Multiple Kazy/Trojan Heur Variants Found by F-Secure

Greetings all,
I went away on vacation for a couple of days, came back and found my desktop, which runs Windows XP, apparently riddled with viruses. I use F-secure (under the brand ShawSecure) which keeps running scans and trying to get rid of the code; on startup it informs me that I have several variants. I'm on a LAN with multiple roommates, but I've never had this kind of problem in the four months I've been living here.
Variants it's told me about:
Gen:Kazy 19492, 17055, 19434, 5700, 19604, 19465, 19579, 19452, 6354, 19572, 17672, 19478, 17672, 19452.
Trojan Heur. : 23153, 19603.
Possibly related, my Gmail has also recently been acting up. I use Firefox and every outgoing message was appended with a source code that started with smellsliketervana.com . I managed to stop it doing that by using IE to change my signature, but this would appear to only be a cosmetic fix - every time I try to make it stop sending with a signature, it reverts.
Any help would be greatly appreciated. Thank you very much.

Hi there IndigoViolent and welcome to GeekPolice!

I am Gabethebabe and I will be helping you with this issue. Before we start some general remarks/rules:

• Whilst I´m helping you, please follow my instructions carefully and do not experiment on your own or accept help from other persons.
  
• Feel free to ask questions! Especially if my instructions are not clear. I´m here to help, not confuse you.
  
• I will try and respond quickly, but please understand I do have a real life (job, wife, 3 kids, kinky hobbies).
  
• Stick with me till the end. If your computer starts running better, doesn´t mean it is clean yet!

====================

Time to use ComboFix by sUBs, a powerful tool that you are advised not to run without supervision of a trained malware helper. Please visit this webpage and read the tutorial on using ComboFix very carefully. After that download the tool and save it to your desktop.

Doubleclick ComboFix.exe to run the tool. Please post its log back here.

