Help - reached the end of my rope....

Download the GMER rootkit scan from here: GMER

1. Unzip it and start GMER.
   
2. Click the >>> tab and then click the Scan button.
   
3. Once done, click the Copy button.
   
4. This will copy the results to your clipboard.
   
5. Paste the results in your next reply.
   

Note:
If you're having problems with running GMER.exe, try it in safe mode. This tools works in safe mode.
You can also try renaming it since some malware blocks GMER.

The results are far too long for a post. Is there some portion I should post? These two lines below were highlighted in Red.


Service C:\WINDOWS\system32\drivers\ziuohuddt.sys (*** hȋdden *** ) [AUTO] jlxhm

File C:\WINDOWS\system32\drivers\ziuohuddt.sys 75264 bytes executable

Can you look at the bottom of the log for something like thIS?

"C:\WINDOWS\system32\drivers\ziuohuddt.sys <-- ROOTKIT!!!"

Let me know.

This is just a sample from the botton of the log. Should I try to post more?



---- Threads - GMER 1.0.15 ----

Thread msmsgs.exe [4068:4072] SSDT 0x85DC7B90 != 0x80504428

SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) msmsgs.exe [4068.4072] ZwCreateKey [0xEB0D66EA]
SSDT \SystemRoot\System32\DRIVERS\kmxagent.sys (HIPS Agent Driver/CA) msmsgs.exe [4068.4072] ZwCreateSection [0xF2C6FFD2]
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) msmsgs.exe [4068.4072] ZwCreateSymbolicLinkObject [0xEB0D740B]
SSDT 00000C93 msmsgs.exe [4068.4072] ZwDeleteValueKey [0x85DB15BD]
SSDT 00000C93 msmsgs.exe [4068.4072] ZwEnumerateKey [0x85DB126D]
SSDT 00000C93 msmsgs.exe [4068.4072] ZwEnumerateValueKey [0x85DB1379]
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) msmsgs.exe [4068.4072] ZwMakeTemporaryObject [0xEB0D775C]
SSDT 00000C93 msmsgs.exe [4068.4072] ZwOpenKey [0x85DB11B5]
SSDT 00000C93 msmsgs.exe [4068.4072] ZwOpenProcess [0x85DB0F1F]
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) msmsgs.exe [4068.4072] ZwOpenSection [0xEB0D7130]
SSDT 00000C93 msmsgs.exe [4068.4072] ZwOpenThread [0x85DB0FA7]
SSDT 00000C93 msmsgs.exe [4068.4072] ZwProtectVirtualMemory [0x85DB1781]
SSDT 00000C93 msmsgs.exe [4068.4072] ZwQuerySystemInformation [0x85DB0E19]
SSDT 00000C93 msmsgs.exe [4068.4072] ZwReadVirtualMemory [0x85DB16B5]
SSDT 00000C93 msmsgs.exe [4068.4072] ZwSetContextThread [0x85DB1152]
SSDT \SystemRoot\System32\DRIVERS\kmxagent.sys (HIPS Agent Driver/CA) msmsgs.exe [4068.4072] ZwSetInformationProcess [0xF2C6F662]
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) msmsgs.exe [4068.4072] ZwSetSystemInformation [0xEB0D7538]
SSDT 00000C93 msmsgs.exe [4068.4072] ZwSetValueKey [0x85DB14B9]
SSDT 00000C93 msmsgs.exe [4068.4072] ZwSuspendThread [0x85DB10EF]
SSDT 00000C93 msmsgs.exe [4068.4072] ZwTerminateThread [0x85DB108C]
SSDT 00000C93 msmsgs.exe [4068.4072] ZwWriteVirtualMemory [0x85DB171B]

