.

Service\Driver PsSdk30 deleted successfully.

Service\Driver XDva076 deleted successfully.

Service\Driver XDva090 deleted successfully.

Service\Driver XDva134 deleted successfully.

Service\Driver XDva167 deleted successfully.

Service\Driver XDva277 deleted successfully.

OTM by OldTimer - Version 3.0.0.6 log created on 09082009_192211


Uhh npkycrpyt wasn't a virus that was part of my game...oh damnit, i really hope my game works

I dunno what happened it came back...nobody was on. It just keeps coming back. Maybe it'sa rootkit.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:25:58 AM, on 9/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\9129837.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\gap\Desktop\PC clean\HJTfunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
N3 - Netscape 7: # Mozilla User Preferences
// This is a generated file!

user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.history.last_page_visited", "http://www.sonystyle.com/webapp/wcs/stores/servlet/StoreCatalogDisplay?storeId=10151&catalogId=10551&langId=-1");
user_pref("browser.search.defaultengine", "http://www.google.com/");
user_pref("browser.startup.homepage_override.mstone", "rv:1.0.2");
user_pref("browser.tabs.forceHide", true);
user_pref("intl.charsetmenu.browser.cache", "ISO-8859-1, UTF-8");
user_pref("ldap_2.servers.history.filename", "history.mab");
user_pref("ldap_2.servers.history.replication.lastChangeNumber", 0);
user_pref("ldap_2.servers.pab.filename", "abook.mab");
user_pref("ldap_2.servers.pab.replication.lastChangeNumber", 0);
user_pref("mail.smtpservers", "");
user_pref("mail.ui.folderpane.version", 2);
user_pref("mailnews.global_html_domains.version", 2);
user_pref("mailnews.html_domains", "netscape.net,ne
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Nbinajijoh] rundll32.exe "C:\WINDOWS\abizuwip.dll",e
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\gap\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O4 - Startup: ikowin32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229622507750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1212791649687
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.jp/3drender/renderer/mabiweb.2007.4.4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\system32\UAService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 7897 bytes

Hello.
I think Sony is to blame here, do you/have you installed anything from Sony lately? a game perhaps? anything at all from Sony?

• Open HijackThis
  
• Choose "Do a system scan only"
  
• Check the boxes in front of these lines:
  
  
  O4 - HKLM\..\Run: [Nbinajijoh] rundll32.exe "C:\WINDOWS\abizuwip.dll",e
  O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
  O4 - Startup: ikowin32.exe
  O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\system32\UAService.exe
  O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
  
  
  
• Press "Fix Checked"
  
• Close Hijack This.
  

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

Yeah I do have stuff installed from Sony. Securom can't be deleted or I can't play any games. Because it's an anti piracy software that does more harm than good. :/

Should I go ahead and delete UAService7 and UAService? >__>

Hello.
I wouldn't trust Sony, they have been sued in the past for using malware in their products, see here:
More: http://news.cnet.com/Sony-settles-rootkit-class-action-lawsuit/2100-1002_3-6012173.html

I don't trust that crap either but last time I removed it none of my games worked anymore <__<...


O4 - HKLM\..\Run: [Nbinajijoh] rundll32.exe "C:\WINDOWS\abizuwip.dll",e

isn't being deleted. I pressed fixed and it still appears.

Malwarebytes' Anti-Malware 1.40
Database version: 2766
Windows 5.1.2600 Service Pack 2

9/9/2009 2:49:56 PM
mbam-log-2009-09-09 (14-49-56).txt

Scan type: Quick Scan
Objects scanned: 112735
Time elapsed: 10 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ipcmd.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\qhg3d54 (Rootkit.Kryptik) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qhg3d54 (Rootkit.Kryptik) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tceb586 (Rootkit.Kryptik) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tceb586 (Rootkit.Kryptik) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nbinajijoh (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: sgavd32.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\sgavd32.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\drivers\qhg3d54.sys (Rootkit.Kryptik) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\tceb586.sys (Rootkit.Kryptik) -> Quarantined and deleted successfully.
C:\Documents and Settings\gap\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ipcmd.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\sysdiag.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\wpv391251946612.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\wpv511248190332.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\wpv801251946612.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\9129837.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\abizuwip.dll (Trojan.Agent) -> Delete on reboot.

What happens if we just stop the services? but not delete the files?

• Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
  Link 1
  Link 2
  
• Double click DDS.scr to run.
  
• When complete, two logs will open. Save both of the report to your Desktop.
  
• Copy and paste DDS.txt back here, I don't need to see attach.txt just yet.
  

Nuddin...I always stop them when I get bored.


DDS (Ver_09-07-30.01) - NTFSx86
Run by gap at 17:47:57.26 on Wed 09/09/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.579 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\UAService.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Documents and Settings\gap\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: MSN Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar\01.01.2607.0\en-us\msntb.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [Google Update] "c:\documents and settings\gap\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_15.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\www.update
Trusted Zone: windowsupdate.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/0/5/7/05796dde-b2ba-4eef-8da4-f99c7e0c9b92/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229622507750
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1212791649687
DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} - hxxp://avatar.mabinogi.jp/3drender/renderer/mabiweb.2007.4.4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38193.7732407407
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gap\applic~1\mozilla\firefox\profiles\tiz06pr6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.gamefaqs.com/boards/index.php
FF - plugin: c:\documents and settings\gap\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npActiveGS.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XUL Cache: {1181DA92-58E9-4113-9B4F-DB76EFF5A537} - c:\documents and settings\gap\local settings\application data\{1181da92-58e9-4113-9b4f-db76eff5a537}\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-4 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-4 108289]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-4 55656]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\drivers\usbscan.sys [2004-10-28 15104]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S4 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-4 185089]
S4 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\program files\common files\sony shared\vaio entertainment\vzcdb\VzFw.exe [2004-6-26 86098]
S4 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\common files\sony shared\vaio entertainment\vcsw\vcsw.exe -runbyscm --> c:\program files\common files\sony shared\vaio entertainment\vcsw\VCSW.exe -RunBySCM [?]

