Topic: trojan horge sheur2.gas
4jcoonts
Topic Starter
Rookie



Posts: 12


« on: December 22, 2008, 12:05:18 PM »

My computer seems to be totally taken over. It will not let me access Internet Explorer at all. It will also not let me update or install any virus scans. I am currently running AVG. AVG picks up on the virus but it just comes right back. HELP...my computer is useless until I get it fixed.
I am on my work computer to post this.
evilfantasy
Malware Removal Specialist
Moderator
Genius



Thanked: 462
Posts: 11,769

Experience: Beginner
OS: Windows 7


Calm like a bomb

evilfantasy's blog
« Reply #1 on: December 22, 2008, 12:10:54 PM »

Can you get into your Control Panel?

Click Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.
  • Scroll down to “Non-plug and Play Drivers” and click the plus icon to open those drivers.
  • Then search for TDSSserv.sys.
  • Let me know if you find this or not.
  • If you do find it, right-click on it and select “Disable”. Do not try to uninstall it.
  • Also if this is found and you disable it.
  • Now reboot and see if you can run the other scans that would not run.
Then work through the instructions here http://www.computerhope.com/forum/index.php/topic,46313.0.html
4jcoonts
« Reply #2 on: December 22, 2008, 01:22:42 PM »

I can't seem to get it turned on now??? If I can get it started in Safe Mode, could I try these steps from there?
evilfantasy
« Reply #3 on: December 22, 2008, 01:39:10 PM »

Yes it's worth a try.
4jcoonts
« Reply #4 on: December 22, 2008, 02:16:59 PM »

That seemed to work. I have now been able to download Avira Antivirus. I had AVG but per this site's recommendation I changed to the other freeware since I only had the unsupported version 7.5.

I tried to run the computer in regular mode but warnings come up so fast that I cannot close them fast enough to do anything else.  I am currently in safe mode running a full system scan.

What steps should I take next? One site I had visited earlier said to run anti-malware...is this recommended?
evilfantasy
« Reply #5 on: December 22, 2008, 04:04:38 PM »

Then work through as many of the instructions as you can here: http://www.computerhope.com/forum/index.php/topic,46313.0.html
4jcoonts
« Reply #6 on: December 22, 2008, 04:25:05 PM »

I had to run Malwarebytes first because SUPERAntiSpyware wouldn't run.

After running Malwarebytes I was able to run SUPERAntiSpyware. Should I run Malwarebytes again? I am now actually able to use the computer in normal mode. :)
I am now moving on to step 5.

The other problem I am having is that no pictures show up on any webpage. I have to right-click and download pictures on every single picture???


Malwarebytes' Anti-Malware 1.31
Database version: 1533
Windows 5.1.2600 Service Pack 3

12/22/2008 2:17:50 PM
mbam-log-2008-12-22 (14-17-50).txt

Scan type: Quick Scan
Objects scanned: 50808
Time elapsed: 2 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 28
Registry Values Infected: 7
Registry Data Items Infected: 4
Folders Infected: 5
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\hedagako.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{649a7765-b602-4855-a5cf-fb202b718247} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{649a7765-b602-4855-a5cf-fb202b718247} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\playmp3 (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\PlayMP3 (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\fbrowsingadvisor_is1 (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\temusorupu (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm47e538f0 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jnskdfmf9eldfd (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: c:\windows\system32\hedagako.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\hedagako.dll  -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: system32\hedagako.dll -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowserAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\PlayMP3z (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\PlayMP3z (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\hedagako.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\lovojefu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\regxpcom.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\IXPCOMEvents.xpt (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\Logo.png (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\main.db (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\unins000.dat (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\unins000.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\XPCOMEvents.dll (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\PlayMP3z\PlayMP3.exe (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
C:\Program Files\PlayMP3z\uninstall.exe (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\PlayMP3z\Run PlayMP3z.lnk (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSlxwp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSkkbi.log (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\core.cache.dsk (Rootkit.Agent) -> Quarantined and deleted successfully.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/22/2008 at 03:09 PM

Application Version : 4.23.1006

Core Rules Database Version : 3681
Trace Rules Database Version: 1659

Scan type       : Complete Scan
Total Scan Time : 00:44:01

Memory items scanned      : 434
Memory threats detected   : 0
Registry items scanned    : 5363
Registry threats detected : 8
File items scanned        : 61208
File threats detected     : 1

Rogue.Component/Trace
   HKLM\Software\Microsoft\44D619E2
   HKLM\Software\Microsoft\44D619E2#44d619e2
   HKLM\Software\Microsoft\44D619E2#Version
   HKLM\Software\Microsoft\44D619E2#44d6b462
   HKLM\Software\Microsoft\44D619E2#44d6dd87
   HKU\S-1-5-21-842925246-1580818891-725345543-1005\Software\Microsoft\CS41275
   HKU\S-1-5-21-842925246-1580818891-725345543-1005\Software\Microsoft\FIAS4018

Trojan.Fake-Alert/Trace
   HKU\S-1-5-21-842925246-1580818891-725345543-1005\SOFTWARE\Microsoft\fias4013

Rootkit.TDSServ-Trace
   C:\WINDOWS\SYSTEM32\TDSSLRVD.DAT
evilfantasy
« Reply #7 on: December 22, 2008, 04:28:56 PM »

No you don't need to run MBAM again.
4jcoonts
« Reply #8 on: December 22, 2008, 04:44:44 PM »

HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:42:50 PM, on 12/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\eMachines Bay  Reader\shwiconem.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay  Reader\shwiconem.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB002" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [temusorupu] Rundll32.exe "C:\WINDOWS\system32\dulupuhu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [temusorupu] Rundll32.exe "C:\WINDOWS\system32\dulupuhu.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: CPU Meter.lnk = C:\WINDOWS\system32\taskmgr.exe
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204750832468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204750898859
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O20 - AppInit_DLLs:  c:\windows\system32\yivimefe.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: tuvWomLf - tuvWomLf.dll (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9383 bytes
evilfantasy
« Reply #9 on: December 22, 2008, 04:51:09 PM »

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)
  • O4 - HKUS\S-1-5-19\..\Run: [temusorupu] Rundll32.exe "C:\WINDOWS\system32\dulupuhu.dll",s (User 'LOCAL SERVICE')
  • O4 - HKUS\S-1-5-20\..\Run: [temusorupu] Rundll32.exe "C:\WINDOWS\system32\dulupuhu.dll",s (User 'NETWORK SERVICE')
  • O20 - AppInit_DLLs: c:\windows\system32\yivimefe.dll
  • O20 - Winlogon Notify: tuvWomLf - tuvWomLf.dll (file missing)
Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis.

----------

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

Note: It is important that it is saved directly to your Desktop.

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.

For Windows XP Systems install the Recovery Console:

- If you are using Windows XP and do not already have the Recovery Console installed, please ensure your Internet connection is active (if possible) and click Yes.
- If for some reason your Internet is not working click No.
- If you are not using Windows XP, you will not be prompted.
- When prompted to accept the EULA click OK.
- Accept Microsoft's EULA (Click Yes).
- When you are told that the RC is installed correctly click YES to continue scanning for malware.

When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
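The four entries evilfantasy asks to have fixed share recognisable traits: a Rundll32 autorun loading a DLL straight out of system32 under the LOCAL SERVICE and NETWORK SERVICE hives, a populated AppInit_DLLs value, and a Winlogon Notify handler whose DLL is gone. As an added example (not code from the thread, from HijackThis, or from any tool named in it), this Python script turns those traits into explicit triage rules and runs them over lines constructed from the HJT log in Reply #8; the rules are a generalisation of that reasoning, and the script only reports, it changes nothing on the machine.

```python
"""Triage rules for HijackThis-style log lines.

Added example; not code from the thread, from HijackThis or from any of the
tools named in it. It turns the reasoning behind the four entries flagged in
Reply #9 into explicit checks: an autorun that loads a DLL straight from
system32 through Rundll32, a populated AppInit_DLLs value, and a Winlogon
Notify handler whose DLL no longer exists. It only reports; it changes nothing.
"""
import re

# Constructed sample: benign and suspicious lines taken from the HJT log in Reply #8.
SAMPLE_LOG = r"""
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKUS\S-1-5-19\..\Run: [temusorupu] Rundll32.exe "C:\WINDOWS\system32\dulupuhu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [temusorupu] Rundll32.exe "C:\WINDOWS\system32\dulupuhu.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs:  c:\windows\system32\yivimefe.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: tuvWomLf - tuvWomLf.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# "O4 - <body>": section code, then the entry itself.
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# O4 body of the Run-key form: "<hive>\..\Run: [<name>] <command>"
O4_RUN = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# Rundll32 loading a DLL that lives directly in system32.
RUNDLL_SYSTEM32 = re.compile(
    r'Rundll32\.exe\s+"?(?P<dll>[a-z]:\\windows\\system32\\[^"\s,]+\.dll)', re.I)
# Winlogon Notify body whose handler DLL is gone: "<name> - <dll> (file missing)"
WINLOGON_MISSING = re.compile(r"^Winlogon Notify: (?P<name>[^-]+) - (?P<dll>.+?) \(file missing\)$")


def check_o4(body):
    """Flag Run-key entries that use Rundll32 to load a DLL straight from system32."""
    run = O4_RUN.match(body)
    if not run:
        return None  # Startup-folder entries and other O4 forms are not covered here
    hit = RUNDLL_SYSTEM32.search(run.group("cmd"))
    if not hit:
        return None
    return {
        "dll": hit.group("dll"),
        "reason": "Rundll32 autorun loading a DLL from system32 under hive %s "
                  "(the pattern seen with Trojan.Vundo)" % run.group("hive"),
    }


def check_o20(body):
    """Flag a populated AppInit_DLLs value or a Winlogon Notify handler with no DLL."""
    if body.startswith("AppInit_DLLs:"):
        value = body[len("AppInit_DLLs:"):].strip()
        if value:
            return {"dll": value,
                    "reason": "AppInit_DLLs is set; this DLL is injected into every "
                              "process that loads user32.dll"}
        return None
    missing = WINLOGON_MISSING.match(body)
    if missing:
        return {"dll": missing.group("dll"),
                "reason": "Winlogon Notify handler '%s' points at a DLL that no longer "
                          "exists (orphaned persistence entry)" % missing.group("name")}
    return None


CHECKS = {"O4": check_o4, "O20": check_o20}


def triage(log_text):
    """Run the section checks over every line and return the entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        parsed = HJT_LINE.match(raw.strip())
        if not parsed:
            continue
        section, body = parsed.group("section"), parsed.group("body")
        check = CHECKS.get(section)
        if check is None:
            continue
        result = check(body)
        if result:
            findings.append({"section": section, "line": raw.strip(), **result})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%s  %s\n      -> %s" % (f["section"], f["line"], f["reason"]))
```

Run against the sample it reports exactly the four lines the helper checked and nothing else; the benign !SASWinLogon and ehTray entries pass.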

4jcoonts
« Reply #10 on: December 22, 2008, 09:06:07 PM »

Here is the log from ComboFix:
ComboFix 08-12-21.04 - Owner 2008-12-22 19:45:17.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2036.1569 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\windows\system32\ayarahej.ini
c:\windows\system32\ehukakum.ini
c:\windows\system32\RBaHOqss.ini
c:\windows\system32\RBaHOqss.ini2
c:\windows\system32\talthjsd.ini

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


(((((((((((((((((((((((((   Files Created from 2008-11-23 to 2008-12-23  )))))))))))))))))))))))))))))))
.

2008-12-22 15:37 . 2008-12-22 15:37   <DIR>   d--------   c:\program files\Trend Micro
2008-12-22 14:21 . 2008-12-22 14:21   <DIR>   d--------   c:\program files\SUPERAntiSpyware
2008-12-22 14:21 . 2008-12-22 14:21   <DIR>   d--------   c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2008-12-22 14:21 . 2008-12-22 14:21   <DIR>   d--------   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-22 14:07 . 2008-12-22 14:07   <DIR>   d--------   c:\documents and settings\Owner\Application Data\Malwarebytes
2008-12-22 14:06 . 2008-12-22 14:06   <DIR>   d--------   c:\program files\Common Files\Wise Installation Wizard
2008-12-22 13:56 . 2008-12-22 13:56   <DIR>   d--------   c:\program files\CCleaner
2008-12-22 13:49 . 2008-12-22 13:49   8,192   --a------   c:\documents and settings\Jamie
2008-12-22 12:54 . 2008-12-22 12:54   <DIR>   d--------   c:\program files\Avira
2008-12-22 12:54 . 2008-12-22 12:54   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Avira
2008-12-22 10:11 . 2008-12-22 11:22   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
2008-12-22 10:11 . 2008-12-22 10:11   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-22 10:11 . 2008-12-03 19:53   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-22 10:11 . 2008-12-03 19:53   15,504   --a------   c:\windows\system32\drivers\mbam.sys
2008-12-21 22:21 . 2008-11-10 05:43   410,984   --a------   c:\windows\system32\deploytk.dll
2008-12-21 20:15 . 2008-12-21 21:30   <DIR>   d--------   c:\windows\system32\cap2
2008-12-21 20:15 . 2008-12-21 20:16   <DIR>   d--------   c:\windows\system32\ain
2008-12-21 20:15 . 2008-12-21 20:15   <DIR>   d--------   c:\temp\REX81
2008-12-21 20:15 . 2008-12-22 19:45   <DIR>   d--------   C:\Temp
2008-12-21 19:54 . 2008-12-21 19:54   <DIR>   d--------   c:\windows\Sun

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-23 03:48   ---------   d-----w   c:\documents and settings\Owner\Application Data\LimeWire
2008-12-22 23:33   ---------   d-----w   c:\program files\Java
2008-12-22 21:50   ---------   d-----w   c:\documents and settings\All Users\Application Data\avg7
2008-12-22 21:49   ---------   d-----w   c:\documents and settings\Owner\Application Data\AVG7
2008-10-28 04:51   ---------   d-----w   c:\documents and settings\All Users\Application Data\EPSON
2008-10-28 04:29   ---------   d-----w   c:\program files\Google
2008-10-28 04:03   ---------   d-----w   c:\program files\Microsoft.NET
2008-10-28 04:03   ---------   d-----w   c:\program files\Microsoft ActiveSync
2008-10-28 03:56   ---------   d-----w   c:\documents and settings\Owner\Application Data\Leadertech
2008-10-28 03:54   ---------   d--h--w   c:\program files\InstallShield Installation Information
2008-10-28 03:54   ---------   d-----w   c:\program files\Smart Panel
2008-10-28 03:54   ---------   d-----w   c:\program files\ABBYY FineReader 5.0 Sprint
2008-10-28 03:53   ---------   d-----w   c:\program files\EPSON
2008-10-25 08:06   ---------   d-----w   c:\program files\Microsoft Silverlight
2008-10-24 11:21   455,296   ----a-w   c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36   286,720   ----a-w   c:\windows\system32\gdi32.dll
2008-10-16 22:13   202,776   ----a-w   c:\windows\system32\wuweb.dll
2008-10-16 22:13   1,809,944   ----a-w   c:\windows\system32\wuaueng.dll
2008-10-16 22:12   561,688   ----a-w   c:\windows\system32\wuapi.dll
2008-10-16 22:12   323,608   ----a-w   c:\windows\system32\wucltui.dll
2008-10-16 22:09   92,696   ----a-w   c:\windows\system32\cdm.dll
2008-10-16 22:09   51,224   ----a-w   c:\windows\system32\wuauclt.exe
2008-10-16 22:09   43,544   ----a-w   c:\windows\system32\wups2.dll
2008-10-16 22:08   34,328   ----a-w   c:\windows\system32\wups.dll
2008-10-16 22:06   268,648   ----a-w   c:\windows\system32\mucltui.dll
2008-10-16 22:06   208,744   ----a-w   c:\windows\system32\muweb.dll
2008-10-16 20:38   826,368   ----a-w   c:\windows\system32\wininet.dll
2008-10-03 10:02   247,326   ----a-w   c:\windows\system32\strmdll.dll
2008-07-15 06:25   19,288   ----a-w   c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-09-22 05:07   8,192   --sha-w   c:\windows\system32\ludoyuja.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-30 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SunKistEM"="c:\program files\eMachines Bay  Reader\shwiconem.exe" [2004-03-11 135168]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-09 139264]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-12-06 9138176]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"EPSON Stylus Photo RX500"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE" [2003-06-01 99840]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-02-08 147456]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
CPU Meter.lnk - c:\windows\system32\taskmgr.exe [2004-08-10 135680]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Windows Defender\\MSASCui.exe"=
"c:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\guardgui.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-03-09 24652]
R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
S1 ati1ttxxx;ati1ttxxx;c:\windows\system32\drivers\ati1ttxxx.sys []
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7bc9d051-ee45-11dc-adfb-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2008-12-23 c:\windows\Tasks\akqxrtmb.job
- c:\windows\system32\rundll32.exe [2008-04-13 16:12]

2008-12-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-07 c:\windows\Tasks\defrag.job
- c:\windows\system32\defrag.exe [2008-04-13 16:12]

2008-12-20 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2008-04-13 16:12]

2008-12-22 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-Acronis Scheduler2 Service - c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
HKLM-Run-SigmatelSysTrayApp - sttray.exe


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-22 19:47:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AIM6\aolsoftware.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-22 19:50:04 - machine was rebooted
ComboFix-quarantined-files.txt  2008-12-23 03:50:00

Pre-Run: 423,415,984,128 bytes free
Post-Run: 423,377,719,296 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

209   --- E O F ---   2008-12-18 20:41:32




Is this the last step?  If so Thank you Thank you Thank you!
Lastly...how do I get pictures to upload properly.  On the web and in e-mail I just get boxes with shapes and I have to right click and select open picture on each and every one now

evilfantasy
« Reply #11 on: December 22, 2008, 09:15:25 PM »

Quote from: 4jcoonts
Is this the last step?  If so Thank you Thank you Thank you!
Lastly...how do I get pictures to upload properly.  On the web and in e-mail I just get boxes with shapes and I have to right click and select open picture on each and every one now

We will fix the images after this next log. I want to be sure the malware is gone first or it could just cause problems.

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

Driver::
-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys

File::
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\windows\Tasks\akqxrtmb.job
C:\WINDOWS\system32\dulupuhu.dll

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=-

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

4jcoonts
« Reply #12 on: December 22, 2008, 09:46:28 PM »

Is there any way to get the log again?
I forgot to turn the virus scan off again.  The program stopped midway.  I then turned off virus scan and restarted.  I copied the log but internet wouldn't work so I had to reboot...not thinking that it would erase the log. Sorry.  What should I do now?


evilfantasy
« Reply #13 on: December 22, 2008, 09:48:00 PM »

Go to Start > Run then type c:\combofix.txt and click OK. It should pop up.

4jcoonts
« Reply #14 on: December 22, 2008, 09:54:35 PM »

ComboFix 08-12-21.04 - Owner 2008-12-22 20:35:56.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2036.1599 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((   Files Created from 2008-11-23 to 2008-12-23  )))))))))))))))))))))))))))))))
.

2008-12-22 15:37 . 2008-12-22 15:37   <DIR>   d--------   c:\program files\Trend Micro
2008-12-22 14:21 . 2008-12-22 14:21   <DIR>   d--------   c:\program files\SUPERAntiSpyware
2008-12-22 14:21 . 2008-12-22 14:21   <DIR>   d--------   c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2008-12-22 14:21 . 2008-12-22 14:21   <DIR>   d--------   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-22 14:07 . 2008-12-22 14:07   <DIR>   d--------   c:\documents and settings\Owner\Application Data\Malwarebytes
2008-12-22 14:06 . 2008-12-22 14:06   <DIR>   d--------   c:\program files\Common Files\Wise Installation Wizard
2008-12-22 13:56 . 2008-12-22 13:56   <DIR>   d--------   c:\program files\CCleaner
2008-12-22 13:49 . 2008-12-22 13:49   8,192   --a------   c:\documents and settings\Jamie
2008-12-22 12:54 . 2008-12-22 12:54   <DIR>   d--------   c:\program files\Avira
2008-12-22 12:54 . 2008-12-22 12:54   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Avira
2008-12-22 10:11 . 2008-12-22 11:22   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
2008-12-22 10:11 . 2008-12-22 10:11   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-22 10:11 . 2008-12-03 19:53   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-22 10:11 . 2008-12-03 19:53   15,504   --a------   c:\windows\system32\drivers\mbam.sys
2008-12-21 22:21 . 2008-11-10 05:43   410,984   --a------   c:\windows\system32\deploytk.dll
2008-12-21 20:15 . 2008-12-21 21:30   <DIR>   d--------   c:\windows\system32\cap2
2008-12-21 20:15 . 2008-12-21 20:16   <DIR>   d--------   c:\windows\system32\ain
2008-12-21 20:15 . 2008-12-21 20:15   <DIR>   d--------   c:\temp\REX81
2008-12-21 20:15 . 2008-12-22 19:45   <DIR>   d--------   C:\Temp
2008-12-21 19:54 . 2008-12-21 19:54   <DIR>   d--------   c:\windows\Sun

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-23 03:48   ---------   d-----w   c:\documents and settings\Owner\Application Data\LimeWire
2008-12-22 23:33   ---------   d-----w   c:\program files\Java
2008-12-22 21:50   ---------   d-----w   c:\documents and settings\All Users\Application Data\avg7
2008-12-22 21:49   ---------   d-----w   c:\documents and settings\Owner\Application Data\AVG7
2008-10-28 04:51   ---------   d-----w   c:\documents and settings\All Users\Application Data\EPSON
2008-10-28 04:29   ---------   d-----w   c:\program files\Google
2008-10-28 04:03   ---------   d-----w   c:\program files\Microsoft.NET
2008-10-28 04:03   ---------   d-----w   c:\program files\Microsoft ActiveSync
2008-10-28 03:56   ---------   d-----w   c:\documents and settings\Owner\Application Data\Leadertech
2008-10-28 03:54   ---------   d--h--w   c:\program files\InstallShield Installation Information
2008-10-28 03:54   ---------   d-----w   c:\program files\Smart Panel
2008-10-28 03:54   ---------   d-----w   c:\program files\ABBYY FineReader 5.0 Sprint
2008-10-28 03:53   ---------   d-----w   c:\program files\EPSON
2008-10-25 08:06   ---------   d-----w   c:\program files\Microsoft Silverlight
2008-10-24 11:21   455,296   ----a-w   c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36   286,720   ----a-w   c:\windows\system32\gdi32.dll
2008-10-16 22:13   202,776   ----a-w   c:\windows\system32\wuweb.dll
2008-10-16 22:13   1,809,944   ----a-w   c:\windows\system32\wuaueng.dll
2008-10-16 22:12   561,688   ----a-w   c:\windows\system32\wuapi.dll
2008-10-16 22:12   323,608   ----a-w   c:\windows\system32\wucltui.dll
2008-10-16 22:09   92,696   ----a-w   c:\windows\system32\cdm.dll
2008-10-16 22:09   51,224   ----a-w   c:\windows\system32\wuauclt.exe
2008-10-16 22:09   43,544   ----a-w   c:\windows\system32\wups2.dll
2008-10-16 22:08   34,328   ----a-w   c:\windows\system32\wups.dll
2008-10-16 22:06   268,648   ----a-w   c:\windows\system32\mucltui.dll
2008-10-16 22:06   208,744   ----a-w   c:\windows\system32\muweb.dll
2008-10-16 20:38   826,368   ----a-w   c:\windows\system32\wininet.dll
2008-10-03 10:02   247,326   ----a-w   c:\windows\system32\strmdll.dll
2008-07-15 06:25   19,288   ----a-w   c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-09-22 05:07   8,192   --sha-w   c:\windows\system32\ludoyuja.dll
.

(((((((((((((((((((((((((((((   snapshot@2008-12-22_19.49.37.54   )))))))))))))))))))))))))))))))))))))))))
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-30 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SunKistEM"="c:\program files\eMachines Bay  Reader\shwiconem.exe" [2004-03-11 135168]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-09 139264]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-12-06 9138176]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"EPSON Stylus Photo RX500"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE" [2003-06-01 99840]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-02-08 147456]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
CPU Meter.lnk - c:\windows\system32\taskmgr.exe [2004-08-10 135680]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Windows Defender\\MSASCui.exe"=
"c:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\guardgui.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
S1 ati1ttxxx;ati1ttxxx;c:\windows\system32\drivers\ati1ttxxx.sys []
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-03-09 24652]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7bc9d051-ee45-11dc-adfb-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-12-23 c:\windows\Tasks\akqxrtmb.job
- c:\windows\system32\rundll32.exe [2008-04-13 16:12]

2008-12-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-07 c:\windows\Tasks\defrag.job
- c:\windows\system32\defrag.exe [2008-04-13 16:12]

2008-12-20 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2008-04-13 16:12]

2008-12-23 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-22 20:36:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2008-12-22 20:37:34
ComboFix-quarantined-files.txt  2008-12-23 04:37:32
ComboFix2.txt  2008-12-23 03:50:05

Pre-Run: 423,336,161,280 bytes free
Post-Run: 423,326,187,520 bytes free

167   --- E O F ---   2008-12-23 03:50:43
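As an added example, not part of this thread or of ComboFix itself, the script below runs a defender's first-pass triage over ComboFix-style "Reg Loading Points" and "Scheduled Tasks" lines and flags the kinds of entries the helper removed above: a randomly named .job task that launches rundll32, a driver registration whose file is missing ([]), Security Center update alerts switched off, the firewall disabled, and a globally opened port. The log lines inside it are constructed to mirror this thread's log, and the heuristics, severity labels and regular expressions are my assumptions, not anything ComboFix does.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the ComboFix output posted in this thread
# (not a real log; the entries mirror the ones the helper acted on).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
S1 ati1ttxxx;ati1ttxxx;c:\windows\system32\drivers\ati1ttxxx.sys []

Contents of the 'Scheduled Tasks' folder

2008-12-23 c:\windows\Tasks\akqxrtmb.job
- c:\windows\system32\rundll32.exe [2008-04-13 16:12]

2008-12-07 c:\windows\Tasks\defrag.job
- c:\windows\system32\defrag.exe [2008-04-13 16:12]
"""


@dataclass
class Finding:
    severity: str   # "high" or "medium" (my own two-level scale, an assumption)
    evidence: str   # the log line that triggered the finding
    reason: str


# Single-line checks, applied only while inside a registry section whose
# header contains the given substring: (section substring, pattern, severity, reason).
LINE_CHECKS = [
    ("security center", re.compile(r'^"UpdatesDisableNotify"=dword:0*1$'), "medium",
     "Security Center will not warn that Automatic Updates are off"),
    ("firewallpolicy", re.compile(r'^"EnableFirewall"=\s*0\b'), "high",
     "Windows Firewall is disabled for this profile"),
    ("globallyopenports", re.compile(r'^"(\d+):(TCP|UDP)"='), "medium",
     "port {0}/{1} is opened to all networks"),      # 3389/TCP is Remote Desktop
]
# ComboFix service line whose file field ends in an empty "[]": nothing on disk.
SERVICE_NO_FILE = re.compile(r"^[RS][0-4]\s+([^;]+);[^;]*;(.*?)\s+\[\]$")
# Task header "YYYY-MM-DD <path>\Tasks\<name>.job" and the "- <target> [..]" line after it.
TASK_HEADER = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(.+\\Tasks\\([^\\]+)\.job)$")
TASK_TARGET = re.compile(r"^-\s+(.+?)\s+\[")
# Heuristic for a machine-generated name: only lowercase letters, 6 to 12 of them.
RANDOM_NAME = re.compile(r"^[a-z]{6,12}$")


def next_task_target(lines: List[str], idx: int) -> Optional[str]:
    """Return the executable named on the '- ...' line that follows a task header."""
    for follow in lines[idx + 1:idx + 3]:
        m = TASK_TARGET.match(follow.strip())
        if m:
            return m.group(1)
    return None


def triage(text: str) -> List[Finding]:
    """Scan ComboFix-style output and return the suspicious entries found."""
    findings: List[Finding] = []
    section = ""
    lines = text.splitlines()
    for idx, raw in enumerate(lines):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line.lower()          # remember which registry key we are under
            continue
        for needed, pattern, severity, reason in LINE_CHECKS:
            m = pattern.match(line)
            if m and needed in section:
                findings.append(Finding(severity, line, reason.format(*m.groups())))
        m = SERVICE_NO_FILE.match(line)
        if m:
            findings.append(Finding("medium", line,
                                    f"service {m.group(1)} points at a missing file {m.group(2)}"))
        m = TASK_HEADER.match(line)
        if m:
            name, target = m.group(2), next_task_target(lines, idx)
            # A random-looking name that launches rundll32 is how akqxrtmb.job in this
            # thread looked; a legitimate task such as defrag.job is not flagged.
            if target and RANDOM_NAME.match(name) and "rundll32" in target.lower():
                findings.append(Finding("high", line,
                                        f"task {name}.job with random-looking name launches {target}"))
    return findings


def main() -> None:
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity.upper():6}] {f.reason}")
        print(f"         {f.evidence}")


if __name__ == "__main__":
    main()
```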

evilfantasy
« Reply #15 on: December 22, 2008, 10:00:05 PM »

Getting closer...

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Now download The Avenger by Swandog46 and save it to your Desktop.
  • Extract avenger.exe from the Zip file and save it to your Desktop
  • Run avenger.exe by double-clicking on it.
  • Do not change any check box options!!
  • Copy everything in the Code box below, and paste it into the Input script here window:
Code:
Comment:

Files to delete:
c:\windows\Tasks\akqxrtmb.job


  • Now click the Execute button.
  • Click Yes to the prompt to confirm you want to execute.
  • Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
  • Your PC should reboot, if not, reboot it yourself.
  • A log file from Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
  • Add the Avenger log in your next post.

4jcoonts
« Reply #16 on: December 22, 2008, 10:22:27 PM »

Below is the log.  When the computer rebooted this warning popped up:
Exception Processing Message c0000013 Parameters 75b6bf7c 475b6bf7c 75b6bf7c
and it has Cancel, Try again or Continue as options



Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "c:\windows\Tasks\akqxrtmb.job" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.

evilfantasy
« Reply #17 on: December 22, 2008, 10:34:42 PM »

OK this should fix the images problem.

Reset Web Settings & Default Security Settings

Open Internet Explorer and go to Tools > Internet Options  then the Advanced tab and then the Reset button under Reset Internet Explorer Settings.

Restart Internet Explorer. Is it working correctly now?

----------

  • Click START then RUN
  • Now type Combofix /u in the runbox
  • Make sure there's a space between Combofix and /u
  • Then hit Enter.

The above procedure will:
  • Delete:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide System/Hidden files, if required.
    • Set a new, clean Restore Point.

----------

1. Double click OTMoveIt2.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. Once complete exit out of OTMoveIt2

----------

Delete temporary files

Go to:
  • Start
  • Run
  • type: CLEANMGR.EXE
  • Press Enter.
When prompted select the C: drive and click OK.
Check the boxes for:
  • Temporary Internet Files
  • Downloaded Program Files
  • Recycle Bin
  • Temporary Files
Click OK or Enter

----------

Download DrWeb CureIt & save it to your desktop.

Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe and then click Start.
  • An Express Scan of your PC notice will appear.
  • Under Start the Express Scan Now Click OK to start.
    • This is a short scan that will scan the files currently running in memory.
    • If or when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the Scan tab and UNcheck Heuristic analysis and click OK
  • Back at the main window, select the Complete scan button.
  • Then click the Green Arrow Start Scanning button on the right and the scan will start.
    • Click Yes to all if it asks if you want to cure/move any file(s).
  • When the scan is done.
  • In the Dr.Web CureIt menu on top left, click File and choose Save report list.
  • Save the DrWeb.csv report to your Desktop.
  • Exit Dr.Web Cureit.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
  • Copy and paste that log in the next reply

4jcoonts
« Reply #18 on: December 22, 2008, 10:58:58 PM »

Yep.  Pics are showing. :)
I did this step
Click START then RUN

Now type Combofix /u in the runbox

Make sure there's a space between Combofix and /u
Then hit Enter.

The above procedure will:
Delete:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Set a new, clean Restore Point.

But not sure where to find OTMoveit2.exe for the next step.  Doesn't it say that the first step deleted it?

evilfantasy
« Reply #19 on: December 22, 2008, 11:02:48 PM »

Sorry, here ya go.

Download OTMoveIt3 by OldTimer OTMoveIt3.exe and place it on your desktop.

1. Double click OTMoveIt3.exe to launch it.
If using Vista Right-Click OTMoveIt and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
  • When finished exit out of OTMoveIt3

4jcoonts
« Reply #20 on: December 23, 2008, 12:40:20 AM »

hihosove.dll.tmp;C:\WINDOWS\system32;Probably Trojan.Packed.412;Renamed.;
kukolare.dll.tmp;C:\WINDOWS\system32;Probably Trojan.Packed.412;Renamed.;
ludoyuja.dll;C:\WINDOWS\system32;Trojan.Siggen.568;Deleted.;
miwajiho.dll.tmp;C:\WINDOWS\system32;Probably Trojan.Packed.412;Renamed.;
00068281.FIL;C:\$VAULT$.AVG;Trojan.DownLoad.4660;Deleted.;
00072968.FIL;C:\$VAULT$.AVG;BackDoor.Tdss.30;Deleted.;
00297046.FIL;C:\$VAULT$.AVG;Trojan.Click.19754;Deleted.;
02665515.FIL;C:\$VAULT$.AVG;Trojan.DownLoad.4660;Deleted.;
02666750.FIL;C:\$VAULT$.AVG;Trojan.Click.23749;Deleted.;
02666828.FIL;C:\$VAULT$.AVG;Trojan.Click.23749;Deleted.;
02666921.FIL;C:\$VAULT$.AVG;Trojan.Click.19754;Deleted.;
02666953.FIL;C:\$VAULT$.AVG;Trojan.Click.23749;Deleted.;
02667000.FIL;C:\$VAULT$.AVG;Trojan.DownLoad.4660;Deleted.;
03300937.FIL;C:\$VAULT$.AVG;Trojan.DownLoad.4660;Deleted.;
03305218.FIL;C:\$VAULT$.AVG;Trojan.Siggen.568;Deleted.;
A0000008.dll;C:\System Volume Information\_restore{C4634337-28E5-40ED-A7C7-6667EC712853}\RP1;Trojan.Siggen.568;Deleted.;

evilfantasy
« Reply #21 on: December 23, 2008, 12:48:23 AM »

That found a few more infected entries.

How is the computer running now?

Let me know if you have any questions.

Use the Secunia Software Inspector to check for out of date software.
  • Click Start Now
  • Check the box next to Enable thorough system inspection.
  • Click Start
  • Allow the scan to finish and scroll down to see if any updates are needed.
  • Update anything listed.

----------

Go to Microsoft Windows Update and get all critical updates.

----------

Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

Concerned about Browser Security? Consider using Mozilla Firefox 3.0 with Adblock Plus and NoScript

To prevent unknown applications from being installed on your computer install WinPatrol 2008
* Using Winpatrol to protect your computer from malicious software

I suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

4jcoonts
« Reply #22 on: December 23, 2008, 12:57:06 AM »

Wow!  You must never sleep!!  For that I am thankful!
You have been such an incredible help and I learned along the way.  I am so glad I came upon this site!
I'm working on your last few steps.  The computer is already running just about like new.  It had been really slow.  Thanks!

evilfantasy
« Reply #23 on: December 23, 2008, 01:27:29 PM »

You're welcome.

Safe surfing...

Copyright © 2010 Computer Hope ® All rights reserved.