GeekPolice
Need Help With Windows Police Pro
I got the Windows Police Pro virus recently. I tried doing my standard procedure for dealing with viruses (disconnect ethernet cord and run antivirus software in Safe Mode), but I'm running into some snags that I can't get around on my own.

First of all, I can't run any of my antivirus programs or Task Manager, because my computer claims that I do not have "appropriate permissions" and says I should talk to my administrator (I am the admin for the computer in question). System Restore has also been disabled under similar pretenses, something about "group policy" forbidding it. Originally I was able to run malwarebytes for a bit, but then it crashed. Hard. As in, not only can I not run it but I can't even delete the link from my desktop. Same goes for SUPER Anti Spyware. I managed to run the command line version of AVG 8.5 early on, it mentioned something called \\?\globalroot\Device\_max++>\26290FAC.x86.dll and claimed it got rid of Windows Police Pro, but it didn't.

I've tried a couple things suggested on these boards, but some of the solutions here are highly customized for the individual asking the question and other programs I've gotten run for a moment before crashing out and refusing to open. I now have a copy of HijackThis saved to my desktop as a screensaver which will neither run nor delete. I'm starting to get a little flustered here.

Sorry for the giant introduction, I just wanted to relay as much information as possible. Any help would be greatly appreciated.

Re: Need Help With Windows Police Pro
Hi

No problem, a lot of detail is better than none.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


  • Double-click SystemLook.exe to run it.
  • Copy the content of the following quotebox into the main textfield:


    :filefind
    scecli.dll
    netlogon.dll
    eventlog.dll

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Re: Need Help With Windows Police Pro
Here's the log. Also, I have a couple of questions.

Is it alright if I run all of these programs in Safe Mode, or could I run into any problems with programs that want me to restart my computer?

Also, I'm not posting from my own computer--I run over to a friend's and use his. Is it okay if I turn my computer off whenever I leave it, or should I leave it on? I'm a little paranoid about things suddenly getting worse if I left it on and walked away, but I get the feeling some of these problems could reset themselves on reboot.

Anyhow, the log.

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 20:59 on 11/09/2009 by HP_Administrator (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\scecli.dll --a--- 181248 bytes [12:58 27/08/2008] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\dllcache\scecli.dll ------ 180224 bytes [21:00 09/08/2004] [21:00 09/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\system32\scecli.dll ------ 180224 bytes [21:00 09/08/2004] [21:00 09/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A

Searching for "netlogon.dll"
C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\sp2qfe\netlogon.dll --a--- 408064 bytes [18:46 06/02/2009] [18:46 06/02/2009] 6C476D33D82F1054849790181E8F7772
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\netlogon.dll --a--- 407040 bytes [12:58 27/08/2008] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\system32\dllcache\netlogon.dll ------ 407040 bytes [21:00 09/08/2004] [21:00 09/08/2004] 96353FCECBA774BB8DA74A1C6507015A
C:\WINDOWS\system32\netlogon.dll ------ 407040 bytes [21:00 09/08/2004] [21:00 09/08/2004] 96353FCECBA774BB8DA74A1C6507015A

Searching for "eventlog.dll"
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\eventlog.dll --a--- 56320 bytes [12:57 27/08/2008] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\system32\dllcache\eventlog.dll ------ 55808 bytes [21:00 09/08/2004] [21:00 09/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\system32\eventlog.dll --a--- 61952 bytes [21:00 09/08/2004] [21:00 09/08/2004] (Unable to calculate MD5)

-=End Of File=-
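A defender reading a filefind log like the one above wants to know whether the live copy of each system DLL still matches the protected copy in dllcache. The script below is an added example written for this thread; it is not SystemLook's code and not the poster's. It parses the filefind output format shown, treats C:\WINDOWS\system32\dllcache\<name> as the reference copy, and flags every other copy whose size or MD5 disagrees with it, or whose MD5 could not be calculated. The sample input is a constructed excerpt modelled on the log above.

```python
r"""Check SystemLook ':filefind' results against the dllcache copy.

Added example for this thread (not SystemLook's code, not the poster's).
Reference copy: C:\WINDOWS\system32\dllcache\<name>.  Any other copy whose
size or MD5 disagrees, or whose MD5 could not be calculated, is flagged.
"""
import re

# Constructed sample, modelled on the filefind log format in the thread.
SAMPLE = r"""
========== filefind ==========

Searching for "eventlog.dll"
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\eventlog.dll --a--- 56320 bytes [12:57 27/08/2008] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\system32\dllcache\eventlog.dll ------ 55808 bytes [21:00 09/08/2004] [21:00 09/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\system32\eventlog.dll --a--- 61952 bytes [21:00 09/08/2004] [21:00 09/08/2004] (Unable to calculate MD5)

Searching for "scecli.dll"
C:\WINDOWS\system32\dllcache\scecli.dll ------ 180224 bytes [21:00 09/08/2004] [21:00 09/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\system32\scecli.dll ------ 180224 bytes [21:00 09/08/2004] [21:00 09/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A

Searching for "nosuch.dll"
No files found.

-=End Of File=-
"""

# One result line: <path> <attrs> <size> bytes [mtime] [ctime] <md5 or error>
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-A-Za-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32}|\(Unable to calculate MD5\))$"
)


def parse_filefind(text):
    """Map each 'Searching for' name to the list of entries found for it."""
    results, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'^Searching for "(.+)"$', line)
        if m:
            current = m.group(1)
            results[current] = []
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = None if e["md5"].startswith("(") else e["md5"].upper()
            results[current].append(e)
    return results


def reference_copy(entries):
    """The dllcache copy, the one Windows File Protection restores from."""
    for e in entries:
        if "\\system32\\dllcache\\" in e["path"].lower():
            return e
    return None


def check_against_dllcache(results):
    """Return [(path, verdict)] for every copy other than the dllcache one."""
    findings = []
    for entries in results.values():
        ref = reference_copy(entries)
        if ref is None:
            continue  # nothing trustworthy to compare against
        for e in entries:
            if e is ref:
                continue
            live = "\\system32\\" in e["path"].lower()
            if e["md5"] is None:
                verdict = "SUSPECT: MD5 unreadable (file locked or access blocked)"
            elif e["size"] != ref["size"] or e["md5"] != ref["md5"]:
                verdict = ("SUSPECT: live copy differs from dllcache" if live
                           else "INFO: differs from dllcache (update staging copy?)")
            else:
                verdict = "OK: matches dllcache"
            findings.append((e["path"], verdict))
    return findings


if __name__ == "__main__":
    for path, verdict in check_against_dllcache(parse_filefind(SAMPLE)):
        print(f"{verdict:58} {path}")
```

On the sample above the live eventlog.dll is the only SUSPECT entry: it is larger than the dllcache copy and its MD5 could not be read, which is consistent with a patched or replaced service DLL that something is holding open. Copies under SoftwareDistribution\Download are update staging files and are expected to differ, so they are reported as INFO only. The check is a first filter, not proof: a rootkit that has already tampered with dllcache, or that filters what the scanner can read, will defeat a comparison made from inside the running system.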

Re: Need Help With Windows Police Pro
Hi

Just follow directions from me. If I think you will need to go in to Safe Mode, I will say. If we have to use Malwarebytes or other tools, they work best in Normal Mode, not Safe Mode.

However, if you cannot boot in to Normal Mode, or objects don't work (such as programs and Internet), then we will go in to Safe Mode.

==

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl C):


Files to delete:
C:\WINDOWS\system32\eventlog.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:
  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.

Re: Need Help With Windows Police Pro
Things appear to have gone from bad to worse on my end.

I downloaded Avenger and put it on my flash drive, then put it on my computer in normal mode as you said. Here's where I encountered two problems--first, the virus is calling itself "Total Security" now instead of "Windows Police Pro", and second it kills any attempt to open a .exe and claims it's a virus. I was unable to either unzip or run Avenger in normal mode, so I had to do both in Safe Mode. When it asked me to reboot, however, I was sure to let it do so into normal mode. Then my computer rebooted twice--once when Avenger prompted me, and again when it was trying to start explorer (when it's that light blue background with the windows icon on it). I don't know if this is normal for Avenger, but I'm mentioning it anyway.

Here's where things get much worse. The Avenger text file showed up in all its glory for about ten seconds, before three things happened: it went away, Total Security started up again, and I got a bizarre message box saying that Windows could not locate the disk located in drive ?????????????????????_??? etc. etc., and asked if I should abort, retry, or ignore. The My Computer icon wouldn't load things properly in this state, so I couldn't reach C:\Avenger.

Thoroughly disheartened, I fell back to Safe Mode, where things are still working, I'm relieved to say. I could reach C:\Avenger, but the .txt wasn't there. The backup was, however, and it contained Avenger.txt as well as eventlog.dll, but the blasted thing is password protected for some reason so I can't actually open Avenger.txt to show you. I put the backup on my flash drive and brought it here, so if you can tell me the password I can open it up, or I can send the backup to you in some way. Or we can just try something else, it's your call.

To summarize, for all the things I did I have nothing to show you for it. Sorry.

Re: Need Help With Windows Police Pro
Hi

Please re-run SystemLook, and paste the code in to the box and press Look:

Code:

:Filefind
C:\WINDOWS\system32\eventlog.dll
c:\windows\ServicePackFiles\i386\eventlog.dll


Post that log in your next reply.

==
!! NOTE: THIS INSTRUCTION IS FOR GreenOnions only. Do not follow it if you are not this user. !!

Please download Malwarebytes Anti-Malware from here. Save to the Desktop, and RENAME to iexplore.exe, then click the Save button.

Double Click iexplore.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Re: Need Help With Windows Police Pro
Wow, two fast replies! Thanks, guys. I'll try Combofix and then SystemLook/Malwarebytes.

Question: I already have Malwarebytes on my computer, only it doesn't run because of the "appropriate permissions" thing. Should I try to delete the old one first with Add/Remove programs, should I download the new Malwarebytes and just save it over the old Malwarebytes, or should I save the new program into a different folder?

Re: Need Help With Windows Police Pro
Hi

Uninstall the old Malwarebytes and install the new one as noted above, please. Malware is blocking Malwarebytes from running so it has to be renamed.

Re: Need Help With Windows Police Pro
OKAY. Finally got back after wrestling with this for a while.

First off, I couldn't follow those instructions to use Combofix (which is just as well, since that suggestion seems to have been removed). AVG wouldn't run in normal mode, I couldn't deactivate resident shield in safe mode, and attempting to run Combofix anyway gave me a prompt along the lines of "AVG is running and you could cause major system damage if you run Combofix while that's true". So, no Combofix.

I DID, however, run systemlook and reinstall malwarebytes as iexplore.exe. Here're systemlook's results:


SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 15:03 on 12/09/2009 by HP_Administrator (Administrator - Elevation successful)

========== Filefind ==========

Searching for "C:\WINDOWS\system32\eventlog.dll"
No files found.

Searching for "c:\windows\ServicePackFiles\i386\eventlog.dll"
No files found.

-=End Of File=-


Once I got Malwarebytes running in safe mode (normal mode wouldn't let me do ANYTHING), it managed to do a full scan and found a TON of infections, seen here.


Malwarebytes' Anti-Malware 1.41
Database version: 2785
Windows 5.1.2600 Service Pack 2 (Safe Mode)

9/12/2009 4:08:15 PM
mbam-log-2009-09-12 (16-08-15).txt

Scan type: Full Scan (C:\|)
Objects scanned: 295821
Time elapsed: 52 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 14
Registry Values Infected: 12
Registry Data Items Infected: 10
Folders Infected: 5
Files Infected: 80

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\bisevona.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tajf83ikdmf.dll (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\sumopuwu.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Zlob.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{024ccf01-f871-455e-94b8-1d465b090847} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1b6f4516-ea24-430f-8767-29aef2db712e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Downloader) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\usbdriver (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\usbdriver (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\usbdriver (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbdriver (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_ANTIPPRO2009_100 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AntipPro2009_100 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yabizuner (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Zlob.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\11245154 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{024ccf01-f871-455e-94b8-1d465b090847} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\kibahiwif (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{1b6f4516-ea24-430f-8767-29aef2db712e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\vuhikamog (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gevodimoye (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sunjavaupdatesched (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\11245154 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\13535004 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\bisevona.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tajf83ikdmf.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\11245154\11245154 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\11245154\11245154.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\11245154\pc11245154ins (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\a.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dddesot.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\lriaxaso.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\4XMJSHUV\firewall[1].dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHIJSLQ3\SetupAdvancedVirusRemover[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\windows Police Pro.exe (Antivirus2009) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\dbsinit.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AVR09.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jagepeyu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jeyiniyo.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\korumore.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nevorefa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nudeleze.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\olgdjlba.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tapi.nfo (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\toronitu.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACrvkklvdtlk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACwkkylmhote.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winhelper.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wisahiri.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wscsvc32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\1968292036.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\7D8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\Installer.exe (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\services.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\smss.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\UACed47.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\ueja73hkjd.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\winlogon.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\13535004\13535004 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\msvcm80.dll (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\msvcp80.dll (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\msvcr80.dll (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\wispex.html (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\i1.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\i2.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\i3.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\j1.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\j2.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\j3.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\jj1.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\jj2.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\jj3.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\l1.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\l2.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\l3.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\pix.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\t1.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\t2.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\up1.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\up2.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\w1.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\w11.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\w2.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\w3.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\w3.jpg (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\wt1.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\wt2.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\wt3.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bennuar.old (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\onhelp.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sonhelp.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sumopuwu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\sysnet.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACmnlcsmpeho.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACtxejpaumul.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACwpbmjnwbng.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winupdate.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\ppp3.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ppp4.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Desktop\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.


After that, I was able to run my computer in normal mode without getting assailed by Total Security or having my .exe files killed. Task Manager's back up, too.

Just to be thorough, I ran another Malwarebytes scan in normal mode and found 19 results:


Malwarebytes' Anti-Malware 1.41
Database version: 2785
Windows 5.1.2600 Service Pack 2

9/12/2009 5:08:08 PM
mbam-log-2009-09-12 (17-08-08).txt

Scan type: Full Scan (C:\|)
Objects scanned: 297790
Time elapsed: 53 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 4
Registry Values Infected: 6
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\bisevona.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tajf83ikdmf.dll (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\sumopuwu.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{024ccf01-f871-455e-94b8-1d465b090847} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yabizuner (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{024ccf01-f871-455e-94b8-1d465b090847} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\kibahiwif (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gevodimoye (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\bisevona.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tajf83ikdmf.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\system32\sumopuwu.dll (Trojan.Vundo) -> Delete on reboot.


Problem is, every time I scan, bisevona.dll, tajf83ikdmf.dll, and sumopuwu.dll survive the reboot deletion (though sumopuwu.dll didn't show up the last time I scanned), and bring with them a small entourage of malware:


Malwarebytes' Anti-Malware 1.41
Database version: 2785
Windows 5.1.2600 Service Pack 2

9/12/2009 5:18:06 PM
mbam-log-2009-09-12 (17-18-06).txt

Scan type: Full Scan (C:\|)
Objects scanned: 23844
Time elapsed: 1 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\bisevona.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tajf83ikdmf.dll (Trojan.Downloader) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{024ccf01-f871-455e-94b8-1d465b090847} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yabizuner (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{024ccf01-f871-455e-94b8-1d465b090847} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\kibahiwif (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\bisevona.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tajf83ikdmf.dll (Trojan.Zlob.H) -> Delete on reboot.


Normal mode is working again though, so I'm fairly excited. I'm grateful for all the help, and I eagerly await the next step you suggest.
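The two logs above differ in a way that is easy to check mechanically: the files marked "Delete on reboot" in one scan are exactly the ones to look for in the next. As an added example (not Malwarebytes' tooling and not something posted in this thread), the Python script below parses MBAM 1.41 logs in the layout shown above and reports which reboot-deletion items reappeared and which items are new since the previous scan. The log excerpts embedded in it are constructed from the entries quoted above.

```python
"""Compare two Malwarebytes' Anti-Malware (MBAM 1.41) scan logs and report
which "Delete on reboot" items came back in the next scan.

Added example for this thread, not MBAM's own tooling.  The log excerpts
below are constructed from the entries posted above; the layout (summary
counts, then one "<Section> Infected:" block per category with
"<item> (<detection>) -> <action>." lines) follows those posted logs.
"""
import re

# Section headers carry no count; the summary lines ("Files Infected: 2") do,
# so this regex only matches the detail blocks.
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
# "<item> (<detection>) -> <action>"; the action may itself contain
# "Bad: (...) Good: (...) ->" for registry data items.
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")

# Constructed excerpt of the first scan (items as posted above).
LOG_FIRST = r"""
Malwarebytes' Anti-Malware 1.41
Scan type: Full Scan (C:\|)
Files Infected: 3

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\bisevona.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tajf83ikdmf.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\system32\sumopuwu.dll (Trojan.Vundo) -> Delete on reboot.
"""

# Constructed excerpt of the scan run after the reboot.
LOG_SECOND = r"""
Malwarebytes' Anti-Malware 1.41
Files Infected: 2

Memory Modules Infected:
c:\WINDOWS\system32\bisevona.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yabizuner (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\bisevona.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tajf83ikdmf.dll (Trojan.Zlob.H) -> Delete on reboot.
"""


def parse_mbam_log(text):
    """Return {section: [(item, detection, action), ...]} from an MBAM log."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None or line.startswith("(No malicious items"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            sections[current].append(
                (m.group("item"), m.group("detection"), m.group("action").rstrip("."))
            )
    return sections


def _key(section, item):
    # Windows paths and registry keys are case-insensitive.
    return (section, item.lower())


def persisting_items(first_log, second_log):
    """Items marked 'Delete on reboot' in the first scan that the second scan
    reports again in the same section, i.e. the reboot deletion did not hold."""
    first = parse_mbam_log(first_log)
    second = parse_mbam_log(second_log)
    seen_again = {_key(s, it) for s, entries in second.items() for it, _, _ in entries}
    return [
        item
        for section, entries in first.items()
        for item, _, action in entries
        if action.lower().startswith("delete on reboot") and _key(section, item) in seen_again
    ]


def new_items(first_log, second_log):
    """Items in the second scan that the first scan did not report at all."""
    first = parse_mbam_log(first_log)
    second = parse_mbam_log(second_log)
    known = {_key(s, it) for s, entries in first.items() for it, _, _ in entries}
    return [it for s, entries in second.items() for it, _, _ in entries if _key(s, it) not in known]


def report(first_log, second_log):
    """Summary lines, returned rather than printed so callers can log them."""
    lines = [f"survived reboot deletion: {i}" for i in persisting_items(first_log, second_log)]
    lines += [f"new since last scan: {i}" for i in new_items(first_log, second_log)]
    return lines


if __name__ == "__main__":
    print("\n".join(report(LOG_FIRST, LOG_SECOND)))
```

On real logs, pass the contents of two consecutive `mbam-log-*.txt` files; the same file surviving twice in a row is the signal that something still running (here a memory module) is re-dropping it, which is why the helper moves on to a tool that can deal with the loader rather than asking for another scan.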

Re: Need Help With Windows Police Pro

Also, while I'm here, I have a few questions to ask that have been nagging me.

There are a bunch of new folders that have shown up in C:\ that I'd like to know if I should/shouldn't get rid of.

C:\1aa9a6127fb447cef54cbc (I've had this a while, I looked it up and it's supposedly just shoddy cleanup from a windows update. I'd like to know if I can delete it, though.)

C:\32788R22FWJFW (This folder is about 6 megs big and chock full of odd files and folders, it was made today so I'm kind of distrusting of it)

C:\Avenger (once this whole thing's settled, I can delete this, right?)

C:\Qoobox (has a single empty folder in it called "quarantine")


There are also some miscellaneous files here:

C:\Avenger.txt (I can see it now!)

C:\Bug.txt (no idea what this is)

C:\Cleanup.bat (no idea what program this is for, it was made today)

C:\Cleanup.exe (ditto)

C:\zip.exe (also made today, also don't know what it's for)


Thanks again for all the help.

Re: Need Help With Windows Police Pro

Hi

Sorry about the deletion of the ComboFix instructions. After ComboFix runs, and I can see the files, then I will decide if those files are deletable. Smile...

Please download ComboFix from Here or Here to your Desktop.

**Note:
In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**


  1. If you are using Firefox, make sure that your download settings are as follows:

    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".

  • During the download, rename Combofix to Combo-Fix as follows:

    (screenshot: CF_download_FF)

    (screenshot: CF_download_rename)
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------


    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------



    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------


  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

  • **Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

    If you still cannot get this to run, try booting into Safe Mode, and run it there.

    To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
    logo appears. A list of options will appear, select "Safe Mode."

    If this doesn't work either, try the same method (above method), but name
    Combofix.exe to iexplore.exe instead, or winlogon.exe.
    This is because it also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, so this whitelist also includes system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

    Re: Need Help With Windows Police Pro

    Okay, I'll give this a try. Is it okay if I put Combo-Fix on my flash drive, then move it to my computer from there? I'll follow all the renaming instructions to the letter, just to my flash drive first instead of directly to my desktop.

    Also, will I need to do any fancy renaming to HijackThis, or should it run normally now?

    Re: Need Help With Windows Police Pro

    Hi

    HijackThis will not be able to handle the remaining infections. And yes, go ahead with the movement of ComboFix. ComboFix will still run once transferred. :smile2:

    Re: Need Help With Windows Police Pro

    ComboFix is giving me some trouble. When I try to run it, a progress bar appears over the Combo-Fix icon on my desktop and fills up. Then my desktop icons flicker a couple of times, the progress bar goes away, and nothing happens. I even check the task manager, nothing combofix-ish seems to be running.

    It started to run yesterday when I tried it before malwarebytes was up and running again, but as I said it warned me about AVG, which I couldn't turn off, so I didn't run it. Now AVG's active scanner is off, but ComboFix won't run. I renamed it as you told me to (Combo-Fix, that punctuation and capitalization), but is there anything else I could have done wrong?

    Re: Need Help With Windows Police Pro

    Hi

    I am going to paste here a download link for eventlog.dll:
    http://rapidshare.com/files/279594809/eventlog.dll.html

    Please download it to your Desktop. Then, right click on it and click cut, then paste it in to the following folder: C:\Windows\System32

    Please reboot your system, and try ComboFix again. If it does not work, delete the old ComboFix and download another copy, except when saving the file, rename it to WinInit.com then click the save button. Run it as noted above, please.

    In your next reply, please include the ComboFix log, or tell me if you encountered any problems.

    Re: Need Help With Windows Police Pro

    Alright. Put eventlog back on my machine and it starts up much faster now. Got ComboFix working as WinInit.com, and here are the results it gave.


    ComboFix 09-09-12.A0 - HP_Administrator 09/13/2009 14:41.1.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.546 [GMT -4:00]
    Running from: c:\documents and settings\HP_Administrator\Desktop\WinInit.com.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\cleanup.exe
    c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
    c:\documents and settings\HP_Administrator\Local Settings\Temp\IadHide5.dll
    c:\recycler\NPROTECT
    c:\recycler\S-1-5-21-527237240-179605362-725345543-500
    c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
    c:\windows\Installer\3e496f.msp
    c:\windows\kb913800.exe
    c:\windows\system32\41.exe
    c:\windows\system32\drivers\2f76ae7a.sys
    c:\windows\system32\drivers\hjgruibabanvxo.sys
    c:\windows\system32\hjgruiawuwcdiy.dat
    c:\windows\system32\hjgruibdecyext.dll
    c:\windows\system32\hjgruibfnndrtc.dat
    c:\windows\system32\hjgruibjtpexju.dll
    c:\windows\system32\hjgruiboxvkyxj.dll
    c:\windows\system32\hjgruibyprkltp.dll
    c:\windows\system32\hjgruicnvtntkj.dll
    c:\windows\system32\hjgruidibcrdpp.dat
    c:\windows\system32\hjgruidtibciqx.dat
    c:\windows\system32\hjgruiemddkpks.dat
    c:\windows\system32\hjgruieqrxuwpc.dll
    c:\windows\system32\hjgruifthieiey.dat
    c:\windows\system32\hjgruifvrtcgif.dll
    c:\windows\system32\hjgruigxuwpite.dat
    c:\windows\system32\hjgruihwmcmdts.dat
    c:\windows\system32\hjgruihxvrtfge.dat
    c:\windows\system32\hjgruiivpucrlr.dll
    c:\windows\system32\hjgruijismnwxb.dll
    c:\windows\system32\hjgruimpftkpig.dll
    c:\windows\system32\hjgruimstiwwoi.dll
    c:\windows\system32\hjgruincbvttnq.dll
    c:\windows\system32\hjgruioqxymycd.dll
    c:\windows\system32\hjgruipdmexbyf.dll
    c:\windows\system32\hjgruiphpfvrtf.dll
    c:\windows\system32\hjgruipowidecb.dll
    c:\windows\system32\hjgruiputoibiq.dat
    c:\windows\system32\hjgruipymexjdi.dat
    c:\windows\system32\hjgruiqbwtvxiq.dll
    c:\windows\system32\hjgruiqhpylkdm.dll
    c:\windows\system32\hjgruiqltupqjy.dat
    c:\windows\system32\hjgruiqxnbmnri.dat
    c:\windows\system32\hjgruirwetbqvn.dll
    c:\windows\system32\hjgruirxeixnst.dll
    c:\windows\system32\hjgruirxhtanei.dat
    c:\windows\system32\hjgruisajqpjul.dll
    c:\windows\system32\hjgruisirqogwt.dll
    c:\windows\system32\hjgruitagbpetd.dll
    c:\windows\system32\hjgruiufygyqob.dll
    c:\windows\system32\hjgruiviwwoism.dll
    c:\windows\system32\hjgruivtepuyav.dat
    c:\windows\system32\hjgruivxsiwkcb.dat
    c:\windows\system32\hjgruiwbvttbqp.dll
    c:\windows\system32\hjgruiwkbwucbl.dat
    c:\windows\system32\hjgruixegoidip.dat
    c:\windows\system32\hjgruixobcqhti.dll
    c:\windows\system32\hjgruiyxcdbxpp.dll
    c:\windows\system32\lufuyuko.exe
    c:\windows\system32\ps2.bat
    c:\windows\system32\sumopuwu.dll
    c:\windows\system32\wovageku.dll
    D:\Autorun.inf

    c:\windows\system32\proquota.exe . . . is missing!!

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_hjgruisxrkmuyy
    -------\Legacy_SYS
    -------\Legacy_SYSDRV
    -------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
    -------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
    -------\Service_hjgruisxrkmuyy
    -------\Service_sys
    -------\Service_2f76ae7a


    ((((((((((((((((((((((((( Files Created from 2009-08-13 to 2009-09-13 )))))))))))))))))))))))))))))))
    .

    2009-09-13 18:32 . 2009-09-13 18:15 55808 ----a-w- c:\windows\system32\eventlog.dll
    2009-09-13 18:32 . 2009-09-13 18:15 55808 ----a-w- c:\windows\system32\dllcache\eventlog.dll
    2009-09-12 19:14 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-09-12 19:14 . 2009-09-12 19:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-09-12 19:14 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-09-12 17:21 . 2009-09-12 17:21 574 ----a-w- C:\cleanup.bat
    2009-09-12 17:21 . 2009-09-12 17:21 135168 ----a-w- C:\zip.exe
    2009-09-09 22:41 . 2009-09-12 18:59 1559 ----a-w- c:\windows\system32\olgdjlba.dat
    2009-09-09 22:37 . 2009-09-09 22:37 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Viewpoint
    2009-08-21 23:06 . 2009-08-21 23:06 -------- d-----w- c:\windows\system32\XPSViewer
    2009-08-21 23:06 . 2009-08-21 23:06 -------- d-----w- c:\program files\MSBuild
    2009-08-21 23:06 . 2009-08-21 23:06 -------- d-----w- c:\program files\Reference Assemblies
    2009-08-21 23:05 . 2009-08-21 23:06 -------- d-----w- C:\1aa9a6127fb447cef54cbc
    2009-08-21 23:05 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2009-08-21 23:05 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2009-08-21 23:05 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
    2009-08-21 23:05 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2009-08-21 23:05 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
    2009-08-21 23:05 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
    2009-08-21 23:05 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2009-08-21 23:01 . 2009-08-21 23:01 -------- d-----w- c:\program files\MSXML 6.0
    2009-08-19 15:47 . 2009-08-19 15:47 -------- d-----w- c:\program files\iTunes
    2009-08-15 02:30 . 2009-08-15 02:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
    2009-08-14 23:02 . 2009-08-14 23:02 -------- d-----w- c:\windows\ServicePackFiles

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-09-12 18:45 . 2009-06-12 18:44 49664 --sha-w- c:\windows\system32\zudeyuwi.dll
    2009-08-31 18:09 . 2008-09-02 01:38 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
    2009-08-23 22:45 . 2006-08-24 23:51 -------- d-----w- c:\program files\AIM
    2009-08-23 03:04 . 2008-09-02 01:38 11952 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-08-23 03:04 . 2008-09-02 01:38 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-08-23 03:04 . 2008-09-02 01:38 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-08-22 04:11 . 2006-03-12 06:48 63696 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-08-21 22:12 . 2006-09-23 05:35 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\BitTorrent
    2009-08-19 15:47 . 2006-07-03 20:49 -------- d-----w- c:\program files\iPod
    2009-08-19 15:47 . 2007-11-28 06:24 -------- d-----w- c:\program files\Common Files\Apple
    2009-08-14 05:38 . 2006-09-29 01:46 4620 ----a-w- c:\windows\XChange.dat
    2009-08-12 19:53 . 2009-08-12 19:53 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-08-12 19:53 . 2009-08-12 19:53 -------- d-----w- c:\program files\SUPERAntiSpyware
    2009-08-12 19:53 . 2009-08-12 19:53 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
    2009-08-12 19:52 . 2008-09-02 01:19 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-08-12 18:46 . 2009-08-12 18:46 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
    2009-08-12 18:46 . 2009-08-12 18:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-08-05 09:11 . 2004-08-09 21:00 204800 ------w- c:\windows\system32\mswebdvd.dll
    2009-07-17 18:55 . 2004-08-09 21:00 58880 ----a-w- c:\windows\system32\atl.dll
    2009-07-13 14:08 . 2004-08-09 21:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
    2009-07-11 22:45 . 2009-07-11 22:45 4608 ----a-w- c:\windows\system32\w95inf32.dll
    2009-07-11 22:45 . 2009-07-11 22:45 2272 ----a-w- c:\windows\system32\w95inf16.dll
    2009-06-26 15:59 . 2004-08-09 21:00 668160 ----a-w- c:\windows\system32\wininet.dll
    2009-06-26 15:59 . 2004-08-09 21:00 81920 ------w- c:\windows\system32\ieencode.dll
    2009-06-25 18:36 . 2004-08-09 21:00 95744 ----a-w- c:\windows\system32\mqsec.dll
    2009-06-25 18:36 . 2004-08-09 21:00 661504 ----a-w- c:\windows\system32\mqqm.dll
    2009-06-25 18:36 . 2004-08-09 21:00 517120 ----a-w- c:\windows\system32\mqsnap.dll
    2009-06-25 18:36 . 2004-08-09 21:00 48640 ----a-w- c:\windows\system32\mqupgrd.dll
    2009-06-25 18:36 . 2004-08-09 21:00 471552 ----a-w- c:\windows\system32\mqutil.dll
    2009-06-25 18:36 . 2004-08-09 21:00 47104 ----a-w- c:\windows\system32\mqdscli.dll
    2009-06-25 18:36 . 2004-08-09 21:00 225280 ----a-w- c:\windows\system32\mqoa.dll
    2009-06-25 18:36 . 2004-08-09 21:00 186880 ----a-w- c:\windows\system32\mqtrig.dll
    2009-06-25 18:36 . 2004-08-09 21:00 177152 ----a-w- c:\windows\system32\mqrt.dll
    2009-06-25 18:36 . 2004-08-09 21:00 16896 ----a-w- c:\windows\system32\mqise.dll
    2009-06-25 18:36 . 2004-08-09 21:00 138240 ----a-w- c:\windows\system32\mqad.dll
    2009-06-25 18:36 . 2004-08-09 21:00 123392 ----a-w- c:\windows\system32\mqrtdep.dll
    2009-06-22 11:49 . 2004-08-09 21:00 19968 ----a-w- c:\windows\system32\mqbkup.exe
    2009-06-22 11:49 . 2004-08-09 21:00 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
    2009-06-22 11:49 . 2004-08-09 21:00 4608 ----a-w- c:\windows\system32\mqsvc.exe
    2009-06-22 11:48 . 2004-08-09 21:00 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
    2009-06-16 14:55 . 2004-08-09 21:00 82432 ------w- c:\windows\system32\fontsub.dll
    2009-06-16 14:55 . 2004-08-09 21:00 119808 ------w- c:\windows\system32\t2embed.dll
    2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    2009-06-12 18:45 . 2009-06-12 18:45 49664 --sha-w- c:\windows\system32\jehodini.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f74c0501-f644-4968-91f9-6939587f6aa4}]
    2009-06-12 18:45 49664 --sha-w- c:\windows\system32\jehodini.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
    "BitTorrent"="c:\program files\BitTorrent\bittorrent.exe" [2006-09-21 43520]
    "AWMON"="c:\program files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [2005-05-25 517632]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-09 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-02-21 143360]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-11-04 7307264]
    "HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
    "DMAScheduler"="c:\program files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe" [2005-11-01 90112]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
    "HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-09 249856]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
    "KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
    "ViewMgr"="c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [2007-01-04 112336]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
    "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-11-04 1519616]
    "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-01-11 15961088]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-3-12 27136]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
    Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-3-12 36903]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop"= 1 (0x1)
    "NoActiveDesktopChanges"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-08-23 03:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
    "c:\\Program Files\\AIM\\aim.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Program Files\\Games\\Battlefield 2\\BF2.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/1/2008 9:38 PM 335240]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/1/2008 9:38 PM 108552]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/1/2008 9:38 PM 297752]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 8:59 PM 24652]
    S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/1/2008 9:38 PM 908056]
    S2 giyqy;giyqy;c:\windows\system32\drivers\irxffg.sys --> c:\windows\system32\drivers\irxffg.sys [?]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    USBDriver
    .
    Contents of the 'Scheduled Tasks' folder

    2009-08-29 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2008-09-02 c:\windows\Tasks\Symantec NetDetect.job
    - c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2008-09-02 21:26]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.insightbb.com/default.aspx
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    DPF: {3CBA13C3-58C7-47F1-9758-D4B255A50D51} - file://e:\html\search\ses_ocx\sessearch.ocx
    FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\xaasg3ln.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.insightbb.com/default.aspx
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
    FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-DISCover - c:\program files\DISC\DISCover.exe
    HKLM-Run-DiscUpdateManager - c:\program files\DISC\DiscUpdateMgr.exe
    HKLM-Run-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
    HKLM-Run-PCDrProfiler - (no file)
    HKLM-Run-gevodimoye - wovageku.dll



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-09-13 15:01
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(840)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll

    - - - - - - - > 'explorer.exe'(1012)
    c:\windows\system32\nview.dll
    c:\windows\system32\nvwddi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\ehome\ehrecvr.exe
    c:\windows\ehome\ehSched.exe
    c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\progra~1\AVG\AVG8\avgnsx.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\PnkBstrA.exe
    c:\program files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\windows\system32\dllhost.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\rundll32.exe
    c:\windows\ehome\ehmsas.exe
    c:\program files\HP\Digital Imaging\bin\hpqste08.exe
    .
    **************************************************************************
    .
    Completion time: 2009-09-13 15:07 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-09-13 19:07

    Pre-Run: 24,405,716,992 bytes free
    Post-Run: 27,025,350,656 bytes free

    321 --- E O F --- 2009-09-08 02:19


    Should I run malwarebytes again, or are there any more steps I should take before that?
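Two things in this thread's logs are worth turning into a repeatable check. The earlier Malwarebytes log showed the BITS and wuauserv ImagePath values rewritten from %SystemRoot% to %fystemRoot%, a variable that does not expand, so the service control manager cannot find svchost.exe and those services (Windows Update's transfer and update services) never start. The ComboFix service list above has an entry, S2 giyqy, whose driver path is annotated "--> ... [?]". As an added example that is neither ComboFix's nor Malwarebytes' code, the Python below parses service lines in the format seen in the log and audits raw ImagePath values. It assumes that "[?]" means the file was not found, and its allow-list of environment variable names is constructed. The sample service lines are copied from the log above; the sample ImagePath values come from the earlier Malwarebytes log, with one healthy Spooler entry constructed for contrast.

```python
"""Audit Windows service entries for two tampering patterns seen in this
thread's logs: a service whose driver/binary file is missing, and an ImagePath
whose environment variable has been misspelt (%fystemRoot% for %SystemRoot%)
so the service can no longer start.

Added example for the thread, not ComboFix's or Malwarebytes' code.  The
service-line format ("R1 name;display;path [date size]", with "--> path [?]"
when the file is absent) is read off the ComboFix log posted above; treating
"[?]" as "file not found" is an assumption.
"""
import re

# Environment variables that legitimately appear in ImagePath values on an
# XP-era system (constructed allow-list; extend it for your own builds).
KNOWN_ENV = {"systemroot", "windir", "systemdrive", "programfiles", "commonprogramfiles"}
ENV_RE = re.compile(r"%([^%]+)%")

# "<R|S><digit> <name>;<display>;<path>[ --> <resolved>] [<detail>]"
# R/S is running/stopped as the log shows it; the trailing bracket holds either
# a date and size or "?" for a file ComboFix could not find.
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"(?:\s+-->\s+(?P<resolved>.+?))?\s+\[(?P<detail>[^\]]*)\]$"
)

# Constructed sample: service lines copied from the ComboFix log above.
SAMPLE_SERVICE_LINES = [
    r"R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/1/2008 9:38 PM 335240]",
    r"R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 8:59 PM 24652]",
    r"S2 giyqy;giyqy;c:\windows\system32\drivers\irxffg.sys --> c:\windows\system32\drivers\irxffg.sys [?]",
    r"S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]",
]

# Constructed sample: raw ImagePath values as the Malwarebytes log reported
# them for BITS and wuauserv, plus one untouched entry for contrast.
SAMPLE_IMAGE_PATHS = {
    "BITS": r"%fystemRoot%\system32\svchost.exe -k netsvcs",
    "wuauserv": r"%fystemroot%\system32\svchost.exe -k netsvcs",
    "Spooler": r"%SystemRoot%\system32\spoolsv.exe",
}


def audit_image_path(value):
    """Problems with one raw ImagePath value (empty list when clean)."""
    problems = []
    for var in ENV_RE.findall(value):
        if var.lower() not in KNOWN_ENV:
            problems.append(f"unknown environment variable %{var}%")
    return problems


def audit_image_paths(image_paths):
    """(service, problem) pairs over a {service: ImagePath} mapping."""
    return [(svc, p) for svc, value in image_paths.items() for p in audit_image_path(value)]


def parse_service_line(line):
    """Split one ComboFix-style service line into its fields, or None."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["running"] = fields["start"].startswith("R")
    fields["missing"] = fields["detail"].strip() == "?"
    return fields


def audit_service_lines(lines):
    """(service, problem) pairs: missing binaries and unresolvable variables."""
    findings = []
    for line in lines:
        svc = parse_service_line(line)
        if svc is None:
            continue
        if svc["missing"]:
            findings.append((svc["name"], f"binary not found: {svc['path']}"))
        findings.extend((svc["name"], p) for p in audit_image_path(svc["path"]))
    return findings


if __name__ == "__main__":
    for name, problem in audit_image_paths(SAMPLE_IMAGE_PATHS) + audit_service_lines(SAMPLE_SERVICE_LINES):
        print(f"{name}: {problem}")
```

The missing-file check is the one that matters for the giyqy entry: a stopped auto-start service pointing at a driver that no longer exists is the leftover of the rootkit ComboFix removed, and the registry key still needs cleaning up. On a live machine the ImagePath mapping would come from the values under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services rather than from a scanner log.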

    Re: Need Help With Windows Police Pro

    Hi

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:


    File::
    c:\windows\system32\olgdjlba.dat
    c:\windows\system32\zudeyuwi.dll
    c:\windows\system32\jehodini.dll

    Suspect::
    C:\1aa9a6127fb447cef54cbc

    Driver::
    hjgruisxrkmuyy



    Save this as CFScript.txt, in the same location as ComboFix.exe


    (screenshot: CFScriptB-4)

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

    Re: Need Help With Windows Police Pro

    Okay, here's the new ComboFix


    ComboFix 09-09-12.A0 - HP_Administrator 09/13/2009 16:51.2.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.498 [GMT -4:00]
    Running from: c:\documents and settings\HP_Administrator\Desktop\WinInit.com.exe
    Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    FILE ::
    "c:\windows\system32\jehodini.dll"
    "c:\windows\system32\olgdjlba.dat"
    "c:\windows\system32\zudeyuwi.dll"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\jehodini.dll
    c:\windows\system32\olgdjlba.dat
    c:\windows\system32\zudeyuwi.dll

    c:\windows\system32\proquota.exe . . . is missing!!

    .
    ((((((((((((((((((((((((( Files Created from 2009-08-13 to 2009-09-13 )))))))))))))))))))))))))))))))
    .

    2009-09-13 18:32 . 2009-09-13 18:15 55808 ----a-w- c:\windows\system32\dllcache\eventlog.dll
    2009-09-13 18:32 . 2009-09-13 18:15 55808 ------w- c:\windows\system32\eventlog.dll
    2009-09-12 19:14 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-09-12 19:14 . 2009-09-12 19:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-09-12 19:14 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-09-12 17:21 . 2009-09-12 17:21 574 ----a-w- C:\cleanup.bat
    2009-09-12 17:21 . 2009-09-12 17:21 135168 ----a-w- C:\zip.exe
    2009-09-09 22:37 . 2009-09-09 22:37 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Viewpoint
    2009-08-21 23:06 . 2009-08-21 23:06 -------- d-----w- c:\windows\system32\XPSViewer
    2009-08-21 23:06 . 2009-08-21 23:06 -------- d-----w- c:\program files\MSBuild
    2009-08-21 23:06 . 2009-08-21 23:06 -------- d-----w- c:\program files\Reference Assemblies
    2009-08-21 23:05 . 2009-08-21 23:06 -------- d-----w- C:\1aa9a6127fb447cef54cbc
    2009-08-21 23:05 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2009-08-21 23:05 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2009-08-21 23:05 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
    2009-08-21 23:05 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2009-08-21 23:05 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
    2009-08-21 23:05 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
    2009-08-21 23:05 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2009-08-21 23:01 . 2009-08-21 23:01 -------- d-----w- c:\program files\MSXML 6.0
    2009-08-19 15:47 . 2009-08-19 15:47 -------- d-----w- c:\program files\iTunes
    2009-08-15 02:30 . 2009-08-15 02:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
    2009-08-14 23:02 . 2009-08-14 23:02 -------- d-----w- c:\windows\ServicePackFiles

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-31 18:09 . 2008-09-02 01:38 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
    2009-08-23 22:45 . 2006-08-24 23:51 -------- d-----w- c:\program files\AIM
    2009-08-23 03:04 . 2008-09-02 01:38 11952 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-08-23 03:04 . 2008-09-02 01:38 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-08-23 03:04 . 2008-09-02 01:38 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-08-22 04:11 . 2006-03-12 06:48 63696 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-08-21 22:12 . 2006-09-23 05:35 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\BitTorrent
    2009-08-19 15:47 . 2006-07-03 20:49 -------- d-----w- c:\program files\iPod
    2009-08-19 15:47 . 2007-11-28 06:24 -------- d-----w- c:\program files\Common Files\Apple
    2009-08-14 05:38 . 2006-09-29 01:46 4620 ----a-w- c:\windows\XChange.dat
    2009-08-12 19:53 . 2009-08-12 19:53 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-08-12 19:53 . 2009-08-12 19:53 -------- d-----w- c:\program files\SUPERAntiSpyware
    2009-08-12 19:53 . 2009-08-12 19:53 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
    2009-08-12 19:52 . 2008-09-02 01:19 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-08-12 18:46 . 2009-08-12 18:46 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
    2009-08-12 18:46 . 2009-08-12 18:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-08-05 09:11 . 2004-08-09 21:00 204800 ------w- c:\windows\system32\mswebdvd.dll
    2009-07-17 18:55 . 2004-08-09 21:00 58880 ----a-w- c:\windows\system32\atl.dll
    2009-07-13 14:08 . 2004-08-09 21:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
    2009-07-11 22:45 . 2009-07-11 22:45 4608 ----a-w- c:\windows\system32\w95inf32.dll
    2009-07-11 22:45 . 2009-07-11 22:45 2272 ----a-w- c:\windows\system32\w95inf16.dll
    2009-06-26 15:59 . 2004-08-09 21:00 668160 ------w- c:\windows\system32\wininet.dll
    2009-06-26 15:59 . 2004-08-09 21:00 81920 ------w- c:\windows\system32\ieencode.dll
    2009-06-25 18:36 . 2004-08-09 21:00 95744 ----a-w- c:\windows\system32\mqsec.dll
    2009-06-25 18:36 . 2004-08-09 21:00 661504 ----a-w- c:\windows\system32\mqqm.dll
    2009-06-25 18:36 . 2004-08-09 21:00 517120 ----a-w- c:\windows\system32\mqsnap.dll
    2009-06-25 18:36 . 2004-08-09 21:00 48640 ----a-w- c:\windows\system32\mqupgrd.dll
    2009-06-25 18:36 . 2004-08-09 21:00 471552 ----a-w- c:\windows\system32\mqutil.dll
    2009-06-25 18:36 . 2004-08-09 21:00 47104 ----a-w- c:\windows\system32\mqdscli.dll
    2009-06-25 18:36 . 2004-08-09 21:00 225280 ----a-w- c:\windows\system32\mqoa.dll
    2009-06-25 18:36 . 2004-08-09 21:00 186880 ----a-w- c:\windows\system32\mqtrig.dll
    2009-06-25 18:36 . 2004-08-09 21:00 177152 ----a-w- c:\windows\system32\mqrt.dll
    2009-06-25 18:36 . 2004-08-09 21:00 16896 ----a-w- c:\windows\system32\mqise.dll
    2009-06-25 18:36 . 2004-08-09 21:00 138240 ----a-w- c:\windows\system32\mqad.dll
    2009-06-25 18:36 . 2004-08-09 21:00 123392 ----a-w- c:\windows\system32\mqrtdep.dll
    2009-06-22 11:49 . 2004-08-09 21:00 19968 ----a-w- c:\windows\system32\mqbkup.exe
    2009-06-22 11:49 . 2004-08-09 21:00 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
    2009-06-22 11:49 . 2004-08-09 21:00 4608 ----a-w- c:\windows\system32\mqsvc.exe
    2009-06-22 11:48 . 2004-08-09 21:00 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
    2009-06-16 14:55 . 2004-08-09 21:00 82432 ------w- c:\windows\system32\fontsub.dll
    2009-06-16 14:55 . 2004-08-09 21:00 119808 ------w- c:\windows\system32\t2embed.dll
    2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
    "BitTorrent"="c:\program files\BitTorrent\bittorrent.exe" [2006-09-21 43520]
    "AWMON"="c:\program files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [2005-05-25 517632]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-09 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-02-21 143360]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-11-04 7307264]
    "HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
    "DMAScheduler"="c:\program files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe" [2005-11-01 90112]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
    "HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-09 249856]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
    "KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
    "ViewMgr"="c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [2007-01-04 112336]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
    "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-11-04 1519616]
    "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-01-11 15961088]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-3-12 27136]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
    Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-3-12 36903]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop"= 1 (0x1)
    "NoActiveDesktopChanges"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-08-23 03:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
    "c:\\Program Files\\AIM\\aim.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Program Files\\Games\\Battlefield 2\\BF2.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"=
    "c:\\WINDOWS\\RTHDCPL.EXE"=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/1/2008 9:38 PM 335240]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/1/2008 9:38 PM 108552]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/1/2008 9:38 PM 297752]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 8:59 PM 24652]
    S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/1/2008 9:38 PM 908056]
    S2 giyqy;giyqy;c:\windows\system32\drivers\irxffg.sys --> c:\windows\system32\drivers\irxffg.sys [?]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    USBDriver
    .
    Contents of the 'Scheduled Tasks' folder

    2009-08-29 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2008-09-02 c:\windows\Tasks\Symantec NetDetect.job
    - c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2008-09-02 21:26]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.insightbb.com/default.aspx
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    DPF: {3CBA13C3-58C7-47F1-9758-D4B255A50D51} - file://e:\html\search\ses_ocx\sessearch.ocx
    FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\xaasg3ln.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.insightbb.com/default.aspx
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
    FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{f74c0501-f644-4968-91f9-6939587f6aa4} - jehodini.dll



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-09-13 17:06
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(840)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll

    - - - - - - - > 'explorer.exe'(976)
    c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
    c:\windows\system32\nview.dll
    c:\windows\system32\nvwddi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\ehome\ehrecvr.exe
    c:\windows\ehome\ehSched.exe
    c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\PnkBstrA.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\progra~1\AVG\AVG8\avgnsx.exe
    c:\program files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
    c:\windows\system32\dllhost.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\rundll32.exe
    c:\windows\ehome\ehmsas.exe
    c:\program files\HP\Digital Imaging\bin\hpqste08.exe
    .
    **************************************************************************
    .
    Completion time: 2009-09-13 17:16 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-09-13 21:16
    ComboFix2.txt 2009-09-13 19:07

    Pre-Run: 27,015,659,520 bytes free
    Post-Run: 26,934,808,576 bytes free

    254 --- E O F --- 2009-09-13 21:14


    I'd also like to mention something that's happened after startup since running ComboFix. Before I ran it, ad-watch told me about a registry modification pertaining to something called "wovageku.dll". That file was deleted by ComboFix (believe me, I am NOT complaining), but every time ComboFix has rebooted my computer I get a message box informing me that wovageku.dll could not be run because it could not be found. Is that going to go away eventually?

    Also, ad-watch keeps shutting down for some reason after booting briefly. Is that worthy of concern?

    Again, thank you so much for all the help you've given me.

    Re: Need Help With Windows Police Pro

    Hi

    Please disable Ad-Watch until after the fixes have been done, and your computer is declared clean.

    ==

    Please re-open SystemLook and paste the following in to the box, and click Look:
    :filefind
    wovageku.dll
    winlogon.exe
    es.dll

    Please post that log in your next reply.
    ==

    Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Full Scan, and press Scan. Remove Selected, then post a log in your next reply.

    ==

    Please run a free online scan with the ESET Online Scanner
    Note: You will need to use Internet Explorer for this scan

    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, you may close the window
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic


    ==

    Phew. Please include the following logs in your next reply:
    (You may have to do two separate replies, because these logs can get long)
    -SystemLook
    -MBAM log
    -ESET log

    Also, please tell me how your computer is running and if you encountered any problems doing the above tasks.

    Re: Need Help With Windows Police Pro

    Systemlook log:

    SystemLook v1.0 by jpshortstuff (29.08.09)
    Log created at 18:02 on 13/09/2009 by HP_Administrator (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "wovageku.dll"
    No files found.

    Searching for "winlogon.exe"
    C:\WINDOWS\ERDNT\cache\winlogon.exe --a--- 502272 bytes [19:05 13/09/2009] [21:00 09/08/2004] 01C3346C241652F43AED8E2149881BFE
    C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\winlogon.exe --a--- 507904 bytes [12:58 27/08/2008] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
    C:\WINDOWS\system32\dllcache\winlogon.exe ------ 502272 bytes [21:00 09/08/2004] [21:00 09/08/2004] 01C3346C241652F43AED8E2149881BFE
    C:\WINDOWS\system32\winlogon.exe ------ 502272 bytes [21:00 09/08/2004] [21:00 09/08/2004] 01C3346C241652F43AED8E2149881BFE

    Searching for "es.dll"
    C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\es.dll --a--- 243200 bytes [06:27 12/03/2006] [04:20 26/07/2005] 95F5FEA4C6DE2C3F28784D0DCC8F0DD3
    C:\WINDOWS\$hf_mig$\KB950974\SP2QFE\es.dll --a--- 253952 bytes [20:06 07/07/2008] [20:06 07/07/2008] A4AB3DCA4A383F0DF4988ABDEB84F9A4
    C:\WINDOWS\$hf_mig$\KB950974\SP3GDR\es.dll --a--- 253952 bytes [20:26 07/07/2008] [20:26 07/07/2008] D4991D98F2DB73C60D042F1AEF79EFAE
    C:\WINDOWS\$hf_mig$\KB950974\SP3QFE\es.dll --a--- 253952 bytes [20:23 07/07/2008] [20:23 07/07/2008] F17F6226BDC0CD5F0BEF0DAF84D29BEC
    C:\WINDOWS\$NtUninstallKB902400$\es.dll --a--c 243200 bytes [06:27 12/03/2006] [21:00 09/08/2004] ACD36A2DD7D1E9D8A060AA651DC07E63
    C:\WINDOWS\$NtUninstallKB950974$\es.dll -----c 243200 bytes [16:36 26/08/2008] [04:39 26/07/2005] 34BBD9ACC1538818F2C878898C64E793
    C:\WINDOWS\ERDNT\cache\es.dll --a--- 253952 bytes [19:05 13/09/2009] [20:32 07/07/2008] 60D1A6342238378BFB7545C81EE3606C
    C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\es.dll --a--- 246272 bytes [12:57 27/08/2008] [00:11 14/04/2008] 19A799805B24990867B00C120D300C3A
    C:\WINDOWS\system32\dllcache\es.dll ------ 253952 bytes [21:00 09/08/2004] [20:32 07/07/2008] 60D1A6342238378BFB7545C81EE3606C
    C:\WINDOWS\system32\es.dll ------ 253952 bytes [21:00 09/08/2004] [20:32 07/07/2008] 60D1A6342238378BFB7545C81EE3606C

    -=End Of File=-


    MBAM log:

    Malwarebytes' Anti-Malware 1.41
    Database version: 2793
    Windows 5.1.2600 Service Pack 2

    9/13/2009 7:10:51 PM
    mbam-log-2009-09-13 (19-10-51).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 290533
    Time elapsed: 1 hour(s), 3 minute(s), 16 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 24

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Qoobox\Quarantine\C\cleanup.exe.vir (Trojan.Banker) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruiboxvkyxj.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruibyprkltp.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruieqrxuwpc.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruifvrtcgif.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruipdmexbyf.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruiphpfvrtf.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruipowidecb.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruirxeixnst.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruisajqpjul.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruibdecyext.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruiviwwoism.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruiwbvttbqp.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruiyxcdbxpp.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\jehodini.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\lufuyuko.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\sumopuwu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\wovageku.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\zudeyuwi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruimstiwwoi.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\2f76ae7a.sys.vir (Rootkit.Rustock) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\hjgruibabanvxo.sys.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1\A0000024.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1\A0000025.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


    ESET log:

    C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruirwetbqvn.dll.vir Win32/Olmarik.KW trojan cleaned by deleting - quarantined
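The helper's `:filefind` request for winlogon.exe and es.dll is there to check whether the live system32 copy still hashes the same as the protected dllcache and ERDNT backup copies (a Vundo/TDSS-patched system file shows up as a differing MD5). As an added example, not part of this thread or of SystemLook, the Python below parses SystemLook filefind output and performs that comparison; its sample input reuses the winlogon.exe lines from the log above plus a constructed `patched.dll` entry whose live copy has been altered.

```python
"""Parse SystemLook ':filefind' output and compare the MD5 of each file's live
system32 copy against its dllcache / ERDNT backup copies (added example)."""
import re

# Constructed sample: winlogon.exe lines copied from the log above, wovageku.dll
# (reported absent), and a made-up 'patched.dll' whose live copy differs.
SAMPLE_LOG = r"""SystemLook v1.0 by jpshortstuff (29.08.09)

========== filefind ==========

Searching for "wovageku.dll"
No files found.

Searching for "winlogon.exe"
C:\WINDOWS\ERDNT\cache\winlogon.exe --a--- 502272 bytes [19:05 13/09/2009] [21:00 09/08/2004] 01C3346C241652F43AED8E2149881BFE
C:\WINDOWS\system32\dllcache\winlogon.exe ------ 502272 bytes [21:00 09/08/2004] [21:00 09/08/2004] 01C3346C241652F43AED8E2149881BFE
C:\WINDOWS\system32\winlogon.exe ------ 502272 bytes [21:00 09/08/2004] [21:00 09/08/2004] 01C3346C241652F43AED8E2149881BFE

Searching for "patched.dll"
C:\WINDOWS\system32\dllcache\patched.dll ------ 253952 bytes [21:00 09/08/2004] [20:32 07/07/2008] 60D1A6342238378BFB7545C81EE3606C
C:\WINDOWS\system32\patched.dll --a--- 253952 bytes [21:00 09/08/2004] [20:32 07/07/2008] 00000000000000000000000000000000

-=End Of File=-
"""

# One result line: <path> <6 attribute flags> <size> bytes [modified] [created] <MD5>
ENTRY_RE = re.compile(
    r'^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>[-A-Za-z]{6}) (?P<size>\d+) bytes '
    r'\[(?P<modified>[^\]]+)\] \[(?P<created>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$'
)
SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"$')


def parse_filefind(text):
    """Return {searched name (lower-case): [entry dict, ...]}; no hits -> []."""
    results = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group('name').lower()
            results[current] = []
            continue
        if current is None:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entry = m.groupdict()
            entry['size'] = int(entry['size'])
            entry['md5'] = entry['md5'].upper()
            results[current].append(entry)
    return results


def _is_live_copy(path, name):
    # The copy Windows actually loads: directly under system32, not dllcache.
    return path.lower().endswith('\\system32\\' + name)


def _is_reference_copy(path):
    # Windows File Protection cache and the ERDNT backup ComboFix took.
    p = path.lower()
    return '\\system32\\dllcache\\' in p or '\\erdnt\\cache\\' in p


def check_system_files(results):
    """Per file: 'absent', 'consistent', 'MISMATCH ...', or why no comparison was possible.
    A mismatch is a lead, not proof: dllcache can lag behind a legitimate hotfix."""
    verdicts = {}
    for name, entries in results.items():
        if not entries:
            verdicts[name] = 'absent'
            continue
        live = [e for e in entries if _is_live_copy(e['path'], name)]
        refs = [e for e in entries if _is_reference_copy(e['path'])]
        if not live:
            verdicts[name] = 'no live copy in system32'
        elif not refs:
            verdicts[name] = 'no reference copy to compare against'
        elif any(r['md5'] == live[0]['md5'] for r in refs):
            verdicts[name] = 'consistent'
        else:
            ref_hashes = sorted({r['md5'] for r in refs})
            verdicts[name] = 'MISMATCH live=%s refs=%s' % (live[0]['md5'], ref_hashes)
    return verdicts


if __name__ == '__main__':
    for name, verdict in check_system_files(parse_filefind(SAMPLE_LOG)).items():
        print('%s: %s' % (name, verdict))
```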

    Re: Need Help With Windows Police Pro

    Hi

    Go to start > run and copy and paste next command in the field:
    ComboFix /u

    Make sure there's a space between Combofix and /
    Then hit enter.

    This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

    ==

    Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan.

    Please post the MBAM log in your next reply.

    Re: Need Help With Windows Police Pro

    Does it matter that the actual file isn't called combofix? I named it WinIni.com, should I still say ComboFix /u in the command prompt?

    Re: Need Help With Windows Police Pro

    If it does not delete, then please delete the following:

    winInit.com
    C:\Qoobox

    ==

    Post the MBAM log when ready.

    Re: Need Help With Windows Police Pro

    FINALLY. Deleted ComboFix like you originally told me to, ran MBAM, found nothing.


    Malwarebytes' Anti-Malware 1.41
    Database version: 2793
    Windows 5.1.2600 Service Pack 2

    9/13/2009 10:55:30 PM
    mbam-log-2009-09-13 (22-55-30).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 273394
    Time elapsed: 58 minute(s), 51 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    Are there any extra steps I should take, or is that it?

    Re: Need Help With Windows Police Pro

    Hi

    Hooray! Your computer is clean.

    Download Security Check by screen317 from here or here.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    Re: Need Help With Windows Police Pro

    I am overjoyed to say that I am posting this from my own computer.
    Here we go:


    Results of screen317's Security Check version 0.98.9
    Windows XP Service Pack 2
    Out of date service pack!!
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    AVG Free 8.5


    Antivirus up to date!
    ``````````````````````````````
    Anti-malware/Other Utilities Check:

    Ad-Aware
    SUPERAntiSpyware Free Edition
    Malwarebytes' Anti-Malware
    HijackThis 2.0.2
    Adobe Flash Player 10
    Adobe Reader 7.0
    Out of date Adobe Reader installed!
    ``````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Ad-Aware AAWService.exe
    Ad-Aware AAWTray.exe is disabled!


    ``````````````````````````````
    DNS Vulnerability Check:

    GREAT! (Not vulnerable to DNS cache poisoning)

    `````````End of Log```````````


    Three questions:
    1.) SUPER Anti Spyware got messed up by the virus originally. Should it run normally now, or should I just delete it, download a new copy and update it?

    2.) I know it says AVG is working, but for some reason the e-mail scanner is inactive and I can't seem to reactivate it. The checkboxes for scanning incoming and outgoing messages are checked, but it still claims that it's inactive. What gives?

    3.) What should I do about that Ad-Aware problem it mentioned?

    I cannot possibly thank you enough for all the help you've given me--but I'll try anyway. Thank You!

    Re: Need Help With Windows Police Pro

    Hi

    Uninstall SAS, then download and install a new one from here: http://www.SuperAntiSpyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

    ==
    For Ad-Aware
    Try to re-enable it. If it will not work, I suggest a reinstall. http://www.lavasoft.com/products/ad_aware_free.php

    ==

    Try updating AVG. If it will not straighten up, I suggest a reinstall as well. http://free.avg.com

    ==

    Adobe Acrobat Reader is out of date.

    Please download the newest version from here: http://www.adobe.com/products/acrobat/readstep2.html

    It's important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
    Go to Start > Control Panel > Software and open Add or Remove Programs.
    Search in the list for all previously installed versions of Adobe Acrobat Reader.

    Once old versions are gone, please install the newest version.

    ==

    Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

    Software recommendations

    Firewall

    • Tallemu Online Armor: the free version is just as good as the premium. I have linked you to the free version.
    • Comodo Firewall: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40%. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
    • PC Tools Firewall Plus: free and excellent firewall.


    AntiSpyware

    • SpywareBlaster
      SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here.
    • Spybot - Search & Destroy.
      Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer, to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).


    NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

    Resident Protection help
    A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

    Rogue programs help
    There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
    http://www.spywarewarrior.com/rogue_anti-spyware.htm

    Securing your computer

    • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
    • hpHosts file - replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.


    Please consider using an alternate browser
    Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

    If you are interested:

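As an added example (not from this thread and not hpHosts' own code), here is a small Python parser for the HOSTS file format that shows how the blocking described above works: any name pinned to the loopback address never leaves the machine, while an entry that sends a name to some other address is a redirect rather than a block and is worth reviewing. The file contents and host names below are constructed.

```python
import ipaddress
from typing import Dict, List

# Constructed sample in Windows HOSTS file format (not from hpHosts or the thread).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1  ads.example-tracker.test   # hypothetical ad server
127.0.0.1  www.bad-site.test bad-site.test
0.0.0.0    popup.example-rogue.test
203.0.113.9  update.example-av.test   # hypothetical: NOT loopback, worth reviewing
"""

# Addresses that make a name unreachable: loopback or the unspecified address.
BLOCK_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname (lower-cased) to the address it is pinned to.
    Blank lines and '#' comments (whole-line or trailing) are ignored;
    the first entry for a name wins, as the resolver reads the file top-down."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed address field; skip the line
        for name in fields[1:]:
            mapping.setdefault(name.lower(), addr)
    return mapping


def is_blocked(mapping: Dict[str, str], hostname: str) -> bool:
    """True if the hostname is pinned to a sink, so a connection never leaves the PC."""
    return mapping.get(hostname.lower()) in BLOCK_SINKS


def suspicious_entries(mapping: Dict[str, str]) -> List[str]:
    """Hostnames pinned to a real address: these redirect traffic rather than block it."""
    return sorted(name for name, addr in mapping.items() if addr not in BLOCK_SINKS)
```

Run against the real file (%SystemRoot%\System32\drivers\etc\hosts) the same check shows which names a blocklist actually sinks and which entries point somewhere else.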