---- Threads - GMER 1.0.15 ----

Thread msmsgs.exe [4068:476] SSDT 0x85DACB90 != 0x80504428

SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) msmsgs.exe [4068.476] ZwCreateKey [0xEB0D66EA]
SSDT \SystemRoot\System32\DRIVERS\kmxagent.sys (HIPS Agent Driver/CA) msmsgs.exe [4068.476] ZwCreateSection [0xF2C6FFD2]
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) msmsgs.exe [4068.476] ZwCreateSymbolicLinkObject [0xEB0D740B]
SSDT 00000C93 msmsgs.exe [4068.476] ZwDeleteValueKey [0x85DB15BD]
SSDT 00000C93 msmsgs.exe [4068.476] ZwEnumerateKey [0x85DB126D]
SSDT 00000C93 msmsgs.exe [4068.476] ZwEnumerateValueKey [0x85DB1379]
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) msmsgs.exe [4068.476] ZwMakeTemporaryObject [0xEB0D775C]
SSDT 00000C93 msmsgs.exe [4068.476] ZwOpenKey [0x85DB11B5]
SSDT 00000C93 msmsgs.exe [4068.476] ZwOpenProcess [0x85DB0F1F]
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) msmsgs.exe [4068.476] ZwOpenSection [0xEB0D7130]
SSDT 00000C93 msmsgs.exe [4068.476] ZwOpenThread [0x85DB0FA7]
SSDT 00000C93 msmsgs.exe [4068.476] ZwProtectVirtualMemory [0x85DB1781]
SSDT 00000C93 msmsgs.exe [4068.476] ZwQuerySystemInformation [0x85DB0E19]
SSDT 00000C93 msmsgs.exe [4068.476] ZwReadVirtualMemory [0x85DB16B5]
SSDT 00000C93 msmsgs.exe [4068.476] ZwSetContextThread [0x85DB1152]
SSDT \SystemRoot\System32\DRIVERS\kmxagent.sys (HIPS Agent Driver/CA) msmsgs.exe [4068.476] ZwSetInformationProcess [0xF2C6F662]
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) msmsgs.exe [4068.476] ZwSetSystemInformation [0xEB0D7538]
SSDT 00000C93 msmsgs.exe [4068.476] ZwSetValueKey [0x85DB14B9]
SSDT 00000C93 msmsgs.exe [4068.476] ZwSuspendThread [0x85DB10EF]
SSDT 00000C93 msmsgs.exe [4068.476] ZwTerminateThread [0x85DB108C]
SSDT 00000C93 msmsgs.exe [4068.476] ZwWriteVirtualMemory [0x85DB171B]

---- Threads - GMER 1.0.15 ----

Thread ISUSPM.exe [4092:2008] SSDT 0x85DC7B90 != 0x80504428

SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) ISUSPM.exe [4092.2008] ZwCreateKey [0xEB0D66EA]
SSDT \SystemRoot\System32\DRIVERS\kmxagent.sys (HIPS Agent Driver/CA) ISUSPM.exe [4092.2008] ZwCreateSection [0xF2C6FFD2]
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) ISUSPM.exe [4092.2008] ZwCreateSymbolicLinkObject [0xEB0D740B]
SSDT 00000C93 ISUSPM.exe [4092.2008] ZwDeleteValueKey [0x85DB15BD]
SSDT 00000C93 ISUSPM.exe [4092.2008] ZwEnumerateKey [0x85DB126D]
SSDT 00000C93 ISUSPM.exe [4092.2008] ZwEnumerateValueKey [0x85DB1379]
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) ISUSPM.exe [4092.2008] ZwMakeTemporaryObject [0xEB0D775C]
SSDT 00000C93 ISUSPM.exe [4092.2008] ZwOpenKey [0x85DB11B5]
SSDT 00000C93 ISUSPM.exe [4092.2008] ZwOpenProcess [0x85DB0F1F]
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) ISUSPM.exe [4092.2008] ZwOpenSection [0xEB0D7130]
SSDT 00000C93 ISUSPM.exe [4092.2008] ZwOpenThread [0x85DB0FA7]
SSDT 00000C93 ISUSPM.exe [4092.2008] ZwProtectVirtualMemory [0x85DB1781]
SSDT 00000C93 ISUSPM.exe [4092.2008] ZwQuerySystemInformation [0x85DB0E19]
SSDT 00000C93 ISUSPM.exe [4092.2008] ZwReadVirtualMemory [0x85DB16B5]
SSDT 00000C93 ISUSPM.exe [4092.2008] ZwSetContextThread [0x85DB1152]
SSDT \SystemRoot\System32\DRIVERS\kmxagent.sys (HIPS Agent Driver/CA) ISUSPM.exe [4092.2008] ZwSetInformationProcess [0xF2C6F662]
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) ISUSPM.exe [4092.2008] ZwSetSystemInformation [0xEB0D7538]
SSDT 00000C93 ISUSPM.exe [4092.2008] ZwSetValueKey [0x85DB14B9]
SSDT 00000C93 ISUSPM.exe [4092.2008] ZwSuspendThread [0x85DB10EF]
SSDT 00000C93 ISUSPM.exe [4092.2008] ZwTerminateThread [0x85DB108C]
SSDT 00000C93 ISUSPM.exe [4092.2008] ZwWriteVirtualMemory [0x85DB171B]

