Topic: trojan horge sheur2.gas

4jcoonts

    Topic Starter


    Rookie

    trojan horge sheur2.gas
    « on: December 22, 2008, 12:05:18 PM »
    My computer seems to be totally taken over. It will not let me access Internet Explorer at all. It will also not let me update or install any virus scans. I am currently running AVG. AVG picks up on the virus but it just comes right back. HELP...my computer is useless until I get it fixed.
    I am on my work computer to post this.

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: trojan horge sheur2.gas
    « Reply #1 on: December 22, 2008, 12:10:54 PM »
    Can you get into your Control Panel?

    Click Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.
    • Scroll down to “Non-plug and Play Drivers” and click the plus icon to open those drivers.
    • Then search for TDSSserv.sys
    • Let me know if you find this or not.
    • If you do find it, right click on it, and select “Disable”. Do not try to uninstall it.
    • Also if this is found and you disable it.
    • Now reboot and see if you can run the other scans that would not run.
    Then work through the instructions here http://www.computerhope.com/forum/index.php/topic,46313.0.html

    4jcoonts

      Re: trojan horge sheur2.gas
      « Reply #2 on: December 22, 2008, 01:22:42 PM »
      I can't seem to get it turned on now???  If I can get it started in safe mode could I try these steps from there?

      evilfantasy

      Re: trojan horge sheur2.gas
      « Reply #3 on: December 22, 2008, 01:39:10 PM »
      Yes it's worth a try.

      4jcoonts

        Re: trojan horge sheur2.gas
        « Reply #4 on: December 22, 2008, 02:16:59 PM »
        That seemed to work. I have now been able to download Avira Antivirus. I had AVG but per this site's recommendation I changed to the other freeware since I only had the unsupported version 7.5.

        I tried to run the computer in regular mode but warnings come up so fast that I cannot close them fast enough to do anything else.  I am currently in safe mode running a full system scan.

        What steps should I take next? One site I had visited earlier said to run anti-malware...is this recommended?

        evilfantasy

        Re: trojan horge sheur2.gas
        « Reply #5 on: December 22, 2008, 04:04:38 PM »
        Then work through as much of the instructions that you can here http://www.computerhope.com/forum/index.php/topic,46313.0.html

        4jcoonts

          Re: trojan horge sheur2.gas
          « Reply #6 on: December 22, 2008, 04:25:05 PM »
          I had to run malware first because the superspyware wouldn't run.

          After running malware I was able to run the superspyware. Should I run the malware again? I am now actually able to use the computer in normal mode. :)
          I am now moving on to step 5.

          The other problem I am having is that no pictures show up on any webpage.  I have to right click download pictures on every single picture???


          Malwarebytes' Anti-Malware 1.31
          Database version: 1533
          Windows 5.1.2600 Service Pack 3

          12/22/2008 2:17:50 PM
          mbam-log-2008-12-22 (14-17-50).txt

          Scan type: Quick Scan
          Objects scanned: 50808
          Time elapsed: 2 minute(s), 10 second(s)

          Memory Processes Infected: 0
          Memory Modules Infected: 1
          Registry Keys Infected: 28
          Registry Values Infected: 7
          Registry Data Items Infected: 4
          Folders Infected: 5
          Files Infected: 15

          Memory Processes Infected:
          (No malicious items detected)

          Memory Modules Infected:
          C:\WINDOWS\system32\hedagako.dll (Trojan.Vundo) -> Delete on reboot.

          Registry Keys Infected:
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{649a7765-b602-4855-a5cf-fb202b718247} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
          HKEY_CLASSES_ROOT\CLSID\{649a7765-b602-4855-a5cf-fb202b718247} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
          HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
          HKEY_CLASSES_ROOT\CLSID\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.
          HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\playmp3 (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\SOFTWARE\PlayMP3 (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\SOFTWARE\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\fbrowsingadvisor_is1 (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

          Registry Values Infected:
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\temusorupu (Trojan.Vundo.H) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm47e538f0 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jnskdfmf9eldfd (Trojan.Downloader) -> Quarantined and deleted successfully.

          Registry Data Items Infected:
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: c:\windows\system32\hedagako.dll -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\hedagako.dll  -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: system32\hedagako.dll -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

          Folders Infected:
          C:\Program Files\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
          C:\Program Files\FBrowserAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
          C:\Program Files\PlayMP3z (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
          C:\Documents and Settings\Owner\Start Menu\Programs\PlayMP3z (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
          C:\Documents and Settings\Owner\Application Data\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.

          Files Infected:
          C:\WINDOWS\system32\hedagako.dll (Trojan.Vundo) -> Delete on reboot.
          C:\WINDOWS\system32\lovojefu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
          C:\regxpcom.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
          C:\Program Files\FBrowsingAdvisor\IXPCOMEvents.xpt (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
          C:\Program Files\FBrowsingAdvisor\Logo.png (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
          C:\Program Files\FBrowsingAdvisor\main.db (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
          C:\Program Files\FBrowsingAdvisor\unins000.dat (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
          C:\Program Files\FBrowsingAdvisor\unins000.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
          C:\Program Files\FBrowsingAdvisor\XPCOMEvents.dll (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
          C:\Program Files\PlayMP3z\PlayMP3.exe (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
          C:\Program Files\PlayMP3z\uninstall.exe (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
          C:\Documents and Settings\Owner\Start Menu\Programs\PlayMP3z\Run PlayMP3z.lnk (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
          C:\WINDOWS\system32\TDSSlxwp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
          C:\WINDOWS\system32\TDSSkkbi.log (Trojan.TDSS) -> Quarantined and deleted successfully.
          C:\WINDOWS\system32\drivers\core.cache.dsk (Rootkit.Agent) -> Quarantined and deleted successfully.

          SUPERAntiSpyware Scan Log
          http://www.superantispyware.com

          Generated 12/22/2008 at 03:09 PM

          Application Version : 4.23.1006

          Core Rules Database Version : 3681
          Trace Rules Database Version: 1659

          Scan type       : Complete Scan
          Total Scan Time : 00:44:01

          Memory items scanned      : 434
          Memory threats detected   : 0
          Registry items scanned    : 5363
          Registry threats detected : 8
          File items scanned        : 61208
          File threats detected     : 1

          Rogue.Component/Trace
             HKLM\Software\Microsoft\44D619E2
             HKLM\Software\Microsoft\44D619E2#44d619e2
             HKLM\Software\Microsoft\44D619E2#Version
             HKLM\Software\Microsoft\44D619E2#44d6b462
             HKLM\Software\Microsoft\44D619E2#44d6dd87
             HKU\S-1-5-21-842925246-1580818891-725345543-1005\Software\Microsoft\CS41275
             HKU\S-1-5-21-842925246-1580818891-725345543-1005\Software\Microsoft\FIAS4018

          Trojan.Fake-Alert/Trace
             HKU\S-1-5-21-842925246-1580818891-725345543-1005\SOFTWARE\Microsoft\fias4013

          Rootkit.TDSServ-Trace
             C:\WINDOWS\SYSTEM32\TDSSLRVD.DAT

          evilfantasy

          Re: trojan horge sheur2.gas
          « Reply #7 on: December 22, 2008, 04:28:56 PM »
          No you don't need to run MBAM again.

          4jcoonts

            Re: trojan horge sheur2.gas
            « Reply #8 on: December 22, 2008, 04:44:44 PM »
            HJT log

            Logfile of Trend Micro HijackThis v2.0.2
            Scan saved at 3:42:50 PM, on 12/22/2008
            Platform: Windows XP SP3 (WinNT 5.01.2600)
            MSIE: Internet Explorer v7.00 (7.00.6000.16762)
            Boot mode: Normal

            Running processes:
            C:\WINDOWS\System32\smss.exe
            C:\WINDOWS\system32\winlogon.exe
            C:\WINDOWS\system32\services.exe
            C:\WINDOWS\system32\lsass.exe
            C:\WINDOWS\system32\svchost.exe
            C:\Program Files\Windows Defender\MsMpEng.exe
            C:\WINDOWS\System32\svchost.exe
            C:\WINDOWS\system32\svchost.exe
            C:\WINDOWS\system32\spoolsv.exe
            C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
            C:\WINDOWS\Explorer.EXE
            C:\WINDOWS\ehome\ehtray.exe
            C:\Program Files\eMachines Bay  Reader\shwiconem.exe
            C:\Program Files\Digital Media Reader\readericon45G.exe
            C:\WINDOWS\system32\hkcmd.exe
            C:\WINDOWS\system32\igfxpers.exe
            C:\WINDOWS\system32\igfxsrvc.exe
            C:\Program Files\Windows Defender\MSASCui.exe
            C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
            C:\Program Files\iTunes\iTunesHelper.exe
            C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
            C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
            C:\Program Files\Messenger\msmsgs.exe
            C:\Program Files\AIM6\aim6.exe
            C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
            C:\WINDOWS\system32\taskmgr.exe
            C:\Program Files\AIM6\aolsoftware.exe
            C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
            C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
            C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
            C:\Program Files\Bonjour\mDNSResponder.exe
            C:\WINDOWS\eHome\ehRecvr.exe
            C:\WINDOWS\eHome\ehSched.exe
            C:\WINDOWS\system32\svchost.exe
            C:\Program Files\Viewpoint\Common\ViewpointService.exe
            C:\Program Files\iPod\bin\iPodService.exe
            C:\WINDOWS\system32\dllhost.exe
            C:\WINDOWS\eHome\ehmsas.exe
            C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
            C:\Program Files\Java\jre6\bin\jusched.exe
            C:\Program Files\Java\jre6\bin\jqs.exe
            C:\Program Files\Internet Explorer\iexplore.exe
            C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

            R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
            R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
            R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
            R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
            R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
            O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
            O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
            O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
            O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
            O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
            O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
            O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
            O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay  Reader\shwiconem.exe
            O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
            O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
            O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
            O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
            O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
            O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
            O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
            O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
            O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
            O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
            O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
            O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
            O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
            O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
            O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB002" /M "Stylus Photo RX500"
            O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
            O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
            O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
            O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
            O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
            O4 - HKUS\S-1-5-19\..\Run: [temusorupu] Rundll32.exe "C:\WINDOWS\system32\dulupuhu.dll",s (User 'LOCAL SERVICE')
            O4 - HKUS\S-1-5-20\..\Run: [temusorupu] Rundll32.exe "C:\WINDOWS\system32\dulupuhu.dll",s (User 'NETWORK SERVICE')
            O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
            O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
            O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
            O4 - Global Startup: CPU Meter.lnk = C:\WINDOWS\system32\taskmgr.exe
            O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
            O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
            O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
            O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
            O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
            O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
            O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
            O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
            O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204750832468
            O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204750898859
            O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
            O20 - AppInit_DLLs:  c:\windows\system32\yivimefe.dll
            O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
            O20 - Winlogon Notify: tuvWomLf - tuvWomLf.dll (file missing)
            O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
            O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
            O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
            O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
            O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
            O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
            O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
            O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
            O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
            O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

            --
            End of file - 9383 bytes

            evilfantasy

            Re: trojan horge sheur2.gas
            « Reply #9 on: December 22, 2008, 04:51:09 PM »
            Open HijackThis and select Do a system scan only.

            Place a check mark next to the following entries: (if there)
            • O4 - HKUS\S-1-5-19\..\Run: [temusorupu] Rundll32.exe "C:\WINDOWS\system32\dulupuhu.dll",s (User 'LOCAL SERVICE')
            • O4 - HKUS\S-1-5-20\..\Run: [temusorupu] Rundll32.exe "C:\WINDOWS\system32\dulupuhu.dll",s (User 'NETWORK SERVICE')
            • O20 - AppInit_DLLs: c:\windows\system32\yivimefe.dll
            • O20 - Winlogon Notify: tuvWomLf - tuvWomLf.dll (file missing)
            Important: Close all windows except for HijackThis and then click Fix checked.

            Exit HijackThis.

            ----------

            Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

            Link #1
            Link #2

            **Note:  It is important that it is saved directly to your Desktop

            Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

            Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
             
            Double click combofix.exe & follow the prompts.

            For Windows XP Systems install the Recovery Console:

            - If you are using Windows XP and do not already have the Recovery Console installed, please ensure your Internet connection is active (if possible) and click Yes.
            - If for some reason your Internet is not working click No.
            - If you are not using Windows XP, you will not be prompted.
            - When prompted to accept the EULA click OK.
            - Accept Microsoft's EULA (Click Yes).
            - When you are told that the RC is installed correctly click YES to continue scanning for malware.

            When finished ComboFix will produce a log for you.
            Post the ComboFix log in your next reply.

            Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

            Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
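The four entries picked out above for "Fix checked" share a pattern: Run keys under the LOCAL SERVICE / NETWORK SERVICE hives launching rundll32 on a randomly named system32 DLL, a populated AppInit_DLLs value, and a Winlogon Notify package whose file is gone. As an added example (not code from this thread, from HijackThis or from any tool named in it), the script below parses those O4 and O20 line formats and applies the same criteria to the lines copied from the HijackThis log posted earlier; the "eight lowercase letters" name test is a heuristic constructed from the DLL names in this thread, not a signature.

```python
"""Triage of HijackThis-style O4 (Run) and O20 (AppInit_DLLs / Winlogon Notify) lines.
Added example for this thread, not code from the forum or from HijackThis."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Service-account SIDs; the Vundo Run entries in the thread sat under S-1-5-19/20,
# accounts that never log on interactively.
SERVICE_SIDS = {"S-1-5-18": "SYSTEM", "S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}

O4_RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\(?P<sid>[^\\]+))\\\.\.\\Run: "
                       r"\[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.IGNORECASE)
O20_APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<dlls>.*)$")
O20_NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")
# Constructed heuristic, not a signature: the Vundo DLLs in this thread (hedagako,
# dulupuhu, yivimefe) were eight random lowercase letters. Only applied to DLLs under
# system32, and a hit still needs a human look (browseui.dll would match too).
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.dll$")


@dataclass(frozen=True)
class Finding:
    line: str
    severity: str  # "high", "medium" or "low"
    reason: str


def _basename(path: str) -> str:
    return path.strip().rsplit("\\", 1)[-1].lower()


def _random_system32_dll(path: str) -> bool:
    return "\\system32\\" in path.lower() and RANDOM_NAME_RE.match(_basename(path)) is not None


def check_o4(line: str) -> Finding | None:
    """Registry Run entries: what rundll32 loads, and under whose hive the entry sits."""
    m = O4_RUN_RE.match(line)
    if not m:
        return None  # Startup-folder O4 lines and other sections are out of scope
    cmd = USER_SUFFIX_RE.sub("", m["cmd"]).strip()  # drop HJT's "(User '...')" annotation
    rd = RUNDLL_RE.match(cmd)
    if rd:
        if _random_system32_dll(rd["dll"]):
            return Finding(line, "high", f"rundll32 loads randomly named {_basename(rd['dll'])} from system32")
        return Finding(line, "medium", "rundll32 autostart; verify the DLL it loads")
    if m["sid"] in SERVICE_SIDS:
        return Finding(line, "low", f"Run entry under the {SERVICE_SIDS[m['sid']]} account; confirm it is expected")
    return None


def check_o20(line: str) -> Finding | None:
    """AppInit_DLLs and Winlogon Notify, the two O20 hooks fixed in the thread."""
    m = O20_APPINIT_RE.match(line)
    if m:
        dlls = m["dlls"].strip()
        if not dlls:
            return None  # an empty value is the normal state
        return Finding(line, "high", f"AppInit_DLLs is set ({dlls}); loaded into every process that maps user32.dll")
    m = O20_NOTIFY_RE.match(line)
    if m and "(file missing)" in m["target"]:
        return Finding(line, "medium", f"orphaned Winlogon Notify package {m['name']}; its DLL no longer exists")
    if m and _random_system32_dll(m["target"]):
        return Finding(line, "high", f"Winlogon Notify package {m['name']} loads a randomly named system32 DLL")
    return None


def triage(log_text: str) -> list[Finding]:
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        f = (check_o4(line) or check_o20(line)) if line else None
        if f:
            findings.append(f)
    return findings


def hjt_fix_candidates(log_text: str) -> list[str]:
    """Entries worth proposing for 'Fix checked'; low findings are informational only."""
    return [f.line for f in triage(log_text) if f.severity in ("high", "medium")]


# Sample input: the O4/O20 lines from the log posted in the thread, benign neighbours included.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [temusorupu] Rundll32.exe "C:\WINDOWS\system32\dulupuhu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [temusorupu] Rundll32.exe "C:\WINDOWS\system32\dulupuhu.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O20 - AppInit_DLLs:  c:\windows\system32\yivimefe.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: tuvWomLf - tuvWomLf.dll (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason} :: {f.line}")
```

Run against the sample, the four candidates it returns are exactly the four entries listed for fixing above; the Dr. Watson entry under SYSTEM is reported as informational only.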

            4jcoonts

              Re: trojan horge sheur2.gas
              « Reply #10 on: December 22, 2008, 09:06:07 PM »
              Here is the log from ComboFix:
              ComboFix 08-12-21.04 - Owner 2008-12-22 19:45:17.1 - NTFSx86
              Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2036.1569 [GMT -8:00]
              Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
               * Created a new restore point
              .

              (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
              .

              c:\temp\1cb
              c:\temp\1cb\syscheck.log
              c:\windows\system32\ayarahej.ini
              c:\windows\system32\ehukakum.ini
              c:\windows\system32\RBaHOqss.ini
              c:\windows\system32\RBaHOqss.ini2
              c:\windows\system32\talthjsd.ini

              .
              (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
              .

              -------\Legacy_TDSSSERV.SYS
              -------\Service_TDSSserv.sys


              (((((((((((((((((((((((((   Files Created from 2008-11-23 to 2008-12-23  )))))))))))))))))))))))))))))))
              .

              2008-12-22 15:37 . 2008-12-22 15:37   <DIR>   d--------   c:\program files\Trend Micro
              2008-12-22 14:21 . 2008-12-22 14:21   <DIR>   d--------   c:\program files\SUPERAntiSpyware
              2008-12-22 14:21 . 2008-12-22 14:21   <DIR>   d--------   c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
              2008-12-22 14:21 . 2008-12-22 14:21   <DIR>   d--------   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
              2008-12-22 14:07 . 2008-12-22 14:07   <DIR>   d--------   c:\documents and settings\Owner\Application Data\Malwarebytes
              2008-12-22 14:06 . 2008-12-22 14:06   <DIR>   d--------   c:\program files\Common Files\Wise Installation Wizard
              2008-12-22 13:56 . 2008-12-22 13:56   <DIR>   d--------   c:\program files\CCleaner
              2008-12-22 13:49 . 2008-12-22 13:49   8,192   --a------   c:\documents and settings\Jamie
              2008-12-22 12:54 . 2008-12-22 12:54   <DIR>   d--------   c:\program files\Avira
              2008-12-22 12:54 . 2008-12-22 12:54   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Avira
              2008-12-22 10:11 . 2008-12-22 11:22   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
              2008-12-22 10:11 . 2008-12-22 10:11   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
              2008-12-22 10:11 . 2008-12-03 19:53   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
              2008-12-22 10:11 . 2008-12-03 19:53   15,504   --a------   c:\windows\system32\drivers\mbam.sys
              2008-12-21 22:21 . 2008-11-10 05:43   410,984   --a------   c:\windows\system32\deploytk.dll
              2008-12-21 20:15 . 2008-12-21 21:30   <DIR>   d--------   c:\windows\system32\cap2
              2008-12-21 20:15 . 2008-12-21 20:16   <DIR>   d--------   c:\windows\system32\ain
              2008-12-21 20:15 . 2008-12-21 20:15   <DIR>   d--------   c:\temp\REX81
              2008-12-21 20:15 . 2008-12-22 19:45   <DIR>   d--------   C:\Temp
              2008-12-21 19:54 . 2008-12-21 19:54   <DIR>   d--------   c:\windows\Sun

              .
              ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              2008-12-23 03:48   ---------   d-----w   c:\documents and settings\Owner\Application Data\LimeWire
              2008-12-22 23:33   ---------   d-----w   c:\program files\Java
              2008-12-22 21:50   ---------   d-----w   c:\documents and settings\All Users\Application Data\avg7
              2008-12-22 21:49   ---------   d-----w   c:\documents and settings\Owner\Application Data\AVG7
              2008-10-28 04:51   ---------   d-----w   c:\documents and settings\All Users\Application Data\EPSON
              2008-10-28 04:29   ---------   d-----w   c:\program files\Google
              2008-10-28 04:03   ---------   d-----w   c:\program files\Microsoft.NET
              2008-10-28 04:03   ---------   d-----w   c:\program files\Microsoft ActiveSync
              2008-10-28 03:56   ---------   d-----w   c:\documents and settings\Owner\Application Data\Leadertech
              2008-10-28 03:54   ---------   d--h--w   c:\program files\InstallShield Installation Information
              2008-10-28 03:54   ---------   d-----w   c:\program files\Smart Panel
              2008-10-28 03:54   ---------   d-----w   c:\program files\ABBYY FineReader 5.0 Sprint
              2008-10-28 03:53   ---------   d-----w   c:\program files\EPSON
              2008-10-25 08:06   ---------   d-----w   c:\program files\Microsoft Silverlight
              2008-10-24 11:21   455,296   ----a-w   c:\windows\system32\drivers\mrxsmb.sys
              2008-10-23 12:36   286,720   ----a-w   c:\windows\system32\gdi32.dll
              2008-10-16 22:13   202,776   ----a-w   c:\windows\system32\wuweb.dll
              2008-10-16 22:13   1,809,944   ----a-w   c:\windows\system32\wuaueng.dll
              2008-10-16 22:12   561,688   ----a-w   c:\windows\system32\wuapi.dll
              2008-10-16 22:12   323,608   ----a-w   c:\windows\system32\wucltui.dll
              2008-10-16 22:09   92,696   ----a-w   c:\windows\system32\cdm.dll
              2008-10-16 22:09   51,224   ----a-w   c:\windows\system32\wuauclt.exe
              2008-10-16 22:09   43,544   ----a-w   c:\windows\system32\wups2.dll
              2008-10-16 22:08   34,328   ----a-w   c:\windows\system32\wups.dll
              2008-10-16 22:06   268,648   ----a-w   c:\windows\system32\mucltui.dll
              2008-10-16 22:06   208,744   ----a-w   c:\windows\system32\muweb.dll
              2008-10-16 20:38   826,368   ----a-w   c:\windows\system32\wininet.dll
              2008-10-03 10:02   247,326   ----a-w   c:\windows\system32\strmdll.dll
              2008-07-15 06:25   19,288   ----a-w   c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
              2008-09-22 05:07   8,192   --sha-w   c:\windows\system32\ludoyuja.dll
              .

              (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              .
              *Note* empty entries & legit default entries are not shown
              REGEDIT4

              [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
              "Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
              "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-30 68856]

              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
              "SunKistEM"="c:\program files\eMachines Bay  Reader\shwiconem.exe" [2004-03-11 135168]
              "readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-09 139264]
              "IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-12-06 9138176]
              "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
              "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
              "Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
              "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
              "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
              "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
              "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
              "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
              "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
              "EPSON Stylus Photo RX500"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE" [2003-06-01 99840]
              "avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
              "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]

              [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
              "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

              c:\documents and settings\Owner\Start Menu\Programs\Startup\
              LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-02-08 147456]

              c:\documents and settings\All Users\Start Menu\Programs\Startup\
              CPU Meter.lnk - c:\windows\system32\taskmgr.exe [2004-08-10 135680]

              [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
              "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
              2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

              [HKEY_LOCAL_MACHINE\software\microsoft\security center]
              "UpdatesDisableNotify"=dword:00000001

              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
              "EnableFirewall"= 0 (0x0)

              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
              "%windir%\\system32\\sessmgr.exe"=
              "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
              "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
              "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
              "c:\\Program Files\\Messenger\\msmsgs.exe"=
              "c:\\Program Files\\LimeWire\\LimeWire.exe"=
              "c:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"=
              "c:\\Program Files\\iTunes\\iTunes.exe"=
              "c:\\Program Files\\AIM6\\aim6.exe"=
              "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
              "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
              "c:\\Program Files\\Windows Defender\\MSASCui.exe"=
              "c:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\guardgui.exe"=

              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
              "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

              R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
              R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
              R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-03-09 24652]
              R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
              S1 ati1ttxxx;ati1ttxxx;c:\windows\system32\drivers\ati1ttxxx.sys []
              S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]

              [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7bc9d051-ee45-11dc-adfb-806d6172696f}]
              \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
              .
              Contents of the 'Scheduled Tasks' folder

              2008-12-23 c:\windows\Tasks\akqxrtmb.job
              - c:\windows\system32\rundll32.exe [2008-04-13 16:12]

              2008-12-18 c:\windows\Tasks\AppleSoftwareUpdate.job
              - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

              2008-12-07 c:\windows\Tasks\defrag.job
              - c:\windows\system32\defrag.exe [2008-04-13 16:12]

              2008-12-20 c:\windows\Tasks\Disk Cleanup.job
              - c:\windows\system32\cleanmgr.exe [2008-04-13 16:12]

              2008-12-22 c:\windows\Tasks\MP Scheduled Scan.job
              - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
              .
              - - - - ORPHANS REMOVED - - - -

              WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
              HKLM-Run-Acronis Scheduler2 Service - c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
              HKLM-Run-SigmatelSysTrayApp - sttray.exe


              .
              ------- Supplementary Scan -------
              .
              uInternet Settings,ProxyOverride = *.local
              IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
              IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
              .

              **************************************************************************

              catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
              Rootkit scan 2008-12-22 19:47:57
              Windows 5.1.2600 Service Pack 3 NTFS

              scanning hidden processes ...

              scanning hidden autostart entries ...

              scanning hidden files ...

              scan completed successfully
              hidden files: 0

              **************************************************************************
              .
              --------------------- DLLs Loaded Under Running Processes ---------------------

              - - - - - - - > 'winlogon.exe'(700)
              c:\program files\SUPERAntiSpyware\SASWINLO.dll
              .
              ------------------------ Other Running Processes ------------------------
              .
              c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
              c:\windows\system32\igfxsrvc.exe
              c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
              c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
              c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
              c:\program files\Bonjour\mDNSResponder.exe
              c:\windows\ehome\ehrecvr.exe
              c:\windows\ehome\ehSched.exe
              c:\program files\Java\jre6\bin\jqs.exe
              c:\program files\AIM6\aolsoftware.exe
              c:\windows\ehome\mcrdsvc.exe
              c:\program files\iPod\bin\iPodService.exe
              c:\windows\system32\dllhost.exe
              c:\windows\ehome\ehmsas.exe
              c:\windows\system32\wscntfy.exe
              .
              **************************************************************************
              .
              Completion time: 2008-12-22 19:50:04 - machine was rebooted
              ComboFix-quarantined-files.txt  2008-12-23 03:50:00

              Pre-Run: 423,415,984,128 bytes free
              Post-Run: 423,377,719,296 bytes free

              WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
              [boot loader]
              timeout=2
              default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
              [operating systems]
              c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
              multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

              209   --- E O F ---   2008-12-18 20:41:32




              Is this the last step?  If so Thank you Thank you Thank you!
Lastly...how do I get pictures to upload properly?  On the web and in e-mail I just get boxes with shapes and I have to right-click and select "open picture" on each and every one now.

              evilfantasy

              Re: trojan horge sheur2.gas
              « Reply #11 on: December 22, 2008, 09:15:25 PM »
              Is this the last step?  If so Thank you Thank you Thank you!
Lastly...how do I get pictures to upload properly?  On the web and in e-mail I just get boxes with shapes and I have to right-click and select "open picture" on each and every one now.

              We will fix the images after this next log. I want to be sure the malware is gone first or it could just cause problems.

              Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

              Delete these files/folders, as follows:

              1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
              It must be Notepad, not Wordpad.
              2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
              KillAll::

              Driver::
              -------\Legacy_TDSSSERV.SYS
              -------\Service_TDSSserv.sys

              File::
              c:\program files\Viewpoint\Common\ViewpointService.exe
              c:\windows\Tasks\akqxrtmb.job
              C:\WINDOWS\system32\dulupuhu.dll

              Registry::
              [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "MSMSGS"=-

              3. Go to the Notepad window and click Edit > Paste
              4. Then click File > Save
              5. Name the file CFScript.txt - Save the file to your Desktop
              6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



              ComboFix will begin to execute, just follow the prompts.
              After reboot (in case it asks to reboot), it will produce a log for you.
              Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.
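As an added illustration (not part of the thread, and not the helper's or ComboFix's own code), here is a defender-side Python triage pass over a constructed ComboFix-style excerpt. It flags the kinds of log entries the helper acted on above: the hidden system DLL with an eight-letter name, the random-named scheduled task launching bare rundll32.exe, the disabled firewall and suppressed Security Center notifications, the globally open port, the driver entry with no file behind it, and the AutoRun handler under mountpoints2. The finding names, regexes and sample lines are assumptions made for this example.

```python
"""Defender-side triage of a ComboFix-style log: pick out the entries a
malware-removal helper looks at before writing a CFScript."""
import re
from dataclasses import dataclass

# Constructed excerpt in ComboFix's layout (Find3M lines, registry loading
# points, service/driver lines, scheduled tasks). Names are copied from the
# thread's log or invented for the sample; nothing is read from a live host.
SAMPLE_LOG = r"""
2008-10-24 11:21   455,296   ----a-w   c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36   286,720   ----a-w   c:\windows\system32\gdi32.dll
2008-09-22 05:07   8,192   --sha-w   c:\windows\system32\ludoyuja.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
S1 ati1ttxxx;ati1ttxxx;c:\windows\system32\drivers\ati1ttxxx.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7bc9d051-ee45-11dc-adfb-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

2008-12-23 c:\windows\Tasks\akqxrtmb.job
- c:\windows\system32\rundll32.exe [2008-04-13 16:12]

2008-12-07 c:\windows\Tasks\defrag.job
- c:\windows\system32\defrag.exe [2008-04-13 16:12]
"""

# Find3M line: "<date> <time>   <size>   <attrs>   <path>"; attrs is a 7-char
# field such as "--sha-w" (s = system, h = hidden, a = archive).
FIND3M_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+)\s+([-a-z]{7})\s+(.+)$")
# Service/driver line: "<R|S><n> <name>;<display>;<image> [<date> <size>]".
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.+?)\s+\[(.*)\]$")
# Scheduled task header: "<date> c:\windows\Tasks\<name>.job".
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+.*\\Tasks\\([^\\]+)\.job$", re.IGNORECASE)
OPEN_PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=')
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")


@dataclass
class Finding:
    kind: str
    detail: str


def triage(log_text: str) -> list[Finding]:
    """Walk the log once and return the entries worth a closer look."""
    findings: list[Finding] = []
    section = ""  # most recent [registry key] header seen
    lines = [ln.strip() for ln in log_text.splitlines()]
    for i, line in enumerate(lines):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        m = FIND3M_RE.match(line)
        if m:
            attrs, path = m.group(3), m.group(4)
            # A DLL that is both system and hidden is unusual for genuine
            # Windows components and typical for dropped ones.
            if "s" in attrs and "h" in attrs and path.lower().endswith(".dll"):
                findings.append(Finding("hidden-system-dll", path))
            continue
        if '"EnableFirewall"= 0' in line:
            findings.append(Finding("firewall-disabled", section))
        elif line.startswith('"UpdatesDisableNotify"=dword:00000001'):
            findings.append(Finding("security-center-notify-off", section))
        elif section.lower().endswith(r"globallyopenports\list"):
            pm = OPEN_PORT_RE.match(line)
            if pm:
                findings.append(Finding("open-port", f"{pm.group(1)}/{pm.group(2)}"))
        elif line.startswith(r"\Shell\AutoRun\command"):
            # AutoRun handler recorded under mountpoints2 for a volume.
            findings.append(Finding("autorun-mountpoint", section))
        sm = SERVICE_RE.match(line)
        if sm and sm.group(3).strip() == "":
            # Empty [] means ComboFix found no file behind the driver entry.
            findings.append(Finding("driver-missing-file", sm.group(1)))
        tm = TASK_RE.match(line)
        if tm and i + 1 < len(lines):
            name, cmd = tm.group(1), lines[i + 1].lstrip("- ").lower()
            # Eight random lowercase letters launching bare rundll32.exe is
            # the pattern of a task dropped by a downloader.
            if RANDOM_NAME_RE.match(name) and "rundll32.exe" in cmd:
                findings.append(Finding("random-rundll32-task", f"{name}.job -> {cmd}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:28} {f.detail}")
```

Run against a real ComboFix.txt by reading the file into `triage()`; the forum indentation is stripped per line, so a log pasted from a post parses the same way.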

              4jcoonts


                Re: trojan horge sheur2.gas
                « Reply #12 on: December 22, 2008, 09:46:28 PM »
Is there any way to get the log again?
I forgot to turn the virus scan off again.  The program stopped midway.  I then turned off the virus scan and restarted.  I copied the log, but the internet wouldn't work so I had to reboot...not thinking that it would erase the log. Sorry.  What should I do now?


                evilfantasy

                Re: trojan horge sheur2.gas
                « Reply #13 on: December 22, 2008, 09:48:00 PM »
                Go to Start > Run then type c:\combofix.txt and click OK. It should pop up.

                4jcoonts


                  Re: trojan horge sheur2.gas
                  « Reply #14 on: December 22, 2008, 09:54:35 PM »
                  ComboFix 08-12-21.04 - Owner 2008-12-22 20:35:56.3 - NTFSx86
                  Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2036.1599 [GMT -8:00]
                  Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
                  .

                  (((((((((((((((((((((((((   Files Created from 2008-11-23 to 2008-12-23  )))))))))))))))))))))))))))))))
                  .

                  2008-12-22 15:37 . 2008-12-22 15:37   <DIR>   d--------   c:\program files\Trend Micro
                  2008-12-22 14:21 . 2008-12-22 14:21   <DIR>   d--------   c:\program files\SUPERAntiSpyware
                  2008-12-22 14:21 . 2008-12-22 14:21   <DIR>   d--------   c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
                  2008-12-22 14:21 . 2008-12-22 14:21   <DIR>   d--------   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
                  2008-12-22 14:07 . 2008-12-22 14:07   <DIR>   d--------   c:\documents and settings\Owner\Application Data\Malwarebytes
                  2008-12-22 14:06 . 2008-12-22 14:06   <DIR>   d--------   c:\program files\Common Files\Wise Installation Wizard
                  2008-12-22 13:56 . 2008-12-22 13:56   <DIR>   d--------   c:\program files\CCleaner
                  2008-12-22 13:49 . 2008-12-22 13:49   8,192   --a------   c:\documents and settings\Jamie
                  2008-12-22 12:54 . 2008-12-22 12:54   <DIR>   d--------   c:\program files\Avira
                  2008-12-22 12:54 . 2008-12-22 12:54   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Avira
                  2008-12-22 10:11 . 2008-12-22 11:22   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
                  2008-12-22 10:11 . 2008-12-22 10:11   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
                  2008-12-22 10:11 . 2008-12-03 19:53   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
                  2008-12-22 10:11 . 2008-12-03 19:53   15,504   --a------   c:\windows\system32\drivers\mbam.sys
                  2008-12-21 22:21 . 2008-11-10 05:43   410,984   --a------   c:\windows\system32\deploytk.dll
                  2008-12-21 20:15 . 2008-12-21 21:30   <DIR>   d--------   c:\windows\system32\cap2
                  2008-12-21 20:15 . 2008-12-21 20:16   <DIR>   d--------   c:\windows\system32\ain
                  2008-12-21 20:15 . 2008-12-21 20:15   <DIR>   d--------   c:\temp\REX81
                  2008-12-21 20:15 . 2008-12-22 19:45   <DIR>   d--------   C:\Temp
                  2008-12-21 19:54 . 2008-12-21 19:54   <DIR>   d--------   c:\windows\Sun

                  .
                  ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  2008-12-23 03:48   ---------   d-----w   c:\documents and settings\Owner\Application Data\LimeWire
                  2008-12-22 23:33   ---------   d-----w   c:\program files\Java
                  2008-12-22 21:50   ---------   d-----w   c:\documents and settings\All Users\Application Data\avg7
                  2008-12-22 21:49   ---------   d-----w   c:\documents and settings\Owner\Application Data\AVG7
                  2008-10-28 04:51   ---------   d-----w   c:\documents and settings\All Users\Application Data\EPSON
                  2008-10-28 04:29   ---------   d-----w   c:\program files\Google
                  2008-10-28 04:03   ---------   d-----w   c:\program files\Microsoft.NET
                  2008-10-28 04:03   ---------   d-----w   c:\program files\Microsoft ActiveSync
                  2008-10-28 03:56   ---------   d-----w   c:\documents and settings\Owner\Application Data\Leadertech
                  2008-10-28 03:54   ---------   d--h--w   c:\program files\InstallShield Installation Information
                  2008-10-28 03:54   ---------   d-----w   c:\program files\Smart Panel
                  2008-10-28 03:54   ---------   d-----w   c:\program files\ABBYY FineReader 5.0 Sprint
                  2008-10-28 03:53   ---------   d-----w   c:\program files\EPSON
                  2008-10-25 08:06   ---------   d-----w   c:\program files\Microsoft Silverlight
                  2008-10-24 11:21   455,296   ----a-w   c:\windows\system32\drivers\mrxsmb.sys
                  2008-10-23 12:36   286,720   ----a-w   c:\windows\system32\gdi32.dll
                  2008-10-16 22:13   202,776   ----a-w   c:\windows\system32\wuweb.dll
                  2008-10-16 22:13   1,809,944   ----a-w   c:\windows\system32\wuaueng.dll
                  2008-10-16 22:12   561,688   ----a-w   c:\windows\system32\wuapi.dll
                  2008-10-16 22:12   323,608   ----a-w   c:\windows\system32\wucltui.dll
                  2008-10-16 22:09   92,696   ----a-w   c:\windows\system32\cdm.dll
                  2008-10-16 22:09   51,224   ----a-w   c:\windows\system32\wuauclt.exe
                  2008-10-16 22:09   43,544   ----a-w   c:\windows\system32\wups2.dll
                  2008-10-16 22:08   34,328   ----a-w   c:\windows\system32\wups.dll
                  2008-10-16 22:06   268,648   ----a-w   c:\windows\system32\mucltui.dll
                  2008-10-16 22:06   208,744   ----a-w   c:\windows\system32\muweb.dll
                  2008-10-16 20:38   826,368   ----a-w   c:\windows\system32\wininet.dll
                  2008-10-03 10:02   247,326   ----a-w   c:\windows\system32\strmdll.dll
                  2008-07-15 06:25   19,288   ----a-w   c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
                  2008-09-22 05:07   8,192   --sha-w   c:\windows\system32\ludoyuja.dll
                  .

                  (((((((((((((((((((((((((((((   snapshot@2008-12-22_19.49.37.54   )))))))))))))))))))))))))))))))))))))))))
                  .
                  .
                  (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  .
                  *Note* empty entries & legit default entries are not shown
                  REGEDIT4

                  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
                  "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-30 68856]

                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
                  "SunKistEM"="c:\program files\eMachines Bay  Reader\shwiconem.exe" [2004-03-11 135168]
                  "readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-09 139264]
                  "IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-12-06 9138176]
                  "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
                  "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
                  "Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
                  "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
                  "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
                  "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
                  "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
                  "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
                  "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
                  "EPSON Stylus Photo RX500"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE" [2003-06-01 99840]
                  "avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
                  "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]

                  [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                  "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

                  c:\documents and settings\Owner\Start Menu\Programs\Startup\
                  LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-02-08 147456]

                  c:\documents and settings\All Users\Start Menu\Programs\Startup\
                  CPU Meter.lnk - c:\windows\system32\taskmgr.exe [2004-08-10 135680]

                  [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                  "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                  2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

                  [HKEY_LOCAL_MACHINE\software\microsoft\security center]
                  "UpdatesDisableNotify"=dword:00000001

                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
                  "EnableFirewall"= 0 (0x0)

                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                  "%windir%\\system32\\sessmgr.exe"=
                  "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                  "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
                  "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
                  "c:\\Program Files\\Messenger\\msmsgs.exe"=
                  "c:\\Program Files\\LimeWire\\LimeWire.exe"=
                  "c:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"=
                  "c:\\Program Files\\iTunes\\iTunes.exe"=
                  "c:\\Program Files\\AIM6\\aim6.exe"=
                  "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
                  "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
                  "c:\\Program Files\\Windows Defender\\MSASCui.exe"=
                  "c:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\guardgui.exe"=

                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
                  "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

                  R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
                  R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
                  R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
                  S1 ati1ttxxx;ati1ttxxx;c:\windows\system32\drivers\ati1ttxxx.sys []
                  S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-03-09 24652]
                  S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]

                  [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7bc9d051-ee45-11dc-adfb-806d6172696f}]
                  \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

                  *Newly Created Service* - CATCHME
                  .
                  Contents of the 'Scheduled Tasks' folder

                  2008-12-23 c:\windows\Tasks\akqxrtmb.job
                  - c:\windows\system32\rundll32.exe [2008-04-13 16:12]

                  2008-12-18 c:\windows\Tasks\AppleSoftwareUpdate.job
                  - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

                  2008-12-07 c:\windows\Tasks\defrag.job
                  - c:\windows\system32\defrag.exe [2008-04-13 16:12]

                  2008-12-20 c:\windows\Tasks\Disk Cleanup.job
                  - c:\windows\system32\cleanmgr.exe [2008-04-13 16:12]

                  2008-12-23 c:\windows\Tasks\MP Scheduled Scan.job
                  - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
                  .
                  .
                  ------- Supplementary Scan -------
                  .
                  uInternet Settings,ProxyOverride = *.local
                  IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
                  IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
                  .

                  **************************************************************************

                  catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                  Rootkit scan 2008-12-22 20:36:56
                  Windows 5.1.2600 Service Pack 3 NTFS

                  scanning hidden processes ...

                  scanning hidden autostart entries ...

                  scanning hidden files ...

                  scan completed successfully
                  hidden files: 0

                  **************************************************************************
                  .
                  --------------------- DLLs Loaded Under Running Processes ---------------------

                  - - - - - - - > 'winlogon.exe'(700)
                  c:\program files\SUPERAntiSpyware\SASWINLO.dll
                  .
                  Completion time: 2008-12-22 20:37:34
                  ComboFix-quarantined-files.txt  2008-12-23 04:37:32
                  ComboFix2.txt  2008-12-23 03:50:05

                  Pre-Run: 423,336,161,280 bytes free
                  Post-Run: 423,326,187,520 bytes free

                  167   --- E O F ---   2008-12-23 03:50:43