WiredWX Christian Hobby Weather Tools
Windows knows I plugged in a USB device but drive wont show

I have tried both my flash drive and my SD card reader and I can not view either.

Windows XP Home with SP3 shows the device in my device manager as a mass storage device but all of a sudden it stopped creating a new F drive when I plug it in.

It always worked before and then over the past couple of weeks I have been fighting off viruses - I don't know how much that has to do with it, but I am out of ideas on my end!

Re: Windows knows I plugged in a USB device but drive wont show

I thought I should post my Hijack This log as well:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:37:21 PM, on 5/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
\?\globalroot\C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Arthur.VANDELAY\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\Winzip\winzip32.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SYS32DLL] SYS32DLL
O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\ARTHUR~1.VAN\protect.dll,_IWMPEvents@16
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Arthur.VANDELAY\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\lxkad.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\lxkad.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [SYS32DLL] SYS32DLL (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1.000\protect.dll,_IWMPEvents@16 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\lxkad.exe (User 'Default user')
O4 - S-1-5-18 Startup: ChkDisk.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: ChkDisk.lnk = ? (User 'Default user')
O4 - Startup: ChkDisk.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227222424972
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Update Service (gupdate1c9cf6055108bf0) (gupdate1c9cf6055108bf0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 5583 bytes

Re: Windows knows I plugged in a USB device but drive wont show

Hey Fenway0077, I'm starting to get the same problem over here near Foxboro. My problem is occurring on Windows 7 (7000)

Re: Windows knows I plugged in a USB device but drive wont show

It's obnoxious because I'd like to be able to transfer data from my micro SD card to my computer and vice versa...

If anyone knows what to do it would be greatly appreciated!

Re: Windows knows I plugged in a USB device but drive wont show

Fenway0077 - Your machine is severely infected, I'm surprised you're still able to boot. I'm moving this topic anyhow, wrong section.

Will post you some instructions in my next post.

OaklandCD - I'd put that down to drivers. I have Win7 (7057) and have no internet connection on that, but I do on XP.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Windows knows I plugged in a USB device but drive wont show

OK, thanks belahzur, I look forward to your help - thanks!

Re: Windows knows I plugged in a USB device but drive wont show

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - (no file)
    O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
    O4 - HKCU\..\Run: [SYS32DLL] SYS32DLL
    O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\ARTHUR~1.VAN\protect.dll,_IWMPEvents@16
    O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\lxkad.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\lxkad.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [SYS32DLL] SYS32DLL (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1.000\protect.dll,_IWMPEvents@16 (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\lxkad.exe (User 'Default user')
    O4 - S-1-5-18 Startup: ChkDisk.lnk = ? (User 'SYSTEM')
    O4 - .DEFAULT Startup: ChkDisk.lnk = ? (User 'Default user')
    O4 - Startup: ChkDisk.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


  • Press "Fix Checked"
  • Close Hijack This.

Remove the Proxy setting in Internet Explorer and/or in Firefox.

In IE: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

In Firefox in Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection > Choose "No Proxy"

Click the apply button and restart that computer in normal mode.

=======
Your system is severely infected. Problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. Reason I am telling this is because when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts.

Actually, this doesn't surprise me at all...
I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There doubleclick the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply.
Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an antivirus scan is not present which should be able to deal with most and prevent further reinfection.

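The triage behind the HijackThis selection in the post above can be sketched as a script. This is an added example, not part of the original thread and not HijackThis's own logic: the heuristics are assumptions derived from the entries selected there, and the sample lines are copied from the log posted earlier in the thread.

```python
import re

# Subset of the HijackThis log posted in this thread (flagged and benign lines).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SYS32DLL] SYS32DLL
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\lxkad.exe (User 'SYSTEM')
O4 - Startup: ChkDisk.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""

# "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY = re.compile(r"^([RO]\d+) - (.*)$")
# Body of an O4 registry autorun: hive, value name, command, optional user tag.
RUN = re.compile(
    r"^\S+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$"
)


def reasons_for(section, body):
    """Return the review reasons for one log entry (empty list = no flag).

    The rules are assumptions for illustration, not a malware verdict.
    """
    reasons = []
    low = body.lower()
    if section in ("R0", "R1"):
        if "proxyserver" in low and re.search(r"localhost|127\.0\.0\.1", low):
            reasons.append("browser proxy points at the local machine")
    elif section == "O2":
        if low.endswith("(no file)"):
            reasons.append("BHO registered with no file on disk")
    elif section == "O4":
        run = RUN.match(body)
        if run:
            name, cmd = run.group("name"), run.group("cmd")
            if name == "":
                reasons.append("Run value with an empty name")
            if "\\temp\\" in cmd.lower():
                reasons.append("launches from a TEMP directory")
            if cmd.lower().startswith("rundll32"):
                reasons.append("rundll32 autorun: verify the DLL and export")
            if "\\" not in cmd and "." not in cmd:
                reasons.append("bare command with no path or extension")
        elif re.search(r"startup: .+\.lnk = \?", low):
            reasons.append("Startup shortcut whose target did not resolve")
    elif section == "O6":
        reasons.append("Internet Explorer policy restrictions present")
    return reasons


def triage(log_text):
    """Return [(line, [reasons])] for every entry that matched a rule."""
    flagged = []
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = ENTRY.match(line)
        if not entry:
            continue  # headers, process list, blank lines
        reasons = reasons_for(entry.group(1), entry.group(2))
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

A flag here means "review this entry", not "delete it": legitimate software also uses rundll32 autoruns and policy keys, so each hit still needs the file and its origin checked before anything is fixed.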

Re: Windows knows I plugged in a USB device but drive wont show

Thanks Belahzur, this problem just started today as I was trying to use my USB to retrieve some files before I installed my new Win 7 RC (7100).

Re: Windows knows I plugged in a USB device but drive wont show

Thanks, the antivirus software is still running, I will post when it's complete!

Re: Windows knows I plugged in a USB device but drive wont show

Message too long for one post -

1st Half -



Avira AntiVir Personal
Report file date: Friday, May 08, 2009 19:28

Scanning for 1284893 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : VANDELAY

Version information:
BUILD.DAT : 9.0.0.394 17962 Bytes 4/17/2009 11:20:00
AVSCAN.EXE : 9.0.3.5 466689 Bytes 4/17/2009 13:57:30
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 01:33:26
ANTIVIR2.VDF : 7.1.2.105 513536 Bytes 3/3/2009 12:41:14
ANTIVIR3.VDF : 7.1.2.127 110592 Bytes 3/5/2009 19:58:20
Engineversion : 8.2.0.100
AEVDF.DLL : 8.1.1.0 106868 Bytes 1/27/2009 22:36:42
AESCRIPT.DLL : 8.1.1.56 352634 Bytes 2/27/2009 01:01:56
AESCN.DLL : 8.1.1.7 127347 Bytes 2/12/2009 16:44:25
AERDL.DLL : 8.1.1.3 438645 Bytes 10/29/2008 23:24:41
AEPACK.DLL : 8.1.3.10 397686 Bytes 3/4/2009 18:06:10
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/27/2009 01:01:56
AEHEUR.DLL : 8.1.0.100 1618295 Bytes 2/25/2009 20:49:16
AEHELP.DLL : 8.1.2.2 119158 Bytes 2/27/2009 01:01:56
AEGEN.DLL : 8.1.1.24 336244 Bytes 3/4/2009 18:06:10
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 19:32:40
AECORE.DLL : 8.1.6.6 176501 Bytes 2/17/2009 19:22:44
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 19:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 15:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 19:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 20:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10
RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2/9/2009 16:45:45
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 15:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, E:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +SPR,

Start of the scan: Friday, May 08, 2009 19:28

Starting search for hidden objects.
c:\windows\system32\ovfsthaffqptalhutliltvqpbhsnvxvkgrjuna.dll
[INFO] The file is not visible.
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[INFO] No SpecVir entry was found!
[NOTE] A backup was created as '4a6ac1b5.qua' ( QUARANTINE )
c:\windows\system32\ovfsthewgmsvntjtywdjmasmcvuqtmndhysthm.dll
[INFO] The file is not visible.
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[INFO] No SpecVir entry was found!
[NOTE] A backup was created as '4b1f23e6.qua' ( QUARANTINE )
c:\windows\system32\ovfsthlpgcemywtdexplotljmkqijfxpwsdaoe.dat
[INFO] The file is not visible.
[NOTE] A backup was created as '4b12cb86.qua' ( QUARANTINE )
c:\windows\system32\ovfsthmmwqfrnypyenkpkbpjqjqqpxreorvxxx.dat
[INFO] The file is not visible.
[NOTE] A backup was created as '4b10f3a6.qua' ( QUARANTINE )
c:\windows\system32\ovfsthxuylrwovmwqywpvgkttedfxmyseppwkw.dll
[INFO] The file is not visible.
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[INFO] No SpecVir entry was found!
[NOTE] A backup was created as '4b169846.qua' ( QUARANTINE )
c:\windows\system32\drivers\ovfsthxvnspibmusiesbxmiqxumxviyjktqeee.sys
[INFO] The file is not visible.
[NOTE] A backup was created as '4b144066.qua' ( QUARANTINE )
c:\documents and settings\arthur.vandelay\local settings\temp\ovfsthx000
[INFO] The file is not visible.
[NOTE] A backup was created as '4bea6806.qua' ( QUARANTINE )
\systemroot\system32\drivers\ovfsthxvnspibmusiesbxmiqxumxviyjktqeee.sys
[INFO] The registry entry is invisible.
[WARNING] The file could not be copied to the quarantine directory.
[WARNING] Error in ARK library
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ovfsthmpmfhxrbfoobwwquucknyowctabuyuvh
[INFO] The registry entry is invisible.
'43133' objects were checked, '9' hidden objects were found.

The scan of running processes will be started
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'msiexec.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'GoogleUpdate.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'GoogleUpdate.exe' - '1' Module(s) have been scanned
Scan process 'LEXPPS.EXE' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'LEXBCES.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned

Re: Windows knows I plugged in a USB device but drive wont show

2nd Half -

31 processes with 31 modules were scanned

Starting master boot sector scan:

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'E:\'
[INFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '46' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Program Files\Common Files\InterVideo\DVD6\InterActual\iauninst.exe
[WARNING] The file could not be opened!
C:\Program Files\Common Files\SYSTEM\Mapi\1033\SmitfraudFix\restart.exe
[DETECTION] Contains recognition pattern of the SPR/Tool.Hardoff.A program
C:\Program Files\InstallShield Installation Information\{01083175-01CC-42AA-9090-81DD0F88F28F}\_setup.dll
[WARNING] The file could not be opened!
C:\Program Files\InstallShield Installation Information\{8EF1122E-E90C-4EE9-AB0C-7FDE2BA42C26}\_setup.dll
[WARNING] The file could not be opened!
C:\Program Files\InstallShield Installation Information\{E8569164-0F7D-46E1-8577-0B5820B43135}\_setup.dll
[WARNING] The file could not be opened!
C:\Program Files\InstallShield Installation Information\{E9EEA523-4540-4A23-A0EE-5C21DE90ACA9}\_setup.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\CoverDesigner\CoverDes.exe
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\AudioPluginMgr.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\CDCopy.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\cdr100.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\cdr50s.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\CDROM.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\cdu920.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\cr2200cs.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\Drweb32.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\DVDREALLOC.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\Dws114x.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\Equalize.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\FATImporter.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\GENCUSH.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\Generatr.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\GenFAT.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\geniso.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\GenPCHy.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\GenUDF.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\image.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\ImageGen.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\ims.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\ISOFS.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\KARAOKE.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\MMC.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\MPGEnc.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\NeHDBlkAccess.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\NeMP3Dmo.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\NeMP3Hlp.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\neroAPI.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\NeroCmd.exe
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\NeroCom.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\neroDB.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\neroErr.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\NeroMediaCon.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\NeroNet.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\neroscsi.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\neRSDB.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\NetRecorder.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\NeVCDEngine.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\newtrf.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\NRESTORE.EXE
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\READHD16.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\ReadHD32.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\ro1420c.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\UDFImporter.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\VCDMenu.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\VMPEGEnc.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\VMPEGEncNDX.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\WNASPI32.DLL
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero BackItUp\BackItUp.exe
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero BackItUp\NBJ.exe
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero BackItUp\NBR.exe
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero StartSmart\NeroStartSmart.exe
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero Toolkit\CDSpeed.exe
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero Toolkit\DriveSpeed.exe
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero Toolkit\hwinfo.exe
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero Toolkit\InfoTool.exe
[WARNING] The file could not be opened!
C:\SmitfraudFix\restart.exe
[DETECTION] Contains recognition pattern of the SPR/Tool.Hardoff.A program
Begin scan in 'E:\'

Beginning disinfection:
C:\Program Files\Common Files\SYSTEM\Mapi\1033\SmitfraudFix\restart.exe
[DETECTION] Contains recognition pattern of the SPR/Tool.Hardoff.A program
[NOTE] The file was moved to '4a77e48a.qua'!
C:\SmitfraudFix\restart.exe
[DETECTION] Contains recognition pattern of the SPR/Tool.Hardoff.A program
[NOTE] The file was moved to '4a77e48b.qua'!


End of the scan: Friday, May 08, 2009 22:02
Used time: 2:33:14 Hour(s)

The scan has been done completely.

8098 Scanned directories
392899 Files were scanned
5 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
9 Files were moved to quarantine
0 Files were renamed
65 Files cannot be scanned
392829 Files not concerned
3057 Archives were scanned
66 Warnings
11 Notes
43133 Objects were scanned with rootkit scan
9 Hidden objects were found

Re: Windows knows I plugged in a USB device but drive wont show

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Note: This tool was posted specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

3. Please copy/paste the content of c:\avenger.txt into your reply.


Re: Windows knows I plugged in a USB device but drive wont show

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "ovfsthmpmfhxrbfoobwwquucknyowctabuyuvh" found!
ImagePath: \systemroot\system32\drivers\ovfsthxvnspibmusiesbxmiqxumxviyjktqeee.sys
Driver disabled successfully.

Rootkit scan completed.


Completed script processing.

*******************

Finished! Terminate.

Re: Windows knows I plugged in a USB device but drive wont show

1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


    Drivers to delete:
    ovfsthmpmfhxrbfoobwwquucknyowctabuyuvh

    Files to delete:
    C:\WINDOWS\system32\drivers\ovfsthxvnspibmusiesbxmiqxumxviyjktqeee.sys


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

3. Please copy/paste the content of c:\avenger.txt into your reply.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Windows knows I plugged in a USB device but drive wont show

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "ovfsthmpmfhxrbfoobwwquucknyowctabuyuvh" deleted successfully.
File "C:\WINDOWS\system32\drivers\ovfsthxvnspibmusiesbxmiqxumxviyjktqeee.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Re: Windows knows I plugged in a USB device but drive wont show

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Windows knows I plugged in a USB device but drive wont show

Malwarebytes' Anti-Malware 1.36
Database version: 2063
Windows 5.1.2600 Service Pack 3

5/9/2009 11:17:23 AM
mbam-log-2009-05-09 (11-17-23).txt

Scan type: Quick Scan
Objects scanned: 135745
Time elapsed: 19 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\autochk.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\autochk.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\LocalService.NT AUTHORITY.000\protect.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ovfsthlpgcemywtdexplotljmkqijfxpwsdaoe.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ovfsthmmwqfrnypyenkpkbpjqjqqpxreorvxxx.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Arthur.VANDELAY\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Arthur.VANDELAY\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Quarantined and deleted successfully.

Re: Windows knows I plugged in a USB device but drive wont show

Hello.
Database version: 2063

Please update MBAM first, the latest database is 2099. The update button is in the update tab.
Once updated, run another scan and remove anything found.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Windows knows I plugged in a USB device but drive wont show

Malwarebytes' Anti-Malware 1.36
Database version: 2099
Windows 5.1.2600 Service Pack 3

5/9/2009 11:47:29 AM
mbam-log-2009-05-09 (11-47-29).txt

Scan type: Quick Scan
Objects scanned: 138255
Time elapsed: 14 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c2ba40a1-74f3-42bd-f434-12345a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\beziseno.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Re: Windows knows I plugged in a USB device but drive wont show

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
  • Double click DDS.scr to run
  • When complete, two logs will open. Save both reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Windows knows I plugged in a USB device but drive wont show

DDS (Ver_09-03-16.01) - NTFSx86
Run by Arthur at 11:54:49.41 on Sat 05/09/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.367.116 [GMT -4:00]

AV: Norton Internet Security *On-access scanning enabled* (Outdated)
AV: AntiVir Desktop *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Arthur.VANDELAY\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Arthur.VANDELAY\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?hl=en
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride =
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.0\UIBHO.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Google Update] "c:\documents and settings\arthur.vandelay\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
uPolicies-explorer: NoSimpleStartMenu = 0 (0x0)
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227222424972
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\arthur~1.van\applic~1\mozilla\firefox\profiles\0mjyd55f.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\arthur.vandelay\application data\mozilla\firefox\profiles\0mjyd55f.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\arthur.vandelay\local settings\application data\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-8 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-8 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-8 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-8 55640]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2006-9-26 66048]
S2 gupdate1c9cf6055108bf0;Google Update Service (gupdate1c9cf6055108bf0);c:\program files\google\update\GoogleUpdate.exe [2009-5-7 133104]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys --> c:\windows\system32\drivers\wg111v2.sys [?]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2008-11-20 13532]

=============== Created Last 30 ================

2009-05-09 10:10 --d----- c:\program files\Avenger
2009-05-08 19:24 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-05-08 19:24 --d----- c:\docume~1\alluse~1.win\applic~1\Avira
2009-05-08 19:22 --d----- c:\program files\Avira
2009-05-08 18:36 --d----- c:\program files\Trend Micro
2009-05-07 11:28 202 a------- C:\43214354.bat
2009-05-02 18:45 --d----- c:\docume~1\arthur~1.van\applic~1\Blitware
2009-05-01 19:22 a-dshr-- C:\cmdcons
2009-05-01 19:19 161,792 a------- c:\windows\SWREG.exe
2009-05-01 19:19 98,816 a------- c:\windows\sed.exe
2009-05-01 13:36 --d----- c:\docume~1\arthur~1.van\applic~1\Malwarebytes
2009-05-01 13:36 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-01 13:36 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-01 13:35 --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-05-01 13:35 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-01 01:25 65,954 a------- c:\windows\Prairie Wind.bmp
2009-05-01 01:25 65,832 a------- c:\windows\Santa Fe Stucco.bmp
2009-05-01 01:25 26,680 a------- c:\windows\River Sumida.bmp
2009-05-01 01:25 26,582 a------- c:\windows\Greenstone.bmp
2009-05-01 01:25 17,362 a------- c:\windows\Rhododendron.bmp
2009-05-01 01:25 17,336 a------- c:\windows\Gone Fishing.bmp
2009-05-01 01:25 17,062 a------- c:\windows\Coffee Bean.bmp
2009-05-01 01:25 16,730 a------- c:\windows\FeatherTexture.bmp
2009-05-01 01:25 9,522 a------- c:\windows\Zapotec.bmp
2009-05-01 01:25 65,978 a------- c:\windows\Soap Bubbles.bmp
2009-05-01 01:25 1,272 a------- c:\windows\Blue Lace 16.bmp
2009-05-01 00:09 10,520 a------- c:\windows\system32\avgrsstx.dll.old
2009-05-01 00:07 --d----- c:\program files\AVG
2009-04-30 23:34 --d----- c:\program files\XP Security Console
2009-04-30 22:42 --d----- c:\docume~1\alluse~1.win\applic~1\SecTaskMan
2009-04-30 13:34 16 a------- c:\windows\system32\coh.cache
2009-04-30 13:29 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-04-30 13:29 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-04-30 13:04 --d----- c:\program files\Norton Internet Security
2009-04-30 11:46 5,369 ---sh--- c:\windows\system32\rutobuki.exe
2009-04-30 11:45 5,369 ---sh--- c:\windows\system32\buhiwuna.dll
2009-04-16 23:44 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-16 23:43 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-16 23:43 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-16 23:43 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-16 23:43 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 23:43 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 23:43 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 23:43 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-16 23:43 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-16 23:42 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-16 23:42 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 23:42 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe

==================== Find3M ====================

2009-04-30 14:12 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-30 14:12 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-04-29 10:26 2,068 a------- c:\windows\system32\d3d9caps.dat
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 14:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2006-02-16 00:08 243 ---sh--- c:\program files\desktop.ini
2002-09-11 10:26 63,730 a------- c:\program files\viewsonicinstruct_xp.pdf
2001-05-20 21:10 23,357 ac--h--- c:\program files\folder.htt

============= FINISH: 11:55:51.75 ===============

Re: Windows knows I plugged in a USB device but drive wont show

Hello.
Still a bit of work to do.

Please download the OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :files
    C:\43214354.bat
    c:\windows\system32\rutobuki.exe
    c:\windows\system32\buhiwuna.dll

    :reg
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    [-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    [-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System]


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
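
The OTMoveIt3 script in this post targets three files and the Policies keys that are visible in the DDS log posted earlier. The Python below is an added example, not part of the thread and not the helper's stated method: it pulls candidate entries out of a DDS log for review. The attribute and location heuristics and the u/d/m prefix-to-hive mapping are assumptions; the sample lines are copied from the log in this thread.

```python
import ntpath
import re
from typing import List, NamedTuple, Optional, Tuple

# Lines copied unmodified from the DDS log posted in this thread (a subset).
DDS_EXCERPT = r"""
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
2009-05-09 10:10 --d----- c:\program files\Avenger
2009-05-08 19:24 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-05-07 11:28 202 a------- C:\43214354.bat
2009-05-01 19:22 a-dshr-- C:\cmdcons
2009-05-01 19:19 161,792 a------- c:\windows\SWREG.exe
2009-05-01 01:25 65,954 a------- c:\windows\Prairie Wind.bmp
2009-04-30 11:46 5,369 ---sh--- c:\windows\system32\rutobuki.exe
2009-04-30 11:45 5,369 ---sh--- c:\windows\system32\buhiwuna.dll
2009-04-16 23:43 110,592 -c------ c:\windows\system32\dllcache\services.exe
2006-02-16 00:08 243 ---sh--- c:\program files\desktop.ini
"""

# File row: date, time, optional size, eight attribute flags, path (may contain spaces).
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?:([\d,]+) )?([acdhrs-]{8}) (.+)$")
# Policy row, e.g. "dPolicies-system: DisableRegistryTools = 1 (0x1)".
POLICY_RE = re.compile(r"^([udm])Policies-(explorer|system): (\w+) = (\d+)\b")

# Assumption: DDS prefixes map to these hives (consistent with the keys in the
# helper's :reg section, which are HKCU and HKU\.DEFAULT).
HIVES = {"u": "HKEY_CURRENT_USER",
         "d": r"HKEY_USERS\.DEFAULT",
         "m": "HKEY_LOCAL_MACHINE"}
POLICIES = r"\Software\Microsoft\Windows\CurrentVersion\Policies"
BINARY_EXT = {".exe", ".dll", ".sys"}
ROOT_EXT = {".bat", ".cmd", ".exe"}


class Entry(NamedTuple):
    when: str
    size: Optional[int]  # None when the row has no size column (directories)
    attrs: str
    path: str


def parse_files(log: str) -> List[Entry]:
    """Parse 'Created Last 30' / 'Find3M' style rows into Entry tuples."""
    entries = []
    for line in log.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            when, size, attrs, path = m.groups()
            entries.append(Entry(
                when, int(size.replace(",", "")) if size else None, attrs, path))
    return entries


def suspicious_files(log: str) -> List[Tuple[str, str]]:
    """Return (path, reason) for files worth a closer look, in log order."""
    hits = []
    for e in parse_files(log):
        if "d" in e.attrs:  # directory rows are skipped
            continue
        folder = ntpath.dirname(e.path).lower()
        ext = ntpath.splitext(e.path)[1].lower()
        hidden_system = "h" in e.attrs and "s" in e.attrs
        if folder == r"c:\windows\system32" and ext in BINARY_EXT and hidden_system:
            hits.append((e.path, "hidden+system binary directly in system32"))
        elif re.fullmatch(r"[a-z]:\\", folder) and ext in ROOT_EXT:
            hits.append((e.path, "script or executable in the drive root"))
    return hits


def active_policies(log: str) -> List[Tuple[str, str, int]]:
    """Return (registry key, value name, data) for policy values that are set."""
    found = []
    for line in log.splitlines():
        m = POLICY_RE.match(line.strip())
        if m and int(m.group(4)) != 0:
            prefix, section, name, data = m.groups()
            key = HIVES[prefix] + POLICIES + "\\" + section.capitalize()
            found.append((key, name, int(data)))
    return found


if __name__ == "__main__":
    for path, reason in suspicious_files(DDS_EXCERPT):
        print(f"FILE   {path}  ({reason})")
    for key, name, data in active_policies(DDS_EXCERPT):
        print(f"POLICY {key}\\{name} = {data}")
```

The flagged items are candidates for a human to review against known-good software, not a verdict; tools such as the Recovery Console folder or antivirus drivers in the same log are deliberately not matched by these heuristics.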

Re: Windows knows I plugged in a USB device but drive wont show

========== FILES ==========
C:\43214354.bat moved successfully.
c:\windows\system32\rutobuki.exe moved successfully.
LoadLibrary failed for c:\windows\system32\buhiwuna.dll
c:\windows\system32\buhiwuna.dll NOT unregistered.
c:\windows\system32\buhiwuna.dll moved successfully.
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\\ deleted successfully.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05092009_121223

Re: Windows knows I plugged in a USB device but drive wont show

Okay, that should do it for the malware, now we need to remove Norton.

  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Windows knows I plugged in a USB device but drive wont show

ABBYY FineReader 5.0 Sprint
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 7.0
Adobe Reader 9.1
AOL Instant Messenger
AppCore
Apple Mobile Device Support
Apple Software Update
Avira AntiVir Personal - Free Antivirus
ccCommon
CCleaner (remove only)
Comcast High-Speed Internet Install Wizard
Dell AIO Printer A920
Google Earth Plugin
Google Gmail Notifier
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
ImTOO MOV Converter
iTunes
LimeWire 4.18.3
LiveUpdate Notice (Symantec Corporation)
Logitech MouseWare 9.79.1
Malwarebytes' Anti-Malware
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.0.10)
MSRedist
Norton Confidential Browser Component
Norton Confidential Web Protection Component
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
PowerDVD
QuickTime
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
TBS WMP Plug-in
Update for Windows XP (KB898461)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Viewpoint Media Player
WG111v2 Configuration Utility
Winamp (remove only)
Windows XP Service Pack 3

Re: Windows knows I plugged in a USB device but drive wont show

Hello.
I see that you are running Limewire.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

If Limewire is not removed, then I won't help you.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

  • LimeWire 4.18.3
  • Viewpoint Media Player

Completely Uninstall Norton software using:

Instructions

  1. Please download and save SymNRT.exe to your desktop.
  2. Close all programs and double click on the tool.
  3. Follow the on-screen instructions.
  4. Restart the computer if asked.
  5. Then delete the SymNRT.exe tool from your desktop.
  6. Open the Program Files folder on your local disk (normally C:).
  7. Find and delete the following folders (if present):
    • Norton AntiVirus
    • Norton Internet Security
    • Norton SystemWorks
    • Norton Personal Firewall

Let me know how the machine is running after you have done this.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Windows knows I plugged in a USB device but drive wont show

I did everything you asked, I removed both programs and ran the symnrt.exe and then removed the folders.

I am sure I'll need a little time to play around with it to see how it feels -

I still can't view anything I plug into a USB port though; I never had a problem with it before, so my gut tells me perhaps the malware had an effect on it?

I tried two devices, a flash drive and an SD card reader. When I plug them in, the "safely remove hardware" icon comes up in the task bar, acknowledging I plugged it in, but when I go to My Computer I can not see the F drive that used to appear.

Any thoughts?

Thank you so much!

Re: Windows knows I plugged in a USB device but drive wont show

Scratch that! It came back! Thanks so much!!

Re: Windows knows I plugged in a USB device but drive wont show

Oh well, I won't ask why. It's not broken, so I won't fix it.

Good work.

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio or Outpost.
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found here.

Hopefully this should take care of your problems! Good luck.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Windows knows I plugged in a USB device but drive wont show

Thanks! I will do as you recommend. I already was using Firefox and installed the add-ons you gave me, but I can't use IE to go to the Microsoft update page because as soon as I open it, it just closes right down. I did turn on automatic updates, though.

Thanks!

Re: Windows knows I plugged in a USB device but drive wont show
1st Half

Avira AntiVir Personal
Report file date: Saturday, May 09, 2009 13:45

Scanning for 1385351 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : VANDELAY

Version information:
BUILD.DAT : 9.0.0.394 17962 Bytes 4/17/2009 11:20:00
AVSCAN.EXE : 9.0.3.5 466689 Bytes 4/17/2009 13:57:30
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 01:33:26
ANTIVIR2.VDF : 7.1.3.137 1810944 Bytes 4/30/2009 02:16:20
ANTIVIR3.VDF : 7.1.3.178 195584 Bytes 5/8/2009 02:16:21
Engineversion : 8.2.0.166
AEVDF.DLL : 8.1.1.1 106868 Bytes 5/9/2009 02:16:34
AESCRIPT.DLL : 8.1.1.81 385401 Bytes 5/9/2009 02:16:33
AESCN.DLL : 8.1.1.10 127348 Bytes 5/9/2009 02:16:31
AERDL.DLL : 8.1.1.3 438645 Bytes 10/29/2008 23:24:41
AEPACK.DLL : 8.1.3.16 397686 Bytes 5/9/2009 02:16:31
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/27/2009 01:01:56
AEHEUR.DLL : 8.1.0.128 1757559 Bytes 5/9/2009 02:16:28
AEHELP.DLL : 8.1.2.2 119158 Bytes 2/27/2009 01:01:56
AEGEN.DLL : 8.1.1.42 348531 Bytes 5/9/2009 02:16:24
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 19:32:40
AECORE.DLL : 8.1.6.9 176500 Bytes 5/9/2009 02:16:22
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 19:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 15:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 19:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 20:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10
RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2/9/2009 16:45:45
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 15:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, E:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +SPR,

Start of the scan: Saturday, May 09, 2009 13:45

Starting search for hidden objects.
'42763' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'GoogleUpdate.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'reader_sl.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'GoogleUpdate.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'LEXPPS.EXE' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'LEXBCES.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
29 processes with 29 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'E:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '48' files ).

Re: Windows knows I plugged in a USB device but drive wont show
2nd half

Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Program Files\Common Files\InterVideo\DVD6\InterActual\iauninst.exe
[WARNING] The file could not be opened!
C:\Program Files\InstallShield Installation Information\{01083175-01CC-42AA-9090-81DD0F88F28F}\_setup.dll
[WARNING] The file could not be opened!
C:\Program Files\InstallShield Installation Information\{8EF1122E-E90C-4EE9-AB0C-7FDE2BA42C26}\_setup.dll
[WARNING] The file could not be opened!
C:\Program Files\InstallShield Installation Information\{E8569164-0F7D-46E1-8577-0B5820B43135}\_setup.dll
[WARNING] The file could not be opened!
C:\Program Files\InstallShield Installation Information\{E9EEA523-4540-4A23-A0EE-5C21DE90ACA9}\_setup.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\CoverDesigner\CoverDes.exe
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\AudioPluginMgr.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\CDCopy.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\cdr100.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\cdr50s.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\CDROM.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\cdu920.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\cr2200cs.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\Drweb32.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\DVDREALLOC.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\Dws114x.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\Equalize.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\FATImporter.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\GENCUSH.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\Generatr.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\GenFAT.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\geniso.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\GenPCHy.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\GenUDF.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\image.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\ImageGen.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\ims.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\ISOFS.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\KARAOKE.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\MMC.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\MPGEnc.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\NeHDBlkAccess.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\NeMP3Dmo.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\NeMP3Hlp.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\neroAPI.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\NeroCmd.exe
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\NeroCom.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\neroDB.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\neroErr.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\NeroMediaCon.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\NeroNet.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\neroscsi.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\neRSDB.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\NetRecorder.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\NeVCDEngine.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\newtrf.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\NRESTORE.EXE
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\READHD16.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\ReadHD32.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\ro1420c.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\UDFImporter.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\VCDMenu.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\VMPEGEnc.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\VMPEGEncNDX.dll
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero\WNASPI32.DLL
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero BackItUp\BackItUp.exe
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero BackItUp\NBJ.exe
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero BackItUp\NBR.exe
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero StartSmart\NeroStartSmart.exe
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero Toolkit\CDSpeed.exe
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero Toolkit\DriveSpeed.exe
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero Toolkit\hwinfo.exe
[WARNING] The file could not be opened!
C:\Program Files\Nero 6.0 Suite\Nero Toolkit\InfoTool.exe
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0D2B89YV\cd[1].htm
[0] Archive type: HIDDEN
--> FIL\\\?\C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0D2B89YV\cd[1].htm
[DETECTION] Is the TR/Dldr.Agent.bvpv Trojan
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0D2B89YV\cd[2].htm
[0] Archive type: HIDDEN
--> FIL\\\?\C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0D2B89YV\cd[2].htm
[DETECTION] Is the TR/Dldr.Agent.bvpv Trojan
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0D2B89YV\pp.06[1].exe
[DETECTION] Contains recognition pattern of the WORM/Koobface.HW.3 worm
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0JY52H4L\cd[1].htm
[0] Archive type: HIDDEN
--> FIL\\\?\C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0JY52H4L\cd[1].htm
[DETECTION] Is the TR/Dldr.Agent.bvpv Trojan
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0JY52H4L\cd[2].htm
[0] Archive type: HIDDEN
--> FIL\\\?\C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0JY52H4L\cd[2].htm
[DETECTION] Is the TR/Dldr.Agent.bvpv Trojan
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QP8T41UD\cd[1].htm
[0] Archive type: HIDDEN
--> FIL\\\?\C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QP8T41UD\cd[1].htm
[DETECTION] Is the TR/Dldr.Agent.bvpv Trojan
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QP8T41UD\cd[2].htm
[0] Archive type: HIDDEN
--> FIL\\\?\C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QP8T41UD\cd[2].htm
[DETECTION] Is the TR/Dldr.Agent.bvpv Trojan
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QP8T41UD\nfr[1].exe
[DETECTION] Is the TR/Proxy.Agent.bmm Trojan
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YHWXAVIX\cd[1].htm
[0] Archive type: HIDDEN
--> FIL\\\?\C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YHWXAVIX\cd[1].htm
[DETECTION] Is the TR/Dldr.Agent.bvpv Trojan
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YHWXAVIX\cd[2].htm
[0] Archive type: HIDDEN
--> FIL\\\?\C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YHWXAVIX\cd[2].htm
[DETECTION] Is the TR/Dldr.Agent.bvpv Trojan
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YHWXAVIX\cd[3].htm
[0] Archive type: HIDDEN
--> FIL\\\?\C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YHWXAVIX\cd[3].htm
[DETECTION] Is the TR/Dldr.Agent.bvpv Trojan
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YHWXAVIX\cd[4].htm
[0] Archive type: HIDDEN
--> FIL\\\?\C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YHWXAVIX\cd[4].htm
[DETECTION] Is the TR/Dldr.Agent.bvpv Trojan
Begin scan in 'E:\'

Beginning disinfection:
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0D2B89YV\cd[1].htm
[NOTE] The file was moved to '4a60e7c0.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0D2B89YV\cd[2].htm
[NOTE] The file was moved to '4a60e7c1.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0D2B89YV\pp.06[1].exe
[DETECTION] Contains recognition pattern of the WORM/Koobface.HW.3 worm
[NOTE] The file was moved to '4a33e7cd.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0JY52H4L\cd[1].htm
[NOTE] The file was moved to '4be1fa52.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0JY52H4L\cd[2].htm
[NOTE] The file was moved to '4be0f20a.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QP8T41UD\cd[1].htm
[NOTE] The file was moved to '4a60e7c2.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QP8T41UD\cd[2].htm
[NOTE] The file was moved to '497fa8cb.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QP8T41UD\nfr[1].exe
[DETECTION] Is the TR/Proxy.Agent.bmm Trojan
[NOTE] The file was moved to '4a77e7c4.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YHWXAVIX\cd[1].htm
[NOTE] The file was moved to '494281a3.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YHWXAVIX\cd[2].htm
[NOTE] The file was moved to '494389eb.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YHWXAVIX\cd[3].htm
[NOTE] The file was moved to '49cca003.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YHWXAVIX\cd[4].htm
[NOTE] The file was moved to '49cda84b.qua'!


End of the scan: Saturday, May 09, 2009 16:28
Used time: 2:42:19 Hour(s)

The scan has been done completely.

7870 Scanned directories
374855 Files were scanned
12 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
12 Files were moved to quarantine
0 Files were renamed
65 Files cannot be scanned
374778 Files not concerned
2606 Archives were scanned
65 Warnings
14 Notes
42763 Objects were scanned with rootkit scan
0 Hidden objects were found

Re: Windows knows I plugged in a USB device but drive wont show
Don't worry, just a bunch of temp files.

Download ATF Cleaner

  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:

  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:

  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


Re: Windows knows I plugged in a USB device but drive wont show
Thanks! When I saw it detected 12 things I started to think I was back to step 1!


Very much appreciated!