---- Threads - GMER 1.0.15 ----

Thread ISUSPM.exe [4092:1424] SSDT 0x85DACB90 != 0x80504428

SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) ISUSPM.exe [4092.1424] ZwCreateKey [0xEB0D66EA]
SSDT \SystemRoot\System32\DRIVERS\kmxagent.sys (HIPS Agent Driver/CA) ISUSPM.exe [4092.1424] ZwCreateSection [0xF2C6FFD2]
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) ISUSPM.exe [4092.1424] ZwCreateSymbolicLinkObject [0xEB0D740B]
SSDT 00000C93 ISUSPM.exe [4092.1424] ZwDeleteValueKey [0x85DB15BD]
SSDT 00000C93 ISUSPM.exe [4092.1424] ZwEnumerateKey [0x85DB126D]
SSDT 00000C93 ISUSPM.exe [4092.1424] ZwEnumerateValueKey [0x85DB1379]
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) ISUSPM.exe [4092.1424] ZwMakeTemporaryObject [0xEB0D775C]
SSDT 00000C93 ISUSPM.exe [4092.1424] ZwOpenKey [0x85DB11B5]
SSDT 00000C93 ISUSPM.exe [4092.1424] ZwOpenProcess [0x85DB0F1F]
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) ISUSPM.exe [4092.1424] ZwOpenSection [0xEB0D7130]
SSDT 00000C93 ISUSPM.exe [4092.1424] ZwOpenThread [0x85DB0FA7]
SSDT 00000C93 ISUSPM.exe [4092.1424] ZwProtectVirtualMemory [0x85DB1781]
SSDT 00000C93 ISUSPM.exe [4092.1424] ZwQuerySystemInformation [0x85DB0E19]
SSDT 00000C93 ISUSPM.exe [4092.1424] ZwReadVirtualMemory [0x85DB16B5]
SSDT 00000C93 ISUSPM.exe [4092.1424] ZwSetContextThread [0x85DB1152]
SSDT \SystemRoot\System32\DRIVERS\kmxagent.sys (HIPS Agent Driver/CA) ISUSPM.exe [4092.1424] ZwSetInformationProcess [0xF2C6F662]
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) ISUSPM.exe [4092.1424] ZwSetSystemInformation [0xEB0D7538]
SSDT 00000C93 ISUSPM.exe [4092.1424] ZwSetValueKey [0x85DB14B9]
SSDT 00000C93 ISUSPM.exe [4092.1424] ZwSuspendThread [0x85DB10EF]
SSDT 00000C93 ISUSPM.exe [4092.1424] ZwTerminateThread [0x85DB108C]
SSDT 00000C93 ISUSPM.exe [4092.1424] ZwWriteVirtualMemory [0x85DB171B]

