My computer caught System Guard Virus - Please Help!!!!!!!!!!!!!!!!

I keep on getting messages from Antivirus software Alert - Threat: Win32/Nuqel.E and BankerFox.A I tried downloading an intivurus software from a legit company, but I can't install it. I can' open Control Panel. Please let me know how I an get rid of it.


Thanks!!!

RKill by Grinler
Link #1
Link #2
Link #3

• Download Link #1.
  
• Save it to your Desktop.
  
• Double click the RKill desktop icon.
  If you are using Vista please right click and run as Admin!
  
• A black screen will briefly flash indicating a successful run.
  
• If this does not occur please delete that application and download Link #2.
  
• Continue process until the tool runs.
  
• If the tool does not run from any of the links tell me about it.
  

This only kills the active infection, the actual infection will not be gone.

=============================

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com


Rename ComboFix.exe to commy.exe before you save it to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here
  
• Click Start then copy paste the following command into the search box & hit enter: "%userprofile%\desktop\commy.exe" /stepdel
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
  
• When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

Here the Log:
ComboFix 10-04-26.05 - ANNA 04/27/2010 20:28:31.1.2 - x86
Microsoft Windows Vista Ultimate 6.0.6000.0.1252.1.1033.18.1982.1416 [GMT -4:00]
Running from: c:\users\ANNA\Desktop\commy.exe
Command switches used :: /stepdel
SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-51003140-4199384537-3980697693-500
c:\users\ANNA\AppData\Local\yoyhvjutw
c:\$recycle.bin\S-1-5-21-51003140-4199384537-3980697693-500\desktop.ini
c:\program files\gamevance\gamevancelib32.dll
c:\program files\Gamevance\gvtl.dll
c:\program files\Mail.Ru\Agent\Mra\dll\newmrasearch.dll
c:\users\ANNA\AppData\Local\Microsoft\Windows\Temporary Internet Files\pse_350_enu.exe
c:\users\ANNA\AppData\Local\yoyhvjutw\mwuyrcxtssd.exe
c:\windows\system32\AutoRun.inf

.
((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-28 )))))))))))))))))))))))))))))))
.

2010-04-28 00:36 . 2010-04-28 00:37 -------- d-----w- c:\users\ANNA\AppData\Local\temp
2010-04-28 00:36 . 2010-04-28 00:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-20 01:01 . 2010-04-20 01:01 -------- d-----w- c:\users\ANNA\AppData\Local\Yahoo!
2010-04-05 22:38 . 2010-04-05 22:38 -------- d-----w- c:\programdata\McAfee
2010-04-04 15:47 . 2009-11-24 21:39 1093064 ----a-w- c:\users\ANNA\AppData\Roaming\Mozilla\Firefox\Profiles\2ysnm7na.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll
2010-04-03 16:47 . 2010-04-03 16:47 -------- d-----w- c:\program files\Common Files\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-28 00:28 . 2009-11-30 16:57 -------- d-----w- c:\program files\Gamevance
2010-04-28 00:23 . 2009-06-28 16:13 -------- d-----w- c:\users\ANNA\AppData\Roaming\ICQ
2010-04-25 18:20 . 2009-06-28 16:07 67400 ----a-w- c:\programdata\nvModes.dat
2010-04-25 17:47 . 2009-06-28 07:16 -------- d-----w- c:\users\ANNA\AppData\Roaming\Skype
2010-04-25 14:26 . 2009-06-28 07:19 -------- d-----w- c:\users\ANNA\AppData\Roaming\skypePM
2010-03-11 08:43 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-11 08:24 . 2009-11-14 18:25 -------- d-----w- c:\programdata\Microsoft Help
2010-02-24 14:16 . 2009-10-02 23:04 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 08:21 . 2009-06-28 16:05 123968 ----a-w- c:\users\ANNA\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-20 23:54 . 2010-03-11 08:12 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:51 . 2010-03-11 08:12 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 21:30 . 2010-03-11 08:12 396800 ----a-w- c:\windows\system32\drivers\http.sys
2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-11-22 14:58 . 2006-11-22 14:58 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-09-29 21:24 325000 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45F160E9-48B5-41C8-8093-CE70CEAE8F80}]
2009-06-29 07:18 753664 ----a-w- c:\windows\System32\wownetb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-29 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-29 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-06-29 1232896]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"ICQ"="c:\program files\ICQ6.5\ICQ.exe" [2009-11-16 172792]
"Google Update"="c:\users\ANNA\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-04-10 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2009-06-29 1006264]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-05-11 472632]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-09 148888]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"MAgent"="c:\program files\Mail.Ru\Agent\MAgent.exe" [2009-12-08 7975608]
"Ad Muncher"="c:\program files\Ad Muncher\AdMunch.exe" [2010-01-24 862208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Lanhtm"= {24A19C32-2C71-4DE7-8389-442D326AA4DD} - c:\windows\system32\svrsql.dll [2009-06-29 802816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-10-26 721904]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder

