Will it be better to try this on the safe mode or try to just boot in the normal mode? My computer didn't give me the blue screen of death last night...
If I get the blue screen I will go back to safe mode...

abu_jaaneb,

It would be best to work in Normal mode if possible. If you can't, then try in safe mode.

Hi TomK

I really appreciate your time and patience in helping me fix my machine.

I was finally able to run combo fix in normal mode. however I have to go and change the settings in the Msconfig to avoid certain programs from loading to avoid getting the blue screen of death and also to make sure that my antivirus wasn't loading up automatically.

However I tried to install Malware Antispyware to scan for malware but the exe isn't being recognized yet so there needs to be some more fixing done...
Let me know how should i proceed next.

Here is the log from the ComboFix:

ComboFix 09-10-21.02 - Tanmay 10/22/2009 23:35.1.1 - NTFSx86
Running from: c:\documents and settings\Tanmay\Desktop\Worksnow.com
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - system32: deleted 3945 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\59792234
c:\documents and settings\All Users\Application Data\59792234\59792234.bat
c:\documents and settings\All Users\Application Data\59792234\59792234.exe
c:\documents and settings\Tanmay\Start Menu\Programs\Security Tool.lnk
c:\windows\ayixesabejuko.dll
c:\windows\svohost.exe
c:\windows\system32\_000012_.tmp.dll
c:\windows\system32\1.dll
c:\windows\system32\6to4v32.dll
c:\windows\system32\7j8ai0m2.dat
c:\windows\system32\certstore.dat
c:\windows\system32\clrviddc.dll
c:\windows\system32\divosewo.exe
c:\windows\system32\drivers\smss.exe
c:\windows\system32\drivers\vsfocewuujyice.sys
c:\windows\system32\FInstall.sys
c:\windows\system32\hiyusago.dll
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\Install.txt
c:\windows\system32\isapeep.sys
c:\windows\system32\jurunute.dll
c:\windows\system32\lahozunu.dll
c:\windows\system32\merisemo.exe
c:\windows\system32\nuar.old
c:\windows\system32\onhelp.htm
c:\windows\system32\pepurudo.exe
c:\windows\system32\qt49je97wy.dll
c:\windows\system32\rutihuku.dll
c:\windows\system32\skynet.dat
c:\windows\system32\vatotosa.dll
c:\windows\system32\vsfocebkldpjyp.dll
c:\windows\system32\vsfocefoayvttd.dat
c:\windows\system32\vsfocehqfpuoij.dll
c:\windows\system32\vsfocemixsnbae.dat
c:\windows\system32\vsfoceudovistj.dll
c:\windows\system32\vsfoceyfyntlge.dll
c:\windows\system32\wisezeki.dll
c:\windows\system32\wispex.html
c:\windows\system32\zawetuba.exe
c:\windows\system32\zotizewi.dll
c:\windows\Temp\3588597118.exe

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\i386\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_vsfocemoynbaqc
-------\Legacy_vsfocemoynbaqc
-------\Legacy_6TO4
-------\Legacy_ADMIN
-------\Legacy_ANTIPPRO2009_100
-------\Legacy_MDTDISK
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_6to4
-------\Service_admin
-------\Service_mdtdisk
-------\Legacy_isapeep
-------\Legacy_WDefend
-------\Service_isapeep
-------\Service_WDefend


((((((((((((((((((((((((( Files Created from 2009-09-23 to 2009-10-23 )))))))))))))))))))))))))))))))
.