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\ziuohuddt.sys (*** hȋdden *** ) [AUTO] jlxhm <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\jlxhm
Reg HKLM\SYSTEM\CurrentControlSet\Services\jlxhm@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\jlxhm@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\jlxhm@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\jlxhm@ImagePath \??\C:\WINDOWS\system32\drivers\ziuohuddt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\jlxhm@DisplayName jlxhm
Reg HKLM\SYSTEM\CurrentControlSet\Services\jlxhm@RulesData 0x03 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\jlxhm@krnl_sleepfreq 0x08 0x07 0x00 0x00
Reg HKLM\SYSTEM\CurrentControlSet\Services\jlxhm@krnl_servers_list 0x68 0x74 0x74 0x70 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\jlxhm\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\jlxhm\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet003\Services\jlxhm (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\jlxhm@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\jlxhm@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\jlxhm@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\jlxhm@ImagePath \??\C:\WINDOWS\system32\drivers\ziuohuddt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\jlxhm@DisplayName jlxhm
Reg HKLM\SYSTEM\ControlSet003\Services\jlxhm@RulesData 0x03 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\jlxhm@krnl_sleepfreq 0x08 0x07 0x00 0x00
Reg HKLM\SYSTEM\ControlSet003\Services\jlxhm@krnl_servers_list 0x68 0x74 0x74 0x70 ...
Reg HKLM\SYSTEM\ControlSet003\Services\jlxhm\Security (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\jlxhm\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\str.sys 213024 bytes
File C:\WINDOWS\system32\drivers\ziuohuddt.sys 75264 bytes executable <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE

• Click on Avenger.zip to open the file
  
• Extract avenger.exe to your desktop
  

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to disable:
jlxhm

Drivers to delete:
jlxhm

Files to delete:
C:\WINDOWS\system32\drivers\ziuohuddt.sys
C:\WINDOWS\system32\drivers\str.sys

Registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\jlxhm
HKLM\SYSTEM\ControlSet003\Services\jlxhm

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

• Under "Input script here:", paste in the script from the quote box above.
  
• Leave the ticked box "Scan for rootkit" ticked.
  
• Then tick "Disable any rootkits found"
  
• Now click on the Execute to begin execution of the script.
  
• Answer "Yes" twice when prompted.
  
  The Avenger will automatically do the following:
  
  
• It will Restart your computer.
  
• On reboot, it will briefly open a black command window on your desktop, this is normal.
  
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  

4. Please copy/paste the content of c:\avenger.txt into your reply.

Hi, here is Avenger log file.


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

hȋdden driver "jlxhm" found!
DisplayName: jlxhm
ImagePath: \??\C:\WINDOWS\system32\drivers\ziuohuddt.sys
Driver disabled successfully.

Rootkit scan completed.

Driver "jlxhm" disabled successfully.
Driver "jlxhm" deleted successfully.
File "C:\WINDOWS\system32\drivers\ziuohuddt.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\str.sys" deleted successfully.

Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\jlxhm" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\jlxhm" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKLM\SYSTEM\ControlSet003\Services\jlxhm" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Can you run Combofix now?

Yes, report is below.

ComboFix 09-12-02.05 - Rick Hyman 12/05/2009 22:43.8.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.402 [GMT -5:00]
Running from: c:\documents and settings\Rick Hyman\Desktop\Combo-Fix.exe
FW: CA Personal Firewall *enabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\cleanup.exe
.
---- Previous Run -------
.
c:\windows\system32\drivers\str.sys . . . . failed to delete

-- Previous Run --

Infected copy of c:\windows\system32\es.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\es.dll

--------

.
((((((((((((((((((((((((( Files Created from 2009-11-06 to 2009-12-06 )))))))))))))))))))))))))))))))
.