Hi Gabethebabe:
Thanks for your help. I ran ComboFix but I'll be away from my computer for a few days so no particular rush.
ComboFix 11-09-01.03 - Megan 02/09/2011 1:22.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.446 [GMT -7:00]
Running from: c:\documents and settings\Megan\Desktop\ComboFix.exe
AV: Shaw Secure 9.01 *Disabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: Shaw Secure 9.01 *Disabled* {D4747503-0346-49EB-9262-997542F79BF4}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Gordon\Desktop\AV Care.lnk
c:\documents and settings\Gordon\Start Menu\Programs\AV Care
c:\documents and settings\Gordon\Start Menu\Programs\AV Care\AV Care.lnk
c:\documents and settings\Megan\Application Data\master
c:\documents and settings\Megan\Desktop\[Torrentsworld.net] - Supernatural S05E11 Sam, Interrupted HDTV XviD FQM.torrent
c:\documents and settings\Megan\Desktop\[Torrentsworld.net] - Supernatural S05E11 Sam, Interrupted HDTV XviD FQM.torrent
c:\documents and settings\Megan\My Documents\86d.pdf
c:\documents and settings\Megan\My Documents\86ed.pdf
c:\documents and settings\Megan\WINDOWS
c:\program files\AV Care
c:\program files\AV Care\avc.ico
c:\program files\FunWebProducts
c:\program files\Internet Explorer\SET52F.tmp
c:\program files\Internet Explorer\SET530.tmp
c:\program files\Internet Explorer\SET532.tmp
c:\program files\Internet Explorer\SET593.tmp
c:\program files\Internet Explorer\SET594.tmp
c:\program files\Internet Explorer\SET595.tmp
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\temp\1cb
c:\temp\1cb\syscheck.log
.
Infected copy of c:\windows\system32\clipsrv.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\clipsrv.exe
.
Infected copy of c:\windows\system32\accwiz.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\accwiz.exe
.
Infected copy of c:\windows\system32\alg.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\alg.exe
.
Infected copy of c:\windows\system32\calc.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\calc.exe
.
Infected copy of c:\windows\system32\charmap.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\charmap.exe
.
Infected copy of c:\windows\system32\cleanmgr.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\cleanmgr.exe
.
Infected copy of c:\windows\system32\cmd.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\cmd.exe
.
Infected copy of c:\windows\system32\dmadmin.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\dmadmin.exe
.
Infected copy of c:\windows\system32\freecell.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\freecell.exe
.
Infected copy of c:\windows\system32\imapi.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\imapi.exe
.
Infected copy of c:\windows\system32\locator.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\locator.exe
.
Infected copy of c:\windows\system32\magnify.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\magnify.exe
.
Infected copy of c:\windows\system32\mnmsrvc.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\mnmsrvc.exe
.
Infected copy of c:\windows\system32\mobsync.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\mobsync.exe
.
Infected copy of c:\windows\system32\msdtc.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\msdtc.exe
.
Infected copy of c:\windows\system32\mshearts.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\mshearts.exe
.
Infected copy of c:\windows\system32\msiexec.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\msiexec.exe
.
Infected copy of c:\windows\system32\mspaint.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\mspaint.exe
.
Infected copy of c:\windows\system32\mstsc.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\mstsc.exe
.
Infected copy of c:\windows\system32\narrator.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\narrator.exe
.
Infected copy of c:\windows\system32\netdde.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\netdde.exe
.
Infected copy of c:\windows\system32\notepad.exe was found and disinfected
Restored copy from - c:\windows\notepad.exe
.
Infected copy of c:\windows\system32\odbcad32.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\odbcad32.exe
.
Infected copy of c:\windows\system32\osk.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\osk.exe
.
Infected copy of c:\windows\system32\rcimlby.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\rcimlby.exe
.
Infected copy of c:\windows\system32\rsvp.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\rsvp.exe
.
Infected copy of c:\windows\system32\scardsvr.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\scardsvr.exe
.
Infected copy of c:\windows\system32\sessmgr.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\sessmgr.exe
.
Infected copy of c:\windows\system32\smlogsvc.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\smlogsvc.exe
.
Infected copy of c:\windows\system32\sndrec32.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\sndrec32.exe
.
Infected copy of c:\windows\system32\sndvol32.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\sndvol32.exe
.
Infected copy of c:\windows\system32\sol.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\sol.exe
.
Infected copy of c:\windows\system32\spider.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\spider.exe
.
Infected copy of c:\windows\system32\tourstart.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\tourstart.exe
.
Infected copy of c:\windows\system32\utilman.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\utilman.exe
.
Infected copy of c:\windows\system32\vssvc.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\vssvc.exe
.
Infected copy of c:\windows\system32\wiaacmgr.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\wiaacmgr.exe
.
Infected copy of c:\windows\system32\winmine.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\winmine.exe
.
Infected copy of c:\windows\system32\wupdmgr.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wupdmgr.exe
.
Infected copy of c:\windows\system32\Restore\rstrui.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\rstrui.exe
.
Infected copy of c:\windows\system32\usmt\migwiz.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\migwiz.exe
.
Infected copy of c:\windows\system32\wbem\wmiapsrv.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\wmiapsrv.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-08-02 to 2011-09-02 )))))))))))))))))))))))))))))))
.
.
2011-09-01 22:31 . 2011-09-01 22:31 -------- d-----w- c:\program files\iPod
2011-09-01 22:31 . 2011-09-01 22:32 -------- d-----w- c:\program files\iTunes
2011-09-01 22:22 . 2011-09-01 22:23 -------- d-----w- c:\program files\Bonjour
2011-09-01 05:29 . 2011-09-01 05:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2011-09-01 05:18 . 2011-09-01 05:18 -------- d-----w- c:\program files\WinPcap
2011-09-01 05:14 . 2011-09-01 05:14 388096 ----a-r- c:\documents and settings\Megan\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-09-01 05:14 . 2011-09-01 05:17 -------- d-----w- c:\program files\Trend Micro
2011-08-31 05:53 . 2011-09-02 08:43 120832 ----a-w- c:\windows\system32\msdtc.exe
2011-08-31 05:53 . 2011-09-02 08:43 147968 ----a-w- c:\windows\system32\clipsrv.exe
2011-08-31 05:53 . 2011-09-02 08:43 159232 ----a-w- c:\windows\system32\alg.exe
2011-08-30 18:45 . 2011-09-02 08:45 147456 ----a-w- c:\windows\system32\mnmsrvc.exe
2011-08-28 04:38 . 2011-08-28 05:10 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-08-28 02:40 . 2011-09-02 08:43 120320 ----a-w- c:\windows\system32\cisvc.exe
2011-08-24 20:58 . 2011-08-24 20:58 -------- d-----w- c:\documents and settings\LocalService\Application Data\Ahead
2011-08-11 21:12 . 2011-08-11 21:12 -------- d-----w- c:\documents and settings\Megan\Local Settings\Application Data\PCHealth
2011-08-11 04:11 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-11 04:11 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-02 08:49 . 2007-04-28 03:04 150528 ----a-w- c:\windows\system32\rcimlby.exe
2011-09-02 08:48 . 2007-04-28 03:04 461824 ----a-w- c:\windows\system32\tourstart.exe
2011-09-02 08:48 . 2007-04-28 03:04 164864 ----a-w- c:\windows\system32\utilman.exe
2011-09-02 08:48 . 2007-04-28 03:04 330240 ----a-w- c:\windows\system32\osk.exe
2011-09-02 08:48 . 2007-04-28 03:04 183808 ----a-w- c:\windows\system32\notepad.exe
2011-09-02 08:48 . 2007-04-28 03:04 258048 ----a-w- c:\windows\system32\mobsync.exe
2011-09-02 08:48 . 2007-04-28 03:04 503808 ----a-w- c:\windows\system32\cmd.exe
2011-09-02 08:48 . 2007-04-28 03:04 168448 ----a-w- c:\windows\system32\narrator.exe
2011-09-02 08:48 . 2007-04-28 03:04 187392 ----a-w- c:\windows\system32\magnify.exe
2011-09-02 08:45 . 2007-04-28 03:04 265216 ----a-w- c:\windows\system32\imapi.exe
2011-09-02 08:43 . 2011-08-31 05:00 404480 ----a-w- c:\windows\system32\vssvc.exe