2009-10-23 04:00 . 2009-10-23 04:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-23 00:10 . 2009-10-23 04:13 -------- d-----w- C:\Worksnow
2009-10-21 04:14 . 2009-10-21 04:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-19 22:30 . 2009-10-19 22:30 565248 ----a-w- c:\windows\system32\plugie.dll
2009-10-19 22:29 . 2009-10-19 22:53 -------- d-----w- c:\documents and settings\All Users\Application Data\97519031
2009-10-17 03:51 . 2009-10-19 22:36 -------- d-----w- c:\documents and settings\All Users\Application Data\12404516
2009-10-13 19:59 . 2009-10-13 19:59 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-10-13 18:23 . 2009-10-19 22:31 58 ----a-w- c:\windows\wp4.dat
2009-10-13 18:23 . 2009-10-19 22:31 2 ----a-w- c:\windows\wp3.dat
2009-10-13 18:20 . 2009-10-21 23:10 0 ----a-r- c:\windows\Ffodapele.bin
2009-10-13 18:20 . 2009-10-19 22:28 120 ----a-w- c:\windows\Nhoqocuwuse.dat
2009-10-13 18:20 . 2009-10-13 18:20 -------- d-----w- c:\documents and settings\Tanmay\Local Settings\Application Data\{2A6E4549-807F-46B9-A667-861177E7C0F7}
2009-10-13 18:20 . 2009-10-19 22:36 -------- d-----w- c:\documents and settings\All Users\Application Data\83602120
2009-10-13 18:14 . 2009-10-13 18:13 93136 --sh--w- c:\windows\system32\TerNk.exe
2009-09-27 13:38 . 2009-09-26 22:28 34736 --sh--w- c:\windows\system32\360me.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-23 00:10 . 2008-01-10 00:26 -------- d-----w- c:\program files\TomTom HOME 2
2009-10-20 04:30 . 2005-07-28 14:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-27 13:25 . 2005-03-09 01:08 -------- d-----w- c:\program files\Yahoo!
2009-08-05 09:11 . 2004-08-10 18:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2005-03-15 04:38 . 2005-03-15 04:38 56 --sh--r- c:\windows\system32\A9A30DBFE3.sys
2009-07-17 03:50 . 2009-07-17 03:50 24576 --sha-w- c:\windows\system32\daweyege.exe
2009-07-22 23:59 . 2009-07-22 23:59 39424 --sha-w- c:\windows\system32\fodedozu.dll
2009-07-13 18:19 . 2009-07-13 18:19 191496 --sha-w- c:\windows\system32\ginekufu.exe
2009-07-19 22:28 . 2009-07-19 22:28 1051170 --sha-w- c:\windows\system32\hovufuka.exe
2009-07-22 23:59 . 2009-07-22 23:59 54272 --sha-w- c:\windows\system32\jinuriwa.dll
2006-07-27 03:08 . 2005-03-15 04:38 11792 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-07-22 23:59 . 2009-07-22 23:59 1050146 --sha-w- c:\windows\system32\mewisale.exe
2009-07-17 03:50 . 2009-07-17 03:50 1079842 --sha-w- c:\windows\system32\moriyava.exe
2009-07-19 22:28 . 2009-07-19 22:28 1051170 --sha-w- c:\windows\system32\payiziha.exe
2009-07-19 22:28 . 2009-07-19 22:28 91136 --sha-w- c:\windows\system32\wuzijopu.dll
2009-07-23 00:00 . 2009-07-23 00:00 54272 --sha-w- c:\windows\system32\yufarapu.dll
2009-07-19 22:28 . 2009-07-19 22:28 27648 --sha-w- c:\windows\system32\zodabuma.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc410af1-c141-4282-bc29-23e490b100f4}]
2009-07-23 00:00 54272 --sha-w- c:\windows\system32\yufarapu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-04 344064]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli atcinle.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"xmlprov"=3 (0x3)
"WZCSVC"=2 (0x2)
"WudfSvc"=3 (0x3)
"wscsvc"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WmiApSrv"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"WLANKEEPER"=2 (0x2)
"winmgmt"=2 (0x2)
"WebClient"=2 (0x2)
"WDefend"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"TrkWks"=2 (0x2)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=2 (0x2)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"sprtsvc_dellsupportcenter"=2 (0x2)
"Spooler"=2 (0x2)
"sofatnet"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SamSs"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"RSVP"=3 (0x3)
"RegSrvc"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"ose"=3 (0x3)
"NtLmSsp"=3 (0x3)
"NMIndexingService"=3 (0x3)
"Nla"=3 (0x3)
"NICCONFIGSVC"=2 (0x2)
"Netman"=3 (0x3)
"Netlogon"=3 (0x3)
"NBService"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"McTaskManager"=2 (0x2)
"McShield"=2 (0x2)
"McAfeeFramework"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"iPod Service"=3 (0x3)
"InCDsrv"=2 (0x2)
"ImapiService"=3 (0x3)
"IDriverT"=3 (0x3)
"HTTPFilter"=3 (0x3)
"HidServ"=2 (0x2)
"gusvc"=2 (0x2)
"gupdate1c9e7f7e27eacd1"=2 (0x2)
"Fax"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"EvtEng"=2 (0x2)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"DSBrokerService"=3 (0x3)
"Dnscache"=2 (0x2)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"CryptSvc"=2 (0x2)
"COMSysApp"=3 (0x3)
"ClipSrv"=3 (0x3)
"BtwSrv"=2 (0x2)
"BthServ"=2 (0x2)
"Bonjour Service"=2 (0x2)
"BITS"=2 (0x2)
"AudioSrv"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"ALG"=3 (0x3)
"admin"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\DAP\\DAP.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\moriyava.exe"=
"c:\\Program Files\\Network Associates\\VirusScan\\shstat.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe"=
"c:\\Program Files\\Windows Desktop Search\\WindowsSearch.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"17174:TCP"= 17174:TCP:BitComet 17174 TCP
"17174:UDP"= 17174:UDP:BitComet 17174 UDP
"19671:TCP"= 19671:TCP:BitComet 19671 TCP
"19671:UDP"= 19671:UDP:BitComet 19671 UDP
"64346:TCP"= 64346:TCP:BitComet 64346 TCP
"64346:UDP"= 64346:UDP:BitComet 64346 UDP