2009-12-05 23:51 . 2009-08-12 21:48 270336 ----a-w- c:\windows\system32\cdg.dll
2009-12-05 23:51 . 2006-09-27 22:46 348160 ----a-w- c:\windows\system32\cdga.dll
2009-12-05 23:51 . 2006-07-18 02:42 14909 ----a-w- c:\windows\system32\A_reg.reg
2009-12-05 23:51 . 2009-12-05 23:51 -------- d-----w- c:\program files\Cucusoft
2009-12-05 17:27 . 2009-12-05 17:27 0 ----a-w- C:\backup.reg
2009-12-05 17:27 . 2009-12-05 17:27 574 ----a-w- C:\cleanup.bat
2009-12-05 17:27 . 2009-12-05 17:27 135168 ----a-w- C:\zip.exe
2009-12-04 00:52 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-04 00:42 . 2008-10-16 19:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-12-04 00:42 . 2008-10-16 19:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-12-04 00:42 . 2008-10-16 19:13 202776 ----a-w- c:\windows\system32\wuweb.dll
2009-12-04 00:42 . 2008-10-16 19:13 1809944 ----a-w- c:\windows\system32\wuaueng.dll
2009-12-04 00:42 . 2008-10-16 19:12 323608 ----a-w- c:\windows\system32\wucltui.dll
2009-12-04 00:42 . 2008-10-16 19:09 92696 ----a-w- c:\windows\system32\cdm.dll
2009-12-04 00:42 . 2008-10-16 19:09 51224 ----a-w- c:\windows\system32\wuauclt.exe
2009-12-03 09:11 . 2009-08-07 00:24 327896 ----a-w- c:\windows\system32\dllcache\wucltui.dll
2009-12-03 09:11 . 2009-08-07 00:24 209632 ----a-w- c:\windows\system32\dllcache\wuweb.dll
2009-12-03 09:11 . 2009-08-07 00:24 53472 ----a-w- c:\windows\system32\dllcache\wuauclt.exe
2009-12-03 09:11 . 2009-08-07 00:23 1929952 ----a-w- c:\windows\system32\dllcache\wuaueng.dll
2009-12-03 09:11 . 2009-08-07 00:24 96480 ----a-w- c:\windows\system32\dllcache\cdm.dll
2009-12-01 09:37 . 2009-12-01 09:37 79488 ----a-w- c:\documents and settings\Rick Hyman\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-27 19:42 . 2009-10-10 07:07 38208 ----a-w- c:\documents and settings\Rick Hyman\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-27 19:41 . 2009-11-27 19:44 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-27 19:40 . 2009-11-27 19:40 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-27 19:39 . 2009-11-27 19:39 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-11-27 19:39 . 2009-12-01 02:48 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-27 16:37 . 2008-10-16 19:09 43544 ----a-w- c:\windows\system32\wups2.dll
2009-11-27 16:37 . 2008-10-16 19:08 34328 ----a-w- c:\windows\system32\wups.dll
2009-11-27 16:36 . 2008-10-16 19:12 561688 ----a-w- c:\windows\system32\wuapi.dll
2009-11-22 01:05 . 2009-11-22 01:05 -------- d-----w- c:\program files\iPod
2009-11-22 01:05 . 2009-11-22 01:05 -------- d-----w- c:\program files\iTunes
2009-11-22 00:26 . 2009-11-22 00:26 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-19 11:55 . 2009-11-19 11:55 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-11-16 10:26 . 2004-08-10 10:00 57398 ----a-w- c:\windows\system32\dllcache\imjpdadm.exe
2009-11-15 19:56 . 2009-12-04 01:03 -------- d-----w- c:\windows\LastGood
2009-11-12 12:06 . 2009-11-12 12:06 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-12 12:06 . 2009-11-12 12:06 93360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2009-11-12 12:06 . 2009-11-12 12:06 554280 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
2009-11-12 12:06 . 2009-11-21 05:43 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2009-11-12 12:06 . 2009-11-12 12:06 283944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Vipre.dll
2009-11-12 12:06 . 2009-11-12 12:06 212480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\VipreBridge.dll
2009-11-12 12:06 . 2009-11-12 12:06 1223976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll
2009-11-12 12:06 . 2009-11-12 12:06 242984 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll
2009-11-12 12:05 . 2009-11-12 12:05 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-12 12:05 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-06 23:39 . 2009-12-06 03:39 664 ----a-w- c:\windows\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-05 17:32 . 2009-01-25 08:09 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k7
2009-12-05 17:32 . 2009-01-25 08:09 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k6
2009-12-05 17:32 . 2009-01-25 08:09 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k5
2009-12-05 17:32 . 2009-01-25 08:09 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k4
2009-12-05 17:32 . 2009-01-25 08:09 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k3
2009-12-05 17:32 . 2009-01-25 08:09 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k2
2009-12-05 17:32 . 2009-01-25 08:09 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k1
2009-12-05 17:32 . 2009-01-25 08:09 439158 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k0
2009-12-02 00:53 . 2008-11-16 12:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-27 03:21 . 2006-12-03 22:28 19178 -c--a-w- c:\documents and settings\Rick Hyman\Application Data\wklnhst.dat
2009-11-23 12:09 . 2008-10-03 23:20 -------- d-----w- c:\program files\QuickTime
