TROJ/RUSTOK-N...GOT ME TOO (HJT LOG INCLUDED)

• Open HijackThis
  
• Choose "Do a system scan only"
  
• Check the boxes in front of these lines:
  
  
  O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\iifCVmkh.dll,#1
  O4 - HKLM\..\Run: [97D.tmp] C:\Windows\temp\97D.tmp
  O17 - HKLM\System\CCS\Services\Tcpip\..\{83AD3E58-C09B-4D0A-96A5-3F9DB1B42D06}: NameServer = 85.255.112.86;85.255.112.189
  O17 - HKLM\System\CCS\Services\Tcpip\..\{946929A1-ADDF-4C10-B5AB-CF0157D7A869}: NameServer = 85.255.112.86;85.255.112.189
  O17 - HKLM\System\CCS\Services\Tcpip\..\{F30B99C5-05AE-40E9-820E-C331051DA836}: NameServer = 85.255.112.86;85.255.112.189
  O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
  O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdjac.exe
  
  
  
• Press "Fix Checked"
  
• Close Hijack This.
  

Now open a new notepad file.
Input this into the notepad file:

@echo off
sc stop "Windows Tribute Service"
sc stop "Viewpoint Manager Service"
sc delete "Windows Tribute Service"
sc delete "Viewpoint Manager Service"
del fix.bat
exit

Save this as fix.bat, save it to your desktop.
Double click fix.bat and the black cmd window will open and close, this is normal.

Delete this file in bold:
C:\Windows\system32\kdjac.exe

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

ok im trying it now

ran the HJT as instructed, then was asked to reboot, so i did. created and ran the bat......disappeared like expected but there were a bunch of "FAILED" messages i did see for a split second.

Tried to delete the kdjac, says Windows can't because it's still running in another program.....


UPDATE: went in safe mode w/ command prompt...deleted it that way...continuing process

Last edited by BIMRIB on 4th January 2009, 9:19 pm; edited 1 time in total (Reason for editing : update)

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 6.0.6001 Service Pack 1

1/4/2009 4:25:51 PM
mbam-log-2009-01-04 (16-25-51).txt

Scan type: Quick Scan
Objects scanned: 49300
Time elapsed: 2 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 13
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Tribute Service (Trojan.Agent) -> Quarantined and

deleted successfully.
HKEY_CLASSES_ROOT\sexvid (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe

"%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{83ad3e58-c09b-4d0a-96a5-

3f9db1b42d06}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.86;85.255.112.189 -> Quarantined and deleted

successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{83ad3e58-c09b-4d0a-96a5-

3f9db1b42d06}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.86;85.255.112.189 -> Quarantined and deleted

successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{946929a1-addf-4c10-b5ab-

cf0157d7a869}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.86;85.255.112.189 -> Quarantined and deleted

successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f30b99c5-05ae-40e9-820e-

c331051da836}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.86;85.255.112.189 -> Quarantined and deleted

successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{83ad3e58-c09b-4d0a-96a5-

3f9db1b42d06}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.86;85.255.112.189 -> Quarantined and deleted

successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{83ad3e58-c09b-4d0a-96a5-

3f9db1b42d06}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.86;85.255.112.189 -> Quarantined and deleted

successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{946929a1-addf-4c10-b5ab-

cf0157d7a869}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.86;85.255.112.189 -> Quarantined and deleted

successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{f30b99c5-05ae-40e9-820e-

c331051da836}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.86;85.255.112.189 -> Quarantined and deleted

successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{83ad3e58-c09b-4d0a-96a5-

3f9db1b42d06}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.86;85.255.112.189 -> Quarantined and deleted

successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{83ad3e58-c09b-4d0a-96a5-

3f9db1b42d06}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.86;85.255.112.189 -> Quarantined and deleted

successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{946929a1-addf-4c10-b5ab-

cf0157d7a869}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.86;85.255.112.189 -> Quarantined and deleted

successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{f30b99c5-05ae-40e9-820e-

c331051da836}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.86;85.255.112.189 -> Quarantined and deleted

successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\ssqQgHbB.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Lets take a look around now.

• Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
  Link 1
  Link 2
  Link 3
  
• Double click DDS.scr to run
  
• When complete, DDS.txt will open.
  
• Click No for Optional Scan.
  
• Save the report to your Desktop.
  
• Copy and paste the report back here.
  

