GeekPolice
BankerFox.A and Win32/Nuqel.E
My machine is showing warnings for BankerFox.A and Win32/Nuqel.E. I'm getting lots of porn website popups and it's interfering with my attempts at opening and installing various programs. I just keep clicking no, no, no. I was just able to install HijackThis and with quick fingers was able to create the log below. I had to email it to another machine because the virus wouldn't let me open Wordpad. Seems like it blocks whatever program I try to open to fight the virus. It's like it knows.....

grateful for any help,

carol

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:58:09 PM, on 10/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\qldlfa\qfjqsysguard.exe
C:\PROGRA~1\AOL9~1.1\waol.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\PROGRA~1\AOL9~1.1\shellmon.exe
C:\Program Files\Common Files\aol\1215882299\ee\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.britishislesonline.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: PDF-XChange Viewer IE-Plugin - {C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F} - C:\Program Files\Tracker Software\PDF Viewer\PDFXCviewIEPlugin.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [system tool] C:\Program Files\qldlfa\qfjqsysguard.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRA~1\AOL9~1.1\AOL.EXE" -b
O4 - .DEFAULT User Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Filter hijack: text/html - {abe6f82e-ec14-4ada-be8f-957df04c422d} - C:\WINDOWS\system32\dsound3dd.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe

--
End of file - 5709 bytes
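As an added example (not part of the original thread, and not a HijackThis feature), the script below reads a HijackThis log in the format posted above and pulls out the entries a helper would look at first. The rules are my own assumptions, not anything HijackThis or the helper states: O18 "Filter hijack" lines are always reported because HijackThis itself labels them, O10 "Unknown file in Winsock LSP" lines are reported for manual review, and O4 autostart entries are reported when one of the directories in their path has a random-looking name (letters only, five or more characters, fewer than a quarter vowels). Each O4 finding also records whether the same executable appears under "Running processes". The sample log is a constructed subset of the lines posted above.

```python
"""Triage helper for HijackThis-style logs (added example, not a GeekPolice tool).

Assumed heuristics (not from HijackThis):
  * O18 'Filter hijack' lines are always reported.
  * O10 'Unknown file in Winsock LSP' lines are reported for review.
  * O4 autostart entries whose path contains a random-looking directory name
    are reported, with a note on whether that executable is currently running.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis log posted above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\qldlfa\qfjqsysguard.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.britishislesonline.com/
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [system tool] C:\Program Files\qldlfa\qfjqsysguard.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Filter hijack: text/html - {abe6f82e-ec14-4ada-be8f-957df04c422d} - C:\WINDOWS\system32\dsound3dd.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# O4 body: "[value name] "optional quoted path.exe" optional args"
O4_RE = re.compile(r'\[(?P<name>[^\]]+)\]\s*"?(?P<path>.+?\.exe)"?', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    severity: str        # "high" or "review"
    code: str            # HijackThis section code, e.g. "O4"
    path: str
    reason: str
    running: bool = False


def looks_random(name: str) -> bool:
    """Assumed heuristic: letters only, 5+ chars, fewer than 25% vowels."""
    if len(name) < 5 or not name.isalpha():
        return False
    vowels = sum(ch in "aeiouAEIOU" for ch in name)
    return vowels / len(name) < 0.25


def parse_log(text: str):
    """Return (set of running process paths, lowercased; list of (code, body))."""
    running, entries, in_procs = set(), [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body")))
        elif in_procs:
            running.add(line.lower())
    return running, entries


def triage(text: str):
    running, entries = parse_log(text)
    findings = []
    for code, body in entries:
        low = body.lower()
        if code == "O18" and low.startswith("filter hijack"):
            path = body.rsplit(" - ", 1)[-1]
            findings.append(Finding("high", code, path,
                "MIME filter hijack: this DLL sees every text/html response "
                "before the browser renders it"))
        elif code == "O10" and "unknown file" in low:
            path = body.split(": ", 1)[-1]
            findings.append(Finding("review", code, path,
                "Winsock LSP not on HijackThis's known list; verify the file's "
                "publisher first, since breaking the LSP chain breaks networking"))
        elif code == "O4":
            m = O4_RE.search(body)
            if not m:
                continue
            path = m.group("path")
            odd = [d for d in path.split("\\")[:-1] if looks_random(d)]
            if odd:
                findings.append(Finding("review", code, path,
                    f"autostart from random-looking folder {odd[0]!r} "
                    f"(value name {m.group('name')!r})",
                    running=path.lower() in running))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        state = " [RUNNING]" if f.running else ""
        print(f"{f.severity.upper():6} {f.code:4} {f.path}{state}\n       {f.reason}")
```

The folder-name rule is a triage aid, not a verdict: it is there to surface entries for a human to check against the file's publisher and signature, and it will miss malware that installs into a plausibly named folder.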

Re: BankerFox.A and Win32/Nuqel.E
Welcome to GeekPolice. We are here to save you money. Our expertise here can help you get rid of threats.

From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a Tech Staff member, administrator, or moderator. Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.

As this topic is for you only, I just need to issue a warning to outside readers:
Warning: Instructions issued in this topic are for this user only. We are not responsible for damages, so if you need help; please register for this site, and start a new topic requesting help.

Please download ComboFix from BleepingComputer.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
  • Click Start>Run, then copy/paste the following command into the Run box & click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message confirming that the Recovery Console was successfully installed.

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

I would also like to see a list of installed programs, so please do this:
Click Start > Run then copy/paste the following single-line command into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt

In your next reply, please include the ComboFix log and the Add-Remove Programs log.

Re: BankerFox.A and Win32/Nuqel.E
Dear DMJ,
I'm not able to install commy.exe. I went through Start>Run and pasted your command "%userprofile%\desktop\commy.exe" /stepdel. It starts to run but is interrupted and I get the message that rund1132.exe is infected or commy.exe is infected. I tried a number of times.

I'm also not able to generate a list of programs. When I paste in
C:\Qoobox\Add-Remove Programs.txt
it says Windows cannot find 'C:\Qoobox\Add-Remove'

I did a search for a file called Add-Remove including system files and came up with nothing.

Any more suggestions?
carol

Re: BankerFox.A and Win32/Nuqel.E

Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Re: BankerFox.A and Win32/Nuqel.E
Dear DMJ (my hero)

It tried to stop me from running Malwarebytes but after a few tries I got it started. Now things seem to be humming along nicely. Log from Malwarebytes is below. Do you think the nightmare is over?

And do you think we need to change passwords that have been entered on this machine recently?

thanks a gazillion,
carol

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

10/21/2009 9:56:13 AM
mbam-log-2009-10-21 (09-56-13).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 182570
Time elapsed: 1 hour(s), 2 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 13
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f5f14e7a-f59d-45a0-bdc5-a9f5454f0bcf} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f5f14e7a-f59d-45a0-bdc5-a9f5454f0bcf} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f5f14e7a-f59d-45a0-bdc5-a9f5454f0bcf} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\main.bho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{8e3c68cd-f500-4a2a-8cb9-132bb38c3573} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{a0e1054b-01ee-4d57-a059-4d99f339709f} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Tool (Fake.SystemTool) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Program Files\Shared\lib.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DD416C0E-9E17-4469-9735-821DC16B1F6D}\RP1069\A0303496.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DD416C0E-9E17-4469-9735-821DC16B1F6D}\RP1070\A0304497.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DD416C0E-9E17-4469-9735-821DC16B1F6D}\RP1071\A0304512.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DD416C0E-9E17-4469-9735-821DC16B1F6D}\RP1075\A0304868.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DD416C0E-9E17-4469-9735-821DC16B1F6D}\RP1075\A0305866.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\syssvc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\qldlfa\qfjqsysguard.exe (Fake.SystemTool) -> Delete on reboot.
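As an added example (not part of the original thread, and not a Malwarebytes feature), the script below reads a Malwarebytes' Anti-Malware 1.x log in the layout posted above and separates what has already been quarantined from what is only marked "Delete on reboot". That distinction is the practical answer to "is it over": an item marked "Delete on reboot" is still on disk or in memory until the machine restarts, which is why the earlier instructions ask for an immediate restart when prompted. The parser assumes only the line form visible in the log, `<item> (<family>) -> <action>.`, and the sample is a constructed subset of the log above.

```python
"""Reads a Malwarebytes' Anti-Malware 1.x log and reports what is still pending.

Added example, not part of the original thread or of Malwarebytes. It assumes
only the log layout visible in the post above: a '<Something> Infected:' header
followed by one detection per line in the form
    <item> (<family>) -> <action>.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the MBAM log posted above.
SAMPLE_MBAM_LOG = r"""Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Tool (Fake.SystemTool) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Program Files\Shared\lib.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\syssvc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\qldlfa\qfjqsysguard.exe (Fake.SystemTool) -> Delete on reboot.
"""

HEADER_RE = re.compile(r"^(?P<section>.+ Infected):$")
ITEM_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass(frozen=True)
class Detection:
    section: str
    item: str
    family: str
    action: str

    @property
    def pending(self) -> bool:
        # MBAM's wording for "could not remove now, will remove at next boot"
        return self.action.lower().startswith("delete on reboot")


def parse_mbam(text: str):
    section, detections = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):   # blank, or "(No malicious items detected)"
            continue
        h = HEADER_RE.match(line)
        if h:
            section = h.group("section")
            continue
        m = ITEM_RE.match(line)
        if m and section:
            detections.append(Detection(section, m.group("item"),
                                        m.group("family"), m.group("action")))
    return detections


def pending_reboot(detections):
    """Unique items that stay on disk or in memory until the next restart."""
    return sorted({d.item for d in detections if d.pending})


def families(detections):
    """How many detections each malware family accounts for."""
    return Counter(d.family for d in detections)


def removal_complete(detections) -> bool:
    """True only when nothing is deferred to the next boot."""
    return not any(d.pending for d in detections)


if __name__ == "__main__":
    dets = parse_mbam(SAMPLE_MBAM_LOG)
    for family, n in families(dets).most_common():
        print(f"{n:3}  {family}")
    for item in pending_reboot(dets):
        print("pending restart:", item)
    print("removal complete:", removal_complete(dets))
```

Running the same parser over the log taken after the restart, as the thread's next step effectively does with ComboFix, is the check that turns "no more popups" into "nothing left pending".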

Re: BankerFox.A and Win32/Nuqel.E

Please download ComboFix from BleepingComputer.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
  • Click Start>Run, then copy/paste the following command into the Run box & click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message confirming that the Recovery Console was successfully installed.

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

I would also like to see a list of installed programs, so please do this:
Click Start > Run then copy/paste the following single-line command into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt

In your next reply, please include the ComboFix log and the Add-Remove Programs log.

Re: BankerFox.A and Win32/Nuqel.E
Good morning,

Still no viral activity on my machine. Yay! Below are my ComboFix log and Add-Remove Programs file.

Just let me know if you think I should do anything else.

thanks again,

carol

ComboFix 09-10-20.03 - Laura 10/22/2009 8:44.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.292 [GMT -5:00]
Running from: c:\documents and settings\Laura\desktop\commy.exe
Command switches used :: /stepdel
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common
c:\program files\Shared
c:\windows\Installer\12a9699.msp
c:\windows\Installer\170c15.msp
c:\windows\Installer\19f5ea7.msp
c:\windows\Installer\1c6614.msp
c:\windows\Installer\2385c.msp
c:\windows\Installer\26e7f.msp
c:\windows\Installer\27bae.msp
c:\windows\Installer\28061.msp
c:\windows\Installer\2b5c9.msp
c:\windows\Installer\3667fa.msp
c:\windows\Installer\4ac2a.msp
c:\windows\Installer\5f420.msi
c:\windows\Installer\5f871.msp
c:\windows\Installer\844525.msp
c:\windows\Installer\84453b.msp
c:\windows\Installer\8b004.msi
c:\windows\Installer\8ba07.msi
c:\windows\system32\lsp.dll

.
((((((((((((((((((((((((( Files Created from 2009-09-22 to 2009-10-22 )))))))))))))))))))))))))))))))
.

2009-10-21 13:48 . 2009-10-21 13:48 -------- d-----w- c:\documents and settings\Laura\Application Data\Malwarebytes
2009-10-21 13:45 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-21 13:45 . 2009-10-21 13:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-21 13:45 . 2009-10-21 13:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-21 13:45 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-19 19:58 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-10-19 19:58 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-10-19 19:58 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-10-19 19:58 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-10-19 19:58 . 2009-10-19 19:58 -------- d-----w- c:\program files\Avira
2009-10-19 19:58 . 2009-10-19 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-10-19 18:27 . 2009-10-19 18:27 -------- d-----w- c:\program files\Tracker Software
2009-10-19 17:54 . 2009-10-19 17:54 -------- d-----w- c:\program files\Trend Micro
2009-10-19 15:32 . 2009-10-19 18:14 -------- d-----w- c:\documents and settings\Laura\Local Settings\Application Data\NOS
2009-10-17 22:06 . 2009-10-21 14:58 -------- d-----w- c:\program files\qldlfa
2009-10-17 16:34 . 2009-10-17 16:34 -------- d-----w- c:\documents and settings\Laura\Local Settings\Application Data\PCHealth

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-21 17:53 . 2007-04-13 21:16 1632 ----a-w- c:\windows\system32\d3d8caps.dat
2009-10-19 15:27 . 2006-07-04 12:21 -------- d-----w- c:\program files\Java
2009-09-25 05:56 . 2004-08-10 05:05 662016 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:56 . 2004-08-10 05:05 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-11 14:33 . 2004-08-10 05:05 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45 . 2004-08-10 05:05 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-27 20:14 . 2007-01-02 15:18 1744 -c--a-w- c:\windows\system32\d3d9caps.dat
2009-08-26 08:16 . 2004-08-10 05:05 247326 -c--a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:11 . 2004-08-10 05:05 204800 -c--a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 14:00 . 2004-08-10 05:05 2180352 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 13:13 . 2004-08-03 22:59 2057728 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\K-Lite Codec Pack\QuickTime\qttask.exe" [2008-05-27 413696]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"GhostStartTrayApp"="c:\program files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" [2003-12-17 94208]
"DiskeeperSystray"="c:\program files\Executive Software\Diskeeper\DkIcon.exe" [2005-07-26 184408]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2003-11-10 34832]
"Tweak UI"="TWEAKUI.CPL" - c:\windows\system32\TWEAKUI.CPL [2005-08-03 106544]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-06-18 67584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
QuickBooks 2002 Delivery Agent.lnk - c:\program files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe [2006-7-5 315392]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0pgdfgsvc C 1

[HKLM\~\startupfolder\C:^Documents and Settings^Laura^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Laura\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/19/2009 2:58 PM 108289]
.
Contents of the 'Scheduled Tasks' folder

2009-10-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1035525444-725345543-1003Core.job
- c:\documents and settings\Laura\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-03 19:42]

2009-10-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1035525444-725345543-1003UA.job
- c:\documents and settings\Laura\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-03 19:42]

2009-10-22 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-28 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.geekpolice.net/
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Laura\Application Data\Mozilla\Firefox\Profiles\7dn3ut35.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.britishislesonline.com/cms/secureadmin/index.php?mod=store-viewproducts|http://www.britishislesonline.com/cms_home/
FF - plugin: c:\documents and settings\Laura\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

BHO-{F5F14E7A-F59D-45a0-BDC5-A9F5454F0BCF} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-22 08:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2584)
c:\windows\system32\browselc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Executive Software\Diskeeper\DkService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\commy\CF16508.exe
c:\progra~1\AOL9~1.1\waol.exe
c:\progra~1\AOL9~1.1\shellmon.exe
c:\program files\Common Files\aol\1215882299\ee\aolsoftware.exe
c:\commy\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-22 8:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-22 13:52

Pre-Run: 625,807,360 bytes free
Post-Run: 683,855,872 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 0C10DF4900A0871536DF2AD4FC76F056


Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Stock Photos 1.0
Advanced Registry Optimizer
Apple Mobile Device Support
Apple Software Update
Avira AntiVir Personal - Free Antivirus
Bonjour
CCleaner (remove only)
Compatibility Pack for the 2007 Office system
Diskeeper Professional Edition
DVD Shrink 3.2
FormViewer
Google Chrome
GTK+ 2.8.18-1 runtime environment
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
InterActual Player
K-Lite Mega Codec Pack 1.52
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Macromedia Extension Manager
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1 SP1 with KB886903 Hotfix
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.0.14)
Nero 7 Demo
Norton Ghost
PDF-Viewer
PDFCreator
QuickBooks Pro 2002
QuickTime
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Spybot - Search & Destroy
The GIMP 2.2.11
Uninstall AOL Emergency Connect Utility 1.0
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
VIA Rhine-Family Fast Ethernet Adapter
Viewpoint Media Player
WebFldrs XP
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
WinXP Manager
Zoboomafoo Animal Alphabet(TM)

Re: BankerFox.A and Win32/Nuqel.E

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.

Re: BankerFox.A and Win32/Nuqel.E

Dear DMJ

Below is my Malwarebytes log for today.

Another couple of pesky Trojans. Not sure how they got there. I've been deactivating Avira so it doesn't interfere with your directions, but I don't remember turning it back on for the rest of the day. Maybe I should have?

carol

Malwarebytes' Anti-Malware 1.41
Database version: 3019
Windows 5.1.2600 Service Pack 2

10/23/2009 12:23:21 PM
mbam-log-2009-10-23 (12-23-20).txt

Scan type: Quick Scan
Objects scanned: 117904
Time elapsed: 7 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f5f14e7a-f59d-45a0-bdc5-a9f5454f0bcf} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f5f14e7a-f59d-45a0-bdc5-a9f5454f0bcf} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
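The Malwarebytes log above is a plain-text format that a responder often has to triage in bulk: the summary counts at the top, then one section per category, with each detection line carrying the item, the threat name and the action taken. The following parser is an added example (not code from the thread, from GeekPolice or from Malwarebytes) that turns a 1.x-style log into structured findings, cross-checks the summary counts against the detection lines, and pulls out any CLSID registered as a Browser Helper Object, which is the persistence point shown in the log. The embedded sample is constructed from the posted log; the section names and line shapes are assumed from what is visible here and may need adjusting for other versions.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log into structured findings."""
import re

# Constructed sample modelled on the log posted in the thread (abridged).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.41
Database version: 3019
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Objects scanned: 117904
Time elapsed: 7 minute(s), 1 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 2
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f5f14e7a-f59d-45a0-bdc5-a9f5454f0bcf} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f5f14e7a-f59d-45a0-bdc5-a9f5454f0bcf} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

# "Registry Keys Infected: 2"  -> summary count line
COUNT_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):\s*(?P<count>\d+)\s*$")
# "Registry Keys Infected:"    -> start of a detail section
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):\s*$")
# "<item> (<threat>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
CLSID_RE = re.compile(r"\{[0-9a-fA-F-]{36}\}")


def parse_mbam_log(text):
    """Return (counts, findings): summary counts per category and one dict per detection line."""
    counts = {}
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            counts[m.group("name")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        m = DETECTION_RE.match(line)
        if m:
            clsid = CLSID_RE.search(m.group("item"))
            findings.append({
                "section": section,
                "item": m.group("item"),
                "threat": m.group("threat"),
                "action": m.group("action"),
                "clsid": clsid.group(0).lower() if clsid else None,
            })
    return counts, findings


def check_counts(counts, findings):
    """Return {section: (declared, parsed)} for every section whose summary count
    disagrees with the number of detection lines parsed; empty dict means consistent."""
    mismatches = {}
    for name, declared in counts.items():
        parsed = sum(1 for f in findings if f["section"] == name)
        if parsed != declared:
            mismatches[name] = (declared, parsed)
    return mismatches


def bho_clsids(findings):
    """CLSIDs that were registered under Explorer\\Browser Helper Objects.
    These are the IE load points worth re-checking after cleanup."""
    return {
        f["clsid"] for f in findings
        if f["clsid"] and "\\Browser Helper Objects\\" in f["item"]
    }


if __name__ == "__main__":
    counts, findings = parse_mbam_log(SAMPLE_LOG)
    for f in findings:
        print(f"{f['section']}: {f['threat']} -> {f['action']}")
    print("count mismatches:", check_counts(counts, findings))
    print("BHO CLSIDs:", bho_clsids(findings))
```

The count cross-check matters when logs are pasted by hand, as in this thread: a truncated paste shows up as a mismatch rather than being silently accepted as a clean result.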

Re: BankerFox.A and Win32/Nuqel.E

No big deal. It will be fine.

Please run Trend Micro Housecall online scan.

  • Click Scan now.
  • Read and put a Check next to Yes I accept the terms of use.
  • Click the Launching HouseCall>> button.
  • If confirmed that HouseCall can run on your system, under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
  • You may receive a Security Warning about the TrendMicro Java applet, click YES.
  • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
  • Please be patient while it installs, updates, and scans your system.
  • Once the scan is complete, it will take you to the summary page.
  • Under Cleanup options, choose clean all detected infections automatically.
  • Click the Clean now>> button.
  • If anything was found you may be prompted to run the scan again, you can just close the browser window.

Re: BankerFox.A and Win32/Nuqel.E

Good morning,

I ran Housecall yesterday. At the end there was a list of items like this...

MS08-074
An error occurred while trying to retrieve more information about this vulnerability. There is currently no more information available.
More information about this vulnerability and its elimination.
Affected programs and services: unknown
Malware exploiting this vulnerability: unknown
More information about this vulnerability and its elimination.


In all there were 22 entries like the above, all identical except for the number on top. Do you need to see the other numbers?

Anything else I should do at this point?

thanks,
c

Re: BankerFox.A and Win32/Nuqel.E

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

This will also reset your restore points.

How is the machine running now?

Re: BankerFox.A and Win32/Nuqel.E

I ran the above which said it uninstalled ComboFix.

The machine seems to be running fine now.

Thank you so very much!

carol