R3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\DRIVERS\LV532AV.SYS [2003-09-04 152576]
R4 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe [2004-08-04 14336]
R4 gupdate1c9e7f7e27eacd1;Google Update Service (gupdate1c9e7f7e27eacd1);c:\program files\Google\Update\GoogleUpdate.exe [2009-06-08 133104]
R4 sofatnet;sofatnet Service;c:\windows\system32\sofatnet.exe [2004-08-04 94720]
S1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2006-06-09 58464]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{27E9163A-80DB-FA8A-8D41-1998E47B9051}]
c:\windows\system32:kb11.exe
.
Contents of the 'Scheduled Tasks' folder

2009-08-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-10-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-04-15 05:18]

2009-10-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-08 05:13]

2009-10-23 c:\windows\Tasks\User_Feed_Synchronization-{CDA0483C-E30C-4C1E-A4B6-A3BDC4B3BD15}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.x-rates.com/d/INR/USD/graph120.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: &AOL Toolbar Search
IE: &Download with &DAP - c:\progra~1\DAP\dapextie.htm
IE: &Google Search
IE: &Translate English Word
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Backward Links
IE: Cached Snapshot of Page
IE: Download &all with DAP - c:\progra~1\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth
IE: Similar Pages
IE: Translate into English
IE: Translate Page into English
Trusted Zone: musicmatch.com\online
DPF: {E93E9DF0-3E59-4331-A269-F1E077C66F00} - hxxp://cnn-5.vo.llnwd.net/c1/static/client/browserplayer/gtplugin.cab
FF - ProfilePath - c:\documents and settings\Tanmay\Application Data\Mozilla\Firefox\Profiles\x2c99rg3.Tanmay\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Google\Google Earth Plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdap.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npzango.dll
FF - HiddenExtension: XULRunner: {2A6E4549-807F-46B9-A667-861177E7C0F7} - c:\documents and settings\Tanmay\Local Settings\Application Data\{2A6E4549-807F-46B9-A667-861177E7C0F7}
FF - HiddenExtension: XULRunner: {32FC8113-D674-49A7-9C25-41A0C02CEBAD} - c:\windows\system32\config\systemprofile\Local Settings\Application Data\{32FC8113-D674-49A7-9C25-41A0C02CEBAD}\
.
- - - - ORPHANS REMOVED - - - -

BHO-{e5a95014-3840-e07f-6ce1-c267a836c272} - c:\windows\ayixesabejuko.dll
HKLM-Run-Knoyucinepu - c:\windows\ayixesabejuko.dll
HKLM-Run-denotatav - c:\windows\system32\wisezeki.dll
HKLM-Run-litasusepa - lahozunu.dll
HKU-Default-Run-minix32 - c:\windows\system32\minix32.exe
SharedTaskScheduler-{e7ab1a21-57a5-4119-9187-978b35244390} - c:\windows\system32\wisezeki.dll
SSODL-loverefah-{e7ab1a21-57a5-4119-9187-978b35244390} - c:\windows\system32\wisezeki.dll
AddRemove-DVD Shrink_is1 - c:\program files\DVD Shrink\unins000.exe
AddRemove-InterActual Player - c:\program files\InterActual\InterActual Player\inuninst.exe
AddRemove-Yahoo! Photos Easy Upload Tool - c:\program files\Yahoo!\Common\ydropper_uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-22 23:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(976)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'lsass.exe'(1032)
c:\windows\atcinle.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1260)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\atcinle.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\worksnow32340w\CF8777.exe
c:\windows\system32\rundll32.exe
c:\worksnow32340w\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-23 23:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-23 04:49

