Trojan horse SHeur2.CFJO

My AVG picked this up earlier and I've been getting audio ads running in the background, with or without a browser running. Also google links seem to redirect me to a site named 7ball which also redirects me to random search sites. Please help. Here's the hjt log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:39:48 AM, on 1/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User\Desktop\HiJackThis.exe
C:\Program Files\Internet Explorer\Iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fantasysports.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\User\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\User\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

--
End of file - 8613 bytes

Re: Trojan horse SHeur2.CFJO

Please download Cheetah-Anti-Rogue, and save to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.zip, and extract the file to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.cmd to start.
  • It will finish quickly and launch a log.
  • Post the contents of it in your next reply.

Re: Trojan horse SHeur2.CFJO

Cheetah Anti-Rogue v1.0.26
by DragonMaster Jay

Microsoft Windows XP [Version 5.1.2600]
Sun 01/10/2010 14:49:29.47


-- Known infection --



Extra message: Detection only.


EOF

Re: Trojan horse SHeur2.CFJO

Also just encountered this problem.

"Internet Explorer has encountered a problem with an add-on and needs to close.

The following add-on was running when this problem occurred:

Add-on Name: Flash10b.ocx
Company Name: Adobe Systems Incorporated
Description: Adobe Flash Player"

Not sure if this is related.

Re: Trojan horse SHeur2.CFJO

Please download Malwarebytes Anti-Malware from here.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Re: Trojan horse SHeur2.CFJO

MalwareBytes will not open when I double click it. I already have it installed on my machine. I don't get an error message and I see the process mbam.exe running in the processes tab. I also see a lot of dwwin.exe processes running that I don't recognize. Should I try to restart in safe mode?

Re: Trojan horse SHeur2.CFJO

  1. As this infection deletes a core executable of Malwarebytes' we will need to download a new copy of it and put it in the C:\program files\Malwarebytes' Anti-Malware\ folder. To download the file please click on the following link: Malwarebytes' RANDOM - EXE Download

    When your browser prompts you where to save it to, please save it to the C:\program files\Malwarebytes' Anti-Malware\ folder. When downloading the file, it will have a random filename. Please leave the filename the way it is as it is important that it is not changed. You may want to write down the name of the file as you will need to know the name in the next step.
  2. Once the file has been downloaded, open the C:\program files\Malwarebytes' Anti-Malware\ folder and double-click on the file you downloaded in step 8. MBAM will now start and you will be at the main program screen.

Re: Trojan horse SHeur2.CFJO

Did this and got this error:

An error occurred. Please report the following error code to the Malwarebytes' Anti-Malware support team.

Error code: 730 (0, 0)

Re: Trojan horse SHeur2.CFJO

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:

    :filefind
    scecli.dll
    netlogon.dll
    eventlog.dll
    winlogon.exe
    comres.dll
    crypt32.dll
    gpedit.dll
    rundll32.exe
    sfc.dll
    svchost.exe
    cngaudit.dll
    beep.sys
    wscntfy.exe
    atapi.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Re: Trojan horse SHeur2.CFJO

SystemLook v1.0 by jpshortstuff (10.01.10)
Log created at 23:35 on 10/01/2010 by User (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\WINDOWS\$NtServicePackUninstall$\scecli.dll -----c 180224 bytes [04:20 04/12/2008] [12:00 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\ERDNT\cache\scecli.dll --a--- 181248 bytes [21:20 11/10/2009] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\ServicePackFiles\i386\scecli.dll ------ 181248 bytes [10:30 27/08/2008] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\scecli.dll ------ 181248 bytes [12:00 04/08/2004] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084

Searching for "netlogon.dll"
C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll -----c 407040 bytes [04:20 04/12/2008] [12:00 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A
C:\WINDOWS\ERDNT\cache\netlogon.dll --a--- 407040 bytes [21:20 11/10/2009] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\ServicePackFiles\i386\netlogon.dll ------ 407040 bytes [10:29 27/08/2008] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\system32\netlogon.dll ------ 407040 bytes [12:00 04/08/2004] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550

Searching for "eventlog.dll"
C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll -----c 55808 bytes [04:20 04/12/2008] [12:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\ERDNT\cache\eventlog.dll --a--- 56320 bytes [21:20 11/10/2009] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll ------ 56320 bytes [10:28 27/08/2008] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\system32\eventlog.dll ------ 56320 bytes [12:00 04/08/2004] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656

Searching for "winlogon.exe"
C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe -----c 502272 bytes [04:20 04/12/2008] [12:00 04/08/2004] 01C3346C241652F43AED8E2149881BFE
C:\WINDOWS\ERDNT\cache\winlogon.exe --a--- 507904 bytes [21:20 11/10/2009] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\ServicePackFiles\i386\winlogon.exe ------ 507904 bytes [10:30 27/08/2008] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\winlogon.exe ------ 507904 bytes [12:00 04/08/2004] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E

Searching for "comres.dll"
C:\WINDOWS\$NtServicePackUninstall$\comres.dll -----c 792064 bytes [04:21 04/12/2008] [12:00 04/08/2004] 6728270CB7DBB776ED086F5AC4C82310
C:\WINDOWS\ServicePackFiles\i386\comres.dll ------ 792064 bytes [10:28 27/08/2008] [00:11 14/04/2008] 1280A158C722FA95A80FB7AEBE78FA7D
C:\WINDOWS\system32\comres.dll --a--- 792064 bytes [12:00 04/08/2004] [00:11 14/04/2008] 1280A158C722FA95A80FB7AEBE78FA7D

Searching for "crypt32.dll"
C:\WINDOWS\$NtServicePackUninstall$\crypt32.dll -----c 597504 bytes [04:21 04/12/2008] [12:00 04/08/2004] EFC958396A7A7EF7E6D4A52B97512E18
C:\WINDOWS\ServicePackFiles\i386\crypt32.dll ------ 599040 bytes [10:28 27/08/2008] [00:11 14/04/2008] BDAAF79DD63F194434D31A74B9BB8B77
C:\WINDOWS\system32\crypt32.dll --a--- 599040 bytes [12:00 04/08/2004] [00:11 14/04/2008] BDAAF79DD63F194434D31A74B9BB8B77

Searching for "gpedit.dll"
No files found.

Searching for "rundll32.exe"
C:\WINDOWS\$NtServicePackUninstall$\rundll32.exe -----c 33280 bytes [04:20 04/12/2008] [12:00 04/08/2004] DA285490BBD8A1D0CE6623577D5BA1FF
C:\WINDOWS\ServicePackFiles\i386\rundll32.exe ------ 33280 bytes [10:30 27/08/2008] [00:12 14/04/2008] 037B1E7798960E0420003D05BB577EE6
C:\WINDOWS\system32\rundll32.exe --a--- 33280 bytes [12:00 04/08/2004] [00:12 14/04/2008] 037B1E7798960E0420003D05BB577EE6

Searching for "sfc.dll"
C:\WINDOWS\$NtServicePackUninstall$\sfc.dll -----c 5120 bytes [04:20 04/12/2008] [12:00 04/08/2004] E8A12A12EA9088B4327D49EDCA3ADD3E
C:\WINDOWS\ERDNT\cache\sfc.dll --a--- 5120 bytes [21:20 11/10/2009] [00:12 14/04/2008] 96E1C926F22EE1BFBAE82901A35F6BF3
C:\WINDOWS\ServicePackFiles\i386\sfc.dll ------ 5120 bytes [10:30 27/08/2008] [00:12 14/04/2008] 96E1C926F22EE1BFBAE82901A35F6BF3
C:\WINDOWS\system32\sfc.dll ------ 5120 bytes [12:00 04/08/2004] [00:12 14/04/2008] 96E1C926F22EE1BFBAE82901A35F6BF3

Searching for "svchost.exe"
C:\WINDOWS\$NtServicePackUninstall$\svchost.exe -----c 14336 bytes [04:20 04/12/2008] [12:00 04/08/2004] 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\ERDNT\cache\svchost.exe --a--- 14336 bytes [21:20 11/10/2009] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\ServicePackFiles\i386\svchost.exe ------ 14336 bytes [10:30 27/08/2008] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\system32\svchost.exe ------ 14336 bytes [12:00 04/08/2004] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18

Searching for "cngaudit.dll"
No files found.

Searching for "beep.sys"
C:\WINDOWS\ERDNT\cache\beep.sys --a--- 4224 bytes [21:20 11/10/2009] [12:00 04/08/2004] DA1F27D85E0D1525F6621372E7B685E9
C:\WINDOWS\system32\dllcache\beep.sys --a--c 4224 bytes [12:00 04/08/2004] [12:00 04/08/2004] DA1F27D85E0D1525F6621372E7B685E9
C:\WINDOWS\system32\drivers\beep.sys ------ 4224 bytes [12:00 04/08/2004] [12:00 04/08/2004] DA1F27D85E0D1525F6621372E7B685E9

Searching for "wscntfy.exe"
C:\WINDOWS\$NtServicePackUninstall$\wscntfy.exe -----c 13824 bytes [04:21 04/12/2008] [12:00 04/08/2004] 49911DD39E023BB6C45E4E436CFBD297
C:\WINDOWS\ERDNT\cache\wscntfy.exe --a--- 13824 bytes [21:20 11/10/2009] [00:12 14/04/2008] F92E1076C42FCD6DB3D72D8CFE9816D5
C:\WINDOWS\ServicePackFiles\i386\wscntfy.exe ------ 13824 bytes [10:30 27/08/2008] [00:12 14/04/2008] F92E1076C42FCD6DB3D72D8CFE9816D5
C:\WINDOWS\system32\wscntfy.exe ------ 13824 bytes [12:00 04/08/2004] [00:12 14/04/2008] F92E1076C42FCD6DB3D72D8CFE9816D5

Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [04:20 04/12/2008] [02:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [10:27 27/08/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [12:00 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys --a--- 95360 bytes [20:51 11/08/2007] [12:00 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-
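
Added example (not from this thread, and not part of SystemLook or of the helper's instructions): a Python script that reads a ":filefind" log in the format posted above and compares the MD5 of each live copy under system32 with the ServicePackFiles\i386 copy, so a system file patched in place shows up even though its size is unchanged. Which directories count as "live" and "reference" is an assumption made here, and the short sample log, including its zero-filled hash, is constructed.

```python
# Added example for this thread: it is not part of SystemLook or of the
# helper's instructions. Directory roles and the sample log are assumptions.
import re
from typing import Dict, List, NamedTuple, Optional


class Entry(NamedTuple):
    path: str
    size: int
    md5: str


# One result line: <path> <attrs> <size> bytes [<time1>] [<time2>] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[[^\]]+\] \[[^\]]+\] (?P<md5>[0-9A-Fa-f]{32})$"
)
SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"$')

# Assumption: a copy in one of these directories is what Windows loads, and
# the Service Pack cache still holds a clean copy to compare it against.
LIVE_DIRS = (r"c:\windows\system32", r"c:\windows\system32\drivers")
REF_DIR = r"c:\windows\servicepackfiles\i386"


def _dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def parse_filefind(log: str) -> Dict[str, List[Entry]]:
    """Group result lines under the name of their 'Searching for' block."""
    results: Dict[str, List[Entry]] = {}
    current: Optional[str] = None
    for raw in log.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name").lower()
            results[current] = []          # 'No files found.' leaves it empty
            continue
        m = LINE_RE.match(line)
        if m and current is not None:
            results[current].append(
                Entry(m.group("path"), int(m.group("size")), m.group("md5").upper())
            )
    return results


def check_system_files(log: str) -> Dict[str, str]:
    """One verdict per searched name: 'ok', 'MISMATCH: ...', 'unverified'
    (no reference copy) or 'not found'. The hash, not the size, is the
    signal: a driver patched in place keeps its original size."""
    verdicts: Dict[str, str] = {}
    for name, entries in parse_filefind(log).items():
        live = [e for e in entries if _dirname(e.path) in LIVE_DIRS]
        ref = [e for e in entries if _dirname(e.path) == REF_DIR]
        if not entries:
            verdicts[name] = "not found"
        elif not live:
            verdicts[name] = "not found under system32"
        elif not ref:
            verdicts[name] = "unverified"
        else:
            bad = [e for e in live if e.md5 != ref[0].md5]
            if not bad:
                verdicts[name] = "ok"
            else:
                details = "; ".join(
                    f"{e.path} md5 {e.md5}"
                    + (" (same size as reference)" if e.size == ref[0].size else "")
                    for e in bad
                )
                verdicts[name] = "MISMATCH: " + details
    return verdicts


# Constructed sample in the SystemLook format. The svchost.exe lines match
# the posted log; the atapi.sys live copy carries a zero-filled placeholder
# hash standing in for a patched driver.
SAMPLE_LOG = r"""========== filefind ==========

Searching for "svchost.exe"
C:\WINDOWS\ServicePackFiles\i386\svchost.exe ------ 14336 bytes [10:30 27/08/2008] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\system32\svchost.exe ------ 14336 bytes [12:00 04/08/2004] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18

Searching for "atapi.sys"
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [10:27 27/08/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [12:00 04/08/2004] [18:40 13/04/2008] 00000000000000000000000000000000

Searching for "cngaudit.dll"
No files found.

-=End Of File=-
"""

if __name__ == "__main__":
    for name, verdict in check_system_files(SAMPLE_LOG).items():
        print(f"{name:14} {verdict}")
```

The comparison is only as good as the reference copy: if ServicePackFiles\i386 has itself been tampered with, both copies agree and the verdict is "ok", so treat it as a first screen rather than proof of a clean file.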

Re: Trojan horse SHeur2.CFJO

Open NOTEPAD.exe and copy/paste the text in the codebox below:
(don't forget to copy and paste REGEDIT4)

Code:

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog]
"Start"=dword:00000004

Save this as fix.reg. Choose "Save type as - All Files".
It should look like this: (screenshot)
Double click on fix.reg & allow it to merge into the registry

Then try to run Malwarebytes again.

Re: Trojan horse SHeur2.CFJO

Did this and it still won't let me run Malwarebytes from mbam.exe. I get the same error when I try to run it from the random file extension.

Re: Trojan horse SHeur2.CFJO

Please download RootRepeal from GooglePages.com.

  • Extract the program file to your Desktop.
  • Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the Desktop.
  • Please copy/paste the contents of the report in your next reply.

Please remove any e-mail address in the RootRepeal report (if present).

Re: Trojan horse SHeur2.CFJO

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/01/11 19:21
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xED6CC000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8E18000 Size: 8192 File Visible: No Signed: -
Status: -

Name: H8SRTevpwmyxilr.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTevpwmyxilr.sys
Address: 0xED8ED000 Size: 118784 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF8A94000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\H8SRTdqvspxownr.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\h8srtkrl32mainweq.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\h8srtshsyst.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTubpetyxtvn.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTugavbwwbpq.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTvnvjbivbyp.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTwlnsdpqxmk.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\temp\H8SRT6e60.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\temp\H8SRT7420.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\temp\H8SRT7922.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\H8SRTevpwmyxilr.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\temp\H8SRT40d5.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\temp\h8srtmainqt.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\7ZNXGH91\user@forums.rotoworld[1].txt
Status: Locked to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\7ZNXGH91\user@forums.rotoworld[1].txt
Status: Locked to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\7ZNXGH91\av-15327[1].jpg
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\7ZNXGH91\av-16805[1].jpg
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\JET28O22\av-6843[1].jpg
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\JET28O22\c=153%7Crand=224096364%7Cpv=y%7Cint=rotoworld%20%7Crt=ifr[1].htm
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\JET28O22\roto_mbrd;!category=roto;!category=noopapd;site=roto;sect=mbrd;dcopt=ist;sz=728x90;pos=1;tile=1;ord=99155[1]
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\LUI84A7O\r[9].js
Status: Visible to the Windows API, but not on disk.

Stealth Objects
-------------------
Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: services.exe (PID: 768) Address: 0x10000000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: lsass.exe (PID: 780) Address: 0x10000000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: Ati2evxx.exe (PID: 944) Address: 0x10000000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: svchost.exe (PID: 960) Address: 0x008a0000 Size: 36864

Object: hȋdden Module [Name: H8SRTwlnsdpqxmk.dll]
Process: svchost.exe (PID: 960) Address: 0x00940000 Size: 65536

Object: hȋdden Module [Name: H8SRTubpetyxtvn.dll]
Process: svchost.exe (PID: 960) Address: 0x00cb0000 Size: 69632

Object: hȋdden Module [Name: H8SRT7420.tmptyxtvn.dll]
Process: svchost.exe (PID: 960) Address: 0x10000000 Size: 69632

Object: hȋdden Module [Name: H8SRT7420.tmptyxtvn.dll]
Process: svchost.exe (PID: 1084) Address: 0x10000000 Size: 69632

Object: hȋdden Module [Name: H8SRT7420.tmptyxtvn.dll]
Process: svchost.exe (PID: 1180) Address: 0x10000000 Size: 69632

Object: hȋdden Module [Name: H8SRT7420.tmptyxtvn.dll]
Process: svchost.exe (PID: 1224) Address: 0x10000000 Size: 69632

Object: hȋdden Module [Name: H8SRT7420.tmptyxtvn.dll]
Process: svchost.exe (PID: 1496) Address: 0x10000000 Size: 69632

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: Explorer.EXE (PID: 1544) Address: 0x00c40000 Size: 36864

Object: hȋdden Module [Name: H8SRT7420.tmptyxtvn.dll]
Process: Explorer.EXE (PID: 1544) Address: 0x10000000 Size: 69632

Object: hȋdden Module [Name: H8SRT7420.tmptyxtvn.dll]
Process: svchost.exe (PID: 1620) Address: 0x10000000 Size: 69632

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: AAWService.exe (PID: 1856) Address: 0x00a10000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: ctfmon.exe (PID: 1932) Address: 0x10000000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: spoolsv.exe (PID: 1972) Address: 0x10000000 Size: 36864

Object: hȋdden Module [Name: H8SRT7420.tmptyxtvn.dll]
Process: svchost.exe (PID: 1508) Address: 0x10000000 Size: 69632

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: AppleMobileDeviceService.exe (PID: 1576) Address: 0x10000000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: jqs.exe (PID: 168) Address: 0x10000000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: pg_ctl.exe (PID: 1896) Address: 0x00b60000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: HPZipm12.exe (PID: 332) Address: 0x10000000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: SMAgent.exe (PID: 428) Address: 0x10000000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: postgres.exe (PID: 464) Address: 0x01160000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: TomTomHOMEService.exe (PID: 484) Address: 0x10000000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: postgres.exe (PID: 1264) Address: 0x01160000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: postgres.exe (PID: 1536) Address: 0x01160000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: postgres.exe (PID: 1424) Address: 0x01160000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: postgres.exe (PID: 1660) Address: 0x01160000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: postgres.exe (PID: 1684) Address: 0x01160000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: unsecapp.exe (PID: 224) Address: 0x10000000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: alg.exe (PID: 2056) Address: 0x10000000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: wmiprvse.exe (PID: 2152) Address: 0x10000000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: SynTPEnh.exe (PID: 2436) Address: 0x10000000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: SMax4PNP.exe (PID: 2464) Address: 0x00bc0000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: AGRSMMSG.exe (PID: 2676) Address: 0x10000000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: HPWuSchd2.exe (PID: 2876) Address: 0x10000000 Size: 36864

Object: hȋdden Module [Name: H8SRTvnvjbivbyp.dll]
Process: AAWTray.exe (PID: 2940) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: avgtray.exe (PID: 2952) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: jusched.exe (PID: 3016) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: GoogleToolbarNotifier.exe (PID: 3064) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: TomTomHOMERunner.exe (PID: 3072) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: wuauclt.exe (PID: 3152) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRT7922.tmpbwwbpq.dll]
Process: iexplore.exe (PID: 3892) Address: 0x00d70000 Size: 151552

Object: hidden Module [Name: H8SRT7420.tmptyxtvn.dll]
Process: iexplore.exe (PID: 3892) Address: 0x10000000 Size: 69632

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: gtb6.tmp.exe (PID: 472) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTugavbwwbpq.dll]
Process: iexplore.exe (PID: 840) Address: 0x00d70000 Size: 151552

Object: hidden Module [Name: H8SRTubpetyxtvn.dll]
Process: iexplore.exe (PID: 840) Address: 0x10000000 Size: 69632

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 3232) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 3084) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 2872) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 3520) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 3112) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 1456) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 3212) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 260) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 3392) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 3496) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 2852) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 4072) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 3100) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 2700) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 2388) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 3276) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 1052) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 2956) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 2112) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 3740) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 2828) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 644) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 1412) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 1524) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 2548) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 1984) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 1388) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 2500) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 836) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 972) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: RootRepeal.exe (PID: 1376) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 3216) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 3008) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 2976) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 3264) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 4436) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 4644) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 5144) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 5328) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 5732) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 5980) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 1420) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 4260) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 4468) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 4884) Address: 0x10000000 Size: 36864

Object: hidden Module [Name: H8SRTugavbwwbpq.dll]
Process: Iexplore.exe (PID: 4712) Address: 0x00d70000 Size: 151552

Object: hidden Module [Name: H8SRTubpetyxtvn.dll]
Process: Iexplore.exe (PID: 4712) Address: 0x10000000 Size: 69632

Object: hidden Module [Name: H8SRTvnvjbivbyp.dll]
Process: dwwin.exe (PID: 4768) Address: 0x10000000 Size: 36864

hidden Services
-------------------
Service Name: H8SRTd.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTevpwmyxilr.sys

==EOF==

Re: Trojan horse SHeur2.CFJO
Pretty bad rootkit infection there.

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that.

==

Please open SystemLook.
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:

    :filefind
    *H8SRT*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Post both the SystemLook and ComboFix logs, please.

Re: Trojan horse SHeur2.CFJO
I downloaded ComboFix but because the trojan has done something to my AVG scanner it wont allow me to disable it. When I look at the AVG interface there are no active components. I tried uninstalling it altogether and got an error there too. Will booting in safe mode fix this?

Re: Trojan horse SHeur2.CFJO
Try to run it without disabling AVG.

Re: Trojan horse SHeur2.CFJO
ComboFix log:

ComboFix 10-01-11.03 - User 01/12/2010 1:50.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.23 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\$NtUninstallKB922582$
c:\windows\$NtUninstallKB922582$\fltlib.dll
c:\windows\$NtUninstallKB922582$\fltmc.exe
c:\windows\$NtUninstallKB922582$\fltmgr.sys
c:\windows\$NtUninstallKB922582$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB922582$\spuninst\spuninst.inf
c:\windows\$NtUninstallKB922582$\spuninst\spuninst.txt
c:\windows\$NtUninstallKB922582$\spuninst\updspapi.dll
c:\windows\system32\drivers\H8SRTevpwmyxilr.sys
c:\windows\system32\H8SRTdqvspxownr.dat
c:\windows\system32\h8srtkrl32mainweq.dll
c:\windows\system32\h8srtshsyst.dll
c:\windows\system32\H8SRTubpetyxtvn.dll
c:\windows\system32\H8SRTugavbwwbpq.dll
c:\windows\system32\H8SRTvnvjbivbyp.dll
c:\windows\system32\H8SRTwlnsdpqxmk.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys


((((((((((((((((((((((((( Files Created from 2009-12-12 to 2010-01-12 )))))))))))))))))))))))))))))))
.

2010-01-11 04:15 . 2010-01-11 04:15 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-11 68856]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-04-08 251240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-16 335872]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-05-19 86105]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-19 774233]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-19 88209]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-09-28 520024]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-12 2043160]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\documents and settings\User\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-17 13:07 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2009-05-19 05:23 49968 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-09-26 18:42 267064 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-02-06 22:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-08-11 20:44 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2009-04-08 10:38 251240 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\TomTom HOME 2\\xulrunner\\TomTomHOMERuntime.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/9/2009 2:35 AM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/15/2009 12:48 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/15/2009 12:48 AM 108552]
R3 WBSD;Winbond Secure Digital Storage (SD/MMC) Device Driver;c:\windows\system32\drivers\wbsd.sys [8/11/2007 4:21 PM 26240]
.
Contents of the 'Scheduled Tasks' folder

2010-01-04 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 07:36]

2010-01-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:57]

2010-01-12 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-11 01:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://fantasysports.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\k17tjquc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://fantasysports.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-12 02:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2392)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\AAWService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\progra~1\AVG\AVG8\avgwdsvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\TomTom HOME 2\TomTomHOMEService.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\AGRSMMSG.exe
c:\program files\AIM6\aolsoftware.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
.
**************************************************************************
.
Completion time: 2010-01-12 02:27:57 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-12 07:27

Pre-Run: 2,422,988,800 bytes free
Post-Run: 2,862,596,096 bytes free

- - End Of File - - 8AD4CDBF2D4A1B791052EA937FF261D7




SystemLook log:

SystemLook v1.0 by jpshortstuff (10.01.10)
Log created at 02:32 on 12/01/2010 by User (Administrator - Elevation successful)

========== filefind ==========

Searching for "*H8SRT*"
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\H8SRTevpwmyxilr.sys.vir --a--- 40960 bytes [05:15 10/01/2010] [05:15 10/01/2010] 317E6468C7CBC2119C95A195C81E4A6A
C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRTdqvspxownr.dat.vir --a--- 246 bytes [05:15 10/01/2010] [05:49 12/01/2010] 6F2195173CB3137BAE4E62E08E73F0C7
C:\Qoobox\Quarantine\C\WINDOWS\system32\h8srtkrl32mainweq.dll.vir --a--- 934 bytes [05:16 10/01/2010] [05:49 12/01/2010] D9B883A02FB5FF29660E1732E605150D
C:\Qoobox\Quarantine\C\WINDOWS\system32\h8srtshsyst.dll.vir --a--- 1572 bytes [08:39 10/01/2010] [00:20 12/01/2010] D6406AF9A943AD777EBB131A6B19A710
C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRTubpetyxtvn.dll.vir --a--- 36864 bytes [05:15 10/01/2010] [23:44 11/01/2010] 1B6B85526CDCCCC5037C98DC9134B999
C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRTugavbwwbpq.dll.vir --a--- 40960 bytes [05:15 10/01/2010] [23:44 11/01/2010] 9172D598AE27F4348C630EE33E5B3FD3
C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRTvnvjbivbyp.dll.vir --a--- 16896 bytes [05:15 10/01/2010] [05:15 10/01/2010] 881CE66F3FBC3AFD0D644BDAA81F65D5
C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRTwlnsdpqxmk.dll.vir --a--- 23552 bytes [05:15 10/01/2010] [05:15 10/01/2010] BEA4AE5AD13A542B8BDCD0189DE659FE
C:\Qoobox\Quarantine\Registry_backups\Service_H8SRTd.sys.reg.dat --a--- 1026 bytes [06:40 12/01/2010] [06:40 12/01/2010] 0122C48E4192509BF765B3B21B2DE070

-=End Of File=-

Re: Trojan horse SHeur2.CFJO
Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Re: Trojan horse SHeur2.CFJO
AVG picked these infections up when I came back from standby. Haven't run the ESET Scanner yet, will do so when I return home.

C:\System Volume Information\_restore{5D4D12C6-7242-44E9-B139-8F78E9065905}\RP704\A0063156.sys

All in process name: C:\WINDOWS\system32\svchost.exe

It looks as if it's the same file picked up 6 times. Says it cannot be healed because specified file cannot be found.

Re: Trojan horse SHeur2.CFJO
Says it cannot be healed because specified file cannot be found.


Exactly. We deleted it, remember? LOL

I think it is time to get rid of AVG. Do you have a paid subscription, or just the free version?

Re: Trojan horse SHeur2.CFJO
Just the free version of AVG. Here's the ESET log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.16945 (vista_gdr.091027-0049)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=fee07af5150db04f9f9b7b94007cb660
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-01-13 07:04:13
# local_time=2010-01-13 02:04:13 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1028 16777173 100 88 0 22664841 0 0
# compatibility_mode=8192 67108863 100 0 7212105 7212105 0 0
# scanned=60439
# found=3
# cleaned=3
# scan_time=5335
C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRTubpetyxtvn.dll.vir a variant of Win32/Kryptik.BSW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRTugavbwwbpq.dll.vir a variant of Win32/Kryptik.BSW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRTvnvjbivbyp.dll.vir a variant of Win32/Kryptik.BLL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Re: Trojan horse SHeur2.CFJO
That would be ComboFix's quarantine.

To uninstall ComboFix


  • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  • In the field, type in ComboFix /uninstall
    (Note: Make sure there's a space between the word ComboFix and the forward-slash.)
  • Then, press Enter, or click OK.
  • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.


==

Completely Uninstall AVG software

Download and run avgremover.exe

For 32-Bit, Download: avgremover.exe.

==

Get a new antivirus:


  • Avast!: this is an advanced malware removal antivirus program. The free version equips you with protection against viruses, spyware, trojans, rootkits, worms, and rogue software.
  • Avira Antivir: this is an advanced malware removal antivirus program. The free version equips you with protection against viruses, spyware, trojans, rootkits, worms, and rogue software.
  • Rising Antivirus: this is a lightweight, and great virus destroyer. It removes tough viruses, and even rootkits and trojans get destroyed.

Re: Trojan horse SHeur2.CFJO
Did all of the above and the computer is running in tip-top shape. Thank you for your hard work kind sir.