DDS (Version 1.1.0) - NTFSx86
Run by Jaze at 16:55:40.97 on Sun 01/04/2009
Internet Explorer: 7.0.6001.18000
Microsoft Windows Vista Home Premium 6.0.6001.1.1252.1.1033.18.3325.2330 [GMT -5:00]

AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *disabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\PSIService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\XPSMiniViewGadget\XPSMiniViewGadget.exe
C:\Windows\system32\STacSV.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Jaze\Downloads\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080618
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080618
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.0.301.7164\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Bluetooth HCI Monitor] RunDll32 HCIMNTR.DLL,RunCheckHCIMode
mRun: [SigmatelSysTrayApp] c:\program files\sigmatel\c-major audio\wdm\sttray.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: []
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [Corel Photo Downloader] "c:\program files\common files\corel\corel photodownloader\Corel Photo Downloader.exe" -startup
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SEH: {fbfd382a-ac6e-4eb7-8944-f97d358b378d} - c:\windows\system32\iifCVmkh.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\jaze\appdata\roaming\mozilla\firefox\profiles\eugj9yzn.default\
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\yahoo!\shared\npYState.dll

============= SERVICES / DRIVERS ===============

R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20081213.001\IDSvix86.sys [2008-12-15 270384]
R3 RDID1005;EDIROL UA-5;c:\windows\system32\drivers\Rdwm1005.sys [2008-10-22 117632]
R4 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};Power Control [2008/12/21 09:45:29];c:\program files\cyberlink\powerdvd dx\000.fcl [2008-12-21 87536]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2007-12-14 1112560]
S3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2008-10-3 37936]
S4 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2007-12-14 309744]
S4 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2007-12-14 166384]
S4 SessionLauncher;SessionLauncher;c:\users\admini~1\appdata\local\temp\dx9\sessionlauncher.exe --> c:\users\admini~1\appdata\local\temp\dx9\SessionLauncher.exe [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-11-9 24652]

=============== Created Last 30 ================

2009-01-04 16:20 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-04 16:20 --d----- c:\users\jaze\appdata\roaming\Malwarebytes
2009-01-04 16:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-04 16:19 --d----- c:\programdata\Malwarebytes
2009-01-04 16:19 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-04 16:19 --d----- c:\progra~2\Malwarebytes
2009-01-04 12:23 --d----- C:\ComboFix
2009-01-04 11:26 --d----- c:\program files\Trend Micro
2008-12-21 12:21 856,064 a------- c:\windows\system32\mpgfiltr.ax
2008-12-21 12:21 421,888 a------- c:\windows\system32\RealMediaSplitter.ax
2008-12-21 12:21 208,896 a------- c:\windows\system32\VideoEdit.ocx
2008-12-21 12:21 139,264 a------- c:\windows\system32\viscomqtde.dll
2008-12-21 12:21 81,920 a------- c:\windows\system32\viscomwave.dll
2008-12-21 12:21 --d----- c:\program files\Agogo iPod Video Converter
2008-12-21 09:45 --d----- c:\programdata\CyberLink
2008-12-20 03:53 a-d----- c:\programdata\TEMP
2008-12-19 03:31 --d----- c:\users\jaze\appdata\roaming\cmw
2008-12-19 03:30 --d----- c:\program files\winpwn-2.5
2008-12-19 03:19 107,368 a------- c:\windows\system32\GEARAspi.dll
2008-12-19 03:19 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-19 03:19 --d----- c:\program files\iPod
2008-12-19 03:19 --d----- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-19 03:19 --d----- c:\program files\iTunes
2008-12-19 03:19 --d----- c:\progra~2\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-19 03:18 --d----- c:\program files\Bonjour
2008-12-15 02:30 86,016 a------- c:\windows\system32\MA_CMIDN.DLL
2008-12-15 02:30 22,208 a------- c:\windows\system32\drivers\USBMN1X1.SYS
2008-12-15 02:30 21,888 a------- c:\windows\system32\drivers\MA_CMIDI.SYS
2008-12-15 02:30 13,504 a------- c:\windows\system32\drivers\USB11LDR.SYS
2008-12-15 02:30 --d----- c:\program files\M-Audio
2008-12-06 11:35 256 a------- c:\windows\system32\pool.bin
2008-12-06 11:15 --d----- c:\users\jaze\appdata\roaming\Research In Motion
2008-12-06 04:45 26,496 a------- c:\windows\system32\drivers\RimSerial.sys
2008-12-06 04:44 --d----- c:\program files\common files\Research In Motion
2008-12-06 04:44 --d----- c:\program files\Research In Motion

==================== Find3M ====================

2009-01-04 16:09 4,128 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-12-19 03:18 143,360 a------- c:\windows\inf\infstrng.dat
2008-12-19 03:18 86,016 a------- c:\windows\inf\infstor.dat
2008-12-19 03:18 51,200 a------- c:\windows\inf\infpub.dat
2008-11-07 14:23 32,000 a------- c:\windows\system32\drivers\usbaapl.sys
2008-10-30 06:36 233,472 a------- c:\windows\system32\REX Shared Library.dll
2008-10-27 23:40 724,992 a------- c:\windows\iun6002.exe
2008-10-27 15:47 179,441 a------- c:\windows\hpwins14.dat
2008-10-22 19:04 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 21:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 16:55:55.34 ===============

I also have the "Attach.txt"

Don't need attach.txt, so you can delete that if you want to.

