Author Topic: [Resolved]internet security 2010 infection  (Read 1604 times)
bigd
Bronze Member

« on: February 03, 2010, 02:33:11 PM »

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 4:32:14 PM, on 2/3/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\FinePixViewerS\QuickDCF2.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Documents and Settings\Owner\Application Data\mjusbsp\magicJack.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Companion\Installs\cpn1\ytbb.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
R3 - URLSearchHook: IObitCom Toolbar - {31c7d459-9cc3-44f2-9dca-fc11795309b4} - C:\Program Files\IObitCom\tbIObi.dll
R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\SearchSettings.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: IObitCom Toolbar - {31c7d459-9cc3-44f2-9dca-fc11795309b4} - C:\Program Files\IObitCom\tbIObi.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Internet Explorer Plugin - {9A5B84B4-FC31-41F3-8744-EE1599395BCD} - kcgjaist.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\SearchSettings.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: ZoneAlarm Spy Blocker Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: IObitCom Toolbar - {31c7d459-9cc3-44f2-9dca-fc11795309b4} - C:\Program Files\IObitCom\tbIObi.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher S.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.download.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: HimelanoImj - {189CAFB0-77E0-4627-A3B2-E93C8754179F} - (no file)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Application Updater - Spigot, Inc. - C:\Program Files\Application Updater\ApplicationUpdater.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 9813 bytes
« Last Edit: February 19, 2010, 04:24:49 PM by PCBruiser »
PCBruiser
Malware Removal Mentors
Administrator

« Reply #1 on: February 05, 2010, 07:04:19 AM »

Hi,

My name is PCBruiser, or PCB for short.  You will be assisted by my trainee kevinf80 under my direction.  He will be along shortly with your first instructions.  Please do not do anything to your system, or run any antimalware or registry cleaning programs unless specifically asked to do so.  Also, please post any steps you have taken to either diagnose or fix any malware on your system.

Don't Read?  Can't learn!
kevinf80
Malware Removal Staff

« Reply #2 on: February 05, 2010, 09:38:35 AM »

Hello bigd, and welcome to SpywareHammer. My name is kevinf80 and I'll be assisting you with your problems. Please take the time to read through any instructions as they are given; if there is anything you don't understand, you must tell me. You may find it beneficial to copy and print the instructions as they are given.
Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher; we are all volunteers here with jobs and families, so I ask that you be patient when waiting for replies.
It is inadvisable to seek help at more than one forum; this could compound any issues you already have and cause considerable confusion for the helpers.
Whilst I will do my very best to rid you of any infections that may be on your system, be aware that malware is often buggy and can be very unstable; with that in mind, it is advisable to back up any important data before we begin.
You have multiple security programs on your PC; this will cause conflict and may even negate any system protection. I have included the excess in the uninstall process; please adhere to it. I'm also disabling Spybot's TeaTimer, and I'd advise you to leave it that way permanently, as it will conflict with any security program you use.


Step 1

Please re-open HiJackThis and scan only.  Check the boxes next to all the entries listed below.


R3 - URLSearchHook: IObitCom Toolbar - {31c7d459-9cc3-44f2-9dca-fc11795309b4} - C:\Program Files\IObitCom\tbIObi.dll
R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\SearchSettings.dll

O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: IObitCom Toolbar - {31c7d459-9cc3-44f2-9dca-fc11795309b4} - C:\Program Files\IObitCom\tbIObi.dll
O2 - BHO: Internet Explorer Plugin - {9A5B84B4-FC31-41F3-8744-EE1599395BCD} - kcgjaist.dll (file missing)
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\SearchSettings.dll

O3 - Toolbar: ZoneAlarm Spy Blocker Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O15 - Trusted Zone: *.download.com

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll

O22 - SharedTaskScheduler: HimelanoImj - {189CAFB0-77E0-4627-A3B2-E93C8754179F} - (no file)



Now close all windows other than HiJackThis, then click Fix Checked.  Close HiJackThis.  Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present); don't worry if they're not:

Application Updater
AskBarDis
IObit
Search Settings
AVG
Avira


Please note any other programs that you don't recognize in that list in your next response.

After that, Reboot.

Step 2

Please download Malwarebytes Anti-Malware and save it to your desktop.
Alternative D/L mirror
Alternative D/L mirror

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to ALLOW the changes. Instructions available HERE
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from HERE and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


Step 3


Re-open HJT, carry out a scan and save a log file, then copy & paste the log in your next reply.

What I'd like to see in your reply :-

  • Log from Malwarebytes
  • Log from HJT

kevinf80
If you know where to look you can find anything, if you don`t, try Google.
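As an added example (not code from this thread, nor from the HijackThis or Malwarebytes projects), here is a small Python triage script that applies the same criteria kevinf80 used to pick the entries above: components whose file is missing or absent, a DLL named without a path, the Trusted Zone addition, and CLSIDs that a Malwarebytes log later names as malicious. The sample lines are copied from the logs posted in this thread; the regexes, reason strings and helper names are the example's own assumptions.

```python
"""Triage helper for HijackThis (HJT) v2 log lines.

Added example for this thread; it is not part of the forum post and not
code from the HijackThis or Malwarebytes projects. It flags the kinds of
entries the helper singled out: components whose file is missing or absent,
DLLs referenced by bare filename, Trusted Zone additions, and CLSIDs that a
Malwarebytes (MBAM) log names as malicious.
"""
import re
from dataclasses import dataclass, field

# "Oxx - Kind: Name - {CLSID} - target" family (R3, O2, O3, O18, O22).
ENTRY_RE = re.compile(
    r"^(?P<code>[RO]\d+) - (?P<kind>[^:]+): (?P<name>.*?) - "
    r"\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$"
)
# MBAM registry-key lines carry "{CLSID} (Detection.Name)".
MBAM_RE = re.compile(r"\{(?P<clsid>[0-9A-Fa-f-]{36})\} \((?P<detection>[^)]+)\)")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Sample lines copied from the logs posted in this thread (constructed subset).
HJT_SAMPLE = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Internet Explorer Plugin - {9A5B84B4-FC31-41F3-8744-EE1599395BCD} - kcgjaist.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O15 - Trusted Zone: *.download.com
O22 - SharedTaskScheduler: HimelanoImj - {189CAFB0-77E0-4627-A3B2-E93C8754179F} - (no file)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
"""
MBAM_SAMPLE = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9a5b84b4-fc31-41f3-8744-ee1599395bcd} (Password.Stealer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kcgjaist.dll (Password.Stealer) -> Quarantined and deleted successfully.
"""


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def mbam_clsids(mbam_lines):
    """Map each CLSID named in an MBAM detection line to its detection name."""
    found = {}
    for line in mbam_lines:
        m = MBAM_RE.search(line)
        if m:
            found[m.group("clsid").lower()] = m.group("detection")
    return found


def triage(hjt_lines, known_bad=None):
    """Return a Finding for every HJT line that deserves a second look."""
    known_bad = known_bad or {}
    findings = []
    for raw in hjt_lines:
        line = raw.strip()
        if not line:
            continue
        reasons = []
        if line.startswith("O15 - Trusted Zone:"):
            reasons.append("Trusted Zone entry lowers IE security for that domain")
        m = ENTRY_RE.match(line)
        if m:
            target = m.group("target").strip()
            if target == "(no file)":
                reasons.append("registered component has no file on disk")
            else:
                path = target
                if path.endswith("(file missing)"):
                    reasons.append("referenced file is missing (orphaned entry)")
                    path = path[: -len("(file missing)")].strip()
                if not DRIVE_PATH_RE.match(path):
                    reasons.append("DLL referenced by bare filename, not a full path")
            detection = known_bad.get(m.group("clsid").lower())
            if detection:
                reasons.append(f"CLSID reported by MBAM as {detection}")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


def run_sample():
    """Cross-check the HJT sample against the CLSIDs named in the MBAM sample."""
    return triage(HJT_SAMPLE.splitlines(), mbam_clsids(MBAM_SAMPLE.splitlines()))


if __name__ == "__main__":
    for f in run_sample():
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Entries that survive the filter (a valid path, no MBAM hit) are not proof of cleanliness; the script only orders the manual review the helper still has to do.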
bigd
Bronze Member

« Reply #3 on: February 05, 2010, 07:11:07 PM »

OK, did everything up until starting in safe mode; I tried over twenty times and it never would start. So I then opened in normal and uninstalled all the programs I could find in your list and rebooted. I then downloaded malwarebytes.exe and saved it to the desktop, but just like before it will not let me open or start any antispy or malware programs. Here is my new HijackThis log. Please let me know how to proceed, and thanks for all your help so far.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 9:10:13 PM, on 2/5/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\FinePixViewerS\QuickDCF2.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher S.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 7671 bytes
bigd
Bronze Member

« Reply #4 on: February 06, 2010, 07:41:47 AM »

Also, I keep getting random commercials that are sound only: no visible windows open, just the sound coming through my speakers. And I still can't open in safe mode, nor can I open Malwarebytes or any other related programs. It just seems to be blocking me at every turn! Thank you again for your much-needed help.
kevinf80
Malware Removal Staff

« Reply #5 on: February 06, 2010, 08:35:22 AM »

Hi bigd, and thanks for the reply. The malware is obviously causing the issues that you are experiencing. Let's try Malwarebytes another way and see if we can make some inroads. Please proceed as follows :-

Please download the Malwarebytes random-named installer from HERE and save it on your desktop. You'll see it will have a random name and will look like a set of books:
Double-click on it; it will extract the files and start Malwarebytes automatically.
In case the installer (random-named file) won't run either, rename it to EXPLORER.EXE and try again.

When Malwarebytes opens, click the "Update" tab FIRST and select to check for updates in order to get the latest updates.
In case Malwarebytes doesn't open, search for the folder mbam-installer on your desktop, open it and double-click the file winlogon.exe, which will be present in there. This should launch Malwarebytes.

Then perform a scan and let it remove what it found. Reboot afterwards (important).
After the reboot, post the Malwarebytes log together with a new HJT log.

kevinf80
bigd
Bronze Member

« Reply #6 on: February 06, 2010, 09:21:22 AM »

Finally, that worked! Opened MB perfectly and found 45 infections! Here is the MB log and the new HJT log. Thanks.

Malwarebytes' Anti-Malware 1.44
Database version: 3697
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/6/2010 11:10:28 AM
mbam-log-2010-02-06 (11-10-28).txt

Scan type: Quick Scan
Objects scanned: 136204
Time elapsed: 6 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 32

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9a5b84b4-fc31-41f3-8744-ee1599395bcd} (Password.Stealer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{9a5b84b4-fc31-41f3-8744-ee1599395bcd} (Password.Stealer) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.
C:\Program Files\schtml (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images (Rogue.YourPCProtector) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Temp\603.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\schtml\dbsinit.exe (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\wispex.html (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\i1.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\i2.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\i3.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\j1.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\j2.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\j3.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\jj1.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\jj2.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\jj3.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\l1.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\l2.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\l3.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\pix.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\t1.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\t2.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\Thumbs.db (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\up1.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\up2.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\w1.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\w11.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\w2.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\w3.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\w3.jpg (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\word.doc (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\wt1.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\wt2.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\wt3.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kcgjaist.dll (Password.Stealer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\sysReserve.ini (Malware.Trace) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 11:19:01 AM, on 2/6/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\FinePixViewerS\QuickDCF2.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Documents and Settings\Owner\Desktop\mbam-installer\winlogon.exe
C:\Documents and Settings\Owner\Desktop\mbam-installer\explorer.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Documents and Settings\Owner\Desktop\mbam-installer\explorer.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher S.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 7959 bytes
kevinf80
Malware Removal Staff

« Reply #7 on: February 06, 2010, 10:35:25 AM »

Hi bigd and thanks for the new logs.

You will have seen for yourself that Malwarebytes has found and removed multiple backdoor bots and password stealers. If you have used your PC for banking or financial dealings of any sort, the best option may be to re-format and re-install your system; at the very least you should change all passwords that are on your system relative to anything financial and inform your bank. If you wish we can continue with the cleaning process; the decision is up to you. If so, proceed as follows:-

Step 1

Re-open and run Malwarebytes a second time :-
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log.

Step 2

We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

Combofix

Don`t forget Combofix must be saved to your desktop.

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:  Do not click combofix's window with your mouse while it's running. That action may cause it to stall.

Step 3

Re-open HJT, carry out a scan and save a log file, then copy/paste the log to your next reply.

What I'd like to see in your next reply:-

  • Log from Malwarebytes
  • Log from Combofix
  • Log from HJT

kevinf80

If you know where to look you can find anything, if you don`t, try Google.

bigd
Bronze Member

« Reply #8 on: February 06, 2010, 11:28:41 AM »

It is still blocking me from visiting sites that deal with its removal, such as bleepingcomputer.com, so I can't download the ComboFix. Here is my MB log; it shows no infections. It still stops me from running anti programs and is still playing audio for random commercials.

Malwarebytes' Anti-Malware 1.44
Database version: 3697
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/6/2010 1:22:04 PM
mbam-log-2010-02-06 (13-22-04).txt

Scan type: Quick Scan
Objects scanned: 136917
Time elapsed: 2 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


bigd
Bronze Member

« Reply #9 on: February 06, 2010, 11:38:40 AM »

Also, here is my newest HJT log...

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 1:35:13 PM, on 2/6/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\FinePixViewerS\QuickDCF2.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Documents and Settings\Owner\Desktop\mbam-installer\explorer.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher S.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 7926 bytes
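The two HJT logs above both list winlogon.exe and explorer.exe running from Desktop\mbam-installer (here the renamed Malwarebytes installer, a common workaround when a rogue kills security tools by process name) and a BHO whose DLL is reported missing. As an added example, not code from the thread or from HijackThis, here is a small triage script that flags those patterns, plus O4 autoruns launched from user-writable folders, for manual review; the sample log is constructed from lines in the logs above.

```python
"""Triage helper for HijackThis-style logs (added example; not part of the
forum thread and not HijackThis code).

Flags three patterns a malware-removal helper checks when reading a log:
  1. a process named like a core Windows binary running outside %SystemRoot%
     (benign here, a renamed MBAM, but rogues hide behind these names too);
  2. O2 BHO entries whose DLL is "(file missing)";
  3. O4 Run entries that launch from a user profile, Desktop or Temp folder.
Every finding is "review this", not "this is malware".
"""
import re
from typing import List, Tuple

# Core Windows process names only expected under %SystemRoot% (Windows XP).
SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "explorer.exe", "spoolsv.exe",
}
SYSTEM_DIRS = (r"c:\windows", r"c:\windows\system32")
# Substrings that mark unusual launch locations for an autorun entry.
USER_WRITABLE_HINTS = ("documents and settings", "\\desktop\\", "\\temp\\",
                       "\\local settings\\")

Finding = Tuple[str, str, str]  # (category, HJT section, offending line)

# O4 lines look like:  O4 - HKLM\..\Run: [Name] "C:\path\prog.exe" /args
_O4_TARGET = re.compile(r'^O4 - .*?:\s*\[[^\]]*\]\s*"?([^"]+?\.exe)"?', re.I)


def _dirname_lower(path: str) -> str:
    path = path.strip().lower()
    return path.rsplit("\\", 1)[0] if "\\" in path else ""


def _basename_lower(path: str) -> str:
    return path.strip().lower().rsplit("\\", 1)[-1]


def triage_hjt_log(text: str) -> List[Finding]:
    """Return the list of findings for one HijackThis log."""
    findings: List[Finding] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # the process list ends at the first blank line
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            name, directory = _basename_lower(line), _dirname_lower(line)
            if name in SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
                findings.append(("system-name-outside-system-dir", "process", line))
            continue
        if line.startswith("O2 - BHO:") and line.lower().endswith("(file missing)"):
            findings.append(("bho-file-missing", "O2", line))
            continue
        match = _O4_TARGET.match(line)
        if match and any(h in match.group(1).lower() for h in USER_WRITABLE_HINTS):
            findings.append(("autorun-from-user-writable-path", "O4", line))
    return findings


# Constructed sample, assembled from lines of the logs posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Documents and Settings\Owner\Desktop\mbam-installer\winlogon.exe
C:\Documents and Settings\Owner\Desktop\mbam-installer\explorer.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Documents and Settings\Owner\Desktop\mbam-installer\explorer.exe" /runcleanupscript
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
"""

if __name__ == "__main__":
    for category, section, line in triage_hjt_log(SAMPLE_LOG):
        print(f"[{category}] ({section}) {line}")
```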
kevinf80
Malware Removal Staff

« Reply #10 on: February 07, 2010, 08:33:33 AM »

Hi bigd and thanks for the new logs and information. It would appear that there is a protective rootkit still active within your system. Try to download Combofix from either of these new links and save it to your Desktop; that is very important:-

Link 1
Link 2

Using ComboFix

If you get a successful download and it will not run, delete it. Re-download again from the link that worked, but rename it to FRIEND.EXE.

The first thing you should do is print out this guide, as we will close all the open windows and programs, including your web browser, before starting the ComboFix program.

To download ComboFix, simply left-click on one of the links above and you will see a prompt similar to the figure below.



Click on the Save button, and when it asks you where to save it, make sure you save it directly to your Windows Desktop. An image showing this is below.



When you have the Save as screen configured to save ComboFix.exe to the Desktop, click on the Save button. ComboFix will now start downloading to your computer. If you are on a dialup, this may take a few minutes. When ComboFix has finished downloading you will now see an icon on your desktop similar to the one below.


ComboFix Icon



We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
  • Close all open Windows including this one.
  • Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Right click on the avast! icon in the system tray and choose "Stop On-Access Protection".
Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.

Once you double-click on the icon, you may see a screen similar to the one below.


Windows Open File Security Warning

Windows is issuing this prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue. If you are using Windows Vista, and receive a UAC prompt asking if you would like to continue running the program, you should press the Continue button.

You will now see the first ComboFix screen as shown below. The screen says to wait while Combofix is preparing to run.


ComboFix is Preparing to Run

ComboFix is now preparing to run and when it has finished you will see a screen showing the authorized locations to download Combofix. At this screen, press the OK button and you will now see the Disclaimer screen shown below.


ComboFix Disclaimer


If you do not agree to the disclaimer, then click on the No button to exit the program. Otherwise, to continue you should press the Yes button. If you decided to continue, then ComboFix will create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then back up your Windows Registry as shown in the image below.


ComboFix is backing up the Windows Registry


Once the Windows Registry has finished being backed up, ComboFix will attempt to detect if you have the Windows Recovery Console installed. If you already have it installed, you can skip to this section and continue reading. Otherwise you will see the following message as shown below:


ComboFix Recovery Console

At the above message box, please click on the Yes button in order for ComboFix to continue. Please follow the steps and instructions given by ComboFix in order to finish the installation of the Recovery Console. Once it has finished installing, you will be presented with the screen shown below.


ComboFix Recovery Console Finished

You should now press the Yes button to continue. If at any time during the Recovery Console installation you receive a message stating that it failed to install, please allow ComboFix to continue with the scan of your computer. When it is done, and a log has been created, you can then perform the manual install of the Recovery Console using the steps found in the Manually installing the Windows Recovery Console section.


ComboFix will now disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.


ComboFix is scanning the computer for infections

ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.


Stages of the ComboFix AutoScan

While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan. An example of this can be seen below.


34th Stage of the ComboFix AutoScan

At the time of this writing there are a total of 50 stages as shown in the image below, so please be patient. The amount of stages will go up as time goes on, so if the amount of stages is different when you run it, please do not be concerned.


ComboFix is preparing the log report

When ComboFix has finished running, you will see a screen stating that it is preparing the log report as shown below.


ComboFix is almost done!

This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you that the program's log file, or report, will be located at C:\ComboFix.txt. This can be seen in the image below.

When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically for you as shown below.


ComboFix Log File

You should now post this log in your next reply.

Copy and paste the log in your reply from here: C:\ComboFix.txt, if you don't see it on your desktop.

Next:

Please re-open HJT, do a scan and save a log file, then copy/paste it to your next reply.

What I'd like to see in your reply:-

  • Combofix log
  • HJT log

kevinf80

If you know where to look you can find anything, if you don`t, try Google.

bigd
Bronze Member

« Reply #11 on: February 07, 2010, 10:12:01 PM »

ComboFix 10-02-07.06 - Owner 02/07/2010  23:45:25.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3063.2702 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\FRIEND.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\data
c:\documents and settings\All Users\Application Data\_VOIDkrl32mainweq.dll
c:\documents and settings\All Users\Application Data\_VOIDmainqt.dll
c:\windows\system32\_VOIDktkbodlsmr.log
c:\windows\system32\_VOIDmgfqxswpdn.dll
c:\windows\system32\_VOIDmqlvbwulki.dat
c:\windows\system32\_VOIDqprvkspxng.dll
c:\windows\system32\_VOIDqvnbmcwjkc.dll
c:\windows\system32\_VOIDrystholexu.dll
c:\windows\system32\_VOIDshsyst.dll
c:\windows\system32\18467.exe
c:\windows\system32\6334.exe
c:\windows\system32\drivers\_VOIDmnreetbbmu.sys
c:\windows\system32\ide.txt
c:\windows\system32\qks.txt
c:\windows\system32\xef.txt

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service__VOIDd.sys
-------\Legacy__VOIDd.sys


(((((((((((((((((((((((((   Files Created from 2010-01-08 to 2010-02-08  )))))))))))))))))))))))))))))))
.

2010-02-05 19:02 . 2010-01-20 00:00   6551808   ---ha-w-   c:\documents and settings\Owner\Application Data\mjusbsp\in00000\setup.exe
2010-02-05 19:02 . 2010-01-19 23:57   730032   ---ha-w-   c:\documents and settings\Owner\Application Data\mjusbsp\ar00000\install.exe
2010-02-04 15:16 . 2010-02-04 15:16   --------   d-----w-   c:\documents and settings\Owner\Application Data\OpenOffice.org2
2010-02-04 03:56 . 2010-02-04 03:56   43008   ----a-w-   c:\windows\system32\gpaeql8.dll
2010-02-03 18:40 . 2010-02-03 18:40   388096   ----a-r-   c:\documents and settings\Owner\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-03 18:40 . 2010-02-03 18:40   --------   d-----w-   c:\program files\TrendMicro
2010-02-03 18:35 . 2010-02-03 18:35   --------   d-----w-   c:\program files\Trend Micro
2010-02-03 13:26 . 2010-02-03 13:26   --------   d-sh--w-   c:\documents and settings\NetworkService\IETldCache
2010-02-03 13:15 . 2009-07-28 20:33   55656   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
2010-02-03 13:01 . 2010-02-03 13:01   50968   ----a-w-   c:\windows\system32\avgfwdx.dll
2010-02-03 13:01 . 2010-02-03 13:01   30104   ----a-w-   c:\windows\system32\drivers\avgfwdx.sys
2010-02-03 13:01 . 2010-02-03 13:09   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg9
2010-02-03 12:19 . 2010-02-03 12:19   --------   d-----w-   c:\windows\Internet Logs
2010-02-03 08:33 . 2010-02-03 08:33   --------   d-----w-   c:\documents and settings\Owner\Application Data\AVG8
2010-02-03 04:25 . 2010-01-28 21:57   163280   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2010-02-03 04:25 . 2010-01-28 21:54   19024   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2010-02-03 04:25 . 2010-01-28 21:54   23376   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2010-02-03 04:25 . 2010-01-28 21:57   46672   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2010-02-03 04:25 . 2010-01-28 21:54   100432   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2010-02-03 04:25 . 2010-01-28 21:54   94800   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2010-02-03 04:25 . 2010-01-28 21:53   28240   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2010-02-03 04:25 . 2010-01-28 22:09   38848   ----a-w-   c:\windows\system32\avastSS.scr
2010-02-03 04:25 . 2010-01-28 22:09   152672   ----a-w-   c:\windows\system32\aswBoot.exe
2010-02-03 04:25 . 2010-02-03 04:25   --------   d-----w-   c:\program files\Alwil Software
2010-02-03 04:25 . 2010-02-03 04:25   --------   d-----w-   c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-03 03:51 . 2010-02-03 03:51   --------   d-----w-   c:\program files\OpenOffice.org 2.3
2010-02-03 03:49 . 2010-02-03 03:49   --------   d-----w-   c:\program files\Common Files\Java
2010-02-03 03:46 . 2010-02-06 22:02   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
2010-02-03 03:45 . 2005-08-25 23:18   118784   ----a-w-   c:\windows\system32\MSSTDFMT.DLL
2010-02-03 03:45 . 2010-02-03 04:13   --------   d-----w-   c:\program files\SpywareBlaster
2010-02-02 22:49 . 2010-02-02 22:49   --------   d-----w-   c:\documents and settings\hunter cadence\Application Data\Media Player Classic
2010-01-24 09:27 . 2010-01-24 09:27   --------   d-----w-   c:\windows\system32\config\systemprofile\Application Data\Application Updater
2010-01-24 08:02 . 2010-01-24 08:02   152576   ----a-w-   c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-24 08:01 . 2010-01-24 08:01   79488   ----a-w-   c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-23 03:24 . 2010-01-20 00:00   6551808   ---ha-w-   c:\documents and settings\Owner\Application Data\mjusbsp\Upgrade\setup2.exe
2010-01-23 03:24 . 2010-01-19 23:57   730032   ---ha-w-   c:\documents and settings\Owner\Application Data\mjusbsp\Upgrade\install2.exe
2010-01-20 00:01 . 2010-01-20 00:01   93016   ----a-w-   c:\documents and settings\Owner\Application Data\mjusbsp\ug00000\magicJack.dll
2010-01-20 00:00 . 2010-01-20 00:00   6551808   ----a-w-   c:\documents and settings\Owner\Application Data\mjusbsp\ug00000\setup.exe
2010-01-20 00:00 . 2010-01-20 00:00   416248   ----a-w-   c:\documents and settings\Owner\Application Data\mjusbsp\magicJackLoader.exe
2010-01-20 00:00 . 2010-01-20 00:00   480608   ----a-w-   c:\documents and settings\Owner\Application Data\mjusbsp\octvqe1_apiw.dll
2010-01-20 00:00 . 2010-01-20 00:00   214360   ----a-w-   c:\documents and settings\Owner\Application Data\mjusbsp\TjVista.dll
2010-01-20 00:00 . 2010-01-20 00:00   337240   ----a-w-   c:\documents and settings\Owner\Application Data\mjusbsp\TjIpSys.dll
2010-01-20 00:00 . 2010-01-20 00:00   607600   ----a-w-   c:\documents and settings\Owner\Application Data\mjusbsp\SJHandsetMagicJack.dll
2010-01-20 00:00 . 2010-01-20 00:00   87384   ----a-w-   c:\documents and settings\Owner\Application Data\mjusbsp\st00000\mjsetup.exe
2010-01-20 00:00 . 2010-01-20 00:00   93016   ----a-w-   c:\documents and settings\Owner\Application Data\mjusbsp\st00000\magicJack.dll
2010-01-20 00:00 . 2010-01-20 00:00   93016   ----a-w-   c:\documents and settings\Owner\Application Data\mjusbsp\magicJack.dll
2010-01-19 23:58 . 2010-01-19 23:58   12482904   ----a-w-   c:\documents and settings\Owner\Application Data\mjusbsp\magicJack.exe
2010-01-19 23:57 . 2010-01-19 23:57   730032   ----a-w-   c:\documents and settings\Owner\Application Data\mjusbsp\ug00000\install.exe
2010-01-19 23:57 . 2010-01-19 23:57   87384   ----a-w-   c:\documents and settings\Owner\Application Data\mjusbsp\in00000\mjsetup.exe
2010-01-19 23:57 . 2010-01-19 23:57   93016   ----a-w-   c:\documents and settings\Owner\Application Data\mjusbsp\in00000\magicJack.dll
2010-01-19 23:55 . 2010-01-19 23:55   441704   ----a-w-   c:\documents and settings\Owner\Application Data\mjusbsp\ug00000\magicJackSplash.exe
2010-01-19 23:55 . 2010-01-19 23:55   441704   ----a-w-   c:\documents and settings\Owner\Application Data\mjusbsp\st00000\magicJackSplash.exe
2010-01-19 23:55 . 2010-01-19 23:55   441704   ----a-w-   c:\documents and settings\Owner\Application Data\mjusbsp\magicJackSplash.exe
2010-01-19 23:55 . 2010-01-19 23:55   441704   ----a-w-   c:\documents and settings\Owner\Application Data\mjusbsp\in00000\magicJackSplash.exe
2010-01-19 23:55 . 2010-01-19 23:55   50520   ----a-w-   c:\documents and settings\Owner\Application Data\mjusbsp\cdloader2.exe
2010-01-18 18:42 . 2003-12-12 23:41   53248   ----a-w-   c:\windows\system32\ciaXPRegSvr20.dll
2010-01-18 18:42 . 2004-11-19 08:45   200704   ----a-w-   c:\windows\system32\ciaSCls20.dll
2010-01-18 18:42 . 2003-12-14 22:47   692224   ----a-w-   c:\windows\system32\ciaResSvr20.dll
2010-01-18 18:41 . 2001-05-29 15:00   352256   ----a-w-   c:\windows\system32\ijl15.dll
2010-01-18 18:41 . 2007-04-05 02:27   278528   ----a-w-   c:\windows\system32\duzactx.dll
2010-01-18 18:41 . 2008-02-21 07:41   732656   ----a-w-   c:\windows\system32\wodPop3.dll
2010-01-18 18:41 . 2008-04-04 09:14   753136   ----a-w-   c:\windows\system32\wodSmtp.dll
2010-01-18 18:40 . 2010-02-03 12:53   --------   d-----w-   c:\windows\FontApp
2010-01-17 22:49 . 2010-01-17 22:49   --------   d-sh--w-   c:\documents and settings\hunter cadence\PrivacIE
2010-01-17 22:49 . 2010-01-17 22:49   --------   d-----w-   c:\documents and settings\hunter cadence\Local Settings\Application Data\Yahoo
2010-01-17 22:49 . 2010-02-02 22:47   --------   d-----w-   c:\documents and settings\hunter cadence\Application Data\Search Settings
2010-01-17 22:49 . 2010-01-17 22:49   --------   d-----w-   c:\documents and settings\hunter cadence\Local Settings\Application Data\IObitCom
2010-01-17 22:49 . 2010-01-17 22:49   --------   d-----w-   c:\documents and settings\hunter cadence\Local Settings\Application Data\Conduit
2010-01-17 15:49 . 2010-01-17 15:49   --------   d-----w-   c:\documents and settings\Guest\Application Data\FUJIFILM
2010-01-14 02:51 . 2001-08-18 03:36   5632   ----a-w-   c:\windows\system32\ptpusb.dll
2010-01-14 02:51 . 2008-04-14 10:42   159232   ----a-w-   c:\windows\system32\ptpusd.dll
2010-01-14 02:51 . 2008-04-14 05:15   15104   -c--a-w-   c:\windows\system32\dllcache\usbscan.sys
2010-01-14 02:51 . 2008-04-14 05:15   15104   ----a-w-   c:\windows\system32\drivers\usbscan.sys
2010-01-14 02:40 . 2010-01-14 02:41   --------   d-----w-   c:\program files\FinePixViewerS
2010-01-14 02:40 . 2010-01-14 02:40   --------   d-----w-   c:\documents and settings\Owner\Application Data\InstallShield
2010-01-14 02:39 . 2010-01-14 02:48   --------   d-----w-   c:\documents and settings\Owner\Application Data\FUJIFILM
2010-01-13 22:19 . 2010-01-14 15:51   --------   d-----w-   c:\documents and settings\All Users\Application Data\WinZip
2010-01-13 09:24 . 2010-01-13 09:24   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\tjnet
2010-01-13 03:19 . 2009-11-21 15:51   471552   -c----w-   c:\windows\system32\dllcache\aclayers.dll
2010-01-11 22:22 . 2010-01-11 22:29   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\Ahead
2010-01-11 22:21 . 2010-01-11 22:50   --------   d-----w-   c:\documents and settings\Owner\Application Data\Ahead
2010-01-11 22:17 . 2010-01-14 15:49   --------   d-----w-   c:\program files\Common Files\Ahead
2010-01-11 22:17 . 2010-01-11 22:17   --------   d-----w-   c:\program files\Nero
2010-01-11 19:22 . 2010-02-05 19:02   --------   d-----w-   c:\documents and settings\Owner\Application Data\mjusbsp
2010-01-11 19:06 . 2008-04-14 05:15   10368   -c--a-w-   c:\windows\system32\dllcache\hidusb.sys
2010-01-11 19:06 . 2008-04-14 05:15   10368   ----a-w-   c:\windows\system32\drivers\hidusb.sys
2010-01-11 19:06 . 2008-04-14 05:15   60032   -c--a-w-   c:\windows\system32\dllcache\usbaudio.sys
2010-01-11 19:06 . 2008-04-14 05:15   60032   ----a-w-   c:\windows\system32\drivers\USBAUDIO.sys
2010-01-11 19:06 . 2008-04-14 05:15   32128   -c--a-w-   c:\windows\system32\dllcache\usbccgp.sys
2010-01-11 19:06 . 2008-04-14 05:15   32128   ----a-w-   c:\windows\system32\drivers\usbccgp.sys
2010-01-10 14:36 . 2010-02-03 08:11   --------   d-----w-   c:\program files\Spybot - Search & Destroy
2010-01-10 14:36 . 2010-02-03 03:45   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-03 19:39 . 2009-06-01 04:41   --------   d-----w-   c:\program files\uTorrent
2010-02-03 18:09 . 2009-10-30 02:52   15080   ----a-w-   c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-03 13:09 . 2009-05-17 15:37   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg8
2010-02-03 13:01 . 2009-05-17 15:37   --------   d-----w-   c:\program files\AVG
2010-02-03 12:46 . 2009-05-17 15:20   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-02-03 08:54 . 2009-12-16 00:08   --------   d-----w-   c:\program files\CheckPoint
2010-02-03 08:38 . 2009-05-28 16:35   4212   ---ha-w-   c:\windows\system32\zllictbl.dat
2010-02-03 03:51 . 2009-05-28 21:56   --------   d-----w-   c:\program files\Java
2010-02-02 07:22 . 2006-02-28 12:00   96512   ----a-w-   c:\windows\system32\drivers\atapi.sys
2010-01-24 20:11 . 2009-10-27 23:14   --------   d-----w-   c:\documents and settings\Guest\Application Data\Search Settings
2010-01-17 22:49 . 2010-01-06 02:19   --------   d--h--r-   c:\documents and settings\hunter cadence\Application Data\yahoo!
2010-01-14 02:40 . 2009-05-17 16:52   --------   d--h--w-   c:\program files\InstallShield Installation Information
2010-01-10 14:46 . 2009-06-28 03:50   --------   d-----w-   c:\documents and settings\Owner\Application Data\IObit
2010-01-10 01:47 . 2009-12-31 03:07   5115824   ----a-w-   c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-07 21:07 . 2009-05-17 15:20   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-05-17 15:21   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-01-06 02:19 . 2010-01-06 02:19   --------   d-----w-   c:\documents and settings\hunter cadence\Application Data\Windows Desktop Search
2010-01-06 02:19 . 2010-01-06 02:19   --------   d-----w-   c:\documents and settings\hunter cadence\Application Data\CheckPoint
2009-12-31 07:17 . 2009-12-31 07:17   --------   d-----w-   c:\documents and settings\Owner\Application Data\Aura4You
2009-12-31 07:17 . 2009-12-31 07:17   --------   d-----w-   c:\program files\Aura4You
2009-12-31 03:03 . 2009-05-28 18:41   --------   d-----w-   c:\program files\CA Yahoo! Anti-Spy
2009-12-27 20:57 . 2009-12-27 20:57   --------   d-----w-   c:\program files\Shanghai Mahjong
2009-12-27 20:02 . 2009-12-27 20:02   --------   d-----w-   c:\documents and settings\Guest\Application Data\SpinTop
2009-12-21 19:14 . 2006-02-28 12:00   916480   ----a-w-   c:\windows\system32\wininet.dll
2009-12-17 15:53 . 2009-12-17 15:53   --------   d-----w-   c:\documents and settings\Guest\Application Data\Malwarebytes
2009-12-16 15:57 . 2009-05-28 18:38   --------   d-----w-   c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-12-16 03:09 . 2009-12-16 03:09   --------   d-----w-   c:\documents and settings\Guest\Application Data\CheckPoint
2009-12-16 00:08 . 2009-12-16 00:08   --------   d-----w-   c:\documents and settings\Owner\Application Data\CheckPoint
2009-12-15 22:29 . 2009-12-15 22:29   13104   ----a-w-   c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-15 16:03 . 2009-12-15 16:03   --------   d-----w-   c:\windows\system32\config\systemprofile\Application Data\Dealio
2009-12-15 16:03 . 2009-12-15 16:03   --------   d-----w-   c:\windows\system32\config\systemprofile\Application Data\Search Settings
2009-12-14 00:28 . 2009-12-14 00:28   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2009-11-21 15:51 . 2006-02-28 12:00   471552   ----a-w-   c:\windows\AppPatch\aclayers.dll
2001-03-30 17:14 . 2001-03-30 17:14   32768   --sha-r-   c:\windows\system32\pinoutld.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-05-08 81920]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"cdloader"="c:\documents and settings\Owner\Application Data\mjusbsp\cdloader2.exe" [2010-01-19 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-05-25 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-05-25 126976]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-01-28 2757512]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2010-1-13 303104]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\mjusbsp\\magicJack.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/2/2010 11:25 PM 163280]
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [5/28/2009 11:36 AM 464264]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/2/2010 11:25 PM 19024]
S0 apbkffw;apbkffw;c:\windows\system32\drivers\wrxjubge.sys --> c:\windows\system32\drivers\wrxjubge.sys [?]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2/3/2010 8:01 AM 30104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2/3/2010 8:01 AM 30104]
S3 SDTHelper;Helper driver for SDT-Tool;c:\documents and settings\Owner\Desktop\virus protection\radix_installer_trial\SDTHLPR.sys [11/25/2007 5:01 PM 9401]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-ISW - c:\program files\CheckPoint\ZAForceField\ForceField.exe
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\documents and settings\Owner\Desktop\mbam-installer\explorer.exe
AddRemove-WinImage - c:\documents and settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8LYBC1YV\winima81[1]\winimage.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-07 23:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A163618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74a0852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
 ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
 ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Intel(R) PRO/1000 MT Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf7439bb0
 PacketIndicateHandler -> NDIS.sys @ 0xf7446a21
 SendHandler -> NDIS.sys @ 0xf742487b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
Completion time: 2010-02-07  23:57:24
ComboFix-quarantined-files.txt  2010-02-08 04:57

Pre-Run: 60,405,248,000 bytes free
Post-Run: 61,232,541,696 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - D2AFDC3B06C8049B115BDEF2CB152869
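The "Stealth MBR rootkit/Mebroot/Sinowal detector" block in the log above reads sector 0 once from user mode and once from kernel mode and reports "user & kernel MBR OK" when the two views agree. The Python below is an added example, not part of this thread or of Gmer's tool: it parses a 512-byte MBR (boot signature, disk signature, partition table) and cross-checks two reads of it, which is the principle that detector line reflects. The sector bytes and the "tampered" copy are constructed for the example; the bootstrap prefix, disk signature and single NTFS-type partition are assumptions, not the poster's disk.

```python
# Added example (not from the thread or from Gmer's detector): parse a 512-byte
# MBR and cross-check two reads of sector 0, the idea behind the detector's
# 'user: MBR read' / 'kernel: MBR read' / 'user & kernel MBR OK' lines.
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIG = b"\x55\xaa"
DISK_SIG_OFFSET = 440   # 4-byte NT disk signature + 2 reserved bytes
PT_OFFSET = 446         # four 16-byte partition entries


def parse_mbr(sector: bytes) -> dict:
    """Validate the 0x55AA signature and decode the non-empty partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % MBR_SIZE)
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for slot in range(4):
        entry = sector[PT_OFFSET + 16 * slot: PT_OFFSET + 16 * (slot + 1)]
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", entry)
        if ptype == 0:      # empty slot
            continue
        partitions.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "bootcode_sha256": hashlib.sha256(sector[:DISK_SIG_OFFSET]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
        "partitions": partitions,
    }


def compare_reads(user_view: bytes, kernel_view: bytes) -> list:
    """Findings from comparing two independent reads of sector 0. A stealth MBR
    rootkit that filters disk I/O in the storage stack can hand one reader the
    clean sector and another the patched one; an empty list means the two views
    agree, which is what 'user & kernel MBR OK' reports."""
    user, kernel = parse_mbr(user_view), parse_mbr(kernel_view)
    findings = []
    if user_view != kernel_view:
        first = next(i for i, (a, b) in enumerate(zip(user_view, kernel_view)) if a != b)
        findings.append("MBR reads differ, first difference at offset %d" % first)
    if user["partitions"] != kernel["partitions"]:
        findings.append("partition tables differ between the two reads")
    return findings


def _build_sample_mbr() -> bytes:
    """Constructed sample (assumption, not the poster's disk): a short bootstrap stub
    padded with NOPs, a disk signature, one bootable type-0x07 partition at LBA 63, 0x55AA."""
    bootcode = b"\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(DISK_SIG_OFFSET, b"\x90")
    disk_sig = struct.pack("<I", 0x1A2B3C4D) + b"\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 117_000_000)
    return bootcode + disk_sig + entry + b"\x00" * 48 + BOOT_SIG


SAMPLE_MBR = _build_sample_mbr()
# Simulated on-disk view with the first instruction overwritten (also constructed).
TAMPERED_MBR = b"\xea" + SAMPLE_MBR[1:]

if __name__ == "__main__":
    print(parse_mbr(SAMPLE_MBR))
    print("clean vs clean:", compare_reads(SAMPLE_MBR, SAMPLE_MBR))
    print("clean vs tampered:", compare_reads(SAMPLE_MBR, TAMPERED_MBR))
```

On a live system the two inputs would come from different paths (for example a user-mode read of \\.\PhysicalDrive0 versus a read taken below the filter drivers); the comparison logic is the same, and the bootcode hash gives a value to record before and after a fix so a reinfection of sector 0 is visible.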
bigd
Bronze Member
Posts: 36

« Reply #12 on: February 07, 2010, 10:12:53 PM »

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 12:06:39 AM, on 2/8/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher S.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 7134 bytes
kevinf80
Malware Removal Staff
Posts: 1428

« Reply #13 on: February 08, 2010, 12:36:43 PM »

Hi bigd and thanks for the new logs. Please proceed as follows in the order given :

Step 1

Disable SpywareBlaster:

To disable protection for all database items (remove all protection):
  • Open SpywareBlaster
  • Click on the "Disable All Protection" link under Quick Tasks
  • Exit the program
You can enable this program later once we have cleaned all of the current infection from your PC.

Step 2

From Add/Remove programs via your control panel please uninstall if present:

AskBarDis
uTorrent


uTorrent is classed as a P2P program; whilst it may not be classed as illegal itself, its uses certainly are. This type of program is one of the major conduits for the distribution of computer infections. Please read the following topic:
You Must Remove P2P Programs Before Posting Here


Step 3

Upload a File to Virustotal
Please visit Virustotal
  • Click the Browse... button
  • Navigate to the file c:\windows\system32\gpaeql8.dll
  • Click the Open button
  • Click the Send button
  • Copy and paste the results back here please.

Repeat the above for c:\windows\system32\drivers\atapi.sys

Step 4

We need to upload a file to Jotti

1. Click HERE to get to Jotti's site.

2. At the top of the Jotti window, use the Browse button to locate the following file on your system:

c:\windows\system32\gpaeql8.dll

3. Once you have located the file, click SUBMIT and the content of the file will be uploaded by the site and analysed.

4. Please provide me with the results of the analysis.

Repeat the above for c:\windows\system32\drivers\atapi.sys

Step 5


1. Close any open browsers.


2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


3. Open notepad and copy/paste the text in the quotebox below into it:



Code:

Killall::

File::
c:\windows\system32\avgfwdx.dll
c:\windows\system32\drivers\avgfwdx.sys
c:\windows\system32\avgfwdx.dll
c:\windows\system32\drivers\avgfwdx.sys
c:\windows\system32\pinoutld.dll
c:\windows\system32\drivers\wrxjubge.sys
c:\windows\system32\zllictbl.dat

Folder::
c:\documents and settings\All Users\Application Data\avg9
c:\windows\Internet Logs
c:\documents and settings\Owner\Application Data\AVG8
c:\windows\system32\config\systemprofile\Application Data\Application Updater
c:\windows\system32\config\systemprofile\Application Data\Dealio
c:\windows\system32\config\systemprofile\Application Data\Search Settings
c:\documents and settings\hunter cadence\Local Settings\Application Data\IObitCom
c:\documents and settings\Owner\Desktop\virus protection
c:\program files\uTorrent
c:\program files\AskBarDis
c:\program files\AVG
c:\program files\CheckPoint
c:\documents and settings\hunter cadence\Application Data\CheckPoint
c:\documents and settings\Guest\Application Data\CheckPoint
c:\documents and settings\Owner\Application Data\CheckPoint

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 1

Driver::
ASKService
Avgfwdx
Avgfwfd
apbkffw
SDTHelper





Save this as CFScript.txt, in the same location as ComboFix.exe







Referring to the picture above, drag CFScript into ComboFix.exe (yours will be called FRIEND.exe)

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 6

Re-open HJT carry out a scan and save the log file, copy and paste log to your next reply.

What I'd like to see in your next reply:

  • Results from Jotti
  • Results from VirusTotal
  • Combofix log
  • HJT log
  • How is your PC running now, any problems.

Please post each section reply in a separate post by replying to each one, thank you.

kevinf80
If you know where to look you can find anything, if you don't, try Google.
bigd
Bronze Member
Posts: 36

« Reply #14 on: February 08, 2010, 10:59:54 PM »

File DAD92DD700D58177A848000ABBFD5300D94182AF.dll received on 2010.02.02 16:41:06 (UTC)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.02.02 Trojan-Spy.Win32.Ambler!IK
AhnLab-V3 5.0.0.2 2010.02.01 -
AntiVir 7.9.1.156 2010.02.02 -
Antiy-AVL 2.0.3.7 2010.02.02 -
Authentium 5.2.0.5 2010.02.02 -
Avast 4.8.1351.0 2010.02.02 -
AVG 9.0.0.730 2010.02.02 -
BitDefender 7.2 2010.02.02 -
CAT-QuickHeal 10.00 2010.02.02 -
ClamAV 0.96.0.0-git 2010.02.02 -
Comodo 3794 2010.02.02 -
DrWeb 5.0.1.12222 2010.02.02 -
eSafe 7.0.17.0 2010.02.02 -
eTrust-Vet 35.2.7276 2010.02.02 -
F-Prot 4.5.1.85 2010.02.01 -
F-Secure 9.0.15370.0 2010.02.02 -
Fortinet 4.0.14.0 2010.02.02 -
GData 19 2010.02.02 -
Ikarus T3.1.1.80.0 2010.02.02 Trojan-Spy.Win32.Ambler
Jiangmin 13.0.900 2010.02.02 -
K7AntiVirus 7.10.963 2010.02.02 -
Kaspersky 7.0.0.125 2010.02.02 -
McAfee 5880 2010.02.02 -
McAfee+Artemis 5879 2010.02.01 -
McAfee-GW-Edition 6.8.5 2010.02.02 -
Microsoft 1.5406 2010.02.02 Worm:Win32/Ambler.A
NOD32 4828 2010.02.02 -
Norman 6.04.03 2010.02.02 -
nProtect 2009.1.8.0 2010.02.02 -
Panda 10.0.2.2 2010.02.02 -
PCTools 7.0.3.5 2010.02.02 -
Prevx 3.0 2010.02.02 Medium Risk Malware
Rising 22.33.01.04 2010.02.02 -
Sophos 4.50.0 2010.02.02 -
Sunbelt 3.2.1858.2 2010.02.02 -
TheHacker 6.5.1.0.176 2010.02.02 -
TrendMicro 9.120.0.1004 2010.02.02 PAK_Generic.001
VBA32 3.12.12.1 2010.02.02 -
ViRobot 2010.2.2.2168 2010.02.02 -
VirusBuster 5.0.21.0 2010.02.02 -
 
Additional information
File size: 43008 bytes
MD5   : 578d3a9e89b23e8ec2475dbe4f09e3ff
SHA1  : 2952c0349f3b9f560fd91be319877e7c00225725
SHA256: be3391b43f28eaf93faab9188705fc3fa7ac2da2090f47ce03bac0a073d816ad
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x20490
timedatestamp.....: 0x4B67D43E (Tue Feb 2 08:29:02 2010)
machinetype.......: 0x14C (Intel I386)

( 3 sections )
name  viradd  virsiz  rawdsiz ntrpy md5
UPX0  0x1000  0x16000 0x0     0.00  d41d8cd98f00b204e9800998ecf8427e
UPX1  0x17000 0xA000  0x9800  7.88  0e45ee1c5a945ebbda4aece299691469
.rsrc 0x21000 0x1000  0xC00   3.63  d77ece56ba64d41f589966c23d461704

( 6 imports )

> atl.dll: -
> kernel32.dll: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree
> msvcp60.dll: _npos@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@2IB
> msvcrt.dll: atoi
> oleaut32.dll: -
> user32.dll: wsprintfA

( 1 exports )

> DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer

TrID  : File type identification
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
ssdeep: 768:pGcj2Whly/RYPCwJ+c7RKlw2AK1+P6shPgCI:Acj2Who/mJ+cYlb+jhPg5
Prevx Info: http://info.prevx.com/aboutprogramtext.asp?PX5=DAD92DD700D58177A848000ABBFD5300D94182AF
PEiD  : -
packers (Kaspersky): PE_Patch.UPX, UPX
packers (F-Prot): UPX
RDS   : NSRL Reference Data Set
-
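Steps 3 and 4 of the reply above send two files to VirusTotal and Jotti, and the report just posted shows why the uploaded DLL looks suspicious before any engine verdict: a UPX0 section with 0x16000 virtual bytes but zero raw bytes, a UPX1 section with entropy 7.88, and an entry point (0x20490) that falls inside UPX1. The Python below is an added example, not from this thread, VirusTotal, Jotti or any tool mentioned here: it computes the MD5/SHA1/SHA256 the report lists (so a local copy can be matched against a report's hashes before uploading it), walks the PE section table, measures each section's Shannon entropy and flags those packer indicators. The PE it analyses is constructed inline with the report's section layout but synthetic contents and smaller raw sizes, and the 7.0 entropy threshold is a heuristic choice, not a value the report states.

```python
# Added example (not from the thread, VirusTotal or Jotti): hash a file and triage
# its PE section table for the packer indicators visible in the report above.
import hashlib
import math
import struct

HIGH_ENTROPY = 7.0   # heuristic threshold (assumption), not a value from the report


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 as VirusTotal lists them, to match a local copy against a report."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniform noise; compressed or encrypted data sits near it."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Decode the COFF header, AddressOfEntryPoint and section headers of a PE32 file."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]      # RVA
    sections = []
    for i in range(nsections):
        name, vsize, va, rsize, rptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        raw = data[rptr:rptr + rsize] if rsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": va, "raw_size": rsize,
                         "raw_ptr": rptr, "entropy": shannon_entropy(raw), "flags": flags})
    return {"machine": machine, "timestamp": timestamp, "entry_point": entry_point,
            "sections": sections}


def packer_indicators(pe: dict) -> list:
    """Findings that suggest a packed payload, as in the UPX0/UPX1 layout of the report."""
    hits = []
    for s in pe["sections"]:
        if s["name"].upper().startswith("UPX"):
            hits.append("section %s carries the UPX default name" % s["name"])
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hits.append("section %s has 0x%X virtual bytes but no raw data (unpack target)"
                        % (s["name"], s["virtual_size"]))
        if s["entropy"] > HIGH_ENTROPY:
            hits.append("section %s entropy %.2f (compressed or encrypted)"
                        % (s["name"], s["entropy"]))
    ep = pe["entry_point"]
    for s in pe["sections"]:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= ep < s["virtual_address"] + span and s["entropy"] > HIGH_ENTROPY:
            hits.append("entry point 0x%X lies in high-entropy section %s (unpacker stub)"
                        % (ep, s["name"]))
    return hits


def _pseudo_random(n: int) -> bytes:
    out, block = b"", b"seed"      # deterministic high-entropy filler (SHA-256 chain)
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def _build_sample_pe() -> bytes:
    """Constructed PE32 (assumption): the report's section layout (UPX0 without raw data,
    high-entropy UPX1, small .rsrc, entry point 0x20490) with synthetic, smaller contents."""
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0x4B67D43E, 0, 0, 224, 0x2102)
    optional = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, 0x20490).ljust(224, b"\0")
    upx1_raw, rsrc_raw = _pseudo_random(0x800), b"RSRC".ljust(0x200, b"\0")
    fmt = "<8sIIIIIIHHI"
    sections = (struct.pack(fmt, b"UPX0", 0x16000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
                + struct.pack(fmt, b"UPX1", 0xA000, 0x17000, len(upx1_raw), 0x400, 0, 0, 0, 0, 0xE0000040)
                + struct.pack(fmt, b".rsrc", 0x1000, 0x21000, len(rsrc_raw), 0xC00, 0, 0, 0, 0, 0xC0000040))
    headers = (dos + b"PE\0\0" + coff + optional + sections).ljust(0x400, b"\0")
    return headers + upx1_raw + rsrc_raw


SAMPLE_PE = _build_sample_pe()

if __name__ == "__main__":
    pe = parse_pe(SAMPLE_PE)
    print(file_hashes(SAMPLE_PE))
    for s in pe["sections"]:
        print("%-6s va=0x%05X vsize=0x%05X raw=0x%04X entropy=%.2f" % (
            s["name"], s["virtual_address"], s["virtual_size"], s["raw_size"], s["entropy"]))
    for hit in packer_indicators(pe):
        print("!", hit)
```

To run it against a real file, replace SAMPLE_PE with the bytes read from disk; the hashes it prints are the ones to compare with the MD5/SHA1/SHA256 lines of a VirusTotal report, and a packed section layout like the one above is a reason to treat the file as suspect even when most engines return "-", since the scanner sees the packer stub rather than the unpacked code.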


 