=============== Created Last 30 ================

2009-09-09 16:51 411,368 a------- c:\windows\system32\deploytk.dll
2009-09-09 07:07 120 a------- c:\windows\Pzacohahurozec.dat
2009-09-08 19:22 --d----- C:\_OTM
2009-09-07 23:03 --d----- c:\program files\where im storing the virus
2009-09-04 18:21 -cd----- c:\windows\system32\dllcache\cache
2009-09-04 17:57 230,912 a------- c:\windows\PEV.exe
2009-09-04 17:57 161,792 a------- c:\windows\SWREG.exe
2009-09-04 17:57 98,816 a------- c:\windows\sed.exe
2009-09-04 17:57 --ds---- C:\ComboFix
2009-08-25 19:09 --d----- C:\test
2009-08-25 14:42 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-25 14:41 655,872 -c------ c:\windows\system32\dllcache\mstscax.dll

==================== Find3M ====================

2009-09-03 10:28 8,416 a------- c:\windows\system32\drivers\61883.sys
2009-08-05 20:16 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-29 15:49 1,285,026,321 a------- C:\MSSetupv73.exe
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-06-29 11:12 827,392 -------- c:\windows\system32\wininet.dll
2009-06-29 11:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 11:12 17,408 a------- c:\windows\system32\corpol.dll
2009-06-16 09:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:55 82,432 a------- c:\windows\system32\fontsub.dll
2001-06-20 16:19 40,960 a------- c:\program files\ACMonitor_X83.exe
2007-02-16 08:54 8,026,400 a--sh--- c:\windows\system32\drivers\fidbox.dat
2007-02-16 02:52 68,384 a--sh--- c:\windows\system32\drivers\fidbox2.dat

============= FINISH: 17:48:47.71 ===============

Can you download/run GooredFix again?

Please download the OTMoveIt by OldTimer.

• Save it to your desktop.
  
• Please double-click OTM.exe to run it.
  
• Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  
  :files
  c:\windows\Pzacohahurozec.dat
  c:\windows\system32\drivers\61883.sys
  
  
  
• Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  
• Click the red Moveit! button.
  
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  
• Close OTMoveIt
  

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

========== FILES ==========
c:\windows\Pzacohahurozec.dat moved successfully.
c:\windows\system32\drivers\61883.sys moved successfully.

OTM by OldTimer - Version 3.0.0.6 log created on 09102009_143233

UYhhh can I delete the folder where I was storing the virus...you always ask what's in it but never ask me to delete it...<__<

and yeah I can use goorfix I still have it

Hello.
Yeah, you can delete that folder where you stored it.
Then delete this folder.

C:\_OTM

Please run Gooredfix.

GooredFix by jpshortstuff (12.07.09)
Log created at 09:06 on 11/09/2009 (gap)
Firefox version 3.5.3 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{1181DA92-58E9-4113-9B4F-DB76EFF5A537} -> Success!
Deleting C:\Documents and Settings\gap\Local Settings\Application Data\{1181DA92-58E9-4113-9B4F-DB76EFF5A537} -> Success!

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [11:52 27/07/2005]
{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [21:51 09/09/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [08:08 08/08/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [21:51 09/09/2009]

---------- Old Logs ----------
GooredFix[00.01.49_09-09-2009].txt

-=E.O.F=-

Hello.
How is it now? this should be fine now from what I can tell.

How is what now? I still can't turn on my avira.

Oh, and am I clean yet?

Download the GMER rootkit scan from here: GMER

1. Unzip it and start GMER.
   
2. Click the >>> tab and then click the Scan button.
   
3. Once done, click the Copy button.
   
4. This will copy the results to your clipboard.
   
5. Paste the results in your next reply.
   

Note:
If you're having problems with running GMER.exe, try it in safe mode. This tools works in safe mode.
You can also try renaming it since some malware blocks GMER.

GMER 1.0.15.15086 - http://www.gmer.net
Rootkit scan 2009-09-14 11:43:56
Windows 5.1.2600 Service Pack 2
Running: pwyfyyj4.exe; Driver: C:\DOCUME~1\gap\LOCALS~1\Temp\aujasnkj.sys


---- System - GMER 1.0.15 ----

SSDT F7E70FC6 ZwCreateKey
SSDT F7E70FBC ZwCreateThread
SSDT F7E70FCB ZwDeleteKey
SSDT F7E70FD5 ZwDeleteValueKey
SSDT F7E70FDA ZwLoadKey
SSDT F7E70FA8 ZwOpenProcess
SSDT F7E70FAD ZwOpenThread
SSDT F7E70FE4 ZwReplaceKey
SSDT F7E70FDF ZwRestoreKey
SSDT F7E70FD0 ZwSetValueKey
SSDT F7E70FB7 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

? hoeq.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\gap\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.fileunemployment.com.\settings.sol 95 bytes

---- EOF - GMER 1.0.15 ----

Hello.
This should be okay now, just uninstall Avira, then re-install it.

yeah but what about the viruses inside my quarantine? I have several from when I was last reinfected a long while ago that got sent will they be released?

No, once quarantined, they are dead. When Avira is uninstalled, the quarantine location is removed, and so are the files inside it.

Okay, I reinstalled and it works.

I'm assuming I'm now clean ^__^