2011-09-02 08:43 . 2011-08-31 05:53 210432 ----a-w- c:\windows\system32\scardsvr.exe
2011-09-02 08:43 . 2007-04-28 03:04 204288 ----a-w- c:\windows\system32\smlogsvc.exe
2011-09-02 08:43 . 2007-04-28 03:04 189952 ----a-w- c:\windows\system32\locator.exe
2011-09-02 08:43 . 2007-04-28 03:04 225792 ----a-w- c:\windows\system32\netdde.exe
2011-09-02 00:33 . 2007-04-28 03:08 278528 ----a-w- c:\windows\system32\nvsvc32.exe
2011-08-19 05:05 . 2009-02-02 23:11 42672 ----a-w- c:\windows\system32\drivers\fsbts.sys
2011-07-15 13:29 . 2007-04-28 03:04 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-12 18:20 . 2011-07-12 18:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 18:20 . 2011-07-12 18:20 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-08 14:02 . 2007-04-28 03:04 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 01:37 . 2011-07-06 01:37 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-07-06 01:37 . 2011-07-06 01:37 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-06-24 14:10 . 2007-04-28 03:31 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2007-04-28 03:04 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2007-04-28 03:04 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2007-04-28 03:04 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2007-04-28 03:04 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2007-04-28 03:04 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-09-01 02:08 . 2011-05-03 01:18 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Megan\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Megan\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Megan\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Megan\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\Steam.exe" [2011-08-02 1242448]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-17 3872080]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-20 39408]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-13 323392]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 16126464]
"SkyTel"="SkyTel.EXE" [2007-04-04 1822720]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-06 54832]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-11-25 185632]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"F-Secure Manager"="c:\program files\Shaw Secure\Common\FSM32.EXE" [2009-08-05 199264]
"F-Secure TNB"="c:\program files\Shaw Secure\FSGUI\TNBUtil.exe" [2009-08-05 2349664]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"StxTrayMenu"="c:\program files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-04 187496]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2008-06-25 1325848]
"AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2008-06-25 904768]
"Seagate Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2008-06-25 136472]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-06-10 136472]
"D-Link RangeBooster G WUA-2340"="c:\program files\D-Link\RangeBooster G WUA-2340\AirPlusCFG.exe" [2008-09-24 1667072]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-23 1983816]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-17 767312]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"Trend Micro RUBotted V2.0 Beta"="c:\program files\Trend Micro\RUBotted\RUBottedGUI.exe" [2010-12-17 1103184]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-06 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
.
c:\documents and settings\Megan\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Megan\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 498688]
.
c:\documents and settings\Gordon\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2008-3-9 233472]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\Megan\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\audiosurf\\engine\\QuestViewer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [02/02/2009 4:11 PM 42672]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [02/02/2009 3:54 PM 82120]
R0 m5289;m5289;c:\windows\system32\drivers\m5289.sys [30/04/2007 10:35 AM 51840]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\Shaw Secure\HIPS\drivers\fshs.sys [02/02/2009 3:53 PM 68064]
R2 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\D-Link\RangeBooster G WUA-2340\JSWUtil\jswpsapi.exe [04/12/2009 5:04 PM 475136]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [20/10/2009 11:19 AM 50704]
R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\RUBotSrv.exe [31/08/2011 10:17 PM 439632]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [24/06/2008 7:56 PM 431384]
R3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [04/12/2009 5:04 PM 386784]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\Shaw Secure\Anti-Virus\minifilter\fsgk.sys [02/02/2009 3:53 PM 148648]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\Shaw Secure\ORSP Client\fsorsp.exe [02/02/2009 3:53 PM 61088]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [04/12/2009 5:04 PM 57440]
S0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [30/04/2007 10:35 AM 24971]
S0 m5287;m5287;c:\windows\system32\drivers\m5287.sys [30/04/2007 10:35 AM 85888]
S0 mv614x;mv614x;c:\windows\system32\drivers\mv614x.sys [30/04/2007 10:36 AM 61184]
S0 Si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\Si3112r.sys [30/04/2007 10:36 AM 89610]
S0 SiSRaid1;SiSRaid1;c:\windows\system32\drivers\sisraid1.sys [30/04/2007 10:36 AM 45568]
S0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [30/04/2007 10:36 AM 77056]
S2 gupdate1c9d98c28cb7fa6;Google Update Service (gupdate1c9d98c28cb7fa6);c:\program files\Google\Update\GoogleUpdate.exe [20/05/2009 1:47 PM 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [20/05/2009 1:47 PM 133104]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\Shaw Secure\Anti-Virus\win2k\fsfilter.sys [02/02/2009 3:53 PM 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\Shaw Secure\Anti-Virus\win2k\fsrec.sys [02/02/2009 3:53 PM 25184]
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 20:34]
.
2011-09-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-20 20:46]
.
2011-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-20 20:46]
.
2011-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-20 20:46]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Shaw Secure\FSPS\program\FSLSP.DLL
TCP: DhcpNameServer = 192.168.254.254 192.168.254.254
FF - ProfilePath - c:\documents and settings\Megan\Application Data\Mozilla\Firefox\Profiles\x0fuw9qz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-AV Care - c:\program files\AV Care\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-02 01:44
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2473693306-2600650905-4282620119-1009\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@SACL=
.
[HKEY_USERS\S-1-5-21-2473693306-2600650905-4282620119-1009\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:81,e0,db,fc,79,31,d4,45,dd,13,59,b9,3e,6b,06,2e,aa,e3,ad,4d,b4,89,0a,
11,51,29,ba,a6,fb,db,fe,07,fc,0c,9c,90,43,73,3b,18,00,23,7a,a4,b1,8a,a8,14,\
"??"=hex:ac,2a,f2,3f,1b,2e,30,ef,0e,88,c5,82,9e,3e,b5,bc
.
[HKEY_USERS\S-1-5-21-2473693306-2600650905-4282620119-1009\Software\SecuROM\License information*]
"datasecu"=hex:d1,a2,44,93,8c,f6,9e,57,ba,65,e8,42,ca,1a,dc,b9,9d,d4,8b,ba,ea,
53,01,5f,4c,fc,d2,d5,43,38,43,c9,a3,ed,87,ab,38,c8,a3,c8,cc,ed,1b,fc,5d,fc,\
"rkeysecu"=hex:19,e3,b2,71,9f,04,7b,d4,7e,96,77,02,c8,74,ed,ba
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(1112)
c:\program files\Shaw Secure\FSPS\program\FSLSP.DLL
.
- - - - - - - > 'explorer.exe'(6020)
c:\windows\system32\WININET.dll
c:\documents and settings\Megan\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Shaw Secure\FSPS\program\FSLSP.DLL
c:\program files\shaw secure\scanner-interface\fsgkiapi.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Shaw Secure\Anti-Virus\fsgk32st.exe
c:\program files\Shaw Secure\Common\FSMA32.EXE
c:\program files\Shaw Secure\Anti-Virus\FSGK32.EXE
c:\program files\Shaw Secure\Common\FSHDLL32.EXE
c:\program files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
c:\program files\Nero\Nero 7\Nero BackItUp\NBService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\Shaw Secure\FWES\Program\fsdfwd.exe
c:\program files\Shaw Secure\Anti-Virus\fssm32.exe
c:\program files\Shaw Secure\Anti-Virus\fsav32.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\RTHDCPL.EXE
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
c:\program files\Java\jre1.6.0_07\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2011-09-02 01:53:55 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-02 08:53
.
Pre-Run: 51,910,955,008 bytes free
Post-Run: 52,635,893,760 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 5ECC797225C32EFB7FD4D2607D8B10AC

