AntiVir Solution Pro and AntiMalware Doctor

2 posters

Hello, I seem to have been infected by not one but two malware programs. I tried to follow the "Antivir Solution Pro" guide, but when I tried to install HijackThis it gave me a "Security Warning" and I was unable to open the program. Any help would be greatly appreciated. Thanks.

Re: AntiVir Solution Pro and AntiMalware Doctor

I was able to run HijackThis in safe mode and here is the log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:02:51 PM, on 7/26/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Jerome\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Street-Ads Browser Enhancer ssxip - {F78BD1E4-092F-4473-8B3F-1592BF1AC8CC} - C:\WINDOWS\system32\ssxip.dll
O2 - BHO: Sky-Banners Browser Enhancer wsxip - {FEFA441B-C1B5-48FE-96AB-A8763765B998} - C:\WINDOWS\system32\wsxip.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ewrgetuj] C:\DOCUME~1\Jerome\LOCALS~1\Temp\geurge.exe
O4 - HKLM\..\Run: [sta] rundll32 "wsxip.dll",,Run
O4 - HKLM\..\Run: [MChk] C:\WINDOWS\system32\jsxip.exe
O4 - HKLM\..\Run: [xrxrycun] C:\Documents and Settings\Jerome\Local Settings\Application Data\eskhopkwr\kosewpetssd.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Jerome\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [setupupdate70700.exe] C:\Documents and Settings\Jerome\Application Data\C522B6C80ECACD946BBA4DE815F41EE8\setupupdate70700.exe
O4 - HKCU\..\Run: [Tqazipejoxired] rundll32.exe "C:\WINDOWS\pskbd2.dll",Startup
O4 - HKCU\..\Run: [xrxrycun] C:\Documents and Settings\Jerome\Local Settings\Application Data\eskhopkwr\kosewpetssd.exe
O4 - HKCU\..\Run: [mcexecwin] rundll32.exe C:\DOCUME~1\Jerome\LOCALS~1\Temp\jliz7po.dll, RestoreWindows
O4 - HKCU\..\Run: [uiha98uiohf873yuiadnhgjesgregas] C:\DOCUME~1\Jerome\LOCALS~1\Temp\f3z6b9.exe
O4 - HKCU\..\Run: [hsehf98u34i9tjioaugy987iuegdsg] C:\DOCUME~1\Jerome\LOCALS~1\Temp\spoolsv.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\xusmi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xusmi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xusmi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xusmi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xusmi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xusmi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xusmi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xusmi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xusmi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xusmi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xusmi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xusmi.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: BCL easyPDF SDK 5 Loader (bepldr) - Unknown owner - C:\Program Files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6838 bytes
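The HijackThis log above carries the indicators a helper looks for when reading such a log: an R1 proxy pointing at a loopback port (127.0.0.1:5643), O4 Run entries launching from the Temp folder or reusing a Windows process name (spoolsv.exe) outside System32, an O7 policy that disables regedit, and the repeated O10 "Unknown file in Winsock LSP" lines. The script below is an added example, not part of the original post and not HijackThis output; it applies those checks to a constructed sample of lines in the same shape as the log. The rules, the SYSTEM_PROCESS_NAMES list and the wording of the findings are my own heuristics, not an exhaustive signature set.

```python
"""Triage HijackThis log lines for the kinds of indicators seen in the log above.

Added example: the rules are a reviewer's own heuristics, not HijackThis output
and not an exhaustive signature set.
"""
import re
from typing import List, Tuple

# Windows process names that malware likes to borrow; legitimate copies live in System32.
SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "spoolsv.exe", "svchost.exe",
                        "lsass.exe", "winlogon.exe", "services.exe"}

ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
LOOPBACK_PROXY_RE = re.compile(r"(127\.0\.0\.1|localhost):\d+")

# Constructed sample in the shape of the log above (one O10 line duplicated on purpose,
# because HijackThis prints one O10 line per LSP catalog row).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ewrgetuj] C:\DOCUME~1\Jerome\LOCALS~1\Temp\geurge.exe
O4 - HKCU\..\Run: [hsehf98u34i9tjioaugy987iuegdsg] C:\DOCUME~1\Jerome\LOCALS~1\Temp\spoolsv.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Unknown file in Winsock LSP: c:\windows\system32\xusmi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xusmi.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""


def _exe_name(cmd: str) -> str:
    """Best-effort basename of the program (or DLL) a Run entry launches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        target = cmd[1:end] if end > 0 else cmd[1:]
    else:
        # rundll32 entries look like "rundll32.exe <dll>,<export>": keep the part before the comma
        target = cmd.split(",")[0]
    return target.replace("/", "\\").split("\\")[-1].lower()


def triage_hjt(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, reason, line) for every distinct entry that matches an indicator."""
    findings: List[Tuple[str, str, str]] = []
    seen = set()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m or line in seen:
            continue
        seen.add(line)
        sec, body = m.group("sec"), m.group("body")
        low = body.lower()
        reason = None
        if sec in ("R0", "R1") and "proxyserver" in low and LOOPBACK_PROXY_RE.search(low):
            reason = "browser proxy points at a loopback port: a local process is relaying web traffic"
        elif sec == "O4":
            om = O4_RE.search(body)
            cmd = om.group("cmd") if om else body
            exe = _exe_name(cmd)
            if exe in SYSTEM_PROCESS_NAMES and "\\system32\\" not in cmd.lower():
                reason = f"autostart runs '{exe}', a Windows system process name, from outside System32"
            elif "\\temp\\" in cmd.lower():
                reason = "autostart launches a program from a Temp directory"
        elif sec == "O7" and "disableregedit=1" in low.replace(" ", ""):
            reason = "policy blocks the Registry Editor; typical of rogue antivirus lockouts"
        elif sec == "O10" and "unknown file in winsock lsp" in low:
            reason = "unknown Winsock LSP: deleting the DLL without repairing the catalog breaks networking"
        if reason:
            findings.append((sec, reason, line))
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage_hjt(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```

Feed a saved hijackthis.log to triage_hjt instead of SAMPLE_LOG to run it on a real log; the output is a reading aid, not a removal list, which is why the script only reports.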


Re: AntiVir Solution Pro and AntiMalware Doctor

Hi, Welcome to GeekPolice.net!

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
  • Click Start > Run, then copy and paste the following command into the Run box and click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

[screenshot: Query_RC]
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[screenshot: RC_successful]

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

Re: AntiVir Solution Pro and AntiMalware Doctor

Sneaky, did you want me to run this in safe mode or normal mode? Thanks.

Re: AntiVir Solution Pro and AntiMalware Doctor

Hi.

Please run it in Safe Mode.

Re: AntiVir Solution Pro and AntiMalware Doctor

Sneaky, I ran the ComboFix as instructed, but I was unable to download the "Microsoft Windows Recovery" because it said I wasn't connected to the internet (I'm using my laptop right now). I rebooted my comp into safe mode with networking, so I figured that should have given me internet access, but it didn't.

The combofix program proceeded and it came to a stop when it said "ComboFix has detected the presence of rootkit activity and needs to rebooted the machine."

Re: AntiVir Solution Pro and AntiMalware Doctor

Hi.

To fix the no internet connectivity do this in safe mode:

Remove the Proxy setting in Internet explorer and/or in FireFox.

In IE: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "Use a proxy server", or reconfigure the proxy server again in case you have set it previously.

In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection -> choose "No Proxy".

Click the Apply button and restart the computer in normal mode.

======

After you have done that, please run ComboFix again and install the recovery console.
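The registry values behind the "Use a proxy server" checkbox are ProxyEnable (a DWORD) and ProxyServer under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, the same key the R1 line in the HijackThis log reads. The script below is an added example, not anything from the post or from ComboFix: it reads those two values with Python's standard winreg module, flags an enabled proxy that points at 127.0.0.1 or localhost (the 127.0.0.1:5643 case in this thread), and with a --fix argument makes the same change as unchecking the box. The assess_proxy function, its verdict text and the --fix flag are my own construction; the loopback rule assumes you did not deliberately install a local proxy, which is why the instructions above say to reconfigure it if you set it yourself.

```python
"""Inspect, and optionally clear, the WinINET proxy that IE's LAN Settings dialog writes.

Added example. The assessment logic is platform-neutral; the registry access
needs Windows (the winreg module does not exist elsewhere).
"""
import sys
from typing import Optional, Tuple

try:
    import winreg
except ImportError:  # not on Windows: keep the pure logic importable for testing
    winreg = None

KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
LOOPBACK_HOSTS = ("127.0.0.1", "localhost")


def assess_proxy(proxy_enable: int, proxy_server: Optional[str]) -> Tuple[bool, str]:
    """Classify the (ProxyEnable, ProxyServer) pair. Returns (suspicious, explanation).

    Assumption: an *enabled* proxy on a loopback address is treated as suspicious,
    because a local relay is how the rogue software in this thread captured browser traffic.
    """
    if not proxy_enable:
        if proxy_server:
            return False, f"proxy disabled; stale ProxyServer value left behind: {proxy_server}"
        return False, "no proxy configured"
    if not proxy_server:
        return False, "ProxyEnable set but ProxyServer empty: connections go direct"
    hosts = []
    for part in proxy_server.split(";"):
        # entries look like "http=127.0.0.1:5643" (per protocol) or just "host:port"
        target = part.split("=", 1)[-1].strip()
        hosts.append(target.rsplit(":", 1)[0].lower())
    if any(h in LOOPBACK_HOSTS for h in hosts):
        return True, f"enabled proxy points at loopback ({proxy_server}); a local process intercepts browser traffic"
    return False, f"enabled proxy: {proxy_server}"


def read_proxy() -> Tuple[int, Optional[str]]:
    """Read ProxyEnable/ProxyServer from HKCU; missing values mean 'not set'."""
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, KEY_PATH) as key:
        try:
            enable, _ = winreg.QueryValueEx(key, "ProxyEnable")
        except FileNotFoundError:
            enable = 0
        try:
            server, _ = winreg.QueryValueEx(key, "ProxyServer")
        except FileNotFoundError:
            server = None
    return int(enable), server


def disable_proxy() -> None:
    """Same effect as unchecking 'Use a proxy server' in Internet Options > LAN Settings."""
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, KEY_PATH, 0, winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, "ProxyEnable", 0, winreg.REG_DWORD, 0)
        try:
            winreg.DeleteValue(key, "ProxyServer")
        except FileNotFoundError:
            pass


if __name__ == "__main__":
    if winreg is None:
        sys.exit("this check reads the Windows registry; run it on the affected machine")
    enable, server = read_proxy()
    suspicious, why = assess_proxy(enable, server)
    print(("SUSPICIOUS: " if suspicious else "ok: ") + why)
    if suspicious and "--fix" in sys.argv[1:]:
        disable_proxy()
        print("proxy disabled; restart the browser (or the machine, as instructed above) to apply it")
```

Run it as the user whose profile is affected, since the values are per-user (HKCU); the Firefox setting lives in the Firefox profile, not in this key, so it still has to be changed in the Firefox dialog.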

Re: AntiVir Solution Pro and AntiMalware Doctor

Ok.

ComboFix kept going after I hit the reboot button. Should I abort it now? It says completed stage 10. If so, how do I go about aborting it? It appears to be in DOS?

Thanks.

Re: AntiVir Solution Pro and AntiMalware Doctor

Hi.

ComboFix kept going after I hit the reboot button. Should I abort it now? It says completed stage 10. If so, how do I go about aborting it? It appears to be in DOS?


That is fine, let it continue to run, when it is finished please post the log here.

Re: AntiVir Solution Pro and AntiMalware Doctor

Ok, here is the log from combofix.

ComboFix 10-07-24.06 - Jerome 07/26/2010 17:17:50.1.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.831 [GMT -7:00]
Running from: c:\documents and settings\Jerome\desktop\commy.exe
Command switches used :: /stepdel

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jerome\Application Data\C522B6C80ECACD946BBA4DE815F41EE8
c:\documents and settings\Jerome\Application Data\Sky-Banners
c:\documents and settings\Jerome\Application Data\Street-Ads
c:\documents and settings\Jerome\Local Settings\Application Data\eskhopkwr
c:\documents and settings\Jerome\Local Settings\Application Data\eskhopkwr\kosewpetssd.exe
c:\windows\$NtUninstallMTF1011$
c:\windows\system32\jsxip.exe
c:\windows\system32\msippsth.dll
c:\windows\uvixirakipejoxi.dll
c:\docume~1\Jerome\LOCALS~1\Temp\csrss.exe
c:\documents and settings\All Users\Application Data\Update\seupd.exe
c:\documents and settings\Jerome\Application Data\C522B6C80ECACD946BBA4DE815F41EE8\enemies-names.txt
c:\documents and settings\Jerome\Application Data\C522B6C80ECACD946BBA4DE815F41EE8\local.ini
c:\documents and settings\Jerome\Application Data\C522B6C80ECACD946BBA4DE815F41EE8\lsrslt.ini
c:\documents and settings\Jerome\Application Data\C522B6C80ECACD946BBA4DE815F41EE8\setupupdate70700.exe
c:\documents and settings\Jerome\Local Settings\Application Data\eskhopkwr\kosewpetssd.exe
c:\program files\Mozilla Firefox\searchplugins\google_search.xml
c:\windows\$NtUninstallMTF1011$\apUninstall.exe
c:\windows\pskbd2.dll
c:\windows\system32\6to4v32.dll
c:\windows\system32\certstore.dat
c:\windows\system32\r1ap0f9y.dll
c:\windows\system32\ssxip.dll
c:\windows\system32\wsXIp.dll

Infected copy of c:\windows\system32\drivers\imapi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_TCPIP_PASS-THROUGH_FILTER
-------\Service_6to4
-------\Service_TCPIP Pass-through Filter


((((((((((((((((((((((((( Files Created from 2010-06-27 to 2010-07-27 )))))))))))))))))))))))))))))))
.

2010-07-26 12:35 . 2010-07-26 12:35 8192 ----a-w- c:\windows\system32\xusmi.dll
2010-07-26 12:35 . 2010-07-27 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-07-25 11:56 . 2010-07-25 11:57 967 ----a-w- c:\windows\ScUnin.pif
2010-07-25 11:56 . 2010-07-25 11:57 94208 ----a-w- c:\windows\ScUnin.exe
2010-07-25 11:56 . 2010-07-25 11:57 33193 ----a-w- c:\windows\scunin.dat
2010-07-25 11:56 . 2010-07-26 11:11 -------- d-----w- c:\program files\Starcraft
2010-07-18 00:49 . 2010-07-18 00:49 -------- d-----w- c:\program files\iPod
2010-07-18 00:49 . 2010-07-18 00:49 -------- d-----w- c:\program files\iTunes
2010-07-18 00:49 . 2010-07-18 00:49 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-07-18 00:47 . 2010-07-18 00:48 -------- d-----w- c:\program files\QuickTime
2010-07-18 00:46 . 2010-07-18 00:46 -------- d-----w- c:\program files\Bonjour
2010-07-18 00:44 . 2010-07-18 00:44 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-07-04 00:48 . 2010-07-04 00:48 -------- d-----w- c:\documents and settings\Jerome\Application Data\acccore
2010-07-04 00:48 . 2010-07-04 00:53 -------- d-----w- c:\documents and settings\Jerome\Local Settings\Application Data\AIM
2010-07-04 00:48 . 2010-07-04 00:48 -------- d-----w- c:\documents and settings\Jerome\Local Settings\Application Data\AOL
2010-07-04 00:48 . 2010-07-04 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2010-07-04 00:48 . 2010-07-04 00:48 -------- d-----w- c:\program files\AIM
2010-07-04 00:48 . 2010-07-04 00:48 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-07-04 00:48 . 2010-07-04 00:48 -------- d-----w- c:\program files\Common Files\AOL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-27 00:07 . 2010-01-22 10:06 -------- d-----w- c:\documents and settings\Jerome\Application Data\U3
2010-07-26 22:53 . 2010-01-06 03:31 24 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000009-00001102-00000002-80651102}.dat
2010-07-26 22:53 . 2010-01-06 03:31 24 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000009-00001102-00000002-80651102}.dat
2010-07-26 22:52 . 2010-04-28 20:28 -------- d-----w- c:\program files\Common Files\Akamai
2010-07-26 22:38 . 2010-01-11 09:13 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-26 13:29 . 2010-03-10 21:48 -------- d-----w- c:\documents and settings\Jerome\Application Data\uTorrent
2010-07-24 14:18 . 2010-01-30 10:13 -------- d-----w- c:\documents and settings\Jerome\Application Data\mIRC
2010-07-24 06:07 . 2010-01-30 10:13 -------- d-----w- c:\program files\mIRC
2010-07-22 05:05 . 2010-02-15 07:29 -------- d-----w- c:\program files\Full Tilt Poker
2010-07-18 00:49 . 2010-03-09 22:41 -------- d-----w- c:\program files\Common Files\Apple
2010-06-14 14:31 . 2010-01-05 22:39 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-04 05:16 . 2010-06-04 05:16 -------- d-----w- c:\documents and settings\Jerome\Application Data\Ahead
2010-06-04 05:16 . 2010-06-04 05:16 -------- d-----w- c:\program files\Nero
2010-06-04 05:16 . 2010-06-04 05:16 -------- d-----w- c:\program files\Common Files\Ahead
2010-05-18 23:35 . 2010-05-18 23:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 23:35 . 2010-05-18 23:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 23:35 . 2010-05-18 23:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-02 05:22 . 2008-04-14 00:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-28 21:45 . 2010-04-28 21:45 36864 ----a-w- c:\documents and settings\Jerome\Application Data\Autodesk\AutoCAD 2011\R18.1\enu\ContextualTabSelectorRules.dll
2010-04-28 21:37 . 2010-01-06 00:24 49480 ----a-w- c:\documents and settings\Jerome\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-07-28 49152]
"cdloader"="c:\documents and settings\Jerome\Application Data\mjusbsp\cdloader2.exe" [2010-02-26 50520]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-03 24576]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"nwiz"="nwiz.exe" [2003-07-28 323584]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 13:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nitro PDF Printer Monitor]
2007-11-01 04:18 204800 ----a-w- c:\program files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-02-20 03:16 1217872 ----a-w- c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 09:12 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2009-12-21 05:45 39424 ----a-w- c:\program files\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\NVIDIA\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\jerome_rozario@hotmail.com\\day of defeat\\hl.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Jerome\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=

S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [4/13/2008 9:42 PM 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/12/2010 6:33 PM 135664]
S3 bepldr;BCL easyPDF SDK 5 Loader;c:\program files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe [8/22/2007 5:19 PM 151552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-07-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-13 01:33]

2010-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-13 01:33]

2010-07-26 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-01-06 06:18]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5643
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\xusmi.dll
FF - ProfilePath - c:\documents and settings\Jerome\Application Data\Mozilla\Firefox\Profiles\lcca5obi.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101045100&s=
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101045100&s=
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
.
------- File Associations -------
.
.scr=AutoCADscriptFile
.
- - - - ORPHANS REMOVED - - - -

BHO-{FEFA441B-C1B5-48FE-96AB-A8763765B998} - c:\windows\system32\wsxip.dll
HKCU-Run-setupupdate70700.exe - c:\documents and settings\Jerome\Application Data\C522B6C80ECACD946BBA4DE815F41EE8\setupupdate70700.exe
HKCU-Run-Tqazipejoxired - c:\windows\pskbd2.dll
HKCU-Run-xrxrycun - c:\documents and settings\Jerome\Local Settings\Application Data\eskhopkwr\kosewpetssd.exe
HKLM-Run-sta - wsxip.dll
HKLM-Run-MChk - c:\windows\system32\jsxip.exe
HKLM-Run-xrxrycun - c:\documents and settings\Jerome\Local Settings\Application Data\eskhopkwr\kosewpetssd.exe
MSConfigStartUp-ATICustomerCare - c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe
MSConfigStartUp-StartCCC - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
AddRemove-$NtUninstallMTF1011$ - c:\windows\$NtUninstallMTF1011$\apUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-26 17:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1716)
c:\windows\system32\AcSignIcon.dll
c:\windows\system32\msi.dll
c:\program files\Common Files\Autodesk Shared\AcSignCore16.dll
.
Completion time: 2010-07-26 17:29:33 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-27 00:29

Pre-Run: 546,942,517,248 bytes free
Post-Run: 547,690,647,552 bytes free

- - End Of File - - 61F2E266BD8D4872D28D00E51278D29D

Re: AntiVir Solution Pro and AntiMalware Doctor

I rebooted the system and let it start in normal mode. Everything seems to be fine as both malware programs appear to have been removed.

Thanks for all the help.

Re: AntiVir Solution Pro and AntiMalware Doctor

Hi.

I still see some malware, but I need to ask a colleague for a second opinion about it.

Re: AntiVir Solution Pro and AntiMalware Doctor

Hi.

LSP-Check

  1. Please download LSPFix from here.
  2. Run the LSPFix.exe that you have just finished downloading.
  3. Write down all files that are in the left column (example: mswsock.dll, winrnr.dll, rsvpsp.dll) and then post them in your next reply, along with whether or not you see the phrase "No problems found".
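LSPFix reads the Winsock catalog, the list of providers every socket call on the machine is routed through; the same list can be dumped with the built-in command netsh winsock show catalog, where each provider block carries an Entry Type, Description and Provider Path line. The parser below is an added example, not part of this thread and not LSPFix: it reads that output and reports providers whose DLL is not one of the standard Windows providers named in the post (mswsock.dll, winrnr.dll, rsvpsp.dll). The catalog text is a constructed sample in that shape with made-up GUIDs, the field labels are assumed to match the XP output, and the KNOWN_PROVIDERS list is deliberately short; a machine with legitimate third-party LSPs (some antivirus and firewall products install one) needs the list extended.

```python
"""Audit a `netsh winsock show catalog` dump for provider DLLs that are not standard Windows ones.

Added example. KNOWN_PROVIDERS is an assumption (the names given as examples in the
post above), not a complete inventory of legitimate providers.
"""
import re
import sys
from typing import Dict, List

KNOWN_PROVIDERS = {"mswsock.dll", "winrnr.dll", "rsvpsp.dll"}

# Constructed sample in the shape of the netsh output; GUIDs are made up.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        xusmi Tcpip [TCP/IP]
Provider ID:                        {00000000-0000-0000-0000-000000000001}
Provider Path:                      c:\windows\system32\xusmi.dll
Catalog Entry ID:                   1030
Version:                            2
Protocol Chain Length:              2

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {00000000-0000-0000-0000-000000000002}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Version:                            2
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        RSVP UDP Service Provider
Provider ID:                        {00000000-0000-0000-0000-000000000003}
Provider Path:                      %SystemRoot%\system32\rsvpsp.dll
Catalog Entry ID:                   1004
Version:                            2
Protocol Chain Length:              1
"""

FIELD_RE = re.compile(r"^([A-Za-z ]+):\s+(.*)$")


def parse_catalog(text: str) -> List[Dict[str, str]]:
    """Split the dump into one dict of 'Label' -> value per provider entry."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("Winsock Catalog Provider Entry"):
            if current:
                entries.append(current)
            current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    if current:
        entries.append(current)
    return entries


def suspicious_providers(text: str) -> List[Dict[str, str]]:
    """Entries whose Provider Path DLL is not in KNOWN_PROVIDERS.

    A layered provider sits in front of every socket, so deleting its DLL while
    the catalog entry remains makes every connection fail; the entry has to be
    removed (LSPFix, or `netsh winsock reset`) as well.
    """
    out = []
    for entry in parse_catalog(text):
        path = entry.get("Provider Path", "")
        dll = path.replace("/", "\\").split("\\")[-1].lower()
        if dll and dll not in KNOWN_PROVIDERS:
            out.append({"id": entry.get("Catalog Entry ID", "?"),
                        "type": entry.get("Entry Type", "?"),
                        "dll": dll, "path": path})
    return out


if __name__ == "__main__":
    # usage: python lsp_audit.py catalog.txt   (falls back to the built-in sample)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_CATALOG
    for hit in suspicious_providers(text):
        print(f"entry {hit['id']} ({hit['type']}): {hit['path']}")
```

On the affected machine, save the dump with netsh winsock show catalog > catalog.txt and pass the file to the script; an unknown layered provider pointing at a DLL that a cleanup has already deleted matches the symptom of losing all connectivity after ComboFix, and repairing the catalog (LSPFix as above, or netsh winsock reset followed by a reboot) is the fix for that state.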

Re: AntiVir Solution Pro and AntiMalware Doctor

Sneakyone wrote:
Hi.

I still see some malware, but I need to ask a colleague for a second opinion about it.


Yes, even though it appears the programs are gone. I can't use my internet now... I can access the net with my laptop but not my computer.

Re: AntiVir Solution Pro and AntiMalware Doctor

Hi.

Are you able to transfer LSPfix to the infected machine with a USB drive?