Pre-Run: 1,492,307,968 bytes free
Post-Run: 1,835,356,160 bytes free

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - A92CA72EE02660F1ADDA67A5B29233EB

This post has been edited by abu_jaaneb: Oct 22 2009, 11:20 PM

abu_jaaneb,

You have quite a variety of infections onboard and some have been there fore months.

Your computer appears to have been infected by a backdoor trojan. These programs have the ability to steal passwords and other information from your system. If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

• Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
• Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
• Consider what other private information could possibly have been taken from your computer and take appropriate steps

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean, if this is unacceptable to you then you should consider reformatting the system partition and reinstalling Windows as this is the only 100% sure answer.

If you wish to reformat then please let me know in your next response, I'll now continue with instructions for cleaning.

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2

• Ensure all Firefox windows are closed.
• To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
• When prompted to run the scan, click Yes.
• GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

COMBOFIX-Script

• Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
  
  
  CODE
  File::
  c:\windows\system32\360me.exe
  c:\windows\system32\TerNk.exe
  c:\windows\Nhoqocuwuse.dat
  c:\windows\Ffodapele.bin
  c:\windows\wp3.dat
  c:\windows\wp4.dat
  c:\windows\system32\A9A30DBFE3.sys
  c:\windows\system32\daweyege.exe
  c:\windows\system32\fodedozu.dll
  c:\windows\system32\ginekufu.exe
  c:\windows\system32\hovufuka.exe
  c:\windows\system32\jinuriwa.dll
  c:\windows\system32\mewisale.exe
  c:\windows\system32\moriyava.exe
  c:\windows\system32\payiziha.exe
  c:\windows\system32\wuzijopu.dll
  c:\windows\system32\yufarapu.dll
  c:\windows\system32\zodabuma.exe
  c:\windows\system32\sofatnet.exe
  c:\windows\system32:kb11.exe
  
  Folder::
  c:\documents and settings\All Users\Application Data\97519031
  c:\documents and settings\All Users\Application Data\12404516
  c:\documents and settings\Tanmay\Local Settings\Application Data\{2A6E4549-807F-46B9-A667-861177E7C0F7}
  c:\documents and settings\All Users\Application Data\83602120
  c:\windows\system32\config\systemprofile\Local Settings\Application Data\{32FC8113-D674-49A7-9C25-41A0C02CEBAD}
  
  Registry::
  [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc410af1-c141-4282-bc29-23e490b100f4}]
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
  "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
  [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{27E9163A-80DB-FA8A-8D41-1998E47B9051}]
  
  Driver::
  sofatnet
  
  
• Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
  
  
  
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

TomK,

I guessed that the machine is badly infected. I will like to reformat it and start over and keep it cleaner going forward. I had a good run with it for last 4 year without any infections or hiccups.

However,

1) I have some data in the machine that I would like to backup and hence would like to clean it up the best I can so that I don't copy over any of the malaware and infect any other machine or same machine back

2)I had copied some data my external HDD from the c: drive and would appreciate if you can help me scan it as well - we can deal with it after we are all done with my machine. let me know.

I had changed my passwords sometime back but don't know how long I had that trojan on my computer. I would like to the know, at the end of clean up how to detect these trojan and secret infection and safeguard my computer going forward after the reformat.

Thanks very much for your help.

I will run through the steps you have suggest and post the log sometime later today.

TomK,

I ran both the Gooredfix and Combofix as per the directions. The Logs are pasted below.

However, when I booted my computer to run these yesterday, I had another program poped up disabling me from using windows - it was 'Security tool' and kept on giving me virus alert message and was doing fake scans. I was somehow able to fix it by using task manager to disable it before it could load the next time and I deleted some funny folders with wired name exe's and bat files. It did not pop up the last two times i booted. I have also modifed the startup by using msconfig not to load any applications that are either not useful or I don't know what they are for. I thought I should let you know.