PS, should I re-enable Shaw Secure at this time?

Holy crap, 42 system executables were infected.

Lets keep your AV off for a moment and do this:

Please download Malwarebytes' Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select Perform Quick Scan, then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Note:

• If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
  
• Click OK to either and let MBAM proceed with the disinfection process.
  
• If asked to restart the computer, please do so immediately.

Post the contents of the MBAM log in your next reply, please.

Hi Gabethebabe,
Sorry it took a while to get back to you; had a personal emergency. Here's the log from the MBAM scan.
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7666

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

06/09/2011 6:24:34 PM
mbam-log-2011-09-06 (18-24-34).txt

Scan type: Quick scan
Objects scanned: 212465
Time elapsed: 5 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\utilman.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.

Please download aswMBR by Alwil Software from here and save it to your desktop.

• Double click aswMBR.exe to run the tool
  
• Click the Scan button to start the scan
  
• Don´t panic if you see any **Rootkit** entries. The tool sometimes produces false alarms
  
• Once the scan finishes click Save log to save the log to your desktop
  
• Copy and paste the contents of this log (aswMBR.txt) into your next reply.

====================

Please download SystemLook by jpshortstuff from one of the locations below and save it to your desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
  
• Copy the following text into the main textfield:

:filefind
utilman.exe

• Click the Look button to start the scan.
  
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop (SystemLook.txt.)

