
Author Topic: Need help removing remnants of "AntiMalware Doctor" infection  (Read 18339 times)


piratesteve83

    Topic Starter


    Beginner

    Need help removing remnants of "AntiMalware Doctor" infection
    « on: October 22, 2010, 02:54:18 PM »
    My computer (Dell Dimension 2400 with Windows XP) got infected with something called AntiMalware Doctor.  It totally hijacked my computer, opening a fake Anti-Malware program and opening internet explorer windows with inappropriate websites.  It wouldn’t let me open any programs.  I had to start in safe mode to have any control whatsoever.  I followed the advice I found on another site to get rid of this specific infection, and it seemed to alleviate the more severe symptoms, but there are still remnants.  For instance, at startup, I get this message:

    “Error loading C:\WINDOWS\$NtUninstallMTF1011$\mmduch.dll”
    “The specified module could not be found”

    I have run AVG, SuperAntiSpyware and Malwarebytes several times, and they keep finding the same things, deleting them, and then they reappear the next time I scan.  I’m hoping you can help me get my computer totally clean.  I followed the directions on the “Read This etc.” post.  So here is what I found:

    I tried to update SuperAntiSpyware and it wouldn’t let me.  It gave me this error message:

    “There was an error trying to retrieve definitions.  Make sure your firewall is not blocking SUPERANTISPYWARE.EXE from accessing the Internet.”

    I thought at first it might be a problem with the Online Armor firewall I just installed (per the directions given), but I just installed the same firewall on my other computer and had no problems updating SuperAntiSpyware.  This leads me to believe that the problem is not with the firewall, but with the infection on the computer.  I still ran the scan, without the update.

    After installing Malwarebytes with no problem, it asked me if I wanted to update and start the program, and so per the instructions, I clicked Yes.  It started downloading updates and then gave me this error message:

    “An error has occurred.  Please report this error code to our support team.”
    “MBAM_ERROR_UPDATING (12007, 0, WinHttpSendRequest)”

    When I went to the link you provided to manually download updates, it said that the server at Malwarebytes.org was not found.  Other websites work, so I guess it’s just a problem with their website.  I tried downloading updates in this program on my other computer and had the same problem, so I’m guessing it’s the website.  On the infected computer, Malwarebytes did open, and I was able to run a scan, without the updates.

    So here are the logs:

    Quote
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 10/22/2010 at 01:52 PM

    Application Version : 4.34.1000

    Core Rules Database Version : 3784
    Trace Rules Database Version: 0

    Scan type       : Complete Scan
    Total Scan Time : 00:51:42

    Memory items scanned      : 485
    Memory threats detected   : 0
    Registry items scanned    : 5608
    Registry threats detected : 2
    File items scanned        : 72801
    File threats detected     : 0

    Adware.MyWebSearch/FunWebProducts
       HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}
       HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}\TreatAs

    Quote
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    10/22/2010 4:11:45 PM
    mbam-log-2010-10-22 (16-11-45).txt

    Scan type: Quick scan
    Objects scanned: 159035
    Time elapsed: 7 minute(s), 20 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 4
    Registry Values Infected: 1
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\TypeLib\{497dddb6-6eee-4561-9621-b77dc82c1f84} (Rogue.Ascentive) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{4e980492-027b-47f1-a7ab-ab086dacbb9e} (Rogue.Ascentive) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{5ead8321-fcbb-4c3f-888c-ac373d366c3f} (Rogue.Ascentive) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{31f3cf6e-a71a-4daa-852b-39ac230940b4} (Rogue.Ascentive) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\SysRestore.dll (Rogue.Ascentive) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.74,93.188.161.7 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{88b1d06e-7339-43f6-9d4e-574a3cc1a84e}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.74,93.188.161.7 -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\SysRestore.dll (Rogue.Ascentive) -> Quarantined and deleted successfully.
    C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

    Quote
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 4:43:05 PM, on 10/22/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.17080)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\Emsisoft\Online Armor\OAcat.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Emsisoft\Online Armor\oasrv.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\V0500Mon.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Emsisoft\Online Armor\oaui.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Emsisoft\Online Armor\OAhlp.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Trend Micro\HiJackThis\sniper.exe
    C:\Program Files\Mozilla Firefox\firefox.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.hotmail.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] "C:\WINDOWS\KHALMNPR.EXE"
    O4 - HKLM\..\Run: [KernelFaultCheck] "%systemroot%\system32\dumprep" 0 -k
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
    O4 - HKLM\..\Run: [V0500Mon.exe] "C:\WINDOWS\V0500Mon.exe"
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [cofbesfq] "C:\Documents and Settings\Owner.STEVE\Local Settings\Application Data\wsfaxolto\yxivrunshdw.exe"
    O4 - HKLM\..\Run: [fjmpxcnr] "C:\Documents and Settings\Owner.STEVE\Local Settings\Application Data\lggyyxyef\yobnhkashdw.exe"
    O4 - HKLM\..\Run: [bipro] "rundll32" "C:\WINDOWS\$NtUninstallMTF1011$\mmduch.dll",,Run
    O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Emsisoft\Online Armor\oaui.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu
    O4 - HKCU\..\Run: [mediafix70700en02.exe] "C:\Documents and Settings\Owner.STEVE\Application Data\6AF4966B29C8168896C6D1749ED8A6A1\mediafix70700en02.exe"
    O4 - HKCU\..\Run: [XBV6RD5SZF] "C:\DOCUME~1\OWNER~1.STE\LOCALS~1\Temp\Rh2.exe"
    O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10i_Plugin.exe -update plugin
    O4 - S-1-5-18 Startup: ibygm.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: ibygm.exe (User 'Default user')
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = ?
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194402456203
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: 6to4 -  - (no file)
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
    O23 - Service: Online Armor Helper Service (OAcat) - Unknown owner - C:\Program Files\Emsisoft\Online Armor\OAcat.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Online Armor (SvcOnlineArmor) - Unknown owner - C:\Program Files\Emsisoft\Online Armor\oasrv.exe

    --
    End of file - 8022 bytes

    Thank you in advance for your help!

    SuperDave

    • Malware Removal Specialist


    Re: Need help removing remnants of "AntiMalware Doctor" infection
    « Reply #1 on: October 25, 2010, 01:42:06 PM »
      Hello and welcome to
    Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum, so it may take a bit longer to process your logs.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    Quote
    “Error loading C:\WINDOWS\$NtUninstallMTF1011$\mmduch.dll”
    “The specified module could not be found”
    This is part of the infection.

    Open HijackThis and select Do a system scan only

    Place a check mark next to the following entries: (if there)

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
    O4 - HKLM\..\Run: [cofbesfq] "C:\Documents and Settings\Owner.STEVE\Local Settings\Application Data\wsfaxolto\yxivrunshdw.exe"
    O4 - HKLM\..\Run: [fjmpxcnr] "C:\Documents and Settings\Owner.STEVE\Local Settings\Application Data\lggyyxyef\yobnhkashdw.exe"
    O4 - HKLM\..\Run: [bipro] "rundll32" "C:\WINDOWS\$NtUninstallMTF1011$\mmduch.dll",,Run
    O4 - HKCU\..\Run: [mediafix70700en02.exe] "C:\Documents and Settings\Owner.STEVE\Application Data\6AF4966B29C8168896C6D1749ED8A6A1\mediafix70700en02.exe"
    O4 - HKCU\..\Run: [XBV6RD5SZF] "C:\DOCUME~1\OWNER~1.STE\LOCALS~1\Temp\Rh2.exe"
    O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10i_Plugin.exe -update plugin
    O4 - S-1-5-18 Startup: ibygm.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: ibygm.exe (User 'Default user')
    O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
    O23 - Service: 6to4 -  - (no file)


    Important: Close all open windows except for HijackThis and then click Fix checked.

    Once completed, exit HijackThis.
    *************************************
    Download Security Check by screen317 from one of the following links and save it to your desktop.

    Link 1
    Link 2

    * Unzip SecurityCheck.zip and a folder named Security Check should appear.
    * Open the Security Check folder and double-click Security Check.bat
    * Follow the on-screen instructions inside of the black box.
    * A Notepad document should open automatically called checkup.txt
    * Post the contents of that document in your next reply.

    Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
    *************************************
    Please download ComboFix from BleepingComputer.com

    Alternate link: GeeksToGo.com

    Rename ComboFix.exe to commy.exe before you save it to your Desktop
    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
    Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
    As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    Click on Yes, to continue scanning for malware.
    When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

    If you have problems with ComboFix usage, see How to use ComboFix
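    As an added example (not a Computer Hope tool, and not part of Dave's instructions), the short Python script below applies the same triage rules a malware-removal helper uses when picking HijackThis entries for "Fix checked": a browser proxy pointed at 127.0.0.1, load points whose file is missing, HKLM/HKCU Run entries that launch from a user's Temp or Application Data tree or from a $NtUninstall*$ hotfix-backup folder, and startup items planted in the SYSTEM or Default User profile. The sample lines are constructed to match the shape of the log posted above; the regexes and reason strings are this example's own choices, not anything from the forum's procedure.

```python
"""Flag HijackThis-style load points worth reviewing.

Added example for this thread; it reproduces the reasoning behind the
'Fix checked' list above, not any official Computer Hope tooling.
"""
import re

# Constructed sample in HijackThis v2 format (same shape as the posted log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [cofbesfq] "C:\Documents and Settings\Owner.STEVE\Local Settings\Application Data\wsfaxolto\yxivrunshdw.exe"
O4 - HKLM\..\Run: [bipro] "rundll32" "C:\WINDOWS\$NtUninstallMTF1011$\mmduch.dll",,Run
O4 - HKCU\..\Run: [XBV6RD5SZF] "C:\DOCUME~1\OWNER~1.STE\LOCALS~1\Temp\Rh2.exe"
O4 - S-1-5-18 Startup: ibygm.exe (User 'SYSTEM')
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: 6to4 -  - (no file)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Directories a legitimate Run entry almost never launches from on XP:
# per-user temp / application-data trees (long and 8.3 forms) and the
# $NtUninstall*$ hotfix-backup folders (mmduch.dll above lived in one).
USER_WRITABLE = re.compile(
    r"\\(Temp|Local Settings\\Application Data|Application Data|LOCALS~1)\\"
    r"|\\\$NtUninstall[^\\]*\$\\",
    re.IGNORECASE,
)
# Load point whose target no longer exists (harmless, but it should be cleared).
ORPHAN = re.compile(r"\((no file|file missing)\)", re.IGNORECASE)
# IE proxied through a local port: the rogue-AV traffic-hijack pattern.
LOCAL_PROXY = re.compile(r"ProxyServer\s*=\s*\S*127\.0\.0\.1:\d+", re.IGNORECASE)
# Startup folder items in profiles that no user logs into interactively.
SYSTEM_STARTUP = re.compile(r"^O4 - (S-1-5-18|\.DEFAULT) Startup:", re.IGNORECASE)
# HijackThis entry lines look like "R1 - ...", "O4 - ...", "F2 - ...".
ENTRY = re.compile(r"^[RFO]\d+ - ")


def triage(log_text):
    """Return [(entry_line, [reasons])] for every entry that trips a rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not ENTRY.match(line):
            continue  # header, process list, blank lines
        reasons = []
        if LOCAL_PROXY.search(line):
            reasons.append("browser proxied through 127.0.0.1 (traffic hijack)")
        if ORPHAN.search(line):
            reasons.append("load point references a missing file")
        if line.startswith("O4") and USER_WRITABLE.search(line):
            reasons.append("autorun launches from user-writable or hotfix-backup dir")
        if SYSTEM_STARTUP.match(line):
            reasons.append("startup item in SYSTEM/Default User profile")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(entry)
        for r in why:
            print("    ->", r)
```

    Run it against a real saved HijackThis log by replacing SAMPLE_LOG with the file's contents. The rules are deliberately conservative: they do not try to judge a binary by its name, so a rogue that installs itself under Program Files with a plausible vendor string will pass; that is why the helper still reads the whole log rather than relying on a script.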

    piratesteve83

      Topic Starter


      Beginner

      Re: Need help removing remnants of "AntiMalware Doctor" infection
      « Reply #2 on: October 25, 2010, 11:15:45 PM »
      Hi Dave:

      Something I forgot to mention in my first post: I checked Add/Remove Programs and found something called "Street-Ads Browser Enhancer". It did not look familiar, but per the instructions, I did not remove it. Let me know if I should. Here are the logs:

       
      Quote
      Results of screen317's Security Check version 0.99.5 
       Windows XP Service Pack 3 
       Internet Explorer 7 Out of date!
      ``````````````````````````````
      Antivirus/Firewall Check:

       Windows Firewall Disabled! 
       AVG Free 9.0   
       Online Armor 4.0   
      ```````````````````````````````
      Anti-malware/Other Utilities Check:

       Malwarebytes' Anti-Malware   
       HijackThis 2.0.2   
       CCleaner     
       Eusing Free Registry Cleaner 
       Java(TM) 6 Update 22 
       Out of date Java installed!
       Adobe Flash Player 10.1.85.3 
      Adobe Reader 8.1.6
      Out of date Adobe Reader installed!
       Mozilla Firefox (3.6.11) Firefox Out of Date! 
      ````````````````````````````````
      Process Check: 
      objlist.exe by Laurent

       AVG avgwdsvc.exe
       AVG avgrsx.exe
       AVG avgnsx.exe
       AVG avgemc.exe
       Tall Emu Online Armor OAcat.exe
       Tall Emu Online Armor oasrv.exe
       Tall Emu Online Armor oaui.exe
       Tall Emu Online Armor OAhlp.exe
      ````````````````````````````````
      DNS Vulnerability Check:

       GREAT! (Not vulnerable to DNS cache poisoning)

      ``````````End of Log````````````

      Quote
      ComboFix 10-10-25.01 - Owner 10/26/2010   0:50.3.1 - x86
      Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1534.1004 [GMT -4:00]
      Running from: c:\documents and settings\Owner.STEVE\desktop\commy.exe
      Command switches used :: /stepdel
      AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
      FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
      .

      (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      c:\documents and settings\Owner.STEVE\Local Settings\Application Data\Windows Server
      c:\windows\$NtUninstallMTF1011$
      c:\windows\system32\Data
      c:\documents and settings\Owner.STEVE\Local Settings\Application Data\Windows Server\admin.txt
      c:\documents and settings\Owner.STEVE\Local Settings\Application Data\Windows Server\server.dat
      C:\LOG1.tmp
      C:\LOG11.tmp
      C:\LOG130E.tmp
      C:\LOG131.tmp
      C:\LOG2.tmp
      C:\LOG289.tmp
      C:\LOG3.tmp
      C:\LOG3DE.tmp
      C:\LOG53.tmp
      C:\LOG5A1.tmp
      C:\LOG68.tmp
      C:\LOG8.tmp
      C:\LOG84.tmp
      C:\LOGC9.tmp
      c:\windows\$NtUninstallMTF1011$\apUninstall.exe
      c:\windows\$NtUninstallMTF1011$\zrpt.xml
      c:\windows\system32\arp.exe

      .
      (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      -------\Legacy_6TO4
      -------\Service_6to4


      (((((((((((((((((((((((((   Files Created from 2010-09-26 to 2010-10-26  )))))))))))))))))))))))))))))))
      .

      2010-10-23 17:58 . 2010-10-23 17:58   --------   d-----w-   c:\program files\Bonjour
      2010-10-23 16:43 . 2010-10-23 16:43   --------   d-----w-   c:\documents and settings\All Users.WINDOWS\Application Data\McAfee
      2010-10-22 20:38 . 2010-10-22 20:38   388096   ----a-r-   c:\documents and settings\Owner.STEVE\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
      2010-10-22 20:38 . 2010-10-22 20:38   --------   d-----w-   c:\program files\Trend Micro
      2010-10-22 20:30 . 2010-09-15 08:50   472808   ----a-w-   c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
      2010-10-22 20:30 . 2010-09-15 08:50   472808   ----a-w-   c:\windows\system32\deployJava1.dll
      2010-10-22 19:45 . 2010-04-29 19:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
      2010-10-22 19:45 . 2010-10-22 19:45   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
      2010-10-22 19:45 . 2010-04-29 19:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
      2010-10-21 13:41 . 2010-10-21 14:00   --------   d-----w-   c:\documents and settings\All Users.WINDOWS\Application Data\OnlineArmor
      2010-10-21 13:41 . 2010-10-21 13:42   --------   d-----w-   c:\documents and settings\Owner.STEVE\Application Data\OnlineArmor
      2010-10-21 13:41 . 2010-07-07 16:25   22600   ----a-w-   c:\windows\system32\drivers\OAmon.sys
      2010-10-21 13:41 . 2010-07-07 16:25   28232   ----a-w-   c:\windows\system32\drivers\OAnet.sys
      2010-10-21 13:41 . 2010-07-07 16:25   236104   ----a-w-   c:\windows\system32\drivers\OADriver.sys
      2010-10-21 13:41 . 2010-10-21 13:41   --------   d-----w-   c:\program files\Emsisoft

      .
      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2010-09-18 16:23 . 2003-07-16 20:33   974848   ----a-w-   c:\windows\system32\mfc42u.dll
      2010-09-18 06:53 . 2003-07-16 20:33   974848   ----a-w-   c:\windows\system32\mfc42.dll
      2010-09-18 06:53 . 2003-07-16 20:33   954368   ----a-w-   c:\windows\system32\mfc40.dll
      2010-09-18 06:53 . 2003-07-16 20:33   953856   ----a-w-   c:\windows\system32\mfc40u.dll
      2010-09-15 06:29 . 2007-11-08 06:58   73728   ----a-w-   c:\windows\system32\javacpl.cpl
      2010-09-09 13:38 . 2006-06-23 16:33   832512   ----a-w-   c:\windows\system32\wininet.dll
      2010-09-09 13:38 . 2003-07-16 20:30   1830912   ------w-   c:\windows\system32\inetcpl.cpl
      2010-09-09 13:38 . 2004-08-04 07:56   78336   ------w-   c:\windows\system32\ieencode.dll
      2010-09-09 13:38 . 2003-07-16 20:25   17408   ----a-w-   c:\windows\system32\corpol.dll
      2010-09-08 15:57 . 2004-08-04 05:59   389120   ------w-   c:\windows\system32\html.iec
      2010-09-08 15:17 . 2010-09-08 15:17   94208   ----a-w-   c:\windows\system32\QuickTimeVR.qtx
      2010-09-08 15:17 . 2010-09-08 15:17   69632   ----a-w-   c:\windows\system32\QuickTime.qts
      2010-09-01 11:51 . 2003-07-16 20:24   285824   ----a-w-   c:\windows\system32\atmfd.dll
      2010-08-31 13:42 . 2003-07-16 20:51   1852800   ----a-w-   c:\windows\system32\win32k.sys
      2010-08-27 08:02 . 2003-07-16 20:47   119808   ----a-w-   c:\windows\system32\t2embed.dll
      2010-08-27 05:57 . 2003-07-16 20:46   99840   ----a-w-   c:\windows\system32\srvsvc.dll
      2010-08-26 13:39 . 2003-07-16 20:46   357248   ----a-w-   c:\windows\system32\drivers\srv.sys
      2010-08-26 12:52 . 2009-04-15 14:37   5120   ----a-w-   c:\windows\system32\xpsp4res.dll
      2010-08-23 16:12 . 2003-07-16 20:25   617472   ----a-w-   c:\windows\system32\comctl32.dll
      2010-08-17 13:17 . 2005-06-10 23:55   58880   ----a-w-   c:\windows\system32\spoolsv.exe
      2010-08-16 08:45 . 2004-03-06 02:16   590848   ----a-w-   c:\windows\system32\rpcrt4.dll
      .

      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "Kernel and Hardware Abstraction Layer"="c:\windows\KHALMNPR.EXE" [2008-02-29 76304]
      "V0500Mon.exe"="c:\windows\V0500Mon.exe" [2007-11-03 32768]
      "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
      "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
      "@OnlineArmor GUI"="c:\program files\Emsisoft\Online Armor\oaui.exe" [2010-07-07 6854984]
      "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
      "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
      "WIAWizardMenu"="c:\windows\system32\sti_ci.dll" [2008-04-14 136704]

      c:\documents and settings\Default User.WINDOWS\Start Menu\Programs\Startup\
      ibygm.exe [2010-8-31 138752]

      c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
      HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
      Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-7-28 805392]
      NETGEAR WG111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v2\WG111v2.exe [2009-1-7 1261568]

      [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
      "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\Emsisoft\ONLINE~1\oaevent.dll" [2010-07-07 924488]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
      2008-05-02 06:42   72208   ----a-w-   c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
      @=""

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
      2008-04-14 00:12   15360   ----a-w-   c:\windows\system32\ctfmon.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
      2008-04-14 00:12   10752   ----a-w-   c:\windows\system32\dumprep.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\security center]
      "AntiVirusOverride"=dword:00000001

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\system32\\sessmgr.exe"=
      "c:\\Program Files\\My Games\\Worms 2\\frontend.exe"=
      "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
      "c:\\WINDOWS\\system32\\msiexec.exe"=
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
      "c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
      "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
      "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
      "c:\\Program Files\\Vuze\\Azureus.exe"=
      "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
      "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
      "c:\\Program Files\\iTunes\\iTunes.exe"=
      "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
      "9420:TCP"= 9420:TCP:Red Swoosh
      "5000:UDP"= 5000:UDP:Red Swoosh

      R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/5/2009 12:51 PM 216400]
      R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/5/2009 12:51 PM 243024]
      R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [10/21/2010 9:41 AM 236104]
      R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [10/21/2010 9:41 AM 22600]
      R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [10/21/2010 9:41 AM 28232]
      R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2009 11:43 AM 12872]
      R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 11:43 AM 66632]
      R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [7/16/2010 9:52 AM 921952]
      R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/16/2010 9:53 AM 308136]
      R2 OAcat;Online Armor Helper Service;c:\program files\Emsisoft\Online Armor\oacat.exe [10/21/2010 9:41 AM 1283400]
      R2 SvcOnlineArmor;Online Armor;c:\program files\Emsisoft\Online Armor\oasrv.exe [10/21/2010 9:41 AM 3364680]
      R2 tcaicchg;tcaicchg;c:\windows\system32\TCAICCHG.SYS [11/6/2007 10:13 PM 21233]
      R2 TCAITDI;TCAITDI Protocol;c:\windows\system32\drivers\TCAITDI.SYS [11/6/2007 10:13 PM 19534]
      R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [1/7/2009 4:15 PM 272128]
      S3 PSEXESVC;PsExec;

      S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 11:43 AM 12872]
      S3 V0500Dev;Dynex 1.3MP Webcam Driver;c:\windows\system32\drivers\V0500Vid.sys [5/21/2010 3:27 PM 251264]
      .
      Contents of the 'Scheduled Tasks' folder

      2010-10-26 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1417001333-2077806209-839522115-1003.job
      - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

      2010-10-23 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1417001333-2077806209-839522115-1003.job
      - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
      .
      .
      ------- Supplementary Scan -------
      .
      uStart Page = www.hotmail.com
      uInternet Settings,ProxyOverride = <local>
      FF - ProfilePath - c:\documents and settings\Owner.STEVE\Application Data\Mozilla\Firefox\Profiles\ael2xack.default\
      FF - prefs.js: browser.startup.homepage - www.hotmail.com
      FF - prefs.js: network.proxy.type - 0
      FF - plugin: c:\documents and settings\Owner.STEVE\Application Data\Move Networks\plugins\npqmp071503000010.dll
      FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
      FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
      FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
      FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

      ---- FIREFOX POLICIES ----
      FF - user.js: network.cookie.cookieBehavior - 0
      FF - user.js: privacy.clearOnShutdown.cookies - false
      FF - user.js: security.warn_viewing_mixed - false
      FF - user.js: security.warn_viewing_mixed.show_once - false
      FF - user.js: security.warn_submit_insecure - false
      FF - user.js: security.warn_submit_insecure.show_once - false
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true);  // Traditional
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true);  // Simplified
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
      .
      - - - - ORPHANS REMOVED - - - -

      ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
      AddRemove-$NtUninstallMTF1011$ - c:\windows\$NtUninstallMTF1011$\apUninstall.exe



      **************************************************************************

      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2010-10-26 00:58
      Windows 5.1.2600 Service Pack 3 NTFS

      scanning hidden processes ... 

      scanning hidden autostart entries ...

      scanning hidden files ... 

      scan completed successfully
      hidden files: 0

      **************************************************************************
      .
      --------------------- LOCKED REGISTRY KEYS ---------------------

      [HKEY_USERS\S-1-5-21-1417001333-2077806209-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
      @Allowed: (Read) (RestrictedCode)
      @Allowed: (Read) (RestrictedCode)

      [HKEY_USERS\S-1-5-21-1417001333-2077806209-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
      "??"=hex:24,42,a6,c6,90,d5,09,83,56,71,4a,c1,6c,ae,ff,cc,d0,e8,76,79,e0,97,50,
         11,f7,76,f5,0e,89,30,62,22,66,0e,27,a8,a1,ad,e3,b9,de,0d,62,96,19,aa,6e,2c,\
      "??"=hex:bc,dc,a7,72,80,37,df,2e,5f,9f,d9,e9,74,d0,31,5d

      [HKEY_USERS\S-1-5-21-1417001333-2077806209-839522115-1003\Software\SecuROM\License information*]
      "datasecu"=hex:73,89,55,9d,44,26,08,d4,c9,35,6d,ac,a9,be,be,5c,1d,cc,77,b1,2f,
         d3,8d,02,57,42,51,84,c4,d9,ca,05,46,d0,66,79,d9,d6,7a,72,6e,26,98,6e,30,60,\
      "rkeysecu"=hex:c6,ed,05,48,4e,80,0d,29,fa,cb,7e,1e,83,32,7e,c3
      .
      --------------------- DLLs Loaded Under Running Processes ---------------------

      - - - - - - - > 'winlogon.exe'(432)
      c:\windows\system32\Ati2evxx.dll
      c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
      c:\program files\common files\logishrd\bluetooth\LBTServ.dll

      - - - - - - - > 'explorer.exe'(2268)
      c:\windows\system32\WININET.dll
      c:\program files\Emsisoft\Online Armor\OAwatch.dll
      c:\program files\Logitech\SetPoint\lgscroll.dll
      c:\windows\system32\ieframe.dll
      c:\windows\system32\WPDShServiceObj.dll
      c:\windows\system32\PortableDeviceTypes.dll
      c:\windows\system32\PortableDeviceApi.dll
      .
      ------------------------ Other Running Processes ------------------------
      .
      c:\windows\system32\Ati2evxx.exe
      c:\windows\system32\Ati2evxx.exe
      c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
      c:\program files\Emsisoft\Online Armor\OAhlp.exe
      c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
      c:\program files\Bonjour\mDNSResponder.exe
      c:\windows\System32\CTsvcCDA.exe
      c:\program files\Java\jre6\bin\jqs.exe
      c:\program files\AVG\AVG9\avgnsx.exe
      c:\program files\AVG\AVG9\avgcsrvx.exe
      c:\program files\AVG\AVG9\avgchsvx.exe
      c:\program files\AVG\AVG9\avgrsx.exe
      c:\program files\AVG\AVG9\avgcsrvx.exe
      c:\program files\iPod\bin\iPodService.exe
      .
      **************************************************************************
      .
      Completion time: 2010-10-26  01:06:26 - machine was rebooted
      ComboFix-quarantined-files.txt  2010-10-26 05:06

      Pre-Run: 51,095,035,904 bytes free
      Post-Run: 51,162,779,648 bytes free

      - - End Of File - - 944F46CE55753297D4F02D6240CF9C23


      SuperDave

      • Malware Removal Specialist


      • Genius
      • Thanked: 1020
      • Certifications: List
      • Experience: Expert
      • OS: Windows 10
      Re: Neep help removing remnants of "AntiMalware Doctor" infection
      « Reply #3 on: October 26, 2010, 01:16:40 PM »
      Quote
      I checked Add/Remove Programs and found something called "Street-Ads Browser Enhancer".  It did not look familiar, but per the instructions, I did not remove it.  Let me know if I should.
      Yes. Please uninstall it.

      Please download the newest version of Adobe Acrobat Reader from Adobe.com

      Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
      Go to the Control Panel and enter Add or Remove Programs.
      Search in the list for all previously installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

      Once old versions are gone, please install the newest version.
      ************************************
      Registry cleaners are extremely powerful applications and their potential for harming your OS far outweighs any small potential for improving your computer's performance.
      Eusing Free Registry Cleaner 

      There are a number of them available and some are more safe than others. Keep in mind that no two registry cleaners work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad" entry. One cleaner may find entries on your system that will not cause a problem when removed, another may not find the same entries, and still another may want to remove entries required for a program to work. Without research into what the registry entry selected for deletion is, a registry cleaner can end up being an automated method to cause problems with the registry.

      For routine use by those not familiar with the registry, the benefits to your computer are negligible while the potential risks are great.

      Further reading: XP Fixes Myth #1: Registry Cleaners
      **************************************
      Please go to Jotti's malware scan
      (If more than one file needs to be scanned, they must be done separately and links posted for each one.)

      * Copy the file path in the below Code box:

      Code:
      c:\documents and settings\Default User.WINDOWS\Start Menu\Programs\Startup\ibygm.exe

      * At the upload site, click once inside the window next to Browse.
      * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
      * Next click Submit file
      * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
      * This will perform a scan across multiple different virus scanning engines.
      * Important: Wait for all of the scanning engines to complete.
      **********************************
      SysProt Antirootkit

      Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

      http://sites.google.com/site/sysprotantirootkit/

      Unzip it into a folder on your desktop.
      • Double click Sysprot.exe to start the program.
      • Click on the Log tab.
      • In the Write to log box select the following items.
        • Process << Selected
        • Kernel Modules << Selected
        • SSDT << Selected
        • Kernel Hooks << Selected
        • IRP Hooks << NOT Selected
        • Ports << NOT Selected
        • Hidden Files << Selected
      • At the bottom of the page
        • Hidden Objects Only << Selected
      • Click on the Create Log button on the bottom right.
      • After a few seconds a new window should appear.
      • Select Scan Root Drive. Click on the Start button.
      • When it is complete a new window will appear to indicate that the scan is finished.
      • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

      * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
      Windows 8 and Windows 10 dual boot with two SSD's

      piratesteve83

        Topic Starter


        Beginner

        Re: Neep help removing remnants of "AntiMalware Doctor" infection
        « Reply #4 on: October 26, 2010, 04:48:07 PM »
        Here's the scan link:

        http://virusscan.jotti.org/en/scanresult/c53b80151655c55b2db861a364c17ef04bad9720

        And the log:

        Quote
        SysProt AntiRootkit v1.0.1.0
        by swatkat

        ******************************************************************************************
        ******************************************************************************************

        No Hidden Processes found

        ******************************************************************************************
        ******************************************************************************************
        Kernel Modules:
        Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
        Service Name: ---
        Module Base: B0216000
        Module End: B022E000
        Hidden: Yes

        Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
        Service Name: ---
        Module Base: F798F000
        Module End: F7991000
        Hidden: Yes

        Module Name: \??\C:\DOCUME~1\OWNER~1.STE\LOCALS~1\Temp\mbr.sys
        Service Name: mbr
        Module Base: F77FF000
        Module End: F7805000
        Hidden: Yes

        Module Name: \??\C:\commy\catchme.sys
        Service Name: catchme
        Module Base: B0469000
        Module End: B0471000
        Hidden: Yes

        Module Name: \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
        Service Name: ---
        Module Base: F79AB000
        Module End: F79AD000
        Hidden: Yes

        ******************************************************************************************
        ******************************************************************************************
        SSDT:
        Function Name: ZwAllocateVirtualMemory
        Address: B062CED0
        Driver Base: B060E000
        Driver End: B065C000
        Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

        Function Name: ZwAssignProcessToJobObject
        Address: B062D700
        Driver Base: B060E000
        Driver End: B065C000
        Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

        Function Name: ZwConnectPort
        Address: B062ADA0
        Driver Base: B060E000
        Driver End: B065C000
        Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

        Function Name: ZwCreateFile
        Address: B063A9C0
        Driver Base: B060E000
        Driver End: B065C000
        Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

        Function Name: ZwCreatePort
        Address: B062A8E0
        Driver Base: B060E000
        Driver End: B065C000
        Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

        Function Name: ZwCreateProcess
        Address: B0627620
        Driver Base: B060E000
        Driver End: B065C000
        Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

        Function Name: ZwCreateProcessEx
        Address: B0627A30
        Driver Base: B060E000
        Driver End: B065C000
        Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

        Function Name: ZwCreateSection
        Address: B0626EF0
        Driver Base: B060E000
        Driver End: B065C000
        Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

        Function Name: ZwCreateThread
        Address: B0628F20
        Driver Base: B060E000
        Driver End: B065C000
        Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

        Function Name: ZwDebugActiveProcess
        Address: B0629B90
        Driver Base: B060E000
        Driver End: B065C000
        Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

        Function Name: ZwDuplicateObject
        Address: B062A6F0
        Driver Base: B060E000
        Driver End: B065C000
        Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

        Function Name: ZwLoadDriver
        Address: B062C490
        Driver Base: B060E000
        Driver End: B065C000
        Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

        Function Name: ZwOpenFile
        Address: B063B040
        Driver Base: B060E000
        Driver End: B065C000
        Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

        Function Name: ZwOpenProcess
        Address: B0628A20
        Driver Base: B060E000
        Driver End: B065C000
        Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

        Function Name: ZwOpenSection
        Address: B0627310
        Driver Base: B060E000
        Driver End: B065C000
        Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

        Function Name: ZwOpenThread
        Address: B0629420
        Driver Base: B060E000
        Driver End: B065C000
        Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

        Function Name: ZwProtectVirtualMemory
        Address: B062D350
        Driver Base: B060E000
        Driver End: B065C000
        Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

        Function Name: ZwQueryDirectoryFile
        Address: B062CA70
        Driver Base: B060E000
        Driver End: B065C000
        Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

        Function Name: ZwQueueApcThread
        Address: B062D8A0
        Driver Base: B060E000
        Driver End: B065C000
        Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

        Function Name: ZwRequestPort
        Address: B062B9A0
        Driver Base: B060E000
        Driver End: B065C000
        Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

        Function Name: ZwRequestWaitReplyPort
        Address: B062BF90
        Driver Base: B060E000
        Driver End: B065C000
        Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

        Function Name: ZwRestoreKey
        Address: B063A550
        Driver Base: B060E000
        Driver End: B065C000
        Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

        Function Name: ZwResumeThread
        Address: B062A340
        Driver Base: B060E000
        Driver End: B065C000
        Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

        Function Name: ZwSecureConnectPort
        Address: B062B190
        Driver Base: B060E000
        Driver End: B065C000
        Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

        Function Name: ZwSetContextThread
        Address: B0629970
        Driver Base: B060E000
        Driver End: B065C000
        Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

        Function Name: ZwSetSystemInformation
        Address: B0629D30
        Driver Base: B060E000
        Driver End: B065C000
        Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

        Function Name: ZwShutdownSystem
        Address: B062C370
        Driver Base: B060E000
        Driver End: B065C000
        Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

        Function Name: ZwSuspendProcess
        Address: B062A520
        Driver Base: B060E000
        Driver End: B065C000
        Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

        Function Name: ZwSuspendThread
        Address: B062A130
        Driver Base: B060E000
        Driver End: B065C000
        Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

        Function Name: ZwSystemDebugControl
        Address: B0629F40
        Driver Base: B060E000
        Driver End: B065C000
        Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

        Function Name: ZwTerminateProcess
        Address: B0628C80
        Driver Base: B060E000
        Driver End: B065C000
        Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

        Function Name: ZwTerminateThread
        Address: B0629760
        Driver Base: B060E000
        Driver End: B065C000
        Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

        Function Name: ZwUnloadDriver
        Address: B062C780
        Driver Base: B060E000
        Driver End: B065C000
        Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

        Function Name: ZwWriteVirtualMemory
        Address: B062D520
        Driver Base: B060E000
        Driver End: B065C000
        Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

        ******************************************************************************************
        ******************************************************************************************
        No Kernel Hooks found

        ******************************************************************************************
        ******************************************************************************************
        Hidden files/folders:
        Object: C:\Documents and Settings\Owner.STEVE\Application Data\SecuROM\UserData\???????????p?????????
        Status: Hidden

        Object: C:\Documents and Settings\Owner.STEVE\Application Data\SecuROM\UserData\???????????p?????????
        Status: Hidden

        Object: C:\Qoobox\BackEnv\AppData.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Cache.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Cookies.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Desktop.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Favorites.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\History.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Music.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\NetHood.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Personal.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Pictures.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Programs.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Recent.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\SendTo.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\SetPath.bat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\StartUp.folder.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\SysPath.dat
        Status: Access denied

        Object: C:\Qoobox\BackEnv\Templates.folder.dat
        Status: Access denied

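The SSDT section of the SysProt log above can be checked mechanically rather than by eye: every hook in this log resolves into OADriver.sys (Online Armor's driver from the ComboFix service list), and the entries worth a closer look are hooks whose address lies outside the owning driver's image range or whose owner SysProt cannot name. This is an added example, not code from the poster or from SysProt; the allowlist and the final sample entry are constructed assumptions.

```python
"""Mechanical triage of a SysProt AntiRootkit SSDT listing.

Added example for this thread; it is not code from SysProt or from the poster.
Assumptions: the entry layout matches the v1.0.1.0 log above, the allowlist is
ours, and the last sample entry is constructed to show what a finding looks like.
"""
import re
from collections import defaultdict

# Constructed sample: three entries copied from the thread's log plus one
# made-up entry (ZwQuerySystemInformation) that no resolvable driver owns.
SAMPLE_LOG = r"""SSDT:
Function Name: ZwCreateFile
Address: B063A9C0
Driver Base: B060E000
Driver End: B065C000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwOpenProcess
Address: B0628A20
Driver Base: B060E000
Driver End: B065C000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwTerminateProcess
Address: B0628C80
Driver Base: B060E000
Driver End: B065C000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwQuerySystemInformation
Address: 8A3F1C00
Driver Base: 00000000
Driver End: 00000000
Driver Name: ---
"""

# One SSDT entry as SysProt prints it: five "Key: Value" lines in fixed order.
ENTRY_RE = re.compile(
    r"Function Name: (?P<func>\S+)[ \t]*\r?\n"
    r"Address: (?P<addr>[0-9A-Fa-f]+)[ \t]*\r?\n"
    r"Driver Base: (?P<base>[0-9A-Fa-f]+)[ \t]*\r?\n"
    r"Driver End: (?P<end>[0-9A-Fa-f]+)[ \t]*\r?\n"
    r"Driver Name: (?P<name>[^\r\n]*)"
)

# Modules we accept as legitimate SSDT hookers on this machine.  Online Armor's
# OADriver.sys appears in the ComboFix service list earlier in the thread; the
# set itself is an assumption for the example, not a SysProt feature.
KNOWN_HOOKERS = {"oadriver.sys"}


def parse_ssdt(text):
    """Return one dict per SSDT entry, with the hex fields converted to ints."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        entries.append({
            "function": m.group("func"),
            "address": int(m.group("addr"), 16),
            "base": int(m.group("base"), 16),
            "end": int(m.group("end"), 16),
            "driver": m.group("name").strip(),
        })
    return entries


def triage(entries, known=KNOWN_HOOKERS):
    """Group hooks by owning driver and list the entries worth a closer look.

    Two checks: the hook address must fall inside the owning driver's image
    range, and the owning driver must be one we recognise.  A hook that fails
    either is a candidate for manual follow-up, not proof of a rootkit.
    """
    by_driver = defaultdict(list)
    findings = []
    for e in entries:
        by_driver[e["driver"]].append(e["function"])
        if not (e["base"] <= e["address"] < e["end"]):
            findings.append(
                f"{e['function']}: hook at {e['address']:08X} is outside "
                f"{e['base']:08X}-{e['end']:08X} ({e['driver']})"
            )
        basename = e["driver"].rsplit("\\", 1)[-1].lower()
        if basename not in known:
            findings.append(f"{e['function']}: hooked by unrecognised module {e['driver']}")
    return dict(by_driver), findings


if __name__ == "__main__":
    drivers, flagged = triage(parse_ssdt(SAMPLE_LOG))
    for name, funcs in drivers.items():
        print(f"{name}: {len(funcs)} hook(s)")
    for line in flagged:
        print("CHECK:", line)
```

Run against the full log from the post, the three real entries group under OADriver.sys with no findings; only the constructed fourth entry is flagged.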

        SuperDave

        • Malware Removal Specialist


        • Genius
        • Thanked: 1020
        • Certifications: List
        • Experience: Expert
        • OS: Windows 10
        Re: Neep help removing remnants of "AntiMalware Doctor" infection
        « Reply #5 on: October 27, 2010, 01:07:42 PM »
        How's your computer running now?

        I'd like to scan your machine with ESET OnlineScan

        •Hold down Control and click on the following link to open ESET OnlineScan in a new window.
        ESET OnlineScan
        •Click the button.
        •For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
        • Click on to download the ESET Smart Installer. Save it to your desktop.
        • Double click on the icon on your desktop.
        •Check
        •Click the button.
        •Accept any security warnings from your browser.
        •Check
        •Push the Start button.
        •ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
        •When the scan completes, push
        •Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
        •Push the button.
        •Push
        A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

        Windows 8 and Windows 10 dual boot with two SSD's

        piratesteve83

          Topic Starter


          Beginner

          Re: Neep help removing remnants of "AntiMalware Doctor" infection
          « Reply #6 on: October 27, 2010, 10:47:22 PM »
          Seems like all signs of trouble are gone. My SuperAntiSpyware updates just fine now, and there's no error message at startup. I also finally updated Malwarebytes (it was the website that was down last time I tried), and did another scan which found one infected registry key, which is now deleted. Here's the info on it:

          Quote
          Registry Keys Infected:
          HKEY_CLASSES_ROOT\AppID\{84c3c236-f588-4c93-84f4-147b2abbe67b} (Adware.Adrotator) -> Quarantined and deleted successfully.

          And here's the ESET scan:

          Quote
          C:\zrpt.xml   Win32/Adware.SpywareProtect2009 application   cleaned by deleting - quarantined
          C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallMTF1011$\zrpt.xml.vir   Win32/Adware.SpywareProtect2009 application   cleaned by deleting - quarantined
          C:\System Volume Information\_restore{C9B0D9BA-3F49-42E7-9323-D9B010BDFB55}\RP856\A0178026.ini   Win32/Adware.Virtumonde.NEO application   cleaned by deleting - quarantined
          C:\System Volume Information\_restore{C9B0D9BA-3F49-42E7-9323-D9B010BDFB55}\RP857\A0181329.ini   Win32/Adware.Virtumonde.NEO application   cleaned by deleting - quarantined
          C:\System Volume Information\_restore{C9B0D9BA-3F49-42E7-9323-D9B010BDFB55}\RP857\A0181331.ini   Win32/Adware.Virtumonde.NEO application   cleaned by deleting - quarantined
          C:\System Volume Information\_restore{C9B0D9BA-3F49-42E7-9323-D9B010BDFB55}\RP857\A0181336.ini   Win32/Adware.Virtumonde.NEO application   cleaned by deleting - quarantined
          C:\System Volume Information\_restore{C9B0D9BA-3F49-42E7-9323-D9B010BDFB55}\RP857\A0181338.ini   Win32/Adware.Virtumonde.NEO application   cleaned by deleting - quarantined
          C:\System Volume Information\_restore{C9B0D9BA-3F49-42E7-9323-D9B010BDFB55}\RP858\A0181342.ini   Win32/Adware.Virtumonde.NEO application   cleaned by deleting - quarantined
          C:\System Volume Information\_restore{C9B0D9BA-3F49-42E7-9323-D9B010BDFB55}\RP858\A0181343.ini   Win32/Adware.Virtumonde.NEO application   cleaned by deleting - quarantined
          C:\System Volume Information\_restore{C9B0D9BA-3F49-42E7-9323-D9B010BDFB55}\RP858\A0181349.ini   Win32/Adware.Virtumonde.NEO application   cleaned by deleting - quarantined
          C:\System Volume Information\_restore{C9B0D9BA-3F49-42E7-9323-D9B010BDFB55}\RP858\A0181351.ini   Win32/Adware.Virtumonde.NEO application   cleaned by deleting - quarantined
          C:\System Volume Information\_restore{C9B0D9BA-3F49-42E7-9323-D9B010BDFB55}\RP859\A0181358.ini   Win32/Adware.Virtumonde.NEO application   cleaned by deleting - quarantined
          C:\System Volume Information\_restore{C9B0D9BA-3F49-42E7-9323-D9B010BDFB55}\RP859\A0183349.ini   Win32/Adware.Virtumonde.NEO application   cleaned by deleting - quarantined
          C:\System Volume Information\_restore{C9B0D9BA-3F49-42E7-9323-D9B010BDFB55}\RP859\A0183351.ini   Win32/Adware.Virtumonde.NEO application   cleaned by deleting - quarantined
          C:\System Volume Information\_restore{C9B0D9BA-3F49-42E7-9323-D9B010BDFB55}\RP859\A0184359.ini   Win32/Adware.Virtumonde.NEO application   cleaned by deleting - quarantined
          C:\System Volume Information\_restore{C9B0D9BA-3F49-42E7-9323-D9B010BDFB55}\RP859\A0184361.ini   Win32/Adware.Virtumonde.NEO application   cleaned by deleting - quarantined
          C:\System Volume Information\_restore{C9B0D9BA-3F49-42E7-9323-D9B010BDFB55}\RP859\A0184365.lnk   Win32/Adware.SecToolbar application   cleaned by deleting - quarantined
          C:\System Volume Information\_restore{C9B0D9BA-3F49-42E7-9323-D9B010BDFB55}\RP859\A0184366.lnk   Win32/Adware.SecToolbar application   cleaned by deleting - quarantined
          C:\System Volume Information\_restore{C9B0D9BA-3F49-42E7-9323-D9B010BDFB55}\RP859\A0185359.ini   Win32/Adware.Virtumonde.NEO application   cleaned by deleting - quarantined
          C:\System Volume Information\_restore{C9B0D9BA-3F49-42E7-9323-D9B010BDFB55}\RP859\A0185361.ini   Win32/Adware.Virtumonde.NEO application   cleaned by deleting - quarantined
          C:\System Volume Information\_restore{C9B0D9BA-3F49-42E7-9323-D9B010BDFB55}\RP859\A0185364.lnk   Win32/Adware.SecToolbar application   cleaned by deleting - quarantined
          C:\System Volume Information\_restore{C9B0D9BA-3F49-42E7-9323-D9B010BDFB55}\RP859\A0185365.lnk   Win32/Adware.SecToolbar application   cleaned by deleting - quarantined
          C:\System Volume Information\_restore{C9B0D9BA-3F49-42E7-9323-D9B010BDFB55}\RP859\A0185366.lnk   Win32/Adware.SecToolbar application   cleaned by deleting - quarantined
          C:\System Volume Information\_restore{C9B0D9BA-3F49-42E7-9323-D9B010BDFB55}\RP859\A0185367.lnk   Win32/Adware.SecToolbar application   cleaned by deleting - quarantined
          C:\System Volume Information\_restore{CCE07011-6AFD-4919-87F5-7940798E1916}\RP1\A0000020.dll   a variant of Win32/Adware.Lifze.N application   cleaned by deleting - quarantined
          C:\System Volume Information\_restore{CCE07011-6AFD-4919-87F5-7940798E1916}\RP1\A0000021.sys   Win32/Olmarik.ZC trojan   cleaned - quarantined
          C:\System Volume Information\_restore{CCE07011-6AFD-4919-87F5-7940798E1916}\RP2\A0002046.ini   Win32/Adware.AntimalwareDoctor.AE.Gen application   cleaned by deleting - quarantined
          C:\System Volume Information\_restore{CCE07011-6AFD-4919-87F5-7940798E1916}\RP2\A0002048.exe   a variant of Win32/Kryptik.GOD trojan   cleaned by deleting - quarantined
          C:\System Volume Information\_restore{CCE07011-6AFD-4919-87F5-7940798E1916}\RP2\A0002049.exe   a variant of Win32/Kryptik.GOD trojan   cleaned by deleting - quarantined
          C:\System Volume Information\_restore{CCE07011-6AFD-4919-87F5-7940798E1916}\RP7\A0007575.exe   Win32/Adware.SpywareProtect2009 application   cleaned by deleting - quarantined
          C:\System Volume Information\_restore{CCE07011-6AFD-4919-87F5-7940798E1916}\RP7\A0007576.exe   Win32/Adware.SpywareProtect2009 application   cleaned by deleting - quarantined
          C:\System Volume Information\_restore{CCE07011-6AFD-4919-87F5-7940798E1916}\RP7\A0007577.exe   a variant of Win32/Kryptik.GPR trojan   cleaned by deleting - quarantined
          C:\System Volume Information\_restore{CCE07011-6AFD-4919-87F5-7940798E1916}\RP7\A0007598.dll   a variant of Win32/Adware.Lifze.N application   cleaned by deleting - quarantined
          C:\System Volume Information\_restore{CCE07011-6AFD-4919-87F5-7940798E1916}\RP7\A0007599.exe   Win32/TrojanDownloader.FakeAlert.AQI trojan   cleaned by deleting - quarantined
          C:\System Volume Information\_restore{CCE07011-6AFD-4919-87F5-7940798E1916}\RP7\A0007600.dll   Win32/Olmarik.ACK trojan   cleaned by deleting - quarantined
          C:\System Volume Information\_restore{CCE07011-6AFD-4919-87F5-7940798E1916}\RP7\A0007601.dll   probably a variant of Win32/AutoRun.Spy.Ambler.NAD worm   cleaned by deleting - quarantined
          C:\WINDOWS\system32\hlp.dat   Win32/Bamital.DZ trojan   cleaned by deleting - quarantined

          SuperDave

          • Malware Removal Specialist


          • Genius
          • Thanked: 1020
          • Certifications: List
          • Experience: Expert
          • OS: Windows 10
          Re: Neep help removing remnants of "AntiMalware Doctor" infection
          « Reply #7 on: October 28, 2010, 01:35:16 PM »
          That sounds good. Let's do some cleanup.

          * Click START then RUN - Vista users press the Windows Key and the R keys together for the Run box.
          * Now type commy /uninstall in the runbox
          * Make sure there's a space between commy and /Uninstall
          * Then hit Enter

          * The above procedure will:
          * Delete the following:
          * ComboFix and its associated files and folders.
          * Reset the clock settings.
          * Hide file extensions, if required.
          * Hide System/Hidden files, if required.
          * Set a new, clean Restore Point.

          *******************************
          Clean out your temporary internet files and temp files.

          Download TFC by OldTimer to your desktop.

          Double-click TFC.exe to run it.

          Note: If you are running on Vista, right-click on the file and choose Run As Administrator

          TFC will close all programs when run, so make sure you have saved all your work before you begin.

          * Click the Start button to begin the cleaning process.
          * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
          * Please let TFC run uninterrupted until it is finished.

          Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

          ***********************************
          Use the Secunia Software Inspector to check for out of date software.

• Click Start Now

• Check the box next to Enable thorough system inspection.

• Click Start

• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.
          ----------

          Go to Microsoft Windows Update and get all critical updates.

          ----------

          I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

          SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
          * Using SpywareBlaster to protect your computer from Spyware and Malware
          * If you don't know what ActiveX controls are, see here

          Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

          Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

          Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
          Safe Surfing!
          Windows 8 and Windows 10 dual boot with two SSD's

          piratesteve83

            Re: Neep help removing remnants of "AntiMalware Doctor" infection
            « Reply #8 on: October 28, 2010, 04:04:18 PM »
Okay, I tried the first step, and it gave me this message:

            Quote
Windows cannot find 'commy'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

I checked to make sure "commy.exe" is still on my desktop, and it's there. So what else should I try?

I figured I'd wait to do the other steps until I complete this one, as I don't want to do anything out of order.

            SuperDave

            Re: Neep help removing remnants of "AntiMalware Doctor" infection
            « Reply #9 on: October 29, 2010, 11:32:18 AM »
            Ok. Please delete commy from your desktop. You can also delete the Combo-Fix.exe file, C:\Combo-Fix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combo-fix.txt and C:\Combo-Fix-quarantined-files.txt


            To turn off Windows XP System Restore:

            NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.

            1. Click Start.
            2. Right-click the My Computer icon, and then click Properties.
            3. Click the System Restore tab.
4. Check "Turn off System Restore" or "Turn off System Restore on all drives."
            5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
            7. Click OK.
            8. Restart the computer and follow the instructions in the next section to turn on System Restore.

            To turn on Windows XP System Restore:

            1. Click Start.
            2. Right-click My Computer, and then click Properties.
            3. Click the System Restore tab.
            4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
            5. Click Apply, and then click OK.

            piratesteve83

              Re: Neep help removing remnants of "AntiMalware Doctor" infection
              « Reply #10 on: October 29, 2010, 10:37:19 PM »
              Quote
              Ok. Please delete commy from your desktop. You can also delete the Combo-Fix.exe file, C:\Combo-Fix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combo-fix.txt and C:\Combo-Fix-quarantined-files.txt

              I deleted everything except for C:\QooBox folder, which gave me this message:

              Quote
              Cannot delete BackEnv: Access is denied
              Make sure the disk is not full or write-protected and that the file is not currently in use.

Should I be worried about this? Or should I just leave it?

              SuperDave

              Re: Neep help removing remnants of "AntiMalware Doctor" infection
              « Reply #11 on: October 30, 2010, 12:10:20 PM »
              Quote
Should I be worried about this? Or should I just leave it?
              Let's try this:

              Copy and paste the text in the code box below into Notepad.
Code:
@echo off
rem Remove the leftover ComboFix quarantine folder and everything in it
rd /s /q C:\QooBox
rem Remove this batch file from the Desktop once it has run
del blackpudding.bat
exit

              Then click File > Save as
              Save to the Desktop as blackpudding.bat
              And Save as type: All Files.

              Double-click on blackpudding.bat to run it.
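An added example, not SuperDave's script, for the case where the folder still reports "Access is denied": it clears the read-only, system and hidden attributes under C:\QooBox (the path from the thread) before removing the tree, then checks whether anything is left instead of assuming success, because rd does not set a usable errorlevel.

```batch
@echo off
rem Added example (not from the original post): clean up the leftover
rem ComboFix quarantine folder, handling the "Access is denied" case.
set "TARGET=C:\QooBox"

if not exist "%TARGET%\" (
    echo %TARGET% is not present, nothing to do.
    goto :done
)

rem Clear read-only, system and hidden bits on the folder itself and on
rem every file and subfolder below it; these bits are a common reason
rem that Explorer refuses to delete an entry.
attrib -r -s -h "%TARGET%"
attrib -r -s -h "%TARGET%\*" /s /d

rem Remove the whole tree without prompting.
rd /s /q "%TARGET%"

rem rd does not report failure through errorlevel, so check the folder.
if exist "%TARGET%\" (
    echo Could not remove everything under %TARGET%. Remaining entries:
    dir /s /b /a "%TARGET%"
    echo If one of these is still in use, restart in Safe Mode and run this again.
) else (
    echo %TARGET% removed.
)

:done
pause
rem Delete this batch file by its own full path, wherever it was saved.
del "%~f0"
```

Save it as a .bat file the same way as above and double-click it; the window stays open until a key is pressed so the result can be read.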

              piratesteve83

                Re: Neep help removing remnants of "AntiMalware Doctor" infection
                « Reply #12 on: October 30, 2010, 01:43:56 PM »
I'm sorry to say that this did not work either. Anything else I should try?

                SuperDave

                Re: Neep help removing remnants of "AntiMalware Doctor" infection
                « Reply #13 on: October 30, 2010, 06:53:40 PM »
                It's not a big deal. Empty that folder of everything you can delete and continue with the rest of the instructions.

                piratesteve83

                  Re: Neep help removing remnants of "AntiMalware Doctor" infection
                  « Reply #14 on: October 30, 2010, 09:19:23 PM »
Okee-doke! Thanks so much for all your help!