**********************************
GooredFix by jpshortstuff (24.09.09.1)
Log created at 18:40 on 23/10/2009 (Tanmay)
Firefox version 3.0.13 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{2A6E4549-807F-46B9-A667-861177E7C0F7} -> Success!
Deleting C:\Documents and Settings\Tanmay\Local Settings\Application Data\{2A6E4549-807F-46B9-A667-861177E7C0F7} -> Success!
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{32FC8113-D674-49A7-9C25-41A0C02CEBAD} -> Success!
Deleting C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{32FC8113-D674-49A7-9C25-41A0C02CEBAD} -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [01:38 15/03/2005]
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [22:49 21/01/2008]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
(none)

-=E.O.F=-

********************************************************************************
***********************

ComboFix 09-10-22.01 - Tanmay 10/23/2009 18:50.2.1 - NTFSx86
Running from: c:\documents and settings\Tanmay\Desktop\Worksnow.com
Command switches used :: c:\docume~1\Tanmay\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
"c:\windows\Ffodapele.bin"
"c:\windows\Nhoqocuwuse.dat"
"c:\windows\system32:kb11.exe"
"c:\windows\system32\360me.exe"
"c:\windows\system32\A9A30DBFE3.sys"
"c:\windows\system32\daweyege.exe"
"c:\windows\system32\fodedozu.dll"
"c:\windows\system32\ginekufu.exe"
"c:\windows\system32\hovufuka.exe"
"c:\windows\system32\jinuriwa.dll"
"c:\windows\system32\mewisale.exe"
"c:\windows\system32\moriyava.exe"
"c:\windows\system32\payiziha.exe"
"c:\windows\system32\sofatnet.exe"
"c:\windows\system32\TerNk.exe"
"c:\windows\system32\wuzijopu.dll"
"c:\windows\system32\yufarapu.dll"
"c:\windows\system32\zodabuma.exe"
"c:\windows\wp3.dat"
"c:\windows\wp4.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Tanmay\Desktop\Security Tool.lnk
c:\documents and settings\Tanmay\Start Menu\Programs\Security Tool.lnk
c:\windows\Ffodapele.bin
c:\windows\Install.txt
c:\windows\Nhoqocuwuse.dat
c:\windows\system32\360me.exe
c:\windows\system32\A9A30DBFE3.sys
c:\windows\system32\daweyege.exe
c:\windows\system32\FInstall.sys
c:\windows\system32\fodedozu.dll
c:\windows\system32\ginekufu.exe
c:\windows\system32\gulobimu.dll
c:\windows\system32\hovufuka.exe
c:\windows\system32\Install.txt
c:\windows\system32\jinuriwa.dll
c:\windows\system32\mewisale.exe
c:\windows\system32\moriyava.exe
c:\windows\system32\payiziha.exe
c:\windows\system32\TerNk.exe
c:\windows\system32\wuzijopu.dll
c:\windows\system32\yufarapu.dll
c:\windows\system32\zodabuma.exe
c:\windows\TEMP\mta13187.dll
c:\windows\wp3.dat
c:\windows\wp4.dat

.
((((((((((((((((((((((((( Files Created from 2009-09-24 to 2009-10-24 )))))))))))))))))))))))))))))))
.