2010-04-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2144488369-2711709791-3128680860-1000Core.job
- c:\users\ANNA\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-10 02:25]

2010-04-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2144488369-2711709791-3128680860-1000UA.job
- c:\users\ANNA\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-10 02:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
mStart Page = hxxp://mail.ru
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=106X1133&id=menu_ie_frame
IE: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=106X1133&id=menu_ie_image
IE: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=106X1133&id=menu_ie_link
IE: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=106X1133&id=menu_ie_exclude
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=106X1133&id=menu_ie_report
IE: {{7558B7E5-7B26-4201-BEDB-00D5FF534523} - c:\program files\Mail.Ru\Agent\magent.exe
FF - ProfilePath - c:\users\ANNA\AppData\Roaming\Mozilla\Firefox\Profiles\2ysnm7na.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\users\ANNA\AppData\Roaming\Mozilla\Firefox\Profiles\2ysnm7na.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\users\ANNA\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\ANNA\AppData\Local\Yahoo!\BrowserPlus\2.7.1\Plugins\npybrowserplus_2.7.1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-geenjgom - c:\users\ANNA\AppData\Local\yoyhvjutw\mwuyrcxtssd.exe
HKLM-Run-Gamevance - c:\program files\Gamevance\gamevance32.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-27 20:37
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-04-27 20:40:13
ComboFix-quarantined-files.txt 2010-04-28 00:40

Pre-Run: 25,367,384,064 bytes free
Post-Run: 26,896,666,624 bytes free

- - End Of File - - 9FBCB7606BE68521E7D6E446BB947BC0

Re-running ComboFix to remove infections:

• Close any open browsers.
  
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  
• Open notepad and copy/paste the text in the box below into it:
  

  http://www.GeekPolice.net/virus-spyware-malware-removal-f11/my-computer-caught-system-guard-virus-please-help-t21165.htm killall:: Registry:: [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45F160E9-48B5-41C8-8093-CE70CEAE8F80}] collect:: c:\windows\System32\wownetb.dll DDS:: uInternet Settings,ProxyServer = http=127.0.0.1:5555 Reboot::

• Save this as CFScript.txt, in the same location as ComboFix.exe
  
  
  
  
• Referring to the picture above, drag CFScript into ComboFix.exe
  
• When finished, it shall produce a log for you at C:\ComboFix.txt
  
• Please post the contents of the log in your next reply.

Ok. I was able to do the second step. Here's my log:
ComboFix 10-04-28.03 - ANNA 04/28/2010 23:59:03.2.2 - x86
Microsoft Windows Vista Ultimate 6.0.6000.0.1252.1.1033.18.1982.566 [GMT -4:00]
Running from: c:\users\ANNA\Desktop\ComboFix.exe
Command switches used :: c:\users\ANNA\Desktop\CFscript.txt
SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

file zipped: c:\windows\System32\wownetb.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\ANNA\AppData\Local\asam.exe
c:\users\ANNA\AppData\Local\qtbndweam
c:\users\ANNA\AppData\Local\qtbndweam\gusamjntssd.exe
c:\users\ANNA\AppData\Local\syssvc.exe
c:\windows\System32\wownetb.dll

.
((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-29 )))))))))))))))))))))))))))))))
.