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-09-06 23:26:47
-----------------------------
23:26:47.750 OS Version: Windows 5.1.2600 Service Pack 3
23:26:47.750 Number of processors: 2 586 0x4B02
23:26:47.750 ComputerName: E-M42 UserName: Megan
23:26:48.093 Initialize success
23:40:27.812 AVAST engine defs: 11090601
23:46:42.843 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000065
23:46:42.843 Disk 0 Vendor: WDC_WD1600AAJS-00RYA0 12.01B01 Size: 152627MB BusType: 3
23:46:44.890 Disk 0 MBR read successfully
23:46:44.890 Disk 0 MBR scan
23:46:44.968 Disk 0 Windows XP default MBR code
23:46:44.968 Disk 0 scanning sectors +312576705
23:46:45.031 Disk 0 scanning C:\WINDOWS\system32\drivers
23:46:58.062 Service scanning
23:46:59.343 Modules scanning
23:47:05.484 Disk 0 trace - called modules:
23:47:05.500 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
23:47:05.500 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x861fd638]
23:47:05.500 3 CLASSPNP.SYS[f7517fd7] -> nt!IofCallDriver -> \Device\00000066[0x8628c520]
23:47:05.515 5 ACPI.sys[f735e620] -> nt!IofCallDriver -> \Device\00000065[0x86212030]
23:47:06.765 AVAST engine scan C:\WINDOWS
23:47:11.484 File: C:\WINDOWS\Alcmtr.exe **INFECTED** Win32:Expiro-Y
23:47:11.765 File: C:\WINDOWS\alcwzrd.exe **INFECTED** Win32:Expiro-Y
23:47:12.562 File: C:\WINDOWS\hh.exe **INFECTED** Win32:Expiro-Y
23:47:12.671 File: C:\WINDOWS\HideWin.exe **INFECTED** Win32:Expiro-Y
23:47:12.968 File: C:\WINDOWS\iwexec.exe **INFECTED** Win32:Expiro-Y
23:47:13.765 File: C:\WINDOWS\MicCal.exe **INFECTED** Win32:Expiro-Y
23:47:14.078 File: C:\WINDOWS\notepad.exe **INFECTED** Win32:Expiro-Y
23:47:14.578 File: C:\WINDOWS\PEV.exe **INFECTED** Win32:Expiro-Y
23:47:14.718 File: C:\WINDOWS\regedit.exe **INFECTED** Win32:Expiro-Y
23:47:15.062 File: C:\WINDOWS\RtlUpd.exe **INFECTED** Win32:Expiro-Y
23:47:15.140 File: C:\WINDOWS\sed.exe **INFECTED** Win32:Expiro-Y
23:47:15.484 File: C:\WINDOWS\SkyTel.exe **INFECTED** Win32:Expiro-Y
23:47:15.546 File: C:\WINDOWS\slrundll.exe **INFECTED** Win32:Expiro-Y
23:47:15.640 File: C:\WINDOWS\SoundMan.exe **INFECTED** Win32:Vitro
23:47:18.062 AVAST engine scan C:\WINDOWS\system32
23:47:18.593 File: C:\WINDOWS\system32\accwiz.exe **INFECTED** Win32:Expiro-Y
23:47:18.937 File: C:\WINDOWS\system32\actmovie.exe **INFECTED** Win32:Expiro-Y
23:47:19.671 File: C:\WINDOWS\system32\alg.exe **INFECTED** Win32:Expiro-Y
23:47:23.968 File: C:\WINDOWS\system32\calc.exe **INFECTED** Win32:Expiro-Y
23:47:25.281 File: C:\WINDOWS\system32\charmap.exe **INFECTED** Win32:Expiro-Y
23:47:25.625 File: C:\WINDOWS\system32\cisvc.exe **INFECTED** Win32:Expiro-Y
23:47:25.921 File: C:\WINDOWS\system32\cleanmgr.exe **INFECTED** Win32:Expiro-Y
23:47:26.187 File: C:\WINDOWS\system32\clipsrv.exe **INFECTED** Win32:Expiro-Y
23:47:26.296 File: C:\WINDOWS\system32\cmd.exe **INFECTED** Win32:Expiro-Y
23:47:43.906 File: C:\WINDOWS\system32\dllhost.exe **INFECTED** Win32:Expiro-Y
23:47:44.093 File: C:\WINDOWS\system32\dmadmin.exe **INFECTED** Win32:Expiro-Y
23:47:53.515 File: C:\WINDOWS\system32\freecell.exe **INFECTED** Win32:Expiro-Y
23:48:00.015 File: C:\WINDOWS\system32\imapi.exe **INFECTED** Win32:Expiro-Y
23:48:08.140 File: C:\WINDOWS\system32\locator.exe **INFECTED** Win32:Expiro-Y
23:48:09.093 File: C:\WINDOWS\system32\magnify.exe **INFECTED** Win32:Expiro-Y
23:48:13.296 File: C:\WINDOWS\system32\mnmsrvc.exe **INFECTED** Win32:Expiro-Y
23:48:13.453 File: C:\WINDOWS\system32\mobsync.exe **INFECTED** Win32:Expiro-Y
23:48:16.093 File: C:\WINDOWS\system32\msdtc.exe **INFECTED** Win32:Expiro-Y
23:48:17.843 File: C:\WINDOWS\system32\mshearts.exe **INFECTED** Win32:Expiro-Y
23:48:18.843 File: C:\WINDOWS\system32\msiexec.exe **INFECTED** Win32:Expiro-Y
23:48:20.390 File: C:\WINDOWS\system32\mspaint.exe **INFECTED** Win32:Expiro-Y
23:48:22.484 File: C:\WINDOWS\system32\mstsc.exe **INFECTED** Win32:Expiro-Y
23:48:26.765 File: C:\WINDOWS\system32\narrator.exe **INFECTED** Win32:Expiro-Y
23:48:27.406 File: C:\WINDOWS\system32\netdde.exe **INFECTED** Win32:Expiro-Y
23:48:29.031 File: C:\WINDOWS\system32\notepad.exe **INFECTED** Win32:Expiro-Y
23:48:33.281 File: C:\WINDOWS\system32\nvsvc32.exe **INFECTED** Win32:Expiro-Y
23:48:35.656 File: C:\WINDOWS\system32\odbcad32.exe **INFECTED** Win32:Expiro-Y
23:48:37.515 File: C:\WINDOWS\system32\osk.exe **INFECTED** Win32:Expiro-Y
23:48:45.343 File: C:\WINDOWS\system32\rcimlby.exe **INFECTED** Win32:Expiro-Y
23:48:48.796 File: C:\WINDOWS\system32\scardsvr.exe **INFECTED** Win32:Expiro-Y
23:49:01.093 File: C:\WINDOWS\system32\smlogsvc.exe **INFECTED** Win32:Expiro-Y
23:49:01.281 File: C:\WINDOWS\system32\sndrec32.exe **INFECTED** Win32:Expiro-Y
23:49:01.328 File: C:\WINDOWS\system32\sndvol32.exe **INFECTED** Win32:Expiro-Y
23:49:01.531 File: C:\WINDOWS\system32\sol.exe **INFECTED** Win32:Expiro-Y
23:49:01.750 File: C:\WINDOWS\system32\spider.exe **INFECTED** Win32:Expiro-Y
23:49:06.750 File: C:\WINDOWS\system32\tourstart.exe **INFECTED** Win32:Expiro-Y
23:49:11.343 File: C:\WINDOWS\system32\vssvc.exe **INFECTED** Win32:Expiro-Y
23:49:12.593 File: C:\WINDOWS\system32\wiaacmgr.exe **INFECTED** Win32:Expiro-Y
23:49:14.515 File: C:\WINDOWS\system32\winmine.exe **INFECTED** Win32:Expiro-Y
23:49:22.593 File: C:\WINDOWS\system32\wupdmgr.exe **INFECTED** Win32:Expiro-Y
23:49:29.500 AVAST engine scan C:\WINDOWS\system32\drivers
23:49:47.640 AVAST engine scan C:\Documents and Settings\Megan
23:51:46.750 File: C:\Documents and Settings\Megan\Application Data\U3\0000060432031953\cleanup.exe **INFECTED** Win32:Expiro-Y
23:51:47.093 File: C:\Documents and Settings\Megan\Application Data\U3\0000060432031953\Launchpad Removal.exe **INFECTED** Win32:Expiro-Y
23:51:48.218 File: C:\Documents and Settings\Megan\Application Data\U3\temp\cleanup.exe **INFECTED** Win32:Expiro-Y
23:52:02.453 File: C:\Documents and Settings\Megan\Desktop\Q837009(2).exe **INFECTED** Win32:Expiro-Y
23:52:13.828 File: C:\Documents and Settings\Megan\Desktop\Recovered Documents\IEP\IEP Program.EXE **INFECTED** Win32:Expiro-Y
23:55:34.781 File: C:\Documents and Settings\Megan\My Documents\June Flash Drive Copy\Documents\IEP\IEP Program.EXE **INFECTED** Win32:Expiro-Y
23:55:38.843 File: C:\Documents and Settings\Megan\My Documents\June Flash Drive Copy\Flash drive Dec 08\Documents\IEP\IEP Program.EXE **INFECTED** Win32:Expiro-Y
23:55:41.687 File: C:\Documents and Settings\Megan\My Documents\June Flash Drive Copy\Flash drive Dec 08\IEP Home\IEP Program.EXE **INFECTED** Win32:Expiro-Y
23:55:45.984 File: C:\Documents and Settings\Megan\My Documents\June Flash Drive Copy\IEP Home\IEP Program.EXE **INFECTED** Win32:Expiro-Y
00:01:02.578 AVAST engine scan C:\Documents and Settings\All Users
00:05:04.578 File: C:\Documents and Settings\All Users\Application Data\PlayFirst\Games\dinerdashhometownhero\UNWISE.EXE **INFECTED** Win32:Expiro-Y
00:16:32.187 Scan finished successfully
00:21:15.296 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Megan\Desktop\MBR.dat"
00:21:15.312 The log file has been saved successfully to "C:\Documents and Settings\Megan\Desktop\aswMBR.txt"