2009-11-22 01:05 . 2007-10-17 10:40 -------- d-----w- c:\program files\Common Files\Apple
2009-11-21 14:04 . 2006-11-27 21:08 96696 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-12 12:06 . 2009-08-04 10:22 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-11-12 12:06 . 2009-08-04 10:22 5908024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-10-15 20:21 . 2009-10-15 20:21 -------- d-----w- c:\documents and settings\Jill Hyman\Application Data\Malwarebytes
2009-10-10 14:23 . 2009-09-22 21:12 3584 ----a-w- c:\documents and settings\Matthew Hyman\Application Data\Macromedia\Common\1223407419.exe
2009-10-09 22:41 . 2009-09-22 17:13 3584 ----a-w- c:\documents and settings\NetworkService\Application Data\Macromedia\Common\1223407419.exe
2009-10-05 21:01 . 2009-09-28 21:22 3584 ----a-w- c:\documents and settings\Danni Hyman\Application Data\Macromedia\Common\1223407419.exe
2009-09-29 01:24 . 2009-09-29 01:25 388608 ----a-w- c:\windows\system32\CF7074.exe
2009-09-29 00:19 . 2009-09-29 00:21 388608 ----a-w- c:\windows\system32\CF20058.exe
2009-09-28 23:21 . 2009-09-28 23:54 388608 ----a-w- c:\windows\system32\CF23298.exe
2009-09-28 19:47 . 2009-09-28 19:49 388608 ----a-w- c:\windows\system32\CF6897.exe
2009-09-24 02:44 . 2009-09-24 02:44 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-09-24 00:20 . 2009-09-24 00:20 17632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\WSCUpdate.dll
2009-09-24 00:20 . 2009-03-28 21:15 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-24 00:20 . 2009-09-24 00:20 68640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\lbd.sys
2009-09-24 00:20 . 2009-09-24 00:20 303976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\AAWDriverTool.exe
2009-09-24 00:19 . 2009-08-04 10:21 640760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-09-14 23:07 . 2007-03-25 23:59 13278 -c--a-w- c:\documents and settings\Danni Hyman\Application Data\wklnhst.dat
2009-09-10 19:54 . 2008-11-16 12:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2008-11-16 12:31 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2008-06-08 12:15 . 2008-06-08 12:15 0 -c--a-w- c:\program files\uninstall.dat
2007-10-19 00:35 . 2006-12-04 01:58 88 -csh--r- c:\windows\system32\874376E414.sys
2007-10-19 00:36 . 2006-12-04 01:58 2828 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-05-24 181488]
"cafw"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-08-28 771312]
"capfasem"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-08-28 173296]
"capfupgrade"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-08-28 259312]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-11-21 788880]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-24 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-27 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 19:30 79368 ----a-w- c:\windows\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=
"c:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [3/19/2008 11:56 AM 93712]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/3/2009 7:52 PM 64288]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [3/21/2008 4:00 PM 63504]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [3/21/2008 4:00 PM 45584]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [3/19/2008 11:56 AM 115216]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [6/4/2008 12:27 PM 134648]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [3/21/2008 4:00 PM 66576]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1184912]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [10/18/2007 11:24 AM 1010192]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [10/18/2007 11:24 AM 801296]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [4/15/2008 12:50 PM 281104]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/25/2009 6:49 PM 24652]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [5/30/2008 4:56 PM 88816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-12-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 05:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.optimum.net/
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
DPF: {444785F1-DE89-4295-863A-D46C3A781394} - hxxp://webplayer.unity3d.com/download_webplayer-2.x/UnityWebPlayer.cab
DPF: {A5A76EA0-7B92-4707-9DBF-6F6FE56A6800} - hxxp://scan.networkmagic.com/nmscan/download/WebDiag.4.5.8056.1-ship-WD.V1.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - c:\program files\AIM6\aim6.exe
AddRemove-Ad-Aware - c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe REMOVE=TRUE MODIFY=FALSE
AddRemove-atoysvfixkzwnqr - c:\windows\system32\atoysvfixkzwnqr.exe
AddRemove-cont_adsoftinc - c:\windows\system32\cont_adsoftinc-remove.exe
AddRemove-{E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\program files\NOS\bin\getPlus_Helper.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-05 22:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
Completion time: 2009-12-05 23:00
ComboFix-quarantined-files.txt 2009-12-06 04:00
ComboFix2.txt 2008-11-23 15:35

