[Resolved] Windows Defender Keeps finding TrojanWin32/Vundo.gen!g


  • This topic is locked
12 replies to this topic

#1 fustercluck

fustercluck

    New Member

  • Authentic Member
  • 9 posts

Posted 09 March 2009 - 10:45 PM

Defender says that it finds:

TrojanWin32/Vundo.gen!g

Then tries to remove:

Rundll32.exe"C:/windows/system32/motipewo.dll"
Rundll32.exe"C:/windows/system32/takadute.dll"

Tells me to reboot:

Then after reboot it pops up that it cannot find motipewo.dll and takadute.dll.

Then when Defender runs again later it finds the trojan again.

Here is the HijackThis log file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:20:19 PM, on 3/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec\Ghost\ngserver.exe
C:\Program Files\Common Files\ICWM\Printer\RDIConverterService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Symantec\Ghost\bin\dbserv.exe
C:\Program Files\Symantec\Ghost\bin\rteng7.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2503d190-a5d5-4187-9b36-c780b73e7e43} - C:\WINDOWS\system32\yiwazisa.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NGServer] C:\Program Files\Symantec\Ghost\ngserver.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [weduperadi] Rundll32.exe "C:\WINDOWS\system32\takadute.dll",s
O4 - HKLM\..\Run: [CPMc74bebcf] Rundll32.exe "c:\windows\system32\motipewo.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [1&1 EasyLogin] C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe
O4 - HKUS\S-1-5-19\..\Run: [weduperadi] Rundll32.exe "C:\WINDOWS\system32\takadute.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [weduperadi] Rundll32.exe "C:\WINDOWS\system32\takadute.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {2202D225-22C1-4B8C-A4B8-6A7E7B7E1524} (ICWMInstallObj Class) - https://dalbey.on.in...ICWMInstall.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.co...ALStreaming.cab
O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://sslvpn.demo....l.com/XTSAC.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvi...iveXClient1.cab
O16 - DPF: {5879B3B0-566E-4ECB-9B77-9A8A5E62AAB8} (DeviceMon Class) - http://www.blackberr...teLoaderUSB.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1146535247014
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1146535597530
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://sslvpn.demo....l.com/msrdp.cab
O16 - DPF: {79D6214F-CFCE-480F-9901-27950E78F1E6} (WebCacheCleaner Class) - https://sslvpn.demo....acheCleaner.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.su...ows-i586-jc.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....302/Coupons.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\tolukoho.dll c:\windows\system32\motipewo.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\motipewo.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\motipewo.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - PCTEL - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Symantec Ghost Database Service (ngdbserv) - Symantec Corporation - C:\Program Files\Symantec\Ghost\bin\dbserv.exe
O23 - Service: Symantec Ghost Configuration Server (NGServer) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngserver.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RDI Document Conversion Helper (RDIConverterPrintHelper) - Web Meeting - C:\Program Files\Common Files\ICWM\Printer\RDIConverterService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 11626 bytes
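The entries worth noticing in the log above are the ones a malware-removal helper checks first: Rundll32 launching randomly named DLLs out of system32 from Run keys (including the LOCAL SERVICE and NETWORK SERVICE hives) with one-letter exports, a populated O20 AppInit_DLLs list, O21/O22 load points whose file is already "(file missing)", an unnamed O2 BHO, and the same DLL (motipewo.dll) wired into four separate load points so that removing one copy leaves the others to reinstall it. The script below is an added example, not part of the original post and not a HijackThis feature; it parses HJT "O" lines and flags exactly those indicators. The sample log is constructed from lines of the posted log plus a few clean entries for contrast.

```python
"""Triage HijackThis 'O' entries for Vundo-style persistence indicators.

Added example (not from the original forum post or from HijackThis itself).
It flags: Rundll32 loading a system32 DLL from a Run key with a 1-2 character
export, a non-empty AppInit_DLLs value, SSODL/SharedTaskScheduler entries
marked '(file missing)', unnamed BHOs, and any system32 DLL that appears
in two or more different HJT sections (multiple load points).
"""
import re
from collections import Counter, defaultdict

# Constructed sample: lines taken from the HJT log posted above, with clean
# Symantec/Adobe entries mixed in so the heuristics have something to ignore.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2503d190-a5d5-4187-9b36-c780b73e7e43} - C:\WINDOWS\system32\yiwazisa.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [weduperadi] Rundll32.exe "C:\WINDOWS\system32\takadute.dll",s
O4 - HKLM\..\Run: [CPMc74bebcf] Rundll32.exe "c:\windows\system32\motipewo.dll",a
O4 - HKUS\S-1-5-19\..\Run: [weduperadi] Rundll32.exe "C:\WINDOWS\system32\takadute.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\tolukoho.dll c:\windows\system32\motipewo.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\motipewo.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\motipewo.dll (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# "O4 - <body>": section tag, then the rest of the entry.
HJT_LINE = re.compile(r'^(O\d+|R\d+|F\d+|N\d+)\s+-\s+(.*)$')
# Any drive-letter path ending in .dll; group 2 is the DLL basename.
DLL_PATH = re.compile(r'([A-Za-z]:\\[^"]*?\\([^\\"\s]+\.dll))', re.I)
# Rundll32 loading a system32 DLL and calling an export of only 1-2 characters
# (the ",s" / ",a" pattern above); legitimate exports have descriptive names.
RUNDLL = re.compile(
    r'rundll32(?:\.exe)?\s+"?([^"]*\\system32\\[^"\s]+\.dll)"?\s*,\s*(\w{1,2})(?:\s|$)',
    re.I,
)


def parse_entries(log_text):
    """Yield (section, body) for every HijackThis 'Oxx - ...' style line."""
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log_text):
    """Return a list of (indicator, detail) findings for the given HJT log text."""
    findings = []
    loadpoints = defaultdict(set)  # dll basename -> HJT sections it is loaded from
    for section, body in parse_entries(log_text):
        for full, base in DLL_PATH.findall(body):
            if '\\system32\\' in full.lower():
                loadpoints[base.lower()].add(section)
        if section == 'O4':
            m = RUNDLL.search(body)
            if m:
                findings.append(('rundll32_system32_dll',
                                 f'{m.group(1)} export {m.group(2)!r}'))
        elif section == 'O20' and body.lower().startswith('appinit_dlls:'):
            value = body.split(':', 1)[1].strip()
            if value:
                findings.append(('appinit_dlls', value))
        elif section in ('O21', 'O22') and '(file missing)' in body.lower():
            findings.append(('missing_file_loadpoint', body))
        elif section == 'O2' and '(no name)' in body.lower():
            findings.append(('unnamed_bho', body))
    # A DLL registered in several load points survives removal of any single one.
    for base, sections in sorted(loadpoints.items()):
        if len(sections) >= 2:
            findings.append(('dll_in_multiple_loadpoints',
                             f'{base}: {sorted(sections)}'))
    return findings


def finding_counts(log_text):
    """Count findings per indicator; handy for a one-line summary of a log."""
    return dict(Counter(kind for kind, _ in triage(log_text)))


if __name__ == '__main__':
    for kind, detail in triage(SAMPLE_LOG):
        print(f'{kind:28} {detail}')
    print(finding_counts(SAMPLE_LOG))
```

On the sample this reports three Rundll32 launches, one AppInit_DLLs value, two missing-file load points, one unnamed BHO, and motipewo.dll present in O4, O20, O21 and O22; the clean Adobe and Symantec lines produce nothing. The heuristics are deliberately narrow (system32 location plus a specific load-point pattern) so that ordinary vendor entries do not trip them.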



#2 Gary R

Gary R

    MRU Administrator

  • MRU Teachers
  • 1,510 posts

Posted 10 March 2009 - 05:07 AM

Looking over your log, back as soon as possible.

#3 Gary R

Gary R

    MRU Administrator

  • MRU Teachers
  • 1,510 posts

Posted 10 March 2009 - 05:28 AM

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Unless informed of in advance, failure to post replies within 5 days will result in this thread being closed.


Hi fustercluck

I'm Gary R, I'll be glad to help you with your computer problems.

Before we start: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • Remember, absence of symptoms does not mean the infection is all gone.
  • Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.
If you can do these things, everything should go smoothly.
  • If you're using XP, you'll need Administrator privileges to perform the fixes. (XP accounts are Administrator by default)
  • If you're using Vista, it will be necessary to right click all tools we use and select ----> Run as Administrator

It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


Before we start removing your infection, we need to disable Windows Defender, as it will try to interfere with what we're doing.

To disable Windows Defender Real-time Protection
  • Open Windows Defender.
  • Click on Tools > General Settings.
  • Scroll down to Real-time Protection Options.
  • Uncheck Turn on Real Time Protection (recommended).
  • Close Windows Defender.
Do not re-enable it until I ask you to.

Next

Download ComboFix from one of these locations and save it to your Desktop: (if you already have a copy of Combofix, delete it and use this version)

Link 1
Link 2
Link 3

IMPORTANT !!! ComboFix.exe must be run from your Desktop

  • Disable your AntiVirus and AntiSpyware applications, they may otherwise interfere with Combofix. There are details for disabling many programmes here.
  • Double click on ComboFix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install Microsoft Windows Recovery Console.

**Please note: If Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

Once Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you.

Please include this log in your next reply. ......... (it can also be found at C:\ComboFix.txt)

IMPORTANT
  • Do not use your computer while Combofix is running.
  • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  • If you've lost your Internet connection when Combofix has completely finished, re-start your computer to restore it.
If you have any problems with these instructions, a detailed Tutorial for how to use Combofix is available here.

Next

Run a new scan with HJT and post me the log please.

Summary of the logs I need from you in your next post:
  • Combofix log
  • New HJT log


Please post each log separately to prevent them being cut off by the forum post size limiter.

#4 fustercluck

fustercluck

    New Member

  • Authentic Member
  • 9 posts

Posted 10 March 2009 - 10:23 AM

combofix log

ComboFix 09-03-06.02 - Tom 2009-03-10 9:08:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.481 [GMT -7:00]
Running from: c:\documents and settings\Tom\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\zap4A7.tmp
c:\program files\FunWebProducts
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\History\search2
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\MyWebSearch\bar\Settings\setting2.htm
c:\program files\MyWebSearch\bar\Settings\settings.dat
c:\windows\IE4 Error Log.txt
c:\windows\system32\aguwomem.ini
c:\windows\system32\ajewunis.ini
c:\windows\system32\bszip.dll
c:\windows\system32\Cache
c:\windows\system32\eyijarur.ini
c:\windows\system32\gezazomi.dll
c:\windows\system32\mtjbyv.dll
c:\windows\system32\rurajiye.dll
c:\windows\system32\tolukoho.dll
c:\windows\system32\urojikem.ini
c:\windows\system32\uwudagug.ini
c:\windows\system32\wmedia106.exe
c:\windows\system32\yavaneyu.dll
c:\windows\system32\yiwazisa.dll

----- BITS: Possible infected sites -----

hxxp://82.98.235.205
.
((((((((((((((((((((((((( Files Created from 2009-02-10 to 2009-03-10 )))))))))))))))))))))))))))))))
.

2009-03-09 21:20 . 2009-03-09 21:20 <DIR> d-------- c:\program files\Trend Micro
2009-03-09 20:43 . 2009-03-09 20:43 30,880 --a------ c:\windows\system32\drivers\nopyhfdy.sys
2009-03-09 20:40 . 2009-03-09 20:40 30,880 --a------ c:\windows\system32\drivers\hecuqtot.sys
2009-03-09 20:39 . 2009-03-09 20:39 30,880 --a------ c:\windows\system32\drivers\nfdvkolr.sys
2009-03-09 20:38 . 2009-03-09 20:38 30,880 --a------ c:\windows\system32\drivers\abbedfrp.sys
2009-03-09 08:35 . 2009-03-09 08:35 2,713 ---hs---- c:\windows\system32\sohojire.dll
2009-03-09 08:34 . 2009-03-09 08:34 2,713 ---hs---- c:\windows\system32\zavituwe.dll
2009-03-09 08:34 . 2009-03-09 08:34 2,713 ---hs---- c:\windows\system32\temekatu.dll
2009-03-08 04:35 . 2009-03-08 04:35 30,880 --a------ c:\windows\system32\drivers\liimqxsk.sys
2009-03-08 04:35 . 2009-03-08 04:35 30,880 --a------ c:\windows\system32\drivers\agfzkpem.sys
2009-03-08 04:34 . 2009-03-08 04:35 30,880 --a------ c:\windows\system32\drivers\yjpedgdw.sys
2009-02-16 14:56 . 2009-02-16 14:56 <DIR> d-------- c:\documents and settings\Tom\Application Data\magicJackOutlookAddIn
2009-02-13 13:36 . 2009-02-13 13:36 <DIR> d-------- c:\program files\Microsoft Research
2009-02-10 19:03 . 2009-02-10 19:03 <DIR> d-------- c:\program files\InterCall Web Meeting
2009-02-10 19:03 . 2009-02-10 19:03 <DIR> d-------- c:\program files\Common Files\ICWM
2009-02-10 19:03 . 2009-02-10 19:03 <DIR> d-------- c:\documents and settings\Tom\Application Data\Web Meeting

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-10 16:13 --------- d-----w c:\program files\Symantec AntiVirus
2009-03-09 23:49 --------- d-----w c:\program files\DYMO Label
2009-03-08 11:20 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-25 03:49 --------- d-----w c:\documents and settings\Tom\Application Data\U3
2009-02-24 15:45 --------- d-----w c:\documents and settings\Tom\Application Data\AdobeUM
2009-02-20 16:10 --------- d-----w c:\documents and settings\Tom\Application Data\mjusbsp
2009-02-17 22:40 --------- d-----w c:\documents and settings\Tom\Application Data\ArcSoft
2009-02-09 21:23 --------- d-----w c:\program files\Java
2009-02-03 17:13 --------- d-----w c:\program files\Hide Your IP Address
2009-01-30 22:19 --------- d-----w c:\program files\Classified Ad Posting Utility
2009-01-30 22:18 737,280 ----a-w c:\windows\iun6002.exe
2009-01-29 18:53 --------- d-----w c:\documents and settings\Tom\Application Data\1&1
2009-01-29 18:52 --------- d-----w c:\program files\1&1
2009-01-23 19:36 --------- d-----w c:\program files\PostEverywhere
2009-01-20 01:54 --------- d-----w c:\program files\Citrix
2009-01-14 21:29 37,027 ----a-w c:\windows\atmoUn.exe
2009-01-14 21:29 --------- d-----w c:\program files\Viewpoint
2009-01-14 21:29 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-26 15:46 3,260 ----a-w c:\program files\Common Files\cfgbak.tgb
2007-01-30 22:38 92,064 ----a-w c:\documents and settings\Tom\mqdmmdm.sys
2007-01-30 22:38 9,232 ----a-w c:\documents and settings\Tom\mqdmmdfl.sys
2007-01-30 22:38 79,328 ----a-w c:\documents and settings\Tom\mqdmserd.sys
2007-01-30 22:38 66,656 ----a-w c:\documents and settings\Tom\mqdmbus.sys
2007-01-30 22:38 6,208 ----a-w c:\documents and settings\Tom\mqdmcmnt.sys
2007-01-30 22:38 5,936 ----a-w c:\documents and settings\Tom\mqdmwhnt.sys
2007-01-30 22:38 4,048 ----a-w c:\documents and settings\Tom\mqdmcr.sys
2007-01-30 22:38 25,600 ----a-w c:\documents and settings\Tom\usbsermptxp.sys
2007-01-30 22:38 22,768 ----a-w c:\documents and settings\Tom\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"1&1 EasyLogin"="c:\program files\1&1\1&1 EasyLogin\EasyLogin.exe" [2009-02-12 2200576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-09 148888]
"NGServer"="c:\program files\Symantec\Ghost\ngserver.exe" [2003-10-03 693416]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-05-08 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-09 110592]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 53248]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2006-11-07 169472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
--a------ 2008-11-20 11:06 178688 c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]
--a------ 2007-10-18 12:08 33280 c:\program files\AT&T\Communication Manager\ATTCM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
--a------ 2008-12-17 11:36 50520 c:\documents and settings\Tom\Application Data\mjusbsp\cdloader2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2004-05-12 15:18 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-02-12 13:38 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2003-10-01 11:01 53248 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoteBurner]
--a------ 2007-02-10 17:04 3371008 c:\program files\NoteBurner\VTBurnerGUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoExplosionCalCheck]
--a------ 2006-05-10 13:32 69632 c:\program files\Nova Development\Photo Explosion Deluxe 3.0\CalCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2004-01-27 14:39 1179648 c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-05-08 11:02 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2003-11-07 02:50 19968 c:\windows\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"bmwebcfg"=2 (0x2)
"ACDaemon"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Symantec\\Ghost\\GhostSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SolarWinds\\2002 Standard Edition\\TFTP-Server.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Documents and Settings\\Tom\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\1&1\\1&1 EasyLogin\\EasyLogin.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 ntcdrdrv;ntcdrdrv;c:\windows\system32\drivers\ntcdrdrv.sys [2007-02-24 13184]
R2 RDIConverterPrintHelper;RDI Document Conversion Helper;c:\program files\Common Files\ICWM\Printer\RDIConverterService.exe [2008-10-01 64888]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [2006-08-23 2368]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 EraserUtilDrv10910;EraserUtilDrv10910;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilDrv10910.sys [2009-03-08 101936]
S1 abbedfrp;abbedfrp;c:\windows\system32\drivers\abbedfrp.sys [2009-03-09 30880]
S1 agfzkpem;agfzkpem;c:\windows\system32\drivers\agfzkpem.sys [2009-03-08 30880]
S1 cdahoczz;cdahoczz;\??\c:\windows\system32\drivers\cdahoczz.sys --> c:\windows\system32\drivers\cdahoczz.sys [?]
S1 dbuiwzep;dbuiwzep;\??\c:\windows\system32\drivers\dbuiwzep.sys --> c:\windows\system32\drivers\dbuiwzep.sys [?]
S1 hecuqtot;hecuqtot;c:\windows\system32\drivers\hecuqtot.sys [2009-03-09 30880]
S1 rfmgoffk;rfmgoffk;\??\c:\windows\system32\drivers\rfmgoffk.sys --> c:\windows\system32\drivers\rfmgoffk.sys [?]
S1 wtbphjqy;wtbphjqy;\??\c:\windows\system32\drivers\wtbphjqy.sys --> c:\windows\system32\drivers\wtbphjqy.sys [?]
S1 yhytaecl;yhytaecl;\??\c:\windows\system32\drivers\yhytaecl.sys --> c:\windows\system32\drivers\yhytaecl.sys [?]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2007-10-18 109080]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-04-17 124608]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{37900684-f122-11da-9dd1-0007e959a92f}]
\Shell\AutoRun\command - H:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2eb9bea-cf9a-11dc-985a-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e8640332-e130-11dd-987d-0007e959a92f}]
\Shell\AutoRun\command - H:\autorun.exe
\Shell\phone\command - H:\autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2009-03-06 c:\windows\Tasks\EasyShare Registration Task.job
- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.9.20.1.sxt _RegistrationOffer@16 []

2009-03-10 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2009-03-10 c:\windows\Tasks\SDMsgUpdate (SD).job
- c:\program files\SmartDraw 7\Messages\SDNotify.exe [2005-08-23 11:09]
.
- - - - ORPHANS REMOVED - - - -

BHO-{2503d190-a5d5-4187-9b36-c780b73e7e43} - c:\windows\system32\yiwazisa.dll
BHO-{9255b10a-fec0-4435-abf6-5e64bc8971b7} - c:\windows\system32\mtjbyv.dll
ShellIconOverlayIdentifiers-{3FB11025-10BB-F31B-5817-947DC6173EB1} - c:\windows\system32\lmmofres.dIl
HKLM-Run-weduperadi - c:\windows\system32\takadute.dll
MSConfigStartUp-CPMc74bebcf - c:\windows\system32\motipewo.dll
MSConfigStartUp-PCTV4Me - c:\program files\PCTV4Me\pctv4me.exe
MSConfigStartUp-weduperadi - c:\windows\system32\takadute.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
LSP: bmnet.dll
DPF: {2202D225-22C1-4B8C-A4B8-6A7E7B7E1524} - hxxps://dalbey.on.intercall.com/confmgr/installs/ICWMInstall.cab
DPF: {5879B3B0-566E-4ECB-9B77-9A8A5E62AAB8} - hxxp://www.blackberry.com/DST2007/patch/desktop/DSTUpdateLoaderUSB.cab
DPF: {79D6214F-CFCE-480F-9901-27950E78F1E6} - hxxps://sslvpn.demo.sonicwall.com/MLWebCacheCleaner.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-10 09:15:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\00000678.exe 57448 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(636)
c:\windows\system32\bmnet.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Symantec\Ghost\bin\dbserv.exe
c:\program files\Symantec\Ghost\bin\rteng7.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\devldr32.exe
c:\program files\Symantec AntiVirus\DoScan.exe
c:\windows\system32\HPZipm12.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
.
**************************************************************************
.
Completion time: 2009-03-10 9:21:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-10 16:21:20

Pre-Run: 18,803,101,696 bytes free
Post-Run: 20,260,294,656 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

276 --- E O F --- 2009-03-10 16:17:52

#5 fustercluck (New Member, Authentic Member, 9 posts)

Posted 10 March 2009 - 10:25 AM

New HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:22:17 AM, on 3/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec\Ghost\ngserver.exe
C:\Program Files\Common Files\ICWM\Printer\RDIConverterService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec\Ghost\bin\dbserv.exe
C:\Program Files\Symantec\Ghost\bin\rteng7.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NGServer] C:\Program Files\Symantec\Ghost\ngserver.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [1&1 EasyLogin] C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {2202D225-22C1-4B8C-A4B8-6A7E7B7E1524} (ICWMInstallObj Class) - https://dalbey.on.in...ICWMInstall.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.co...ALStreaming.cab
O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://sslvpn.demo....l.com/XTSAC.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvi...iveXClient1.cab
O16 - DPF: {5879B3B0-566E-4ECB-9B77-9A8A5E62AAB8} (DeviceMon Class) - http://www.blackberr...teLoaderUSB.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1146535247014
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1146535597530
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://sslvpn.demo....l.com/msrdp.cab
O16 - DPF: {79D6214F-CFCE-480F-9901-27950E78F1E6} (WebCacheCleaner Class) - https://sslvpn.demo....acheCleaner.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.su...ows-i586-jc.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - PCTEL - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Symantec Ghost Database Service (ngdbserv) - Symantec Corporation - C:\Program Files\Symantec\Ghost\bin\dbserv.exe
O23 - Service: Symantec Ghost Configuration Server (NGServer) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngserver.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RDI Document Conversion Helper (RDIConverterPrintHelper) - Web Meeting - C:\Program Files\Common Files\ICWM\Printer\RDIConverterService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 10040 bytes

#6 Gary R (MRU Administrator, MRU Teachers, 1,510 posts)

Posted 10 March 2009 - 11:18 AM

OK, still work to do.

First

  • Click Start > Run type Notepad click OK.
  • This will open an empty Notepad file.
  • Copy/Paste the contents of the box below into Notepad.
File::
c:\windows\TEMP\00000678.exe
c:\windows\system32\drivers\nopyhfdy.sys
c:\windows\system32\drivers\hecuqtot.sys
c:\windows\system32\drivers\nfdvkolr.sys
c:\windows\system32\drivers\abbedfrp.sys
c:\windows\system32\sohojire.dll
c:\windows\system32\zavituwe.dll
c:\windows\system32\temekatu.dll
c:\windows\system32\drivers\liimqxsk.sys
c:\windows\system32\drivers\agfzkpem.sys
c:\windows\system32\drivers\yjpedgdw.sys
c:\windows\system32\drivers\cdahoczz.sys
c:\windows\system32\drivers\dbuiwzep.sys
c:\windows\system32\drivers\rfmgoffk.sys
c:\windows\system32\drivers\wtbphjqy.sys
c:\windows\system32\drivers\yhytaecl.sys

Driver::
abbedfrp
agfzkpem
cdahoczz
dbuiwzep
hecuqtot
rfmgoffk
wtbphjqy
yhytaecl

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{37900684-f122-11da-9dd1-0007e959a92f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2eb9bea-cf9a-11dc-985a-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e8640332-e130-11dd-987d-0007e959a92f}]
  • Click Format and ensure Wordwrap is unchecked.
  • Save as CFScript.txt to your Desktop.

(image: CFScript.txt being dragged onto ComboFix.exe)

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Combofix will now process that file.

When finished, it will produce a log for you. Post that log in your next reply please. (it can also be found at C:\Combofix.txt)

Next

  • Click Start > Run and type cleanmgr then click OK.
  • This will bring up the Disk Cleanup window.
  • Check the following entries.
    • Temporary Internet Files.
    • Recycle Bin.
    • Temporary Files.
  • Click OK.
  • When a prompt pops up click Yes.

Then

Please do a scan with ESET Online Scanner
Note: The scan will only work with Internet Explorer
  • Check the box "Yes, I accept the Terms of Use" and click Start
  • Accept the ActiveX by clicking the yellow bar at the top.
  • Install the software when prompted.
  • Read the Welcome notice and then click Start to download the necessary components.
  • When download is complete, make sure Remove found threats stays Unchecked.
  • Click Start to begin the scan.
  • After the scan completes, the Details tab in the Results window will display what was found.
  • A file will also be saved at: C:/program files/esetonlinescanner/log.txt
  • Please post me the content of that file.

Finally

Run a new scan with HJT and post me the log please.

Summary of the logs I need from you in your next post:
  • Latest Combofix log
  • E-Set log
  • New HJT log


Please post each log separately to prevent them being cut off by the forum post size limiter.
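
As an added example (not part of this thread, and not ComboFix's own code), the following Python script parses the two kinds of log entries that the CFScript above targets, in the formats they appeared in the ComboFix log posted earlier: the `S1 name;name;path [?]` driver-service lines and the `mountpoints2` AutoRun keys. It then renders the matching File::/Driver::/Registry:: sections in the same layout as the script above. The embedded log excerpt is constructed from entries shown in this thread; the eight-lowercase-letter name heuristic, the function names and the `extra_files` parameter are the example's own assumptions, and ComboFix itself does not generate CFScripts this way. The hidden `c:\windows\TEMP\00000678.exe` that catchme reported is passed in by hand, as it was in the reply.

```python
"""Triage helper for the two indicator types targeted by the CFScript in the
reply above: randomly named system-start (S1) kernel drivers and per-volume
MountPoints2 autorun commands, both as they appear in a ComboFix log.
Added example, not part of the thread and not ComboFix's own code."""
import re

# Constructed excerpt in ComboFix's line formats, built from entries shown in
# the logs posted earlier in this thread (paths and names copied from there).
SAMPLE_LOG = r"""
S1 cdahoczz;cdahoczz;\??\c:\windows\system32\drivers\cdahoczz.sys --> c:\windows\system32\drivers\cdahoczz.sys [?]
S1 hecuqtot;hecuqtot;c:\windows\system32\drivers\hecuqtot.sys [2009-03-09 30880]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2007-10-18 109080]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-04-17 124608]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{37900684-f122-11da-9dd1-0007e959a92f}]
\Shell\AutoRun\command - H:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e8640332-e130-11dd-987d-0007e959a92f}]
\Shell\AutoRun\command - H:\autorun.exe
\Shell\phone\command - H:\autorun.exe
"""

# "S<start> name;display;image path [date size]" is ComboFix's service line;
# "--> path [?]" means it could not find the image file on disk.
SERVICE_RE = re.compile(r"^S(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
MOUNTPOINT_KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.I)
MOUNTPOINT_CMD_RE = re.compile(r"^\\Shell\\[^\\]+\\command\s+-\s+(?P<cmd>.+)$", re.I)
# Heuristic (an assumption of this example, not a ComboFix rule): eight random
# lowercase letters, the naming pattern of every bogus driver in this thread.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")


def suspicious_drivers(log):
    """Return (service_name, image_path, missing_on_disk) for every S1 driver
    whose name matches the random-name heuristic. A missing file is still a
    finding: the service key remains and the loader retries it every boot."""
    hits = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m or m.group("start") != "1" or not RANDOM_NAME_RE.match(m.group("name")):
            continue
        rest = m.group("rest")
        missing = rest.endswith("[?]")
        # Take the resolved path after "-->" when present, drop "[date size]"/"[?]".
        path = rest.split("-->")[-1].rsplit("[", 1)[0].strip()
        hits.append((m.group("name"), path, missing))
    return hits


def autorun_mountpoints(log):
    """Return (registry_key, command) for each MountPoints2 shell command.
    Explorer runs these when the matching volume is opened, which is how an
    infected removable drive re-launches Setup.exe/autorun.exe."""
    hits, current_key = [], None
    for line in log.splitlines():
        s = line.strip()
        km = MOUNTPOINT_KEY_RE.match(s)
        if km:
            current_key = km.group("key")
            continue
        cm = MOUNTPOINT_CMD_RE.match(s)
        if cm and current_key:
            hits.append((current_key, cm.group("cmd")))
    return hits


def build_cfscript(drivers, mountpoints, extra_files=()):
    """Render File::/Driver::/Registry:: sections in the CFScript layout used
    in the reply above. "[-key]" deletes the whole key. Review the output
    before using it; the heuristics here are not a substitute for a human."""
    files = sorted({path for _, path, _ in drivers} | set(extra_files))
    names = sorted({name for name, _, _ in drivers})
    keys = list(dict.fromkeys(key for key, _ in mountpoints))  # unique, ordered
    lines = ["File::", *files, "", "Driver::", *names, "", "Registry::",
             *[f"[-{k}]" for k in keys]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    drv = suspicious_drivers(SAMPLE_LOG)
    mp = autorun_mountpoints(SAMPLE_LOG)
    # The hidden file catchme reported is added by hand, as in the reply.
    print(build_cfscript(drv, mp, extra_files=[r"c:\windows\TEMP\00000678.exe"]))
```

Two points worth checking in the output. First, a driver line ending in `[?]` means the image file is already gone but the service key is not; the script lists the name under Driver:: anyway, because the orphaned key is what keeps the loader looking for the file at every boot. Second, the MountPoints2 keys live under HKCU, so they come back as soon as the same removable drive is plugged into that profile again unless the drive itself is cleaned; deleting the key removes the trigger, not the payload on H:.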

#7 fustercluck (New Member, Authentic Member, 9 posts)

Posted 10 March 2009 - 03:18 PM

New HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:17:44 PM, on 3/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec\Ghost\ngserver.exe
C:\Program Files\Common Files\ICWM\Printer\RDIConverterService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec\Ghost\bin\dbserv.exe
C:\Program Files\Symantec\Ghost\bin\rteng7.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NGServer] C:\Program Files\Symantec\Ghost\ngserver.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [1&1 EasyLogin] C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {2202D225-22C1-4B8C-A4B8-6A7E7B7E1524} (ICWMInstallObj Class) - https://dalbey.on.in...ICWMInstall.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.co...ALStreaming.cab
O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://sslvpn.demo....l.com/XTSAC.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvi...iveXClient1.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5879B3B0-566E-4ECB-9B77-9A8A5E62AAB8} (DeviceMon Class) - http://www.blackberr...teLoaderUSB.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1146535247014
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1146535597530
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://sslvpn.demo....l.com/msrdp.cab
O16 - DPF: {79D6214F-CFCE-480F-9901-27950E78F1E6} (WebCacheCleaner Class) - https://sslvpn.demo....acheCleaner.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.su...ows-i586-jc.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - PCTEL - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Symantec Ghost Database Service (ngdbserv) - Symantec Corporation - C:\Program Files\Symantec\Ghost\bin\dbserv.exe
O23 - Service: Symantec Ghost Configuration Server (NGServer) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngserver.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RDI Document Conversion Helper (RDIConverterPrintHelper) - Web Meeting - C:\Program Files\Common Files\ICWM\Printer\RDIConverterService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 10126 bytes

#8 fustercluck (New Member, Authentic Member, 9 posts)

Posted 10 March 2009 - 03:21 PM

New Combo Fix log

ComboFix 09-03-06.02 - Tom 2009-03-10 10:24:33.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.443 [GMT -7:00]
Running from: c:\documents and settings\Tom\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tom\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\drivers\abbedfrp.sys
c:\windows\system32\drivers\agfzkpem.sys
c:\windows\system32\drivers\cdahoczz.sys
c:\windows\system32\drivers\dbuiwzep.sys
c:\windows\system32\drivers\hecuqtot.sys
c:\windows\system32\drivers\liimqxsk.sys
c:\windows\system32\drivers\nfdvkolr.sys
c:\windows\system32\drivers\nopyhfdy.sys
c:\windows\system32\drivers\rfmgoffk.sys
c:\windows\system32\drivers\wtbphjqy.sys
c:\windows\system32\drivers\yhytaecl.sys
c:\windows\system32\drivers\yjpedgdw.sys
c:\windows\system32\sohojire.dll
c:\windows\system32\temekatu.dll
c:\windows\system32\zavituwe.dll
c:\windows\TEMP\00000678.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\abbedfrp.sys
c:\windows\system32\drivers\agfzkpem.sys
c:\windows\system32\drivers\hecuqtot.sys
c:\windows\system32\drivers\liimqxsk.sys
c:\windows\system32\drivers\nfdvkolr.sys
c:\windows\system32\drivers\nopyhfdy.sys
c:\windows\system32\drivers\yjpedgdw.sys
c:\windows\system32\sohojire.dll
c:\windows\system32\temekatu.dll
c:\windows\system32\zavituwe.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_abbedfrp
-------\Service_agfzkpem
-------\Service_cdahoczz
-------\Service_dbuiwzep
-------\Service_hecuqtot
-------\Service_rfmgoffk
-------\Service_wtbphjqy
-------\Service_yhytaecl


((((((((((((((((((((((((( Files Created from 2009-02-10 to 2009-03-10 )))))))))))))))))))))))))))))))
.

2009-03-09 21:20 . 2009-03-09 21:20 <DIR> d-------- c:\program files\Trend Micro
2009-02-16 14:56 . 2009-02-16 14:56 <DIR> d-------- c:\documents and settings\Tom\Application Data\magicJackOutlookAddIn
2009-02-13 13:36 . 2009-02-13 13:36 <DIR> d-------- c:\program files\Microsoft Research
2009-02-10 19:03 . 2009-02-10 19:03 <DIR> d-------- c:\program files\InterCall Web Meeting
2009-02-10 19:03 . 2009-02-10 19:03 <DIR> d-------- c:\program files\Common Files\ICWM
2009-02-10 19:03 . 2009-02-10 19:03 <DIR> d-------- c:\documents and settings\Tom\Application Data\Web Meeting

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-10 17:31 --------- d-----w c:\program files\Symantec AntiVirus
2009-03-09 23:49 --------- d-----w c:\program files\DYMO Label
2009-03-08 11:20 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-25 03:49 --------- d-----w c:\documents and settings\Tom\Application Data\U3
2009-02-24 15:45 --------- d-----w c:\documents and settings\Tom\Application Data\AdobeUM
2009-02-20 16:10 --------- d-----w c:\documents and settings\Tom\Application Data\mjusbsp
2009-02-17 22:40 --------- d-----w c:\documents and settings\Tom\Application Data\ArcSoft
2009-02-09 21:23 --------- d-----w c:\program files\Java
2009-02-03 17:13 --------- d-----w c:\program files\Hide Your IP Address
2009-01-30 22:19 --------- d-----w c:\program files\Classified Ad Posting Utility
2009-01-30 22:18 737,280 ----a-w c:\windows\iun6002.exe
2009-01-29 18:53 --------- d-----w c:\documents and settings\Tom\Application Data\1&1
2009-01-29 18:52 --------- d-----w c:\program files\1&1
2009-01-23 19:36 --------- d-----w c:\program files\PostEverywhere
2009-01-20 01:54 --------- d-----w c:\program files\Citrix
2009-01-14 21:29 37,027 ----a-w c:\windows\atmoUn.exe
2009-01-14 21:29 --------- d-----w c:\program files\Viewpoint
2009-01-14 21:29 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-26 15:46 3,260 ----a-w c:\program files\Common Files\cfgbak.tgb
2007-01-30 22:38 92,064 ----a-w c:\documents and settings\Tom\mqdmmdm.sys
2007-01-30 22:38 9,232 ----a-w c:\documents and settings\Tom\mqdmmdfl.sys
2007-01-30 22:38 79,328 ----a-w c:\documents and settings\Tom\mqdmserd.sys
2007-01-30 22:38 66,656 ----a-w c:\documents and settings\Tom\mqdmbus.sys
2007-01-30 22:38 6,208 ----a-w c:\documents and settings\Tom\mqdmcmnt.sys
2007-01-30 22:38 5,936 ----a-w c:\documents and settings\Tom\mqdmwhnt.sys
2007-01-30 22:38 4,048 ----a-w c:\documents and settings\Tom\mqdmcr.sys
2007-01-30 22:38 25,600 ----a-w c:\documents and settings\Tom\usbsermptxp.sys
2007-01-30 22:38 22,768 ----a-w c:\documents and settings\Tom\usbsermpt.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-03-10_ 9.20.22.95 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-10 16:17:15 224,657 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-03-10 17:30:15 224,659 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-03-10 17:29:59 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_220.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"1&1 EasyLogin"="c:\program files\1&1\1&1 EasyLogin\EasyLogin.exe" [2009-02-12 2200576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-09 148888]
"NGServer"="c:\program files\Symantec\Ghost\ngserver.exe" [2003-10-03 693416]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-05-08 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-09 110592]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 53248]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2006-11-07 169472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
--a------ 2008-11-20 11:06 178688 c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]
--a------ 2007-10-18 12:08 33280 c:\program files\AT&T\Communication Manager\ATTCM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
--a------ 2008-12-17 11:36 50520 c:\documents and settings\Tom\Application Data\mjusbsp\cdloader2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2004-05-12 15:18 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-02-12 13:38 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2003-10-01 11:01 53248 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoteBurner]
--a------ 2007-02-10 17:04 3371008 c:\program files\NoteBurner\VTBurnerGUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoExplosionCalCheck]
--a------ 2006-05-10 13:32 69632 c:\program files\Nova Development\Photo Explosion Deluxe 3.0\CalCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2004-01-27 14:39 1179648 c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-05-08 11:02 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2003-11-07 02:50 19968 c:\windows\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"bmwebcfg"=2 (0x2)
"ACDaemon"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Symantec\\Ghost\\GhostSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SolarWinds\\2002 Standard Edition\\TFTP-Server.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Documents and Settings\\Tom\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\1&1\\1&1 EasyLogin\\EasyLogin.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 ntcdrdrv;ntcdrdrv;c:\windows\system32\drivers\ntcdrdrv.sys [2007-02-24 13184]
R2 RDIConverterPrintHelper;RDI Document Conversion Helper;c:\program files\Common Files\ICWM\Printer\RDIConverterService.exe [2008-10-01 64888]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [2006-08-23 2368]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 EraserUtilDrv10910;EraserUtilDrv10910;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilDrv10910.sys [2009-03-08 101936]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2007-10-18 109080]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-04-17 124608]
.
Contents of the 'Scheduled Tasks' folder

2009-03-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2009-03-06 c:\windows\Tasks\EasyShare Registration Task.job
- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.9.20.1.sxt _RegistrationOffer@16 []

2009-03-10 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2009-03-10 c:\windows\Tasks\SDMsgUpdate (SD).job
- c:\program files\SmartDraw 7\Messages\SDNotify.exe [2005-08-23 11:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
LSP: bmnet.dll
DPF: {2202D225-22C1-4B8C-A4B8-6A7E7B7E1524} - hxxps://dalbey.on.intercall.com/confmgr/installs/ICWMInstall.cab
DPF: {5879B3B0-566E-4ECB-9B77-9A8A5E62AAB8} - hxxp://www.blackberry.com/DST2007/patch/desktop/DSTUpdateLoaderUSB.cab
DPF: {79D6214F-CFCE-480F-9901-27950E78F1E6} - hxxps://sslvpn.demo.sonicwall.com/MLWebCacheCleaner.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-10 10:30:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(656)
c:\windows\system32\bmnet.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Symantec\Ghost\bin\dbserv.exe
c:\program files\Symantec\Ghost\bin\rteng7.exe
c:\windows\system32\devldr32.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\HPZipm12.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
.
**************************************************************************
.
Completion time: 2009-03-10 10:35:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-10 17:35:39
ComboFix2.txt 2009-03-10 16:21:33

Pre-Run: 20,211,118,080 bytes free
Post-Run: 20,248,375,296 bytes free

253 --- E O F --- 2009-03-10 16:17:52
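
An added example, not part of the thread and not ComboFix's own code: a small Python triage pass over lines in the shape of the "Reg Loading Points" section printed above (Run keys and the XP firewall's GloballyOpenPorts list). The sample log in the block is constructed for the demonstration, its entry names, paths and second port line are placeholders, and the flagging rules are this example's own heuristics rather than anything the tool reports. The log posted above does contain "3389:TCP" under GloballyOpenPorts, which is Remote Desktop exposed to the whole network, and that is exactly the kind of line a reviewer wants pulled out for a second look.

```python
"""Triage pass over autostart and firewall lines from a ComboFix-style log.

Added example, not part of the forum thread and not ComboFix's own code.
It parses lines in the shape of the 'Reg Loading Points' section and
flags what a reviewer would want to eyeball. The sample log below is
constructed (names, paths and the second port line are placeholders),
and the flagging rules are this example's own heuristics.
"""
import re

# Constructed sample in the format ComboFix prints: a Run key, then the
# XP firewall's globally open port list.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"updhelper"="c:\documents and settings\user\Application Data\updhelper\upd.exe" [2009-03-01 50520]
"dllstart"="rundll32.exe c:\windows\system32\sample.dll,Start" []

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"80:TCP"= 80:TCP:sample web server
'''

SECTION = re.compile(r'^\[(?P<key>[^\]]+)\]$')
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"')
OPEN_PORT = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=')

# Heuristic 1: autostart targets under user-writable profile or temp
# directories. Installers that run with admin rights mostly drop their
# binaries under Program Files or the Windows directory instead.
USER_WRITABLE = re.compile(r'\\(application data|local settings|temp)\\', re.IGNORECASE)
# Heuristic 2: autostart via rundll32, which just loads a DLL export;
# worth checking which DLL it names and whether it is still on disk.
LOADER = re.compile(r'\brundll32(\.exe)?\b', re.IGNORECASE)
# Heuristic 3: remote-admin and file-sharing ports a home PC should not
# expose to the whole network (RPC, NetBIOS, SMB, RDP).
RISKY_PORTS = {135, 139, 445, 3389}


def parse_loading_points(text):
    """Yield (section, kind, detail) for Run entries and open-port lines."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            section = m.group('key')
            continue
        if not line or section is None:
            continue
        m = OPEN_PORT.match(line)
        if m and 'GloballyOpenPorts' in section:
            yield section, 'port', (int(m.group('port')), m.group('proto'))
            continue
        m = RUN_ENTRY.match(line)
        if m:
            yield section, 'run', (m.group('name'), m.group('target'))


def triage(text):
    """Return [(reason, detail), ...] in log order, for a human to review."""
    findings = []
    for section, kind, detail in parse_loading_points(text):
        if kind == 'port':
            port, proto = detail
            if port in RISKY_PORTS:
                findings.append(('globally open remote-admin/file-sharing port',
                                 '%d/%s' % (port, proto)))
        else:
            name, target = detail
            if USER_WRITABLE.search(target):
                findings.append(('autostart from user-writable path',
                                 '%s -> %s' % (name, target)))
            if LOADER.search(target):
                findings.append(('autostart via rundll32 DLL loader',
                                 '%s -> %s' % (name, target)))
    return findings


if __name__ == '__main__':
    for reason, detail in triage(SAMPLE_LOG):
        print('%-45s %s' % (reason, detail))
```

The heuristics are deliberately loud rather than precise: a flagged entry is a prompt to look at the file (publisher, timestamp, whether it exists at all), not a verdict, and a Run entry pointing at a vendor binary under Application Data is common enough that a human still has to decide.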

#9 fustercluck (New Member, Authentic Member, 9 posts)

Posted 10 March 2009 - 03:22 PM

ESET log
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3924 (20090310)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=67774f707964254cabfa53953d07d33a
# end=finished
# remove_checked=false
# unwanted_checked=false
# utc_time=2009-03-10 08:00:17
# local_time=2009-03-10 01:00:17 (-0800, Pacific Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=874031
# found=0
# scan_time=8294

#10 Gary R (MRU Administrator, MRU Teachers, 1,510 posts)

Posted 10 March 2009 - 04:53 PM

Latest logs look good. Time for a little tidying up, then I'll make a few recommendations about security.

First

Let's clear out Combofix and the files/folders it created
  • Click Start > Run
  • Copy/Paste ComboFix /u into the Run box.
  • Click OK
  • Combofix will now delete its files and folders and also perform the following function.
  • Clears System Restore cache and creates a new Restore point. This will remove any "malicious" System Restore files, which may have been created whilst your computer was infected.
IMPORTANT
  • Do not use your computer while Combofix is running.
  • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Next

Re-enable Windows Defender.

To re-enable Windows Defender Real-time Protection
  • Open Windows Defender.
  • Click on Tools > General Settings.
  • Scroll down to Real-time Protection Options.
  • Check Turn on Real Time Protection (recommended).
  • Close Windows Defender.

As far as I can see, your computer looks clear of infection now.

Are you still noticing any problems?
  • If you are let me know about them.
  • If not it's time to make your computer more secure.

Before I make any recommendations, I'd like to give a simplified overview of how your defensive systems work and what you can do to protect yourself better in future.

The average home computer has approximately 64,000 ports through which it can communicate. By default these ports are open and can be used by any programme which cares to access them, either from within the computer or from without. If you were to go online with a computer in this condition you would quickly be attacked and your computer would be infected.

To prevent this you install a Firewall. A firewall will close all open ports and you then open the ones you need by setting "rules" for them according to the instructions supplied with the Firewall programme. Usually you will have ports open for your Internet Browser, your e-mail client, and the update functions for various programmes.

These "open" ports will not be fully accessible, in that they will only allow a communication if it was instigated from within your computer. Any unsolicited communications from outside are blocked.

However if you are tricked into starting the communication, then as far as your Firewall is concerned it is a legit transaction and it will open the port. So by clicking on malicious links, replying to unsolicited e-mails and attachments, and downloading from unsafe sources, you are effectively bypassing any protection your Firewall supplies.

At this point your Anti-Spyware and Anti-Virus programmes take over. The real-time-protection in these constantly scan the data stream in your open ports looking for things that match with items in the database they have within them. If they find something then they will alert you, or quarantine it, or delete it, according to the rules set within the programme.

However, as you can see, if the database does not contain details of the infection that's attacking you, then your Anti-Virus or Anti-Spyware programmes will not protect you. There are new infections (or new variations of old infections) created every day, which is why it's vital to keep your programmes up to date. Even with a fully updated database though, you are still playing catch-up, which is why your Firewall, Anti-Virus and Anti-Spyware programmes cannot ever give you 100% protection.

Adding more and more programmes will not give you more and more protection; it's up to you to take some responsibility for your online actions, and modify them to give your programmes the best chance of protecting you.

Be careful what you click on.

  • Don't download anything from a site you do not know and trust. Remember, there's no such thing as a free lunch; if something seems too good to be true, it is. Malware purveyors love to offer out freebies as bait, knowing full well that one unguarded click is all it takes.
  • Don't reply to unsolicited e-mails.
  • Don't open e-mail attachments (even from friends) without checking with the source to ensure they actually sent them.
  • Don't use P2P file sharing programmes. Even the ones that don't come bundled (and many do) are not safe. By using them you are effectively downloading from an unknown source, with all the dangers described above.


OK, so how do we set about protecting you?

You should definitely have one of each of the following programmes.
  • Firewall
  • Anti-Virus
  • Anti-Spyware
You do not need more than one of each. More than one will cause conflicts, and will not improve your security.

If you don't already have them, then these are links to lists of free programmes.

You'll increase your chances of not getting infected if you don't land on an infected website in the first place.

There are a couple of ways to do this
  • Block access to sites known to spread Malware.
  • Give you clear indication of which they are, so that you can make choices.
To block access to known bad sites we use a Hosts file.

Download HostsXpert and unzip it to your computer, somewhere where you can find it.

  • Double click on HostsXpert.exe to launch the programme.
  • Check to see if top button on left hand side says Make Writable ?
    • If it does, click on it then proceed to next instruction.
    • If not, just proceed to next instruction
  • Click on the Download button (lower left hand side)
    • Click on MVPs Hosts... button.
    • Click on Replace button.
    • Press OK in the box that pops up. (HostsXpert will now download and update your Hosts file)
  • When finished.
    • Click on File Handling button.
    • Click on Make Read Only ? to secure it against infection.
  • Exit the programme.

To give you an indication of which sites may contain bad links or suspect downloads I like to use Site Advisor.
This is a utility that can be downloaded and installed. It loads an icon to the taskbar of your browser (versions for IE and Firefox), indicating the trustworthiness of the site you are on. Green for safe, Red for suspicious. Click on the icon to access details that SiteAdvisor has about the site. It also gives the same colour indications in the results page when you do a Google search, making it easier to decide which sites are safe to visit.

Remove known vulnerabilities
  • Update your Java

    Older versions have vulnerabilities that malware can use, and is using, to infect systems.

    Please follow these steps to remove older version Java components. This is important as it's still possible to get infected through an old install even if you're using the latest version of Java.

    Download JavaRa by Prm753 and unzip it to your desktop.

  • Double-click on JavaRa.exe to start the program.
  • Click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted.
  • When JavaRa is done, a notice will appear that a logfile has been produced.
  • Click OK.
  • The logfile will pop up.
  • Please save it to a convenient location.

Now download and install Java Runtime Environment (JRE) 6 Update 11.
  • Update Windows and Internet Explorer
    It is essential you keep your Operating System up to date with all the latest patches. The bad guys watch for the latest exploits; as soon as Microsoft brings out a patch, the bad guys will bring out an infection to exploit that vulnerability. If you don't have all the latest patches your computer is vulnerable. Please go to the Windows Update site and get the critical updates.
  • Use a "secure" browser
    Install Internet Explorer 7 or an alternative browser like Firefox or Opera for more secure surfing.
    Please remember that there is no such thing as a totally secure browser. Your browsing habits will be the major factor in determining just how safe you are online. If you visit Crack/Warez sites, Porn sites, or other sites of a questionable nature, you still run a severe risk of getting infected.
  • Do not use P2P file sharing programmes
    I'd like you to read the Guidelines for P2P Programs where it's explained why it's not a good idea to have them.

    My recommendation is you go to Control Panel > Add/Remove Programs and uninstall any P2P programs you have installed.
  • Obviously you have already taken care of some of the issues mentioned, but it is important that you read through them, and address any that you may have missed.

Here are links to a few articles which are worth reading
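
An added example, not part of the thread, of HostsXpert, or of the MVPS list: the Hosts file step in the post above blocks a site by mapping its name to a dead address, and this Python block models what that does and does not cover. The hosts text inside it is constructed for the demonstration (names under the reserved .invalid TLD, 192.0.2.10 from the documentation range), the first-entry-wins and comment-stripping rules are the hosts-file behaviour being modelled, and the watch list passed to `uncovered` is a placeholder.

```python
"""What a hosts-file blocklist does, and does not, cover.

Added example, not part of the forum thread, HostsXpert or the MVPS
list. The hosts text below is constructed for the demonstration; its
names sit under the reserved .invalid TLD and 192.0.2.10 is in the
documentation range, so nothing here refers to a real site.
"""
import ipaddress

# Addresses blocklists map unwanted names to, so the connection fails fast.
SINKHOLES = {'0.0.0.0', '127.0.0.1', '::1'}
# Names that legitimately resolve to loopback and must not count as blocked.
LOOPBACK_NAMES = {'localhost'}

SAMPLE_HOSTS = """\
# constructed sample in hosts syntax: <address> <name> [more names...]
127.0.0.1       localhost
0.0.0.0         ads.example.invalid
0.0.0.0         tracker.example.invalid   cdn.tracker.example.invalid
192.0.2.10      ads.example.invalid       # duplicate: the first entry wins
not-an-address  junk.example.invalid      # malformed line, ignored

127.0.0.1       Malicious.Example.Invalid # trailing comment, mixed case
"""


def parse_hosts(text):
    """Return {hostname.lower(): address}; the first entry for a name wins."""
    table = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                          # malformed address: skip the line
        for name in fields[1:]:
            table.setdefault(name.lower(), addr)
    return table


def is_blocked(table, hostname):
    """True when the hosts file sinkholes this exact name.

    Hosts files have no wildcards: a name is blocked only if it appears
    verbatim, so an unlisted subdomain, or a link that uses the IP
    address directly, is not affected at all.
    """
    name = hostname.rstrip('.').lower()
    if name in LOOPBACK_NAMES:
        return False
    return table.get(name) in SINKHOLES


def uncovered(table, hostnames):
    """Names from a watch list that the hosts file would not block."""
    return [h for h in hostnames if not is_blocked(table, h)]


if __name__ == '__main__':
    t = parse_hosts(SAMPLE_HOSTS)
    for h in ('ads.example.invalid', 'www.ads.example.invalid', 'localhost'):
        print('%-28s blocked=%s' % (h, is_blocked(t, h)))
```

The point of `uncovered` is the caveat: a hosts file is a list of exact names, so it is only as good as its last update and says nothing about a site reached by a fresh hostname or straight by IP. That is why the post pairs it with a site-reputation tool and, above all, with careful clicking.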


#11 fustercluck (New Member, Authentic Member, 9 posts)

Posted 10 March 2009 - 06:17 PM

All seems to be working good now. Thanks for all your help.....

#12 Gary R (MRU Administrator, MRU Teachers, 1,510 posts)

Posted 11 March 2009 - 04:15 AM

You're welcome, glad we could help you. Keep safe. Gary

#13 Gary R (MRU Administrator, MRU Teachers, 1,510 posts)

Posted 11 March 2009 - 04:15 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