SystemLook 30.07.11 by jpshortstuff
Log created at 00:22 on 07/09/2011 by Megan
Administrator - Elevation successful

========== filefind ==========

Searching for "utilman.exe"
C:\WINDOWS\$hf_mig$\KB925720\SP2QFE\utilman.exe --a---- 164864 bytes [02:33 01/05/2007] [02:47 07/09/2011] 6BAC1C0B87017CE1D911B9525AFDDAD9
C:\WINDOWS\$NtServicePackUninstall$\utilman.exe --a--c- 164864 bytes [05:05 06/09/2008] [02:53 07/09/2011] E3A470195C6A71B24128DEB49143FF3F
C:\WINDOWS\$NtUninstallKB925720$\utilman.exe --a--c- 164864 bytes [02:33 01/05/2007] [02:56 07/09/2011] 1463E8F450A9745ED66C9AC877242969
C:\WINDOWS\ServicePackFiles\i386\utilman.exe --a---- 164864 bytes [17:38 27/08/2008] [03:09 07/09/2011] A768718514A11D36827BFBB2B38B9200
C:\WINDOWS\system32\dllcache\utilman.exe --a--c- 50176 bytes [03:04 28/04/2007] [00:12 14/04/2008] 0845E936C85AD45B452CBC86A316CF2A

-= EOF =-

Your computer is infected with a nasty infection that has spread widely over your computer. Even worse: this infection is capable of stealing personal data.

I recommend these first steps:

• Use the infected computer as few as possible until it is cleaned. Only use it to communicate with me. Even better: use a clean computer to do that and keep the infected computer disconnected from network and internet. Every connection can cause new malicious activity from the malware.
  
• Realize what information is used on the infected computer, assume it is in hackers possession and take countermeasures. Disabling a creditcard and requesting a new one can avoid theft of money. E-mail addresses related to financial accounts can be changed. Make sure stolen data cannot be used to your disadvantage.
  
• From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon and other relevant online activities which require a username and password). Don´t do this from the infected computer, as the new data may be passed to the hacker.

To protect your information that may have been compromised, I recommend reading these references:

• How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
  
• What Should I Do If I've Become A Victim Of Identity Theft?
  
• Identity Theft Victims Guide - What to do

Many experts in the security community believe that once infected with this kind of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:

• When should I re-format? How should I reinstall?
  
• Help: I Got Hacked. Now What Do I Do?
  
• Help: I Got Hacked. Now What Do I Do? Part II
  
• Where to draw the line? When to recommend a format and reinstall?

Guides for format and reinstall:

• Here at GeekPolice
  
• The Ultimate Geek TaskForce

However, if you do not have the resources to reinstall your computer's OS, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I (or any other malware fighter) cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful (it might lead to an unbootable computer).

====================

A lot of material to read. In the mean time I will consult with my colleagues to see what they know about this virus.

So, I consulted my more experienced colleagues and they agree with me: your system is cooked. It will take a great effort to clean it and it might not get clean, it might be unstable or you will find some applications missing or stop working.

As last effort, I recommend you to download Expiro Remover by AVG from here and run it. It will be useful for our website to know what this tool can do, I don´t think we ever ran across a machine that was that much infected by this virus. If it produces some output (like a log), please post it back here.

When you go and save your data, be aware that you should not make backups of executable files. This virus searches executable files on all drives and infects them. Your music, documents, videos, photos should be unaffected.

Be very aware of the info stealing character of this virus. Whatever you did on your computer that required passwords or personal info is now compromised.

Hi Gabethebabe,
The computer is my personal PC and is not used for anything related to work; I do some freelance proofreading but I erase all my clients' files as soon as I'm done with them, and none of them are sensitive in any case. I use my comp for downloading music and movies, playing games and surfing the Internet as well as word processing and storing photos. I also use it to shop online and do some online banking; those passwords have all been changed and I will be getting a new credit card soon.

============ Remover for Win32/Expiro ===============
Version: 1.2.0.711
Date: 08.09.2011 20:40
Scanning memory ...;
Remover will finish the work after reboot.;

Is that all that was produced? Has the tool finished doing its job and no other log was generated?

Could you repeat the aswMBR scan and post the log?