Pre-Run: 216,634,572,800 bytes free
Post-Run: 216,602,234,880 bytes free

- - End Of File - - AE4BDEAB7342375E6524B2E6BD0E2428

Hello.
Nice work, this malware was quite stubborn, suprising to see Combofix failed to delete that str.sys, and the avenger easily trashed it.

• Open HijackThis.
  
• When Hijack This opens, click "Open the Misc Tools section"
  
• Then select "Open Uninstall Manager"
  
• Click on "Save List..." (generates uninstall_list.txt)
  
• Click Save, copy and paste the results in your next post.
  

Great. Here it is, computer is already a lot faster.

3ivx MPEG-4 5.0.3 (remove only)
Acrobat.com
Acrobat.com
Ad-Aware
Adobe AIR
Adobe AIR
Adobe Reader 9.2
Apple Application Support
Apple Mobile Device Support
Apple Software Update
BlackBerry Desktop Software 4.3
BlackBerry Desktop Software 4.3
Bonjour
BUM
CA Desktop DNA Migrator
CA Internet Security Suite
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
Conexant D850 56K V.9x DFVc Modem
Cucusoft DVD to iPod Converter 7.27
Dell CinePlayer
Dell Driver Reset Tool
Digital Content Portal
Digital Line Detect
Documentation & Support Launcher
FlipShare
getPlus(R)_ocx
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
HP Imaging Device Functions 7.0
HP Photosmart and Deskjet 7.0 Software
HP Photosmart Essential
HP Software Update
HP Solution Center 7.0
Intel(R) Graphics Media Accelerator Driver
Intel(R) Matrix Storage Manager
iTunes
KODAK Gallery Upload Software
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Publisher 2002
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Word 2002
Microsoft Works
Microsoft Works Suite 2006 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
Modem Helper
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
muvee Plugin 1.0
NetWaiting
OverDrive Media Console
QuickTime
Roxio Media Manager
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Sonic Activation Module
Sonic Encoders
Sonic Update Manager
Unity Web Player
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
URL Assistant
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WD Diagnostics
WildTangent Web Driver
Windows Imaging Component
Windows Internet Explorer 8
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890927
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

Viewpoint Media Player

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?

Seems much better. Is there anything else that I need to do?

Nope, that should do it.

You guys are awesome. Thanks.

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to the turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please considering using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio, or
Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found here.

Hopefully this should take care of your problems! Good luck.