
Author Topic: Problem - Please Help  (Read 71052 times)


SCHC

    Topic Starter


    Beginner

    Re: Problem - Please Help
    « Reply #15 on: March 08, 2010, 08:49:30 PM »
    Malwarebytes' Anti-Malware 1.44
    Database version: 3510
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    3/8/2010 9:48:43 PM
    mbam-log-2010-03-08 (21-48-28).txt

    Scan type: Quick Scan
    Objects scanned: 118910
    Time elapsed: 5 minute(s), 30 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 6
    Registry Values Infected: 8
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.

    Registry Values Infected:
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ljigdcdrv (Trojan.Vundo) -> No action taken.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ljigdcdrv (Trojan.Vundo) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pmkklldrv (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qomligdrv (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qomlkhsys (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> No action taken.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vtrpmmsys (Trojan.Vundo) -> No action taken.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vtrpmmsys (Trojan.Vundo) -> No action taken.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe rundll32.exe nynw.wmo mynleeq) Good: (Explorer.exe) -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    Dr Jay

    • Malware Removal Specialist


    • Specialist
    • Moderator emeritus
    • Thanked: 119
    • Experience: Guru
    • OS: Windows 10
    Re: Problem - Please Help
    « Reply #16 on: March 08, 2010, 09:30:07 PM »
    Try one more quick scan and post a log, please.
    ~Dr Jay

    SCHC

      Re: Problem - Please Help
      « Reply #17 on: March 08, 2010, 10:28:00 PM »
      Malwarebytes' Anti-Malware 1.44
      Database version: 3510
      Windows 5.1.2600 Service Pack 3
      Internet Explorer 7.0.5730.13

      3/8/2010 11:26:52 PM
      mbam-log-2010-03-08 (23-26-52).txt

      Scan type: Quick Scan
      Objects scanned: 119034
      Time elapsed: 5 minute(s), 55 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 7
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 0

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fcbcdedrv (Trojan.Agent) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ddaawudrv (Trojan.Vundo) -> Quarantined and deleted successfully.
      HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xxvstudrv (Trojan.Vundo) -> Quarantined and deleted successfully.
      HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xxvstudrv (Trojan.Vundo) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mliihisys (Trojan.Vundo) -> Quarantined and deleted successfully.
      HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dddabxsys (Trojan.Vundo) -> Quarantined and deleted successfully.
      HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dddabxsys (Trojan.Vundo) -> Quarantined and deleted successfully.

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      (No malicious items detected)

      Dr Jay
      Re: Problem - Please Help
      « Reply #18 on: March 08, 2010, 10:44:03 PM »
      Please visit this webpage for a tutorial on downloading and running ComboFix:

      http://www.bleepingcomputer.com/combofix/how-to-use-combofix

      See the area: Using ComboFix, and when done, post the log back here.
      ~Dr Jay

        SCHC

        Re: Problem - Please Help
        « Reply #19 on: March 08, 2010, 11:17:20 PM »
        ComboFix 10-03-08.01 - Me 03/09/2010   0:06.1.2 - x86
        Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2046.1377 [GMT -6:00]
        Running from: c:\documents and settings\Me\Desktop\ComboFix.exe
        AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
        FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
        .

        (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        C:\cleanup.exe

        .
        (((((((((((((((((((((((((   Files Created from 2010-02-09 to 2010-03-09  )))))))))))))))))))))))))))))))
        .

        2010-03-05 06:36 . 2010-03-05 06:36   --------   d-----w-   C:\Rooter$
        2010-03-04 03:21 . 2010-03-06 23:21   --------   d-----w-   c:\program files\MalwareBytes
        2010-03-03 23:07 . 2010-03-03 23:07   61440   ----a-w-   c:\documents and settings\Me\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-19b5e70a-n\decora-sse.dll
        2010-03-03 23:07 . 2010-03-03 23:07   503808   ----a-w-   c:\documents and settings\Me\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-54eb42d2-n\msvcp71.dll
        2010-03-03 23:07 . 2010-03-03 23:07   499712   ----a-w-   c:\documents and settings\Me\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-54eb42d2-n\jmc.dll
        2010-03-03 23:07 . 2010-03-03 23:07   348160   ----a-w-   c:\documents and settings\Me\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-54eb42d2-n\msvcr71.dll
        2010-03-03 23:07 . 2010-03-03 23:07   12800   ----a-w-   c:\documents and settings\Me\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-19b5e70a-n\decora-d3d.dll
        2010-03-03 23:07 . 2010-03-03 23:06   411368   ----a-w-   c:\windows\system32\deploytk.dll
        2010-03-03 21:01 . 2010-03-03 21:01   52224   ----a-w-   c:\documents and settings\Me\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
        2010-03-03 21:01 . 2010-03-03 21:01   117760   ----a-w-   c:\documents and settings\Me\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
        2010-03-03 21:00 . 2010-03-03 21:00   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
        2010-03-03 20:59 . 2010-03-03 20:59   --------   d-----w-   c:\program files\SUPERAntiSpyware
        2010-03-03 20:59 . 2010-03-03 20:59   --------   d-----w-   c:\documents and settings\Me\Application Data\SUPERAntiSpyware.com
        2010-03-03 20:19 . 2010-03-03 20:39   --------   d-----w-   c:\documents and settings\All Users\Application Data\OnlineArmor
        2010-03-03 20:19 . 2010-03-03 20:19   --------   d-----w-   c:\documents and settings\Me\Application Data\OnlineArmor
        2010-03-03 20:18 . 2009-12-05 13:28   24656   ----a-w-   c:\windows\system32\drivers\OAmon.sys
        2010-03-03 20:18 . 2009-12-05 13:27   29776   ----a-w-   c:\windows\system32\drivers\OAnet.sys
        2010-03-03 20:18 . 2009-12-05 13:27   223312   ----a-w-   c:\windows\system32\drivers\OADriver.sys
        2010-03-03 20:18 . 2010-03-03 20:18   --------   d-----w-   c:\program files\Tall Emu
        2010-03-03 17:49 . 2010-03-03 17:49   --------   d-----w-   c:\program files\CCleaner
        2010-03-03 02:30 . 2009-11-25 17:19   56816   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
        2010-03-03 02:30 . 2009-03-30 15:33   96104   ----a-w-   c:\windows\system32\drivers\avipbb.sys
        2010-03-03 02:30 . 2009-02-13 17:29   22360   ----a-w-   c:\windows\system32\drivers\avgntmgr.sys
        2010-03-03 02:30 . 2009-02-13 17:17   45416   ----a-w-   c:\windows\system32\drivers\avgntdd.sys
        2010-03-03 02:30 . 2010-03-03 02:30   --------   d-----w-   c:\program files\Avira
        2010-03-03 02:30 . 2010-03-03 02:30   --------   d-----w-   c:\documents and settings\All Users\Application Data\Avira
        2010-03-03 02:01 . 2010-03-03 22:58   --------   d-----w-   c:\program files\mapp
        2010-03-03 01:28 . 2010-03-03 01:28   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
        2010-03-02 16:54 . 2010-03-02 16:54   91648   ---ha-w-   c:\windows\system32\jkhfde.dll
        2010-03-02 05:56 . 2010-03-02 05:57   97280   ---ha-w-   c:\windows\system32\rqrstu.dll

        .
        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2010-03-07 16:41 . 2008-08-26 20:16   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
        2010-03-03 23:12 . 2007-08-06 12:04   --------   d-----w-   c:\program files\Java
        2010-03-03 23:07 . 2007-08-06 12:04   --------   d-----w-   c:\program files\Common Files\Java
        2010-03-03 20:58 . 2007-12-03 02:29   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
        2010-03-03 17:55 . 2007-12-03 05:11   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
        2010-02-24 15:16 . 2009-10-03 18:26   181632   ------w-   c:\windows\system32\MpSigStub.exe
        2010-02-20 20:09 . 2008-03-09 01:17   664   ----a-w-   c:\windows\system32\d3d9caps.dat
        2010-02-14 20:18 . 2007-08-14 02:23   --------   d-----w-   c:\program files\Google
        2010-02-10 16:34 . 2007-08-14 01:57   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
        2010-01-21 21:41 . 2007-08-06 11:51   91562   ----a-w-   c:\windows\system32\nvModes.dat
        2010-01-21 13:54 . 2009-06-02 04:54   --------   d-----w-   c:\program files\Microsoft Silverlight
        2010-01-15 00:11 . 2008-09-19 02:31   5115824   ----a-w-   c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
        2010-01-07 22:07 . 2008-08-26 20:16   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
        2010-01-07 22:07 . 2008-08-26 20:16   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
        2010-01-05 10:00 . 2004-08-10 17:51   832512   ----a-w-   c:\windows\system32\wininet.dll
        2010-01-05 10:00 . 2004-08-10 17:51   78336   ----a-w-   c:\windows\system32\ieencode.dll
        2010-01-05 10:00 . 2004-08-10 17:50   17408   ------w-   c:\windows\system32\corpol.dll
        2009-12-31 16:50 . 2004-08-10 17:51   353792   ----a-w-   c:\windows\system32\drivers\srv.sys
        2009-12-18 17:18 . 2007-11-30 20:43   638339   ----a-w-   c:\windows\jgzr.dat
        2009-12-16 18:43 . 2004-08-10 18:01   343040   ----a-w-   c:\windows\system32\mspaint.exe
        2009-12-14 07:08 . 2004-08-10 17:50   33280   ----a-w-   c:\windows\system32\csrsrv.dll
        2009-06-09 16:29 . 2009-06-09 16:20   724952   ----a-w-   c:\program files\avenger.zip
        2008-08-27 16:50 . 2008-08-27 16:50   1495112   ----a-w-   c:\program files\install_flash_player.exe
        2008-08-26 21:07 . 2008-08-26 20:44   7499056   ----a-w-   c:\program files\Firefox Setup 3.0.1.exe
        2008-08-12 23:14 . 2008-08-12 23:14   2367160   ----a-w-   c:\program files\LinksysWebConnectPC.exe
        2008-07-06 20:16 . 2008-07-06 20:16   9390251   ----a-w-   c:\program files\vlc-0.8.6h-win32.exe
        2008-01-04 03:10 . 2008-01-04 03:10   13413048   ----a-w-   c:\program files\Google_Earth_BZXD.exe
        2007-08-30 12:08 . 2007-08-30 12:08   238450   ----a-w-   c:\program files\SecureW2_2kXP.exe
        2007-08-27 12:43 . 2007-08-27 12:43   50009400   ----a-w-   c:\program files\iTunesSetup.exe
        2007-08-06 12:09 . 2007-08-06 12:09   76   --sh--r-   c:\windows\CT4CET.bin
        .

        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4

        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-22 68856]
        "jkhgdcdrv"="rqrstu.dll" [2010-03-02 97280]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
        "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-06 8429568]
        "nwiz"="nwiz.exe" [2007-06-06 1626112]
        "NVHotkey"="nvHotkey.dll" [2007-06-06 67584]
        "NvMediaCenter"="NvMCTray.dll" [2007-06-06 81920]
        "OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-09 36864]
        "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
        "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
        "SigmatelSysTrayApp"="stsystra.exe" [2007-06-06 405504]
        "KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
        "PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
        "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
        "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
        "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
        "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
        "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
        "@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2009-12-05 6622920]
        "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
        "fcbbxwdrv"="rqrstu.dll" [2010-03-02 97280]
        "mlmljgsys"="jkhfde.dll" [2010-03-02 91648]

        [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
        "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
        "wvvvvvsys"="jkhfde.dll" [2010-03-02 91648]
        "ssqpopdrv"="rqrstu.dll" [2010-03-02 97280]

        c:\documents and settings\All Users\Start Menu\Programs\Startup\
        Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
        Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-8-6 50688]

        [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
        "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-12-05 923336]
        "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
        2009-09-03 20:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

        [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
        Authentication Packages   REG_MULTI_SZ      msv1_0 jkhfde.dll

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
        @="Service"

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
        @="Service"

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
        "%windir%\\system32\\sessmgr.exe"=
        "c:\\Program Files\\DELL\\MediaDirect\\PCMService.exe"=
        "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
        "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
        "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
        "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
        "c:\\Program Files\\ExamSoft\\SofTest\\SoftLnch.exe"= c:\\Program Files\\ExamSoft\\SoftLnch.exe
        "c:\\Program Files\\ExamSoft\\SofTest\\softest.exe"= c:\\Program Files\\ExamSoft\\SofTest.exe
        "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
        "c:\\Program Files\\AIM6\\aim6.exe"=
        "%windir%\\system32\\drivers\\svchost.exe"=
        "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
        "c:\\Program Files\\iTunes\\iTunes.exe"=

        R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [3/3/2010 2:18 PM 223312]
        R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [3/3/2010 2:18 PM 24656]
        R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [3/3/2010 2:18 PM 29776]
        R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
        R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
        R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/2/2010 8:30 PM 108289]
        R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [3/3/2010 2:18 PM 1282248]
        R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
        S2 gupdate1c9a393ba0b99a0;Google Update Service (gupdate1c9a393ba0b99a0);c:\program files\Google\Update\GoogleUpdate.exe [3/12/2009 10:25 PM 133104]
        S2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [3/3/2010 2:18 PM 3291336]
        S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]
        .
        Contents of the 'Scheduled Tasks' folder

        2010-03-04 c:\windows\Tasks\AppleSoftwareUpdate.job
        - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:34]

        2010-03-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
        - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-13 04:25]

        2010-03-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
        - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-13 04:25]

        2010-03-09 c:\windows\Tasks\MP Scheduled Scan.job
        - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]
        .
        .
        ------- Supplementary Scan -------
        .
        uStart Page = hxxp://www.yahoo.com
        uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
        mStart Page = hxxp://www.yahoo.com
        uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
        uSearchAssistant = hxxp://www.google.com/ie
        uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
        IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
        IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
        FF - ProfilePath - c:\documents and settings\Me\Application Data\Mozilla\Firefox\Profiles\xs21qfhi.default\
        FF - prefs.js: browser.startup.homepage - hxxp://law.wustl.edu/
        FF - plugin: c:\documents and settings\Me\Application Data\Move Networks\plugins\npqmp071503000010.dll
        FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
        FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
        FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
        FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
        .

        **************************************************************************

        catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2010-03-09 00:11
        Windows 5.1.2600 Service Pack 3 NTFS

        scanning hidden processes ... 

        scanning hidden autostart entries ...

        scanning hidden files ... 


        c:\windows\TEMP\TMP000000CC5AEF8701CB5A8A30 524288 bytes executable

        scan completed successfully
        hidden files: 1

        **************************************************************************
        .
        --------------------- LOCKED REGISTRY KEYS ---------------------

        [HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\¬ *·*]
        "Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
        .
        --------------------- DLLs Loaded Under Running Processes ---------------------

        - - - - - - - > 'winlogon.exe'(556)
        c:\program files\SUPERAntiSpyware\SASWINLO.dll
        c:\windows\system32\WININET.dll
        c:\windows\system32\rqrstu.dll

        - - - - - - - > 'lsass.exe'(612)
        c:\windows\system32\jkhfde.dll
        c:\windows\system32\wininet.dll

        - - - - - - - > 'csrss.exe'(524)
        c:\windows\system32\wininet.dll
        .
        Completion time: 2010-03-09  00:13:37
        ComboFix-quarantined-files.txt  2010-03-09 06:13

        Pre-Run: 86,253,690,880 bytes free
        Post-Run: 87,853,133,824 bytes free

        WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
        [boot loader]
        timeout=2
        default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
        [operating systems]
        c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
        multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

        - - End Of File - - BD3BA76768EFDDE9CFE95CC7C0D48527
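        Reading the MBAM log (Reply #15) and the ComboFix log above together, the persistence points line up: two hidden DLLs created on 2010-03-02 in system32 (jkhfde.dll, rqrstu.dll), Run values under HKCU, HKLM and HKU\.DEFAULT that load them, jkhfde.dll appended to the LSA Authentication Packages list (which is why it shows up inside lsass.exe in the "DLLs Loaded Under Running Processes" section), and earlier the Winlogon Userinit/Shell values carrying extra programs. The script below is an added example, not code from the thread or from ComboFix or Malwarebytes: it parses the log line formats those tools print and applies exactly those four checks. The sample text is constructed from lines quoted in this thread; the "default" Userinit, Shell and Authentication Packages values are an assumption for a stock 32-bit Windows XP SP3 install.

```python
"""Offline triage of ComboFix/MBAM persistence indicators. Added example, not part of either tool."""
import re
from collections import namedtuple

FileEntry = namedtuple("FileEntry", "created modified size attrs path")
RunEntry = namedtuple("RunEntry", "key name target date size")

# Assumed defaults of a stock 32-bit Windows XP SP3 install.
DEFAULT_USERINIT = {"userinit.exe"}
DEFAULT_SHELL = {"explorer.exe"}
DEFAULT_AUTH_PACKAGES = {"msv1_0"}

# ComboFix "Files Created" line: created . modified  size  attrs  path
_FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
                      r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\S+)\s+([-\w]{8})\s+(.+)$")
# ComboFix "Reg Loading Points" value: "name"="target" [date size]
_RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s+\[(\d{4}-\d{2}-\d{2}) (\d+)\]$')
_AUTH_RE = re.compile(r"^Authentication Packages\s+REG_MULTI_SZ\s+(.*)$")
_WINLOGON_RE = re.compile(r"\\Winlogon\\(Userinit|Shell) .*?Bad: \((.*?)\) Good:")

def basename(path):
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()

def parse_files_created(text):
    matches = (_FILE_RE.match(l.strip()) for l in text.splitlines())
    return [FileEntry(*m.groups()) for m in matches if m]

def parse_run_entries(text):
    """Collect values only from sections whose key ends in CurrentVersion\\Run."""
    out, key = [], ""
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _RUN_RE.match(line)
        if m and key.lower().endswith("\\currentversion\\run"):
            name, target, date, size = m.groups()
            out.append(RunEntry(key, name, target, date, int(size)))
    return out

def parse_auth_packages(text):
    for line in (l.strip() for l in text.splitlines()):
        m = _AUTH_RE.match(line)
        if m:
            return m.group(1).split()
    return []

def parse_winlogon_bad(text):
    """Map 'Userinit'/'Shell' to the Bad: data MBAM reported for it."""
    return {m.group(1): m.group(2) for m in _WINLOGON_RE.finditer(text)}

def hidden_system32_files(files):
    return [f.path for f in files if "d" not in f.attrs and "h" in f.attrs
            and "\\system32\\" in f.path.lower()]

def triage(combofix_text, mbam_text=""):
    """Return (rule, detail) pairs in input order."""
    findings = []
    hidden = hidden_system32_files(parse_files_created(combofix_text))
    findings += [("hidden-system32-file", p) for p in hidden]
    hidden_names = {basename(p) for p in hidden}
    # A bare DLL in Run is not proof by itself (nvHotkey.dll is legitimate): cross-reference hidden files.
    for r in parse_run_entries(combofix_text):
        if basename(r.target) in hidden_names:
            findings.append(("run-value-loads-hidden-file", f"{r.key}\\{r.name} -> {r.target}"))
    # Every extra package here is a DLL that lsass.exe loads at boot.
    findings += [("extra-lsa-authentication-package", p) for p in parse_auth_packages(combofix_text)
                 if p.lower() not in DEFAULT_AUTH_PACKAGES]
    bad = parse_winlogon_bad(mbam_text)
    # Userinit is comma-separated, Shell space-separated; anything past the default runs at logon.
    findings += [("userinit-extra-entry", i.strip()) for i in bad.get("Userinit", "").split(",")
                 if i.strip() and basename(i) not in DEFAULT_USERINIT]
    findings += [("shell-extra-token", t) for t in bad.get("Shell", "").split()
                 if basename(t) not in DEFAULT_SHELL]
    return findings

# Constructed sample: lines copied from the logs posted in this thread.
COMBOFIX_SAMPLE = r"""
2010-03-03 23:07 . 2010-03-03 23:06   411368   ----a-w-   c:\windows\system32\deploytk.dll
2010-03-02 16:54 . 2010-03-02 16:54   91648   ---ha-w-   c:\windows\system32\jkhfde.dll
2010-03-02 05:56 . 2010-03-02 05:57   97280   ---ha-w-   c:\windows\system32\rqrstu.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"jkhgdcdrv"="rqrstu.dll" [2010-03-02 97280]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVHotkey"="nvHotkey.dll" [2007-06-06 67584]
"fcbbxwdrv"="rqrstu.dll" [2010-03-02 97280]
"mlmljgsys"="jkhfde.dll" [2010-03-02 91648]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"wvvvvvsys"="jkhfde.dll" [2010-03-02 91648]
"ssqpopdrv"="rqrstu.dll" [2010-03-02 97280]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages   REG_MULTI_SZ      msv1_0 jkhfde.dll
"""
MBAM_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe rundll32.exe nynw.wmo mynleeq) Good: (Explorer.exe) -> No action taken.
"""
if __name__ == "__main__":
    for rule, detail in triage(COMBOFIX_SAMPLE, MBAM_SAMPLE):
        print(f"{rule:34} {detail}")
```

        On the sample it reports twelve findings: the two hidden DLLs, the five Run values that point at them (NVHotkey is left alone because nvHotkey.dll is neither hidden nor newly created), jkhfde.dll as an extra LSA authentication package, sdra64.exe in Userinit, and the rundll32.exe tail in Shell. The cross-reference with the hidden-attribute file list is the important design choice: several legitimate Run values in this very log name a bare DLL, so flagging every DLL would bury the real entries in false positives.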

        Dr Jay
        Re: Problem - Please Help
        « Reply #20 on: March 09, 2010, 11:17:43 AM »
        Re-running ComboFix to remove infections:

        • Close any open browsers.
        • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
        • Open notepad and copy/paste the text in the quotebox below into it:
          Quote
          killall::

          Registry::
          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "jkhgdcdrv"=-
          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "fcbbxwdrv"=-
          "mlmljgsys"=-
          [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
          "wvvvvvsys"=-
          "ssqpopdrv"=-
          [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
          @=""

          File::
          c:\windows\system32\jkhfde.dll
          c:\windows\system32\rqrstu.dll
          c:\windows\jgzr.dat

          rootkit::
          reboot::
        • Save this as CFScript.txt, in the same location as ComboFix.exe



        • Referring to the picture above, drag CFScript into ComboFix.exe
        • When finished, it shall produce a log for you at C:\ComboFix.txt
        • Please post the contents of the log in your next reply.
        ~Dr Jay

          SCHC

          Re: Problem - Please Help
          « Reply #21 on: March 09, 2010, 01:14:41 PM »
          ComboFix 10-03-09.03 - Me 03/09/2010  14:00:55.2.2 - x86
          Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2046.1385 [GMT -6:00]
          Running from: C:\Documents and Settings\Me\Desktop\ComboFix.exe
          Command switches used :: C:\Documents and Settings\Me\Desktop\CFScript.txt
          AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
          FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

          FILE ::
          "c:\windows\jgzr.dat"
          "c:\windows\system32\jkhfde.dll"
          "c:\windows\system32\rqrstu.dll"
          .


          Dr Jay
          Re: Problem - Please Help
          « Reply #22 on: March 09, 2010, 01:21:57 PM »
          That is not a full log.

          Look in C:\Combofix.txt and see if you can find the full log.
          ~Dr Jay

            SCHC

            Re: Problem - Please Help
            « Reply #23 on: March 09, 2010, 01:31:16 PM »
            That is all that is there. Could it be a problem that Avira and my firewall both automatically restarted when ComboFix restarted Windows?

            Dr Jay
            Re: Problem - Please Help
            « Reply #24 on: March 09, 2010, 01:32:47 PM »
            Might be.

            Re-run ComboFix, and post a log. But, do not do the script above, just double-click on ComboFix.
            ~Dr Jay

              SCHC

              Re: Problem - Please Help
              « Reply #25 on: March 09, 2010, 01:34:50 PM »
              Should I shut off the autostart features for Avira and Online Armor first?

              Dr Jay
              Re: Problem - Please Help
              « Reply #26 on: March 09, 2010, 01:47:32 PM »
              If you want to. Just remember to turn them back on.
              ~Dr Jay

                SCHC

                Re: Problem - Please Help
                « Reply #27 on: March 09, 2010, 02:11:13 PM »
                Still just this:


                ComboFix 10-03-09.03 - Me 03/09/2010  14:55:20.3.2 - x86
                Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2046.1514 [GMT -6:00]
                Running from: C:\Documents and Settings\Me\Desktop\ComboFix.exe
                AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
                FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
                .


                  SCHC

                  Re: Problem - Please Help
                  « Reply #28 on: March 09, 2010, 02:17:23 PM »
                  I also got a message when Windows restarted saying something about ComboFix and not having permission, but the screenshot I attempted to take didn't work, so sorry I can't tell you exactly what it said.

                  And I got these two messages:

                  Error loading rqrstu.dll
                  The specified module could not be found.

                  and

                  Error loading jkhfde.dll
                  The specified module could not be found.

                    SCHC

                    Re: Problem - Please Help
                    « Reply #29 on: March 09, 2010, 02:20:51 PM »
                    Also, Online Armor blocked two programs automatically:

                    CF21025.cfxxe

                    iernonce.dll