Sorry, I looked in the wrong place for the log. Here it is.
ver for Win32/Expiro version 1.2.0.711

C:\Documents and Settings\Megan\Application Data\SecuROM\UserData\õóÿýïÇïÀÁôññõó Can't open
C:\Documents and Settings\Megan\Application Data\SecuROM\UserData\õóÿýïÇïÀÁûõ õó Can't open
C:\Documents and Settings\Megan\My Documents\Downloads\Luke Doucet - Broken (And Other Rogue States)\10 - Luke Doucet - If I Drop Names Of Exotic Towns That You'll Never See, In The Songs That I Write, It's That That's All I Have When I Miss My Girl & You're T Can't open
C:\rmexpiro.log Can't open
C:\System Volume Information\_restore{0BF40708-FD84-4D53-BC03-A9F29180F178}\RP1169\change.log Can't open

Running the other scan again as we speak.

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-09-09 20:52:14
-----------------------------
20:52:14.609 OS Version: Windows 5.1.2600 Service Pack 3
20:52:14.609 Number of processors: 2 586 0x4B02
20:52:14.609 ComputerName: E-M42 UserName: Megan
20:52:15.218 Initialize success
21:00:17.734 AVAST engine defs: 11090901
21:01:27.468 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000065
21:01:27.468 Disk 0 Vendor: WDC_WD1600AAJS-00RYA0 12.01B01 Size: 152627MB BusType: 3
21:01:29.500 Disk 0 MBR read successfully
21:01:29.500 Disk 0 MBR scan
21:01:29.531 Disk 0 Windows XP default MBR code
21:01:29.531 Disk 0 scanning sectors +312576705
21:01:29.609 Disk 0 scanning C:\WINDOWS\system32\drivers
21:01:41.984 Service scanning
21:01:43.015 Modules scanning
21:01:47.593 Disk 0 trace - called modules:
21:01:47.609 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
21:01:47.609 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x862127a8]
21:01:47.609 3 CLASSPNP.SYS[f7507fd7] -> nt!IofCallDriver -> \Device\00000066[0x862872c8]
21:01:47.609 5 ACPI.sys[f735e620] -> nt!IofCallDriver -> \Device\00000065[0x861a9030]
21:01:48.234 AVAST engine scan C:\WINDOWS
21:01:52.968 File: C:\WINDOWS\Alcmtr.exe **INFECTED** Win32:Expiro-Y
21:01:53.234 File: C:\WINDOWS\alcwzrd.exe **INFECTED** Win32:Expiro-Y
21:01:53.875 File: C:\WINDOWS\hh.exe **INFECTED** Win32:Expiro-Y
21:01:53.953 File: C:\WINDOWS\HideWin.exe **INFECTED** Win32:Expiro-Y
21:01:54.250 File: C:\WINDOWS\iwexec.exe **INFECTED** Win32:Expiro-Y
21:01:55.171 File: C:\WINDOWS\MicCal.exe **INFECTED** Win32:Expiro-Y
21:01:55.484 File: C:\WINDOWS\notepad.exe **INFECTED** Win32:Expiro-Y
21:01:55.984 File: C:\WINDOWS\PEV.exe **INFECTED** Win32:Expiro-Y
21:01:56.140 File: C:\WINDOWS\regedit.exe **INFECTED** Win32:Expiro-Y
21:01:56.500 File: C:\WINDOWS\RtlUpd.exe **INFECTED** Win32:Expiro-Y
21:01:56.593 File: C:\WINDOWS\sed.exe **INFECTED** Win32:Expiro-Y
21:01:56.937 File: C:\WINDOWS\SkyTel.exe **INFECTED** Win32:Expiro-Y
21:01:57.000 File: C:\WINDOWS\slrundll.exe **INFECTED** Win32:Expiro-Y
21:01:57.109 File: C:\WINDOWS\SoundMan.exe **INFECTED** Win32:Vitro
21:01:59.218 AVAST engine scan C:\WINDOWS\system32
21:01:59.718 File: C:\WINDOWS\system32\accwiz.exe **INFECTED** Win32:Expiro-Y
21:02:00.031 File: C:\WINDOWS\system32\actmovie.exe **INFECTED** Win32:Expiro-Y
21:02:00.812 File: C:\WINDOWS\system32\alg.exe **INFECTED** Win32:Expiro-Y
21:02:04.703 File: C:\WINDOWS\system32\calc.exe **INFECTED** Win32:Expiro-Y
21:02:05.843 File: C:\WINDOWS\system32\charmap.exe **INFECTED** Win32:Expiro-Y
21:02:06.109 File: C:\WINDOWS\system32\cisvc.exe **INFECTED** Win32:Expiro-Y
21:02:06.359 File: C:\WINDOWS\system32\cleanmgr.exe **INFECTED** Win32:Expiro-Y
21:02:06.578 File: C:\WINDOWS\system32\clipsrv.exe **INFECTED** Win32:Expiro-Y
21:02:06.718 File: C:\WINDOWS\system32\cmd.exe **INFECTED** Win32:Expiro-Y
21:02:21.718 File: C:\WINDOWS\system32\dllhost.exe **INFECTED** Win32:Expiro-Y
21:02:21.828 File: C:\WINDOWS\system32\dmadmin.exe **INFECTED** Win32:Expiro-Y
21:02:29.562 File: C:\WINDOWS\system32\freecell.exe **INFECTED** Win32:Expiro-Y
21:02:35.343 File: C:\WINDOWS\system32\imapi.exe **INFECTED** Win32:Expiro-Y
21:02:42.531 File: C:\WINDOWS\system32\locator.exe **INFECTED** Win32:Expiro-Y
21:02:43.359 File: C:\WINDOWS\system32\magnify.exe **INFECTED** Win32:Expiro-Y