2009-10-24 00:07 . 2009-10-24 00:07 -------- d-----w- c:\windows\LastGood
2009-10-23 04:14 . 2009-10-23 04:49 -------- d-----w- C:\Worksnow32340W
2009-10-23 04:00 . 2009-10-23 05:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-23 00:10 . 2009-10-23 04:13 -------- d-----w- C:\Worksnow
2009-10-21 04:14 . 2009-10-21 04:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-19 22:30 . 2009-10-19 22:30 565248 ----a-w- c:\windows\system32\plugie.dll
2009-10-13 19:59 . 2009-10-13 19:59 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-23 23:35 . 2005-05-08 03:51 -------- d--h--r- c:\documents and settings\Tanmay\Application Data\yahoo!
2009-10-23 22:20 . 2008-12-24 17:34 -------- d-----w- c:\program files\Brother
2009-10-23 05:24 . 2005-09-10 19:54 -------- d-----w- c:\program files\MathType
2009-10-23 05:23 . 2005-03-13 19:43 -------- d-----w- c:\program files\Google
2009-10-23 05:12 . 2005-03-01 11:37 -------- d-----w- c:\program files\Common Files\InstallShield
2009-10-23 05:11 . 2008-12-28 04:18 -------- d-----w- c:\program files\AVS4YOU
2009-10-23 05:11 . 2008-12-28 04:18 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-10-23 00:10 . 2008-01-10 00:26 -------- d-----w- c:\program files\TomTom HOME 2
2009-10-20 04:30 . 2005-07-28 14:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-27 13:25 . 2005-03-09 01:08 -------- d-----w- c:\program files\Yahoo!
2009-08-05 09:11 . 2004-08-10 18:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2006-07-27 03:08 . 2005-03-15 04:38 11792 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-07-23 22:30 . 2009-07-23 22:30 1051682 --sha-w- c:\windows\system32\wejiwulo.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-10-23_04.44.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 11:00 . 2004-08-04 11:00 61440 c:\windows\system32\lsm32.sys
+ 2004-08-04 11:00 . 2004-08-04 11:00 94720 c:\windows\system32\FastNetSrv.exe
- 2009-10-23 04:45 . 2009-10-23 04:44 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-10-23 04:45 . 2009-10-24 00:14 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-26 04:11 . 2009-10-24 00:14 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-07-26 04:11 . 2009-10-23 04:44 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2005-03-08 23:20 . 2009-10-24 00:14 49152 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-03-08 23:20 . 2009-10-23 04:44 49152 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-08-04 11:00 . 2004-08-04 11:00 46080 c:\windows\system32\BtwSrv.dll
+ 2004-08-04 11:00 . 2004-08-04 11:00 132608 c:\windows\system32\wmdtc.exe
+ 2004-08-04 11:00 . 2004-08-04 11:00 132608 c:\windows\system32\opeia.exe
- 2005-03-08 23:20 . 2009-10-23 04:44 212992 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-03-08 23:20 . 2009-10-24 00:14 212992 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-24 00:04 . 2009-07-03 17:09 1208832 c:\windows\temp\x1c86027.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-08 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-04 344064]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"denotatav"="c:\windows\system32\badaliyo.dll" [BU]
"litasusepa"="lahozunu.dll" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli atcinle.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WDefend"=2 (0x2)
"iPod Service"=3 (0x3)
"InCDsrv"=2 (0x2)
"gusvc"=2 (0x2)
"gupdate1c9e7f7e27eacd1"=2 (0x2)
"Bonjour Service"=2 (0x2)
"admin"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Network Associates\\VirusScan\\shstat.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe"=
"c:\\Program Files\\Windows Desktop Search\\WindowsSearch.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"17174:TCP"= 17174:TCP:BitComet 17174 TCP
"17174:UDP"= 17174:UDP:BitComet 17174 UDP
"19671:TCP"= 19671:TCP:BitComet 19671 TCP
"19671:UDP"= 19671:UDP:BitComet 19671 UDP
"64346:TCP"= 64346:TCP:BitComet 64346 TCP
"64346:UDP"= 64346:UDP:BitComet 64346 UDP

R3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\DRIVERS\LV532AV.SYS [2003-09-04 152576]
R4 gupdate1c9e7f7e27eacd1;Google Update Service (gupdate1c9e7f7e27eacd1);c:\program files\Google\Update\GoogleUpdate.exe [2009-06-08 133104]
S1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2006-06-09 58464]
S2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe [2004-08-04 14336]
S2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [2004-08-04 94720]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - BTWSRV

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
.
Contents of the 'Scheduled Tasks' folder

2009-10-24 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-04-15 05:18]

2009-10-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-08 05:13]