Also, delete the combofix folder:
C:\ComboFix

Looks good, lets just find this leftover.

Download the Registry Search Tool from HERE

Unzip to your Desktop and right click on regsrch.vbs > Run as administrator.
(if you have script protection, please allow this to run)

In the dialog that opens, enter the following:
iifCVmkh.dll

Press 'OK'

The search will run for a while then alert you when it is finished.
Press 'OK' and copy the contents of the WordPad window and post in this thread.

i do have SOME experience in virus removal...i was able get rid of the dll file but not the program that kept trying to access it so until today, i kept gettin a error that the .dll couldn't be found and i thought i was at least safe since it wasn't running completely....oh well, let me finish the steps

REGEDIT4
; RegSrch.vbs Bill James

; Registry search results for string "iifCVmkh.dll" 1/4/2009 5:33:07 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FBFD382A-AC6E-4EB7-8944-F97D358B378D}\InprocServer32]
@="C:\\Windows\\system32\\iifCVmkh.dll"

FYI, i dont see the iifCVmkh.dll file anywhere in the system32 folder

Hello.
That's because the file isn't actually present, just a registry leftover.

• Now open a new notepad file.
  
• Input this into the notepad file:
  

  
  Windows Registry Editor Version 5.00
  
  [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FBFD382A-AC6E-4EB7-8944-F97D358B378D}]
  
  

  
  
• Save this as fix.reg, save it to your desktop.
  
• Double click fix.reg to run it.
  
• Select yes to the registry merge prompt.
  

What problems remain?

not a single problem remains that i can see, can't believe you've been able to help. i'm going to reread this entire thread so I can learn a little more. i can work well around viruses and what not, but until recently i've tried to steer as clear as i can from any registry editing unless the scripts are beyond obvious.

Can't thank you enough Belahzur...i hope somewhere you're getting paid for this kind of tech support.

No, sorry. I offer my time and services here for free.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

• Download the latest version of Java SE Runtime Environment (JRE) 6 Update 11.
  
• Select the first option where it says "Java SE Runtime Environment (JRE) 6 Update 11".
  
• Click the "Download" button to the right.
  
• In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  
• Click on the link to download Windows Offline Installation and save to your desktop.
  
• Close any programs you may have running - especially your web browser.
  
• Go to Start > Control Panel double-click on Add or Remove Programs and remove all older versions of Java.
  
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  - Examples of older versions in Add or Remove Programs:
  - Java 2 Runtime Environment, SE v1.4.2
  - J2SE Runtime Environment 5.0
  - J2SE Runtime Environment 5.0 Update 2
  
• Click the Remove or Change/Remove button.
  
• Repeat as many times as necessary to remove each Java versions.
  
• Reboot your computer once all Java components are removed.
  
• Then from your desktop double-click on jre-6u11-windows-i586-p.exe that you downloaded to install the newest version.
  

Please make sure the new version of Java is installed before you run JavaRa.

Please download JavaRa from here

• First, unzip it.
  
• Then run JavaRa by right clicking > Run as administraor.
  
• Select English from the drop down menu and press Select.
  
• This will open JavaRa.
  
• Press Remove older versions
  
• Press yes to the prompt.
  
• It will make a log file of what it's removed.
  
• Copy and paste the log back here.
  

Btw, if you can think of any viruses that specifically slow down internet connections, kinda point me in the right direction of research.

Please delete DDS too.
Internet speed - Are you using Firefox or Internet Explorer?

I'm using Firefox....and I ran JavaRa but it never opened its log file. i tried to manually make the program do it, and it still did nothing....i searched JavaRa.log and it found nothing, but it did say it deleted jre.1.6.0.05

Okay, doesn't matter about JavaRa if it did it's job.
I'm gonna post some prevention tips, and even though you use Firefox already, I'll provide some good add-ons for it.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please considering using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio, or
Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Hopefully this should take care of your problems! Good luck.

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.