21:02:47.031 File: C:\WINDOWS\system32\mnmsrvc.exe **INFECTED** Win32:Expiro-Y
21:02:47.140 File: C:\WINDOWS\system32\mobsync.exe **INFECTED** Win32:Expiro-Y
21:02:49.468 File: C:\WINDOWS\system32\msdtc.exe **INFECTED** Win32:Expiro-Y
21:02:51.000 File: C:\WINDOWS\system32\mshearts.exe **INFECTED** Win32:Expiro-Y
21:02:51.906 File: C:\WINDOWS\system32\msiexec.exe **INFECTED** Win32:Expiro-Y
21:02:53.343 File: C:\WINDOWS\system32\mspaint.exe **INFECTED** Win32:Expiro-Y
21:02:55.125 File: C:\WINDOWS\system32\mstsc.exe **INFECTED** Win32:Expiro-Y
21:02:59.312 File: C:\WINDOWS\system32\narrator.exe **INFECTED** Win32:Expiro-Y
21:02:59.921 File: C:\WINDOWS\system32\netdde.exe **INFECTED** Win32:Expiro-Y
21:03:01.328 File: C:\WINDOWS\system32\notepad.exe **INFECTED** Win32:Expiro-Y
21:03:05.437 File: C:\WINDOWS\system32\nvsvc32.exe **INFECTED** Win32:Expiro-Y
21:03:07.562 File: C:\WINDOWS\system32\odbcad32.exe **INFECTED** Win32:Expiro-Y
21:03:09.359 File: C:\WINDOWS\system32\osk.exe **INFECTED** Win32:Expiro-Y
21:03:15.968 File: C:\WINDOWS\system32\rcimlby.exe **INFECTED** Win32:Expiro-Y
21:03:18.125 File: C:\WINDOWS\system32\rsvp.exe **INFECTED** Win32:Expiro-Y
21:03:19.484 File: C:\WINDOWS\system32\scardsvr.exe **INFECTED** Win32:Expiro-Y
21:03:20.484 File: C:\WINDOWS\system32\sessmgr.exe **INFECTED** Win32:Expiro-Y
21:03:31.234 File: C:\WINDOWS\system32\smlogsvc.exe **INFECTED** Win32:Expiro-Y
21:03:31.406 File: C:\WINDOWS\system32\sndrec32.exe **INFECTED** Win32:Expiro-Y
21:03:31.468 File: C:\WINDOWS\system32\sndvol32.exe **INFECTED** Win32:Expiro-Y
21:03:31.703 File: C:\WINDOWS\system32\sol.exe **INFECTED** Win32:Expiro-Y
21:03:31.937 File: C:\WINDOWS\system32\spider.exe **INFECTED** Win32:Expiro-Y
21:03:36.453 File: C:\WINDOWS\system32\tourstart.exe **INFECTED** Win32:Expiro-Y
21:03:41.000 File: C:\WINDOWS\system32\vssvc.exe **INFECTED** Win32:Expiro-Y
21:03:42.218 File: C:\WINDOWS\system32\wiaacmgr.exe **INFECTED** Win32:Expiro-Y
21:03:44.093 File: C:\WINDOWS\system32\winmine.exe **INFECTED** Win32:Expiro-Y
21:03:51.968 File: C:\WINDOWS\system32\wupdmgr.exe **INFECTED** Win32:Expiro-Y
21:03:58.468 AVAST engine scan C:\WINDOWS\system32\drivers
21:04:15.828 AVAST engine scan C:\Documents and Settings\Megan
21:06:13.984 File: C:\Documents and Settings\Megan\Application Data\U3\0000060432031953\cleanup.exe **INFECTED** Win32:Expiro-Y
21:06:14.312 File: C:\Documents and Settings\Megan\Application Data\U3\0000060432031953\Launchpad Removal.exe **INFECTED** Win32:Expiro-Y
21:06:15.421 File: C:\Documents and Settings\Megan\Application Data\U3\temp\cleanup.exe **INFECTED** Win32:Expiro-Y
21:06:29.000 File: C:\Documents and Settings\Megan\Desktop\Q837009(2).exe **INFECTED** Win32:Expiro-Y
21:06:39.687 File: C:\Documents and Settings\Megan\Desktop\Recovered Documents\IEP\IEP Program.EXE **INFECTED** Win32:Expiro-Y
21:06:57.921 File: C:\Documents and Settings\Megan\Desktop\SystemLook.exe **INFECTED** Win32:Expiro-Y
21:09:54.421 File: C:\Documents and Settings\Megan\My Documents\June Flash Drive Copy\Documents\IEP\IEP Program.EXE **INFECTED** Win32:Expiro-Y
21:09:58.171 File: C:\Documents and Settings\Megan\My Documents\June Flash Drive Copy\Flash drive Dec 08\Documents\IEP\IEP Program.EXE **INFECTED** Win32:Expiro-Y
21:10:01.312 File: C:\Documents and Settings\Megan\My Documents\June Flash Drive Copy\Flash drive Dec 08\IEP Home\IEP Program.EXE **INFECTED** Win32:Expiro-Y
21:10:05.515 File: C:\Documents and Settings\Megan\My Documents\June Flash Drive Copy\IEP Home\IEP Program.EXE **INFECTED** Win32:Expiro-Y
21:14:55.796 AVAST engine scan C:\Documents and Settings\All Users
21:18:45.625 File: C:\Documents and Settings\All Users\Application Data\PlayFirst\Games\dinerdashhometownhero\UNWISE.EXE **INFECTED** Win32:Expiro-Y
21:29:53.968 Scan finished successfully
21:46:39.265 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Megan\Desktop\MBR.dat"
21:46:39.265 The log file has been saved successfully to "C:\Documents and Settings\Megan\Desktop\aswMBR2.txt"