
Author Topic: Virus preventing access to antivirus sites and programs.  (Read 6212 times)


vercor

    Topic Starter


    Greenhorn

    Virus preventing access to antivirus sites and programs.
    « on: February 15, 2009, 03:39:26 PM »
    I am running Windows XP SP3.  I have a virus that is preventing Firefox and IE from accessing online virus scan sites, such as Trend Micro and Kaspersky.  I found another thread describing similar problems and I followed the steps recommended in it as far as I could.  When the virus first hit my computer, McAfee did recognize the threat and tried to delete it, but for some reason it wasn't able to; it told me to manually remove it from Add/Remove Programs. I tried, but I couldn't get to the program; I kept being redirected to a Google search for Win32.DNSChanger.   After running virus scans with McAfee and AVG, I removed a handful of trojans and spyware, the most significant one being a Win32.DNSChanger.  This made it so that I was able to at least access files on my computer again.

    When I tried to download MBAM and SAS, I had trouble trying to get them to install. I now have them installed but I cannot get them to run.  I believe that the virus is preventing them from running, but I could be wrong.

    Only other symptoms are that everything seems to be running very slowly, and my system is unstable (random freezes from time to time). Any help would be greatly appreciated!

    I downloaded and ran RSIT and I will attach the files.  I was unable to run MBAM or SAS so no logs from them are available.



    Note:  I believe that the virus hit my computer around 3:00pm yesterday (2/14/2009).






    [attachment deleted by admin]

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: Virus preventing access to antivirus sites and programs.
    « Reply #1 on: February 15, 2009, 05:06:17 PM »
    Welcome to CH.

    The real-time protection of two antivirus programs may conflict with each other and cause the following:

    1) False Alarms: When the antivirus software tells you that your PC has a virus when it actually doesn't.
    2) Conflicts: Your system may lock up due to both products attempting to access the same file at the same time.
    3) Performance: More than one antivirus will cause your PC to become slow and it may even crash or blue screen.

    Please uninstall either AVG or McAfee before continuing.

    ----------

    Click Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.

    * Scroll down to Non-Plug and Play Drivers and click the plus icon to open those drivers.
    * Search for any of the following:

    - Seneka.sys
    - clbdriver.sys
    - TDSSserv.sys

    * Let me know if you find them or not.
    * If you do find any, right click on each one and select Disable. Do not try to uninstall them.
    * Now reboot the computer.

    ----------

    Open HijackThis and select Do a system scan only.

    Place a check mark next to the following entries: (if there)

    O2 - BHO: Win32-DNSChanger - {930E7881-D9F3-4293-A24B-23A80C013378} - C:\WINDOWS\system32\fejokt.dll (file missing)
    O2 - BHO: {0894219f-015e-8d3b-1aa4-d72ce575ec3e} - {e3ce575e-c27d-4aa1-b3d8-e510f9124980} - C:\WINDOWS\system32\ibpwie.dll (file missing)
    O4 - HKLM\..\Run: [Jgubofa] rundll32.exe "C:\WINDOWS\Vqanun.dll",e
    O4 - HKLM\..\Run: [Ssemonusohoma] rundll32.exe "C:\WINDOWS\etofisaw.dll",e
    O4 - Startup: PowerReg Scheduler.exe
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL ibpwie.dll
    O20 - Winlogon Notify: crypt - crypts.dll (file missing)

    Important: Close all windows except for HijackThis and then click Fix checked.

    Exit HijackThis.

    ----------

    Download Malwarebytes' Anti-Malware (MBAM)

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to the following:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and Paste the entire report in your next reply.
    Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
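An added example (editor's code, not part of this thread and not HijackThis itself): a small parser for the HijackThis lines listed in the reply above. It maps each section code to where Windows loads the entry from and flags the ones worth a second look: entries whose file is already gone, Run entries that load a DLL straight out of the Windows root, bare DLL names in AppInit_DLLs, and Winlogon Notify packages. The sample lines are the ones quoted in the reply; the flagging rules are the editor's own heuristics, not HijackThis behaviour.

```python
"""Parse HijackThis-style scan lines and flag persistence entries worth review.

Added example, not part of the original thread and not HijackThis code.
The review heuristics are the editor's own, constructed for illustration,
and do not replace an analyst's judgement.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# What each HijackThis section code means (only the codes used in this thread).
SECTION_MEANING = {
    "O2": "Browser Helper Object, loaded into every Internet Explorer process",
    "O4": "Autostart entry (Run key or Startup folder)",
    "O20": "AppInit_DLLs or Winlogon Notify package, loaded into many processes",
}

# Constructed sample input: the lines evilfantasy asked vercor to fix.
SAMPLE_LOG = r"""
O2 - BHO: Win32-DNSChanger - {930E7881-D9F3-4293-A24B-23A80C013378} - C:\WINDOWS\system32\fejokt.dll (file missing)
O2 - BHO: {0894219f-015e-8d3b-1aa4-d72ce575ec3e} - {e3ce575e-c27d-4aa1-b3d8-e510f9124980} - C:\WINDOWS\system32\ibpwie.dll (file missing)
O4 - HKLM\..\Run: [Jgubofa] rundll32.exe "C:\WINDOWS\Vqanun.dll",e
O4 - HKLM\..\Run: [Ssemonusohoma] rundll32.exe "C:\WINDOWS\etofisaw.dll",e
O4 - Startup: PowerReg Scheduler.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL ibpwie.dll
O20 - Winlogon Notify: crypt - crypts.dll (file missing)
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# Full paths (C:\...\x.dll) or bare module names (x.dll) ending in dll/exe/sys.
MODULE_RE = re.compile(r'(?:[A-Za-z]:\\[^\s"]+?|[\w~$.-]+)\.(?:dll|exe|sys)\b', re.IGNORECASE)
# Host processes that merely load the real payload; not the module of interest.
HOST_LOADERS = {"rundll32.exe", "regsvr32.exe"}


@dataclass
class Entry:
    code: str            # O2 / O4 / O20
    kind: str            # BHO, HKLM\..\Run, Startup, AppInit_DLLs, Winlogon Notify
    name: str            # BHO name or CLSID, Run value name, Notify key name, ...
    modules: List[str]   # files the entry causes Windows to load
    file_missing: bool   # HijackThis reported "(file missing)"
    flags: List[str] = field(default_factory=list)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _in_windows_root(path: str) -> bool:
    """True for a file sitting directly in the Windows directory, not a subfolder."""
    p = path.lower()
    prefix = "c:\\windows\\"
    return p.startswith(prefix) and "\\" not in p[len(prefix):]


def parse_line(line: str) -> Optional[Entry]:
    """Turn one 'Oxx - kind: detail' line into an Entry, or None for other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    kind, _, rest = body.partition(": ")
    if kind == "Startup":
        name, modules = rest, [rest]
    else:
        if rest.startswith("["):                           # O4 Run: [ValueName] command
            name = rest[1:rest.index("]")]
        elif code == "O2" or kind == "Winlogon Notify":    # "Name - {CLSID} - path" / "key - dll"
            name = rest.split(" - ")[0]
        else:                                              # AppInit_DLLs has no per-entry name
            name = kind
        modules = [t for t in MODULE_RE.findall(rest) if _basename(t) not in HOST_LOADERS]
    return Entry(code, kind, name, modules, "(file missing)" in rest)


def assess(entry: Entry) -> Entry:
    """Attach review flags (editor's heuristics, tuned to the entries in this thread)."""
    if entry.file_missing:
        entry.flags.append("dangling load point: the file is already gone, remove the entry")
    if entry.kind.endswith("Run"):
        for mod in entry.modules:
            if _in_windows_root(mod):
                entry.flags.append(f"Run entry loads {mod} from the Windows root, unusual for legitimate software")
    if entry.kind == "AppInit_DLLs":
        for mod in entry.modules:
            if "\\" not in mod:
                entry.flags.append(f"AppInit_DLLs names {mod} without a path; it is found via DLL search order and injected into every user32-linked process")
    if entry.kind == "Winlogon Notify":
        entry.flags.append("Winlogon notification package runs inside winlogon.exe at logon; verify the publisher")
    return entry


def triage(log_text: str) -> List[Entry]:
    """Parse every recognised line and attach flags, in log order."""
    return [assess(e) for e in map(parse_line, log_text.splitlines()) if e is not None]


def flagged(log_text: str) -> List[Entry]:
    return [e for e in triage(log_text) if e.flags]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.code} {e.kind} [{e.name}] -> {SECTION_MEANING.get(e.code, 'other')}")
        for f in e.flags:
            print("   !", f)
```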

      vercor


        Re: Virus preventing access to antivirus sites and programs.
        « Reply #2 on: February 15, 2009, 06:00:18 PM »
        1) AVG uninstalled.

        2) I didn't find any of the .sys

        3) done

        4) I was able to get MBAM to run by renaming it and changing its extension to .bat (a recommendation I found on another forum).  I will copy and paste the log of that run.  After I restarted I was able to open MBAM with its original name, I rescanned and it detected nothing. 


        MBAM log:


        Malwarebytes' Anti-Malware 1.34
        Database version: 1764
        Windows 5.1.2600 Service Pack 3

        2/15/2009 7:09:23 PM
        mbam-log-2009-02-15 (19-09-23).txt

        Scan type: Quick Scan
        Objects scanned: 82318
        Time elapsed: 11 minute(s), 11 second(s)

        Memory Processes Infected: 0
        Memory Modules Infected: 0
        Registry Keys Infected: 16
        Registry Values Infected: 2
        Registry Data Items Infected: 0
        Folders Infected: 0
        Files Infected: 27

        Memory Processes Infected:
        (No malicious items detected)

        Memory Modules Infected:
        (No malicious items detected)

        Registry Keys Infected:
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e3ce575e-c27d-4aa1-b3d8-e510f9124980} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
        HKEY_CLASSES_ROOT\CLSID\{e3ce575e-c27d-4aa1-b3d8-e510f9124980} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
        HKEY_CLASSES_ROOT\lmaspois (Trojan.FakeAlert) -> Quarantined and deleted successfully.
        HKEY_CLASSES_ROOT\lmaspois.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
        HKEY_CLASSES_ROOT\Interface\{7a85cdf5-284b-4496-a9a7-dd82fee9dcec} (Rogue.FakeAlert) -> Quarantined and deleted successfully.
        HKEY_CLASSES_ROOT\Interface\{fcd4b2f5-8793-4e1f-8774-6e520cf6cd79} (Rogue.FakeAlert) -> Quarantined and deleted successfully.
        HKEY_CLASSES_ROOT\CLSID\{930e7881-d9f3-4293-a24b-23a80c013378} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
        HKEY_CLASSES_ROOT\Typelib\{a8954909-1f0f-41a5-a7fa-3b376d69e226} (Rogue.FakeAlert) -> Quarantined and deleted successfully.
        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{930e7881-d9f3-4293-a24b-23a80c013378} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{930e7881-d9f3-4293-a24b-23a80c013378} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
        HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt (Trojan.Downloader) -> Quarantined and deleted successfully.

        Registry Values Infected:
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jgubofa (Trojan.Agent) -> Quarantined and deleted successfully.
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssemonusohoma (Trojan.Agent) -> Quarantined and deleted successfully.

        Registry Data Items Infected:
        (No malicious items detected)

        Folders Infected:
        (No malicious items detected)

        Files Infected:
        C:\WINDOWS\system32\ibpwie.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\UACmxejuctn.dll (Rootkit.TDSS) -> Delete on reboot.
        C:\WINDOWS\system32\UACtvvmlrqj.dll (Trojan.TDSS) -> Delete on reboot.
        C:\WINDOWS\system32\UACubopxlvk.dll (Rootkit.TDSS) -> Delete on reboot.
        C:\WINDOWS\system32\UACylrdciqr.dll (Rootkit.TDSS) -> Delete on reboot.
        C:\WINDOWS\system32\drivers\UACrpbprdnt.sys (Rootkit.TDSS) -> Delete on reboot.
        C:\Documents and Settings\James Stokes\Local Settings\Temp\UACb7e4.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
        C:\Documents and Settings\James Stokes\Local Settings\Temp\E6C3.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\Temp\UACc9d3.tmp (Rootkit.TDSS) -> Delete on reboot.
        C:\Documents and Settings\James Stokes\Local Settings\Temporary Internet Files\Content.IE5\2R0VBIDQ\pifccddur[1].txt (Trojan.Vundo) -> Quarantined and deleted successfully.
        C:\Documents and Settings\James Stokes\Local Settings\Temporary Internet Files\Content.IE5\CX7S0RXV\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
        C:\Documents and Settings\James Stokes\Favorites\Cheap Software.url (Rogue.Link) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\sf.ico (Malware.Trace) -> Quarantined and deleted successfully.
        C:\Documents and Settings\James Stokes\Favorites\MP3 Download.url (Rogue.Link) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\m3.ico (Malware.Trace) -> Quarantined and deleted successfully.
        C:\Documents and Settings\James Stokes\Favorites\Search Online.url (Rogue.Link) -> Quarantined and deleted successfully.
        C:\Documents and Settings\James Stokes\Favorites\VIP Casino.url (Rogue.Link) -> Quarantined and deleted successfully.
        C:\Documents and Settings\James Stokes\Favorites\Cheap Pharmacy Online.url (Rogue.Link) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\c.ico (Malware.Trace) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\m.ico (Malware.Trace) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\p.ico (Malware.Trace) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\s.ico (Malware.Trace) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
        C:\Documents and Settings\James Stokes\Favorites\SMS TRAP.url (Rogue.Link) -> Quarantined and deleted successfully.
        C:\WINDOWS\ios.dat (Malware.Trace) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\UACdbqltltx.dat (Trojan.Agent) -> Delete on reboot.
        C:\WINDOWS\system32\UACmevxfqhr.log (Trojan.Agent) -> Delete on reboot.



        evilfantasy

        Re: Virus preventing access to antivirus sites and programs.
        « Reply #3 on: February 15, 2009, 06:02:41 PM »
        Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

        Link #1
        Link #2

        **Note:  It is important that it is saved directly to your Desktop.

        Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

        Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
         
        Double click combofix.exe & follow the prompts.
        When finished ComboFix will produce a log for you.
        Post the ComboFix log in your next reply.

        Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

        Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

        If you have problems with ComboFix usage, see How to use ComboFix.

        vercor


          Re: Virus preventing access to antivirus sites and programs.
          « Reply #4 on: February 15, 2009, 07:03:27 PM »
          ComboFix Log:


          ComboFix 09-02-15.01 - James Stokes 2009-02-15 20:42:29.1 - NTFSx86
          Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1297 [GMT -5:00]
          Running from: c:\documents and settings\James Stokes\Desktop\ComboFix.exe
          Command switches used :: c:\documents and settings\James Stokes\Desktop\ComboFix.exe
          AV: McAfee VirusScan *On-access scanning disabled* (Updated)
          FW: McAfee Personal Firewall *enabled*
           * Created a new restore point
          .

          (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
          .

          c:\windows\IE4 Error Log.txt
          c:\windows\system32\DKmnpXyb.ini
          c:\windows\system32\DKmnpXyb.ini2
          c:\windows\system32\WGiSvyay.ini
          c:\windows\system32\WGiSvyay.ini2
          c:\windows\Tasks\nbzpxgnw.job

          .
          (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
          .

          -------\Service_UACd.sys


          (((((((((((((((((((((((((   Files Created from 2009-01-16 to 2009-02-16  )))))))))))))))))))))))))))))))
          .

          2009-02-15 19:00 . 2009-02-15 19:00   <DIR>   d--------   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
          2009-02-15 18:55 . 2009-02-15 18:55   <DIR>   d--------   c:\documents and settings\James Stokes\Application Data\Malwarebytes
          2009-02-15 18:53 . 2009-02-15 19:11   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
          2009-02-15 18:53 . 2009-02-15 18:53   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
          2009-02-15 18:53 . 2009-02-11 10:19   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
          2009-02-15 18:53 . 2009-02-11 10:19   15,504   --a------   c:\windows\system32\drivers\mbam.sys
          2009-02-15 13:45 . 2009-02-15 17:07   <DIR>   d--------   C:\rsit
          2009-02-15 13:18 . 2009-02-15 19:40   <DIR>   d--------   c:\program files\SUPERAntiSpyware
          2009-02-15 13:18 . 2009-02-15 13:18   <DIR>   d--------   c:\documents and settings\James Stokes\Application Data\SUPERAntiSpyware.com
          2009-02-15 11:55 . 2009-02-15 11:55   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
          2009-02-15 04:24 . 2009-02-15 15:55   <DIR>   d--h-----   C:\$AVG8.VAULT$
          2009-02-15 04:20 . 2009-02-15 19:29   <DIR>   d--------   c:\documents and settings\All Users\Application Data\avg8
          2009-02-14 17:11 . 2009-02-14 17:11   302,592   --a------   c:\windows\system32\byXpnmKD.dll.vir
          2009-02-14 15:18 . 2009-02-14 15:18   302,592   --a------   c:\windows\system32\yayvSiGW.dll.vir
          2009-02-12 03:02 . 2009-02-12 03:02   <DIR>   d--------   c:\windows\$SQLUninstallSQL2000-KB960082-v8.00.2055-x86-ENU$
          2009-02-06 14:18 . 2009-02-06 14:38   <DIR>   d--------   c:\program files\PowerStrip
          2009-02-06 13:54 . 2009-02-06 13:54   <DIR>   d--------   c:\program files\MonInfo
          2009-02-06 13:00 . 2009-02-06 13:00   <DIR>   d--------   c:\program files\TightVNC
          2009-02-06 12:30 . 2009-02-06 12:30   <DIR>   d--------   c:\documents and settings\jhs\Application Data\Logitech
          2009-02-06 12:30 . 2009-02-06 12:30   <DIR>   d--------   c:\documents and settings\jhs\Application Data\GTek
          2009-02-06 12:29 . 2009-02-15 04:20   <DIR>   d--------   c:\documents and settings\jhs
          2009-02-06 11:11 . 2009-02-06 11:16   <DIR>   d--------   c:\program files\AirPort

          .
          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2009-02-16 01:47   ---------   d-----w   c:\documents and settings\James Stokes\Application Data\nView_Wallpaper
          2009-02-15 19:45   ---------   d-----w   c:\documents and settings\All Users\Application Data\Google Updater
          2009-02-15 18:18   ---------   d-----w   c:\program files\Common Files\Wise Installation Wizard
          2009-02-15 00:31   ---------   d-----w   c:\documents and settings\James Stokes\Application Data\EndNote
          2009-02-14 21:09   ---------   d--h--w   c:\documents and settings\James Stokes\Application Data\Move Networks
          2009-02-14 20:25   ---------   d-----w   c:\program files\McAfee
          2009-02-12 08:44   ---------   d-----w   c:\program files\DivX
          2009-02-12 08:14   ---------   d-----w   c:\documents and settings\James Stokes\Application Data\Azureus
          2009-01-06 08:15   ---------   d-----w   c:\documents and settings\All Users\Application Data\nView_Profiles
          2009-01-06 03:14   ---------   d-----w   c:\program files\Common Files\AOL
          2009-01-06 03:14   ---------   d-----w   c:\program files\AIM
          2009-01-06 03:14   ---------   d-----w   c:\documents and settings\James Stokes\Application Data\Aim
          2009-01-06 03:13   ---------   d-----w   c:\documents and settings\All Users\Application Data\AOL
          2008-12-29 08:14   ---------   d-----w   c:\program files\Java
          2008-12-29 08:10   ---------   d-----w   c:\program files\Google
          2008-12-25 18:09   ---------   d-----w   c:\program files\SystemRequirementsLab
          2008-12-18 23:50   ---------   d-----w   c:\program files\Intelligen
          2008-02-28 02:35   44,360   ----a-w   c:\program files\mozilla firefox\plugins\atgpcdec.dll
          2008-02-28 02:35   107,928   ----a-w   c:\program files\mozilla firefox\plugins\atgpcext.dll
          2008-04-24 14:58   122,880   ----a-w   c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
          2008-11-12 03:07   88   --sha-r   c:\windows\system32\BA8C5A2E66.sys
          2008-11-12 03:07   3,350   --sha-w   c:\windows\system32\KGyGaAvL.sys
          2008-07-01 22:06   32,768   --sha-w   c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008070120080702\index.dat
          .

          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          *Note* empty entries & legit default entries are not shown
          REGEDIT4

          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
          "Steam"="c:\program files\valve\steam\steam.exe" [2008-10-08 1410296]
          "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 68856]
          "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
          "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
          "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
          "Google Update"="c:\documents and settings\James Stokes\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]
          "AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-12 2356088]

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
          "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 94208]
          "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
          "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
          "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
          "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-24 29744]
          "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 233472]
          "HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
          "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-22 176128]
          "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
          "VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-13 122880]
          "AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
          "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
          "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
          "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
          "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
          "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
          "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
          "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
          "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
          "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
          "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
          "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
          "AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2008-05-20 737280]
          "SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]
          "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-07-22 c:\windows\KHALMNPR.Exe]
          "CTHelper"="CTHELPER.EXE" [2006-08-17 c:\windows\CTHELPER.EXE]
          "CTxfiHlp"="CTXFIHLP.EXE" [2006-08-17 c:\windows\system32\CTXFIHLP.EXE]
          "nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]

          [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
          "RealUpgradeHelper"="c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe" [2008-10-12 136768]

          c:\documents and settings\All Users\Start Menu\Programs\Startup\
          Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-06-05 24576]
          Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2006-06-07 528384]
          Run Google Web Accelerator.lnk - c:\program files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-07-09 1134592]
          Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 81920]

          [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
          "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
          2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
          "vidc.wmv3"= c:\progra~1\COMBIN~1\Filters\wmv9vcm.dll
          "msacm.avis"= ff_acm.acm
          HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent
          HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent

          [HKEY_LOCAL_MACHINE\software\microsoft\security center]
          "AntiVirusDisableNotify"=dword:00000001

          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
          "DisableMonitoring"=dword:00000001

          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
          "DisableMonitoring"=dword:00000001

          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
          "EnableFirewall"= 0 (0x0)

          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
          "%windir%\\system32\\sessmgr.exe"=
          "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
          "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
          "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
          "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
          "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
          "c:\\Program Files\\iTunes\\iTunes.exe"=
          "c:\\Program Files\\AirPort\\APAgent.exe"=

          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
          "5353:UDP"= 5353:UDP:Bonjour
          "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

          R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
          R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
          R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-09-25 206096]
          R2 PStrip;PSTRIP;c:\windows\system32\drivers\pstrip.sys [2007-07-14 27992]
          S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2006-06-05 29744]
          S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
          S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-04-29 356920]
          S3 se32;EnTech softEngine;c:\windows\system32\drivers\se32.sys [2007-05-03 12112]

          [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{33220075-2790-11dc-b8cb-00038a000015}]
          \Shell\AutoRun\command - F:\LaunchU3.exe -a
          .
          Contents of the 'Scheduled Tasks' folder

          2009-02-14 c:\windows\Tasks\AppleSoftwareUpdate.job
          - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

          2009-02-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-914741439-1241626394-3683679332-1006.job
          - c:\documents and settings\James Stokes\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 14:54]

          2009-01-15 c:\windows\Tasks\McDefragTask.job
          - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

          2009-02-01 c:\windows\Tasks\McQcTask.job
          - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
          .
          - - - - ORPHANS REMOVED - - - -

          HKCU-Run-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.bat.exe
          HKCU-Run-BeFree4iPhone - c:\program files\E.W.E.-Software\Befree4iPhone\befree4iphone.exe


          .
          ------- Supplementary Scan -------
          .
          uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
          uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
          uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
          IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
          Trusted Zone: internet
          Trusted Zone: mcafee.com
          DPF: Microsoft XML Parser for Java
          FF - ProfilePath - c:\documents and settings\James Stokes\Application Data\Mozilla\Firefox\Profiles\r1yv8447.default\
          FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
          FF - prefs.js: browser.search.selectedEngine - Google
          FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
          FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
          FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
          FF - plugin: c:\documents and settings\James Stokes\Application Data\Mozilla\Firefox\Profiles\r1yv8447.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
          FF - plugin: c:\documents and settings\James Stokes\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
          FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
          FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
          FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
          FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
          FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
          FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
          FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
          FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
          .

          **************************************************************************

          catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
          Rootkit scan 2009-02-15 20:49:18
          Windows 5.1.2600 Service Pack 3 NTFS

          scanning hidden processes ... 

          scanning hidden autostart entries ...

          scanning hidden files ... 

          scan completed successfully
          hidden files: 0

          **************************************************************************
          .
          --------------------- DLLs Loaded Under Running Processes ---------------------

          - - - - - - - > 'winlogon.exe'(700)
          c:\program files\SUPERAntiSpyware\SASWINLO.dll
          .
          ------------------------ Other Running Processes ------------------------
          .
          c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
          c:\program files\Bonjour\mDNSResponder.exe
          c:\windows\system32\CTSVCCDA.EXE
          c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
          c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
          c:\program files\Java\jre6\bin\jqs.exe
          c:\progra~1\McAfee\MSC\mcmscsvc.exe
          c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
          c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
          c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
          c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
          c:\windows\system32\CTXFISPI.EXE
          c:\program files\McAfee\MPF\MpfSrv.exe
          c:\program files\McAfee\MSK\msksrver.exe
          c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
          c:\windows\system32\rundll32.exe
          c:\windows\system32\rundll32.exe
          c:\windows\system32\nvsvc32.exe
          c:\windows\system32\HPZipm12.exe
          c:\program files\Dell Support Center\bin\sprtsvc.exe
          c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
          c:\program files\iPod\bin\iPodService.exe
          c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
          c:\program files\Google\Web Accelerator\GoogleWebAccClient.exe
          c:\progra~1\McAfee\MSC\mcuimgr.exe
          .
          **************************************************************************
          .
          Completion time: 2009-02-15 20:59:25 - machine was rebooted
          ComboFix-quarantined-files.txt  2009-02-16 01:59:21

          Pre-Run: 146,709,557,248 bytes free
          Post-Run: 146,866,094,080 bytes free

          WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
          [boot loader]
          timeout=2
          default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
          [operating systems]
          c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
          multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

          258   --- E O F ---   2009-02-12 08:06:36


          evilfantasy

          • Malware Removal Specialist
          • Moderator


          • Genius
          • Calm like a bomb
          • Thanked: 493
          • Experience: Experienced
          • OS: Windows 11
          Re: Virus preventing access to antivirus sites and programs.
          « Reply #5 on: February 15, 2009, 07:20:23 PM »
          Delete these files/folders, as follows:

          1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
          It must be Notepad, not Wordpad.
          2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

          Code:
          KillAll::

          File::
          c:\windows\system32\byXpnmKD.dll.vir
          c:\windows\system32\yayvSiGW.dll.vir

          DirLook::
          c:\documents and settings\jhs

          3. Go to the Notepad window and click Edit > Paste
          4. Then click File > Save
          5. Name the file CFScript.txt - Save the file to your Desktop
          6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



          ComboFix will begin to execute, just follow the prompts.
          After reboot (in case it asks to reboot), it will produce a log for you.
          Post that log (Combofix.txt) in your next reply.

          Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.
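          As an added example (not part of this post, and not ComboFix's own code), here is a small Python reader for the CFScript format shown above. It splits the script into its `Name::` sections and reports what each one will do: `File::` entries are deleted, `DirLook::` entries are only listed in the log, and `KillAll::` stops running programs before the script executes. Those three meanings are the ones relevant to the script in this reply; any other directive is reported as unclassified rather than guessed at. The sample script is a constructed copy of the one above, and the `.vir` check relies on ComboFix's habit of renaming files it has already neutralised with that suffix.

```python
"""Read a ComboFix CFScript and report what it will do before it is run.

Added example; the directive names and their meanings are limited to the
three that appear in the post above (File::, DirLook::, KillAll::).
"""
import re

# Constructed copy of the script posted above.
SAMPLE_CFSCRIPT = """\
KillAll::

File::
c:\\windows\\system32\\byXpnmKD.dll.vir
c:\\windows\\system32\\yayvSiGW.dll.vir

DirLook::
c:\\documents and settings\\jhs
"""

# Directive semantics for the directives shown on the page.
DESTRUCTIVE = {"File"}      # each listed path is deleted
READ_ONLY = {"DirLook"}     # folder contents are listed in the log only
CONTROL = {"KillAll"}       # running programs are stopped first

DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)::\s*$")


def parse_cfscript(text):
    """Return {directive: [argument lines]} in the order they appear."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = DIRECTIVE_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("argument line before any directive: %r" % line)
        sections[current].append(line)
    return sections


def summarize(sections):
    """Sort the parsed sections into what gets deleted, inspected, or is unknown."""
    summary = {"delete": [], "inspect": [], "control": [], "unknown": []}
    for name, args in sections.items():
        if name in DESTRUCTIVE:
            summary["delete"].extend(args)
        elif name in READ_ONLY:
            summary["inspect"].extend(args)
        elif name in CONTROL:
            summary["control"].append(name)
        else:
            summary["unknown"].append(name)
    return summary


def quarantined_only(paths):
    """True when every path to be deleted already carries ComboFix's .vir
    suffix, meaning the file was neutralised on the earlier run and the
    script is only removing leftovers."""
    return all(p.lower().endswith(".vir") for p in paths)


if __name__ == "__main__":
    report = summarize(parse_cfscript(SAMPLE_CFSCRIPT))
    for kind, items in report.items():
        print(kind, items)
    print("leftovers only:", quarantined_only(report["delete"]))
```

          Running it on the sample shows that only the two `.vir` files are removed and that `c:\documents and settings\jhs` is merely listed, which is the check a helper wants before dragging a script onto ComboFix.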

          vercor

            Topic Starter


            Greenhorn

            Re: Virus preventing access to antivirus sites and programs.
            « Reply #6 on: February 15, 2009, 08:32:19 PM »
            Attached is the Combofix log. 

            I want to go ahead and thank you for all your help, evilfantasy.   

            [attachment deleted by admin]

            evilfantasy

            • Malware Removal Specialist
            • Moderator


            • Genius
            • Calm like a bomb
            • Thanked: 493
            • Experience: Experienced
            • OS: Windows 11
            Re: Virus preventing access to antivirus sites and programs.
            « Reply #7 on: February 15, 2009, 08:34:32 PM »
            That looks OK. How is the computer running now?

            vercor

              Topic Starter


              Greenhorn

              Re: Virus preventing access to antivirus sites and programs.
              « Reply #8 on: February 15, 2009, 08:51:33 PM »
              It's running great. It's probably running better than it did before the virus infected it.

              Thanks again. 

              evilfantasy

              • Malware Removal Specialist
              • Moderator


              • Genius
              • Calm like a bomb
              • Thanked: 493
              • Experience: Experienced
              • OS: Windows 11
              Re: Virus preventing access to antivirus sites and programs.
              « Reply #9 on: February 15, 2009, 09:03:03 PM »
              Sounds good.

              Cleanup steps.

              • Click START then RUN
              • Now type Combofix /u in the runbox
              • Make sure there's a space between Combofix and /u
              • Then hit Enter.
              The above procedure will:
              • Delete:
                • ComboFix and its associated files and folders.
                • VundoFix backups, if present
                • The C:\Deckard folder, if present
                • The C:\_OtMoveIt folder, if present
                • Reset the clock settings.
                • Hide file extensions, if required.
                • Hide System/Hidden files, if required.
                • Set a new, clean Restore Point.
                ----------

                Use the Secunia Software Inspector to check for out of date software.
                • Click Start Now
                • Check the box next to Enable thorough system inspection.
                • Click Start
                • Allow the scan to finish and scroll down to see if any updates are needed.
                • Update anything listed.
                ----------

                Go to Microsoft Windows Update and get all critical updates.

                ----------

                Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

                Concerned about Browser Security? Consider using Mozilla Firefox. With more than 15,000 improvements, Firefox 3 is faster, safer and smarter than ever before.

                For Internet Explorer 7 users there is IE7Pro. IE7Pro is a must have add-on for Internet Explorer, which includes a lot of features and tweaks to make your IE friendlier, more useful, more secure and customizable.

                To prevent unknown applications from being installed on your computer, install WinPatrol 2008.
                * Using Winpatrol to protect your computer from malicious software

                I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

                SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                * Using SpywareBlaster to protect your computer from Spyware and Malware
                * If you don't know what ActiveX controls are, see here

                Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.