2009-10-24 c:\windows\Tasks\User_Feed_Synchronization-{CDA0483C-E30C-4C1E-A4B6-A3BDC4B3BD15}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.x-rates.com/d/INR/USD/graph120.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: &AOL Toolbar Search
IE: &Google Search
IE: &Translate English Word
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Backward Links
IE: Cached Snapshot of Page
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth
IE: Similar Pages
IE: Translate into English
IE: Translate Page into English
Trusted Zone: musicmatch.com\online
DPF: {E93E9DF0-3E59-4331-A269-F1E077C66F00} - hxxp://cnn-5.vo.llnwd.net/c1/static/client/browserplayer/gtplugin.cab
FF - ProfilePath - c:\documents and settings\Tanmay\Application Data\Mozilla\Firefox\Profiles\x2c99rg3.Tanmay\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdap.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npzango.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-85722731 - c:\documents and settings\All Users\Application Data\85722731\85722731.exe
SharedTaskScheduler-{0a27c192-1b1a-4d43-8e33-6ab2edae8eb0} - c:\windows\system32\badaliyo.dll
SSODL-geyadisuv-{0a27c192-1b1a-4d43-8e33-6ab2edae8eb0} - c:\windows\system32\badaliyo.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-23 19:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(980)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'lsass.exe'(1040)
c:\windows\atcinle.dll
c:\windows\system32\WININET.dll
c:\windows\system32\EntApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\mcshield.exe
c:\program files\Network Associates\VirusScan\vstskmgr.exe
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wmdtc.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\rundll32.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\worksnow20470w\CF2352.exe
c:\windows\system32\lsm32.sys
c:\worksnow20470w\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-24 19:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-24 00:20
ComboFix2.txt 2009-10-23 04:49

Pre-Run: 2,058,829,824 bytes free
Post-Run: 1,809,448,960 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 81CEE6455C3E017805963F92B01A6148

Hello Tomk,

We seem to be making progress. I tried to re-install Malware Antispyware after the above steps and was able to do it successfully.
I performed a full scan and it detect 100 infections that I removed via MBAM. Here is a log file from Malware Antispyware:

Please let me know what are the next steps. What would be best way to scan my external harddrive ??

********************************************************************************
****************************

Malwarebytes' Anti-Malware 1.41
Database version: 3025
Windows 5.1.2600 Service Pack 2

10/24/2009 12:23:36 PM
mbam-log-2009-10-24 (12-23-32).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 291157
Time elapsed: 1 hour(s), 23 minute(s), 50 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 2
Registry Keys Infected: 14
Registry Values Infected: 13
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 69

Memory Processes Infected:
C:\WINDOWS\system32\FastNetSrv.exe (Backdoor.Bot) -> No action taken.