2010-04-29 04:04 . 2010-04-29 04:06 -------- d-----w- c:\users\ANNA\AppData\Local\temp
2010-04-29 04:04 . 2010-04-29 04:04 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-29 04:04 . 2010-04-29 04:04 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-29 03:02 . 2010-04-29 03:02 -------- d-----w- c:\windows\Sun
2010-04-28 01:15 . 2010-04-28 01:15 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-04-28 00:22 . 2010-04-28 00:40 -------- d-----w- C:\commy
2010-04-20 01:01 . 2010-04-20 01:01 -------- d-----w- c:\users\ANNA\AppData\Local\Yahoo!
2010-04-05 22:38 . 2010-04-05 22:38 -------- d-----w- c:\programdata\McAfee
2010-04-03 16:47 . 2010-04-03 16:47 -------- d-----w- c:\program files\Common Files\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-29 03:58 . 2009-06-28 07:16 -------- d-----w- c:\users\ANNA\AppData\Roaming\Skype
2010-04-29 00:01 . 2009-06-28 07:19 -------- d-----w- c:\users\ANNA\AppData\Roaming\skypePM
2010-04-28 01:15 . 2009-06-28 16:13 -------- d-----w- c:\users\ANNA\AppData\Roaming\ICQ
2010-04-28 00:28 . 2009-11-30 16:57 -------- d-----w- c:\program files\Gamevance
2010-04-25 18:20 . 2009-06-28 16:07 67400 ----a-w- c:\programdata\nvModes.dat
2010-03-11 08:43 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-11 08:24 . 2009-11-14 18:25 -------- d-----w- c:\programdata\Microsoft Help
2010-02-24 14:16 . 2009-10-02 23:04 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 08:21 . 2009-06-28 16:05 123968 ----a-w- c:\users\ANNA\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-20 23:54 . 2010-03-11 08:12 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:51 . 2010-03-11 08:12 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 21:30 . 2010-03-11 08:12 396800 ----a-w- c:\windows\system32\drivers\http.sys
2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-11-22 14:58 . 2006-11-22 14:58 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-29 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-29 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-06-29 1232896]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"ICQ"="c:\program files\ICQ6.5\ICQ.exe" [2009-11-16 172792]
"Google Update"="c:\users\ANNA\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-04-10 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2009-06-29 1006264]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-05-11 472632]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"MAgent"="c:\program files\Mail.Ru\Agent\MAgent.exe" [2009-12-08 7975608]
"Ad Muncher"="c:\program files\Ad Muncher\AdMunch.exe" [2010-01-24 862208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Lanhtm"= {24A19C32-2C71-4DE7-8389-442D326AA4DD} - c:\windows\system32\svrsql.dll [2009-06-29 802816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-10-26 721904]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder

2010-04-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2144488369-2711709791-3128680860-1000Core.job
- c:\users\ANNA\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-10 02:25]

2010-04-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2144488369-2711709791-3128680860-1000UA.job
- c:\users\ANNA\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-10 02:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
mStart Page = hxxp://mail.ru
uInternet Settings,ProxyOverride =
IE: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=106X1133&id=menu_ie_frame
IE: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=106X1133&id=menu_ie_image
IE: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=106X1133&id=menu_ie_link
IE: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=106X1133&id=menu_ie_exclude
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=106X1133&id=menu_ie_report
IE: {{7558B7E5-7B26-4201-BEDB-00D5FF534523} - c:\program files\Mail.Ru\Agent\magent.exe
FF - ProfilePath - c:\users\ANNA\AppData\Roaming\Mozilla\Firefox\Profiles\2ysnm7na.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\users\ANNA\AppData\Roaming\Mozilla\Firefox\Profiles\2ysnm7na.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\users\ANNA\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\ANNA\AppData\Local\Yahoo!\BrowserPlus\2.7.1\Plugins\npybrowserplus_2.7.1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-eponqlcq - c:\users\ANNA\AppData\Local\qtbndweam\gusamjntssd.exe
HKCU-Run-asam - c:\users\ANNA\AppData\Local\asam.exe
HKLM-Run-asam - c:\users\ANNA\AppData\Local\asam.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\conime.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-04-29 00:14:31 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-29 04:14
ComboFix2.txt 2010-04-28 00:40

Pre-Run: 26,014,109,696 bytes free
Post-Run: 25,794,093,056 bytes free

- - End Of File - - 5AEBA19C6F68B54772ABE427AFE6F95C
Upload was successful

Re-running ComboFix to remove infections:

• Close any open browsers.
  
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  
• Open notepad and copy/paste the text in the box below into it:
  

  killall:: Registry:: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] "Lanhtm"=- File:: c:\windows\system32\svrsql.dll Reboot::

• Save this as CFScript.txt, in the same location as ComboFix.exe
  
  
  
  
• Referring to the picture above, drag CFScript into ComboFix.exe
  
• When finished, it shall produce a log for you at C:\ComboFix.txt
  
• Please post the contents of the log in your next reply.