Memory Modules Infected:
C:\WINDOWS\atcinle.dll (Trojan.Hiloti) -> No action taken.
c:\WINDOWS\system32\BtwSrv.dll (Backdoor.Bot) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\btwsrv (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\btwsrv (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\btwsrv (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsrv (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\fastnetsrv (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\fastnetsrv (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fastnetsrv (Backdoor.Bot) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{25ecc7c8-331f-4758-8371-1d34c1e6a983} (Rogue.SafetyCenter) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{25ecc7c8-331f-4758-8371-1d34c1e6a983} (Rogue.SafetyCenter) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{25ecc7c8-331f-4758-8371-1d34c1e6a983} (Rogue.SafetyCenter) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\{25ecc7c8-331f-4758-8371-1d34c1e6a983} (Rogue.SafetyCenter) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_BTWSRV (Trojan.Agent) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Windows antiVirus pro (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_FASTNETSRV (Backdoor.Bot) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\denotatav (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\litasusepa (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mBt (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udfa (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mfa (Backdoor.Bot) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: atcinle.dll -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\atcinle.dll (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\system32\BtwSrv.dll (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\FastNetSrv.exe (Backdoor.Bot) -> No action taken.
C:\Program Files\Mozilla Firefox\plugins\npzango.dll (Adware.Zango) -> No action taken.
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\59792234\59792234.exe.vir (Rogue.SecurityTool) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\svohost.exe.vir (Trojan.FakeAlert) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\1.dll.vir (Trojan.FakeAlert) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\6to4v32.dll.vir (Backdoor.Bot) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\daweyege.exe.vir (Trojan.FakeAlert) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\divosewo.exe.vir (Rogue.SecurityTool) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir (Trojan.Sirefef) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\fodedozu.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ginekufu.exe.vir (Rogue.Installer) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gulobimu.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\hiyusago.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\isapeep.sys.vir (Backdoor.Bot) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\jurunute.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\lahozunu.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\merisemo.exe.vir (Rogue.SecurityTool) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\pepurudo.exe.vir (Trojan.Dropper) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\qt49je97wy.dll.vir (Trojan.Downloader) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\rutihuku.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\vatotosa.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\vsfocebkldpjyp.dll.vir (Rootkit.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\vsfocehqfpuoij.dll.vir (Rootkit.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\vsfoceudovistj.dll.vir (Trojan.FakeAlert) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\vsfoceyfyntlge.dll.vir (Rootkit.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wisezeki.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\zawetuba.exe.vir (Trojan.Dropper) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\zotizewi.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\smss.exe.vir (Trojan.Agent) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\vsfocewuujyice.sys.vir (Rootkit.TDSS) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000017.exe (Rogue.SecurityTool) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000038.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000040.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000041.exe (Rogue.Installer) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000042.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000043.exe (Rogue.SecurityTool) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000044.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000045.exe (Rogue.SecurityTool) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000046.exe (Rogue.Installer) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000047.exe (Rogue.SecurityTool) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000049.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000050.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000051.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000064.exe (Backdoor.Bot) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000065.exe (Backdoor.Bot) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000066.old (Trojan.Clicker) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000067.dll (Backdoor.Bot) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000068.exe (Backdoor.Bot) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001066.exe (Backdoor.Bot) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001067.exe (Backdoor.Bot) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0001071.old (Trojan.Clicker) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0001072.dll (Backdoor.Bot) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0001073.exe (Backdoor.Bot) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0001079.exe (Backdoor.Bot) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0001098.exe (Backdoor.Bot) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0001224.exe (Backdoor.Bot) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0001225.exe (Backdoor.Bot) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0001227.old (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\lsm32.sys (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\mdtdisk.sys (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\plugie.dll (Rogue.ASC-AntiSpyware) -> No action taken.
C:\WINDOWS\system32\wejiwulo.exe (Rogue.SecurityTool) -> No action taken.
C:\WINDOWS\temp\t4m0_480200275873.bk.old (Backdoor.Bot) -> No action taken.
C:\WINDOWS\temp\t4m0_679090843209.bk.old (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\wmdtc.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\opeia.exe (Backdoor.Bot) -> No action taken.

abu_jaaneb,

Did you "Remove Selected" after running MalwareBytes'? If not, please re-run it and do so.

At this point, your best bet on your external hard drive is to run Malwarebytes on a full scan and be sure to select your external drive as being scanned.

Tomk,

Yes, I selected 'Remove all' upon the Scan Completion. I also cleared up the quarantined files by again selecting 'remove all' so that I can ensure that all of the infection is out of the machine.

Is it safer to use machine for a little while before I figure out and get all the softwares to reformat the machine ?

I would appreciate if you Can help check if there are more infections remaining or get it as cleaned as possible.

I will perform a full scan of my external HDD this evening and let you know if I run into problems there.

Thanks.

abu_jaaneb,

Let's see what Malwarebytes finds on the full scan, and then I'd like you to run DDS again and post me new logs.

TomK,

I have run the DDS scan on the laptop. Logs are attached.

My external HDD came clean in the MalwareBytes scan.

abu_jaaneb,

Your Java is out of date and you have other old versions still on your computer, those old versions are now a security vulnerability:

Please download JavaRa to your desktop and unzip it to its own folder

• Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
• Accept any prompts.
• Open JavaRa.exe again and select Search For Updates.
• Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer - Version 6 update 16

Please go to Kaspersky website and perform an online antivirus scan.

• Read through the requirements and privacy statement and click on Accept button.
• It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
• When the downloads have finished, click on Settings.
• Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  Spyware, Adware, Dialers, and other potentially dangerous programs
  Archives
  Mail databases
• Click on My Computer under Scan.
• Once the scan is complete, it will display the results. Click on View Scan Report.
• You will see a list of infected items there. Click on Save Report As....
• Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
• Please post this log in your next reply.

Tomk,

Just to keep you informed, i did tried to run the scan for last two night but for some reason a Windows update keeps popping up and shut down my computer automatically. I have disabled automatic update and now running the scan again. For one - this scan does takes a lot of time..I will post the log as soon as I get done.

Thanks..

abu_jaaneb,

Good move.

Due to inactivity this topic will be closed.
If you need help please start a new thread.