5th December 2009
#1
Member
Profile:
Join Date: Dec 2009
Posts: 8
Computer Experience: Intermediate
[Resolved] Antivirus Live removal
Hi, I'm trying to rid my girlfriend's computer of that Antivirus Live trojan that seems to be going around. I myself am a Mac user, and it has been years since I've been on a Windows machine, so I'm a little out of practice when it comes to actually using one. This being said, she's trying to run a SUPERAntiSpyware scan now, but it seems to be stalling.
Any help with this would be much appreciated.
DDS:
DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 0:46:22.14 on Sat 12/05/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.74 [GMT -5:00]
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
svchost.exe
C:\Documents and Settings\Owner.YOUR-F214038061\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Documents and Settings\Owner.YOUR-F214038061\Application Data\U3\000017F9AC64F582\LaunchPad.exe
C:\Documents and Settings\Owner.YOUR-F214038061\Desktop\dds.scr
============== Pseudo HJT Report ===============
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.livejournal.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http =127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://www.google.com/ie
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [Google Update] "c:\documents and settings\owner.your-f214038061\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ubrylvhr] c:\documents and settings\owner.your-f214038061\local settings\application data\gbgchm\wbwbsysguard.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~3.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Avant Browser; Avant Browser; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http ://www.candystand.com/play/boardwalk-bowling"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SynTPLpr] "c:\program files\synaptics\syntp\SynTPLpr.exe"
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [MSKDetectorExe] "c:\program files\mcafee\spamkiller\MSKDetct.exe" /uninstall
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] "c:\program files\google\gmail notifier\gnotify.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ubrylvhr] c:\documents and settings\owner.your-f214038061\local settings\application data\gbgchm\wbwbsysguard.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: Copy to Semagic - c:\program files\semagic\copy.htm
IE: Semagic - c:\program files\semagic\link.htm
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?LinkID=39204
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://download.ewido.net/ewidoOnlineScan.cab
DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} - hxxp://www.shockwave.com/content/ballistik/sis/slgwebinstall.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} - hxxp://hoylegames.sierra.com/cab/WONWebLauncherControl.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
============= SERVICES / DRIVERS ===============
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 74480]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-26 24652]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2006-8-20 200576]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 7408]
S2 ArcGIS License Manager;ArcGIS License Manager;c:\progra~1\esri\license\arcgis9x\lmgrd.exe [2007-1-26 467968]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2006-8-20 69692]
=============== Created Last 30 ================
2009-11-18 01:19:58 0 ----a-w- c:\documents and settings\owner.your-f214038061\ipconfig
2009-11-15 21:54:18 0 d-----w- c:\docume~1\alluse~1\applic~1\AIM
2009-11-15 21:54:06 0 d-----w- c:\program files\AIM
2009-11-15 21:53:32 0 d-----w- c:\program files\common files\Software Update Utility
2009-11-11 04:08:24 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2009-11-11 04:08:24 69632 ----a-w- c:\windows\system32\QuickTime.qts
2009-11-08 18:50:14 0 d-----w- c:\program files\iPod
2009-11-08 18:49:37 0 d-----w- c:\program files\iTunes
==================== Find3M ====================
2009-10-11 09:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2007-05-04 00:07:35 0 -csh--w- c:\windows\system32\cmd.com
2007-05-04 00:07:35 0 -csh--w- c:\windows\system32\netstat.com
2007-05-04 00:07:35 0 -csh--w- c:\windows\system32\ping.com
2007-05-04 00:07:35 0 -csh--w- c:\windows\system32\regedit.com
2007-05-04 00:07:35 0 -csh--w- c:\windows\system32\taskkill.com
2007-05-04 00:07:35 0 -csh--w- c:\windows\system32\tasklist.com
2007-05-04 00:07:35 0 -csh--w- c:\windows\system32\tracert.com
2008-08-29 18:40:02 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082920080830\index.dat
============= FINISH: 0:47:41.93 ===============
Last edited by MandaPanda; 5th December 2009 at 16:46 .
Reason: Attaching DDS logs
5th December 2009
#2
WindowsBBS Team Member
Profile:
Join Date: Mar 2003
Location: Washington State
Posts: 4,640
Computer Experience: Often it's like Taz
Hi MandaPanda
Welcome to WindowsBBS.
Please do the following.
Download ComboFix from Here to your Desktop.
It's best to disable realtime protection applications as they sometimes interfere with the tool.
Check this link for any applicable programs you may have.
Close all open programs and windows.
Double click combofix.exe and follow the prompts.
Vista users right click Combofix.exe and select Run As Administrator.
When finished, it shall produce a log for you. Post the ComboFix log.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
If you are prompted to install the Recovery Console, Please do so.
Thanks
Geri
5th December 2009
#3
Member
Profile:
Join Date: Dec 2009
Posts: 8
Computer Experience: Intermediate
Ran ComboFix, here's the log:
ComboFix 09-12-04.05 - Owner 12/05/2009 13:13.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.145 [GMT -5:00]
Running from: c:\documents and settings\Owner.YOUR-F214038061\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\outlook
c:\recycler\S-1-5-21-2670495171-2819364547-283783911-500
c:\windows\kb913800.exe
c:\windows\system32\bszip.dll
c:\windows\system32\cmd.com
c:\windows\system32\netstat.com
c:\windows\system32\ping.com
c:\windows\system32\regedit.com
c:\windows\system32\taskkill.com
c:\windows\system32\tasklist.com
c:\windows\system32\tracert.com
D:\Autorun.inf
Infected copy of c:\windows\system32\DRIVERS\atapi .sys was found and disinfected
Restored copy from - Kitty ate it
.
((((((((((((((((((((((((( Files Created from 2009-11-05 to 2009-12-05 )))))))))))))))))))))))))))))))
.
2009-12-05 04:59 . 2009-12-05 04:59 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-12-05 03:28 . 2009-12-05 05:40 -------- d-----w- c:\documents and settings\Owner.YOUR-F214038061\Local Settings\Application Data\gbgchm
2009-11-26 04:51 . 2009-11-26 04:52 -------- d-----w- c:\program files\QuickTime
2009-11-15 21:54 . 2009-11-15 21:54 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2009-11-15 21:54 . 2009-11-15 21:54 -------- d-----w- c:\program files\AIM
2009-11-15 21:53 . 2009-11-15 21:53 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-11-08 18:50 . 2009-11-08 18:50 -------- d-----w- c:\program files\iPod
2009-11-08 18:49 . 2009-11-08 18:51 -------- d-----w- c:\program files\iTunes
2009-11-08 18:41 . 2009-11-08 18:41 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-05 06:14 . 2006-08-21 02:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-12-05 05:43 . 2007-08-02 00:13 -------- d-----w- c:\documents and settings\Owner.YOUR-F214038061\Application Data\U3
2009-12-04 20:36 . 2006-08-21 05:36 -------- d-----w- c:\program files\Semagic
2009-11-29 06:47 . 2009-10-08 19:16 117760 ----a-w- c:\documents and settings\Owner.YOUR-F214038061\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-25 12:26 . 2009-10-08 19:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-22 09:52 . 2007-01-07 20:59 -------- d-----w- c:\program files\Shockwave.com
2009-11-22 09:15 . 2007-10-20 17:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-20 04:38 . 2007-05-08 05:14 -------- d-----w- c:\documents and settings\Owner.YOUR-F214038061\Application Data\funkitron
2009-11-16 01:35 . 2006-08-21 02:06 -------- d-----w- c:\program files\Trillian
2009-11-15 21:53 . 2007-04-27 00:24 -------- d-----w- c:\program files\Common Files\AOL
2009-11-11 04:24 . 2007-11-21 17:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-08 18:50 . 2008-03-10 06:34 -------- d-----w- c:\program files\Common Files\Apple
2009-11-04 19:40 . 2005-11-23 09:38 119512 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-04 03:14 . 2007-11-21 17:23 -------- d-----w- c:\program files\Microsoft Works
2009-11-04 03:04 . 2006-08-21 02:09 -------- d-----w- c:\program files\Java
2009-11-04 03:02 . 2009-11-04 03:02 152576 ----a-w- c:\documents and settings\Owner.YOUR-F214038061\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-10-19 23:46 . 2009-10-19 23:46 -------- d-----w- c:\documents and settings\All Users\Application Data\GameHouse
2009-10-19 21:27 . 2006-08-21 02:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-19 21:23 . 2009-10-19 20:43 -------- d-----w- c:\program files\Panda Security
2009-10-19 20:45 . 2009-10-19 20:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Backup
2009-10-19 03:01 . 2008-02-02 08:32 -------- d-----w- c:\documents and settings\Owner.YOUR-F214038061\Application Data\PlayFirst
2009-10-19 03:01 . 2008-02-02 08:32 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
2009-10-19 02:03 . 2009-10-19 02:03 -------- d-----w- c:\documents and settings\All Users\Application Data\hitpointstudios
2009-10-18 02:30 . 2008-12-09 00:35 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-10-18 02:29 . 2008-12-09 00:35 38208 ----a-w- c:\documents and settings\Owner.YOUR-F214038061\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2009-10-11 09:17 . 2008-12-24 12:47 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-08 19:15 . 2009-10-08 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-08 19:14 . 2009-10-08 19:14 -------- d-----w- c:\documents and settings\Owner.YOUR-F214038061\Application Data\SUPERAntiSpyware.com
2009-10-08 19:14 . 2009-10-08 19:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-11 14:18 . 2006-08-21 00:22 136192 ----a-w- c:\windows\system32\msv1_0.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 -reboot 1" [X]
"Google Update"="c:\documents and settings\Owner.YOUR-F214038061\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-10-08 133104]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-25 2001648]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-29 344064]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-10-12 1282048]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-9-4 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
backup=c:\windows\pss\BigFix.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McafWelcome
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MskService"=2 (0x2)
"MpfService"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/15/2009 10:42 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 10:42 AM 74480]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/20/2006 7:55 PM 200576]
S2 ArcGIS License Manager;ArcGIS License Manager;c:\progra~1\ESRI\License\arcgis9x\lmgrd.exe [1/26/2007 10:26 AM 467968]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [8/20/2006 7:52 PM 69692]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 10:42 AM 7408]
.
Contents of the 'Scheduled Tasks' folder
2009-12-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]
2009-12-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4100604578-1265856044-2140275292-1006Core.job
- c:\documents and settings\Owner.YOUR-F214038061\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-08 00:25]
2009-12-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4100604578-1265856044-2140275292-1006UA.job
- c:\documents and settings\Owner.YOUR-F214038061\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-08 00:25]
2009-12-04 c:\windows\Tasks\User_Feed_Synchronization-{67BE62E6-85BA-4685-B8AE-6816AE8B40EB}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.livejournal.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http =127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: Copy to Semagic - c:\program files\Semagic\copy.htm
IE: Semagic - c:\program files\Semagic\link.htm
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://download.ewido.net/ewidoOnlineScan.cab
DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} - hxxp://www.shockwave.com/content/ballistik/sis/slgwebinstall.cab
.
- - - - ORPHANS REMOVED - - - -
Toolbar-Locked - (no file)
HKCU-Run-ubrylvhr - c:\documents and settings\Owner.YOUR-F214038061\Local Settings\Application Data\gbgchm\wbwbsysguard.exe
HKLM-Run-ubrylvhr - c:\documents and settings\Owner.YOUR-F214038061\Local Settings\Application Data\gbgchm\wbwbsysguard.exe
AddRemove-Broadcom 802.11b Network Adapter - c:\program files\Broadcom\Broadcom 802.11 Network Adapter\bcmwlu00.exe verbose
AddRemove-PictureItSuiteTrial_v11 - c:\program files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe ADDREMOVE=1 SKU=TRIAL VERSION=11
AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-05 13:40
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
hidec.exe [2576]
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(884)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-12-05 13:52
ComboFix-quarantined-files.txt 2009-12-05 18:51
Pre-Run: 10,329,649,152 bytes free
Post-Run: 11,236,020,224 bytes free
WindowsXP-KB310994-SP2 -Pro-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
- - End Of File - - E23637356B8451C6FB64C8601BC62450
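The DDS log in post #1 and the ComboFix log above both show the same handful of indicator classes: a browser proxy pointed at 127.0.0.1:5555, zero-byte hidden .com files in system32 named after console tools (cmd, regedit, taskkill and so on, which cmd.exe resolves before the .exe because PATHEXT lists .COM first), an autorun entry launched from a random-named folder under Local Settings\Application Data, an infected atapi.sys, and Security Center monitoring and the firewall switched off in the registry. As an added example that is not part of this thread or of DDS, ComboFix or any other tool mentioned here, the Python script below scans log lines in those two formats and flags each of these. The sample lines are constructed from the entries shown in the logs above (with the profile name shortened), and the publisher allowlist is an assumption to be tuned per environment.

```python
"""Triage helper for DDS / ComboFix-style log lines (added example, not part of
any WindowsBBS or ComboFix tooling). Flags the indicator classes visible in the
logs posted in this thread."""
import re

# Console tools a rogue shadows with a .com file: cmd.exe resolves a bare
# command name through PATHEXT, where .COM is listed before .EXE, so typing
# "regedit" runs regedit.com instead of regedit.exe.
SHADOWED_TOOLS = {"cmd", "regedit", "taskkill", "tasklist", "netstat", "ping", "tracert"}

# Publishers known to run legitimate updaters from Local Settings\Application
# Data (assumption: tune this allowlist for the environment being triaged).
KNOWN_APPDATA_PUBLISHERS = {"google"}
APPDATA_MARKER = "\\local settings\\application data\\"

PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+\s*=\s*)?(?P<host>[\w.\-]+):(?P<port>\d+)", re.I)
DDS_RUN_RE = re.compile(r"^[um]Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<rest>.+)$", re.I)
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<rest>.+)$')
EXE_PATH_RE = re.compile(r"[a-z]:\\.*?\.exe", re.I)
COM_SHADOW_RE = re.compile(r"(?P<path>[a-z]:\\\S*\\system32\\(?P<stem>\w+)\.com)\b", re.I)


def _autorun_finding(name, target):
    """Flag an autorun launched from a user's Local Settings\\Application Data
    unless the first directory below it is an allowlisted publisher."""
    low = target.lower()
    if APPDATA_MARKER not in low:
        return None
    publisher = low.split(APPDATA_MARKER, 1)[1].split("\\", 1)[0]
    if publisher in KNOWN_APPDATA_PUBLISHERS:
        return None
    return ("autorun-from-appdata", f"[{name}] {target}")


def triage(lines):
    """Return (category, detail) findings for DDS 'Pseudo HJT' lines and
    ComboFix REGEDIT4-style registry dumps."""
    findings = []
    current_key = ""  # registry key that the following "name"=value lines belong to
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()
            continue

        m = PROXY_RE.search(line)
        if m and (m["host"].startswith("127.") or m["host"].lower() == "localhost"):
            # A rogue AV routes the browser through itself to block AV sites / inject pages.
            findings.append(("loopback-proxy", f"{m['host']}:{m['port']}"))

        m = COM_SHADOW_RE.search(line)
        if m and m["stem"].lower() in SHADOWED_TOOLS:
            findings.append(("com-shadowing-system-tool", m["path"]))

        if line.lower().startswith("infected copy of"):
            findings.append(("infected-system-file", line))

        name = rest = None
        m = DDS_RUN_RE.match(line)
        if m:
            name, rest = m["name"], m["rest"]
        else:
            m = REG_VALUE_RE.match(line)
            if m and current_key.endswith(("\\run", "\\runonce")):
                name, rest = m["name"], m["rest"]
            elif m and "security center\\monitoring" in current_key \
                    and m["name"].lower() == "disablemonitoring" \
                    and m["rest"].strip().endswith("1"):
                findings.append(("security-center-monitoring-disabled", current_key))
            elif m and "firewallpolicy\\standardprofile" in current_key \
                    and m["name"].lower() == "enablefirewall" \
                    and m["rest"].strip().startswith("0"):
                findings.append(("firewall-disabled", current_key))

        if rest is not None:
            p = EXE_PATH_RE.search(rest)
            if p:
                f = _autorun_finding(name, p.group(0))
                if f:
                    findings.append(f)
    return findings


# Constructed sample modeled on the DDS and ComboFix entries in this thread.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.livejournal.com/
uInternet Settings,ProxyServer = http =127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ubrylvhr] c:\documents and settings\owner\local settings\application data\gbgchm\wbwbsysguard.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
2007-05-04 00:07:35 0 -csh--w- c:\windows\system32\cmd.com
2007-05-04 00:07:35 0 -csh--w- c:\windows\system32\regedit.com
2007-05-04 00:07:35 0 -csh--w- c:\windows\system32\taskkill.com
Infected copy of c:\windows\system32\DRIVERS\atapi .sys was found and disinfected
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-25 2001648]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
""".splitlines()

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:40s} {detail}")
```

The Google Update entry is deliberately left in the sample: it lives in the same Local Settings\Application Data tree as the rogue's wbwbsysguard.exe, which is why a bare "anything under AppData" rule needs an allowlist rather than flagging every line. The proxy and .com checks need no such tuning, since no legitimate setup points Internet Explorer at a loopback proxy on an arbitrary port or drops zero-byte cmd.com files into system32.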
5th December 2009
#4
WindowsBBS Team Member
Profile:
Join Date: Mar 2003
Location: Washington State
Posts: 4,640
Computer Experience: Often it's like Taz
Hi
Can you tell me what is in this folder?
c:\documents and settings\Owner.YOUR-F214038061\Local Settings\Application Data\gbgchm
Geri
5th December 2009
#5
Member
Profile:
Join Date: Dec 2009
Posts: 8
Computer Experience: Intermediate
It appears to be empty.
5th December 2009
#6
WindowsBBS Team Member
Profile:
Join Date: Mar 2003
Location: Washington State
Posts: 4,640
Computer Experience: Often it's like Taz
Hi
OK please go back and delete it.
Now please do this.
Download RootRepeal from the following location and save it to your desktop.
Open RootRepeal on your desktop.
Click the Report tab.
Click the Scan button.
Check all seven boxes.
Push OK.
Check the box for your main system drive (Usually C: ), and press OK.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the Save Report button.
Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
Thanks
Geri
5th December 2009
#7
Member
Profile:
Join Date: Dec 2009
Posts: 8
Computer Experience: Intermediate
Finished running RootRepeal, the log follows:
ROOTREPEAL (c) AD , 2007-2009
==================================================
Scan Start Time: 2009/12/05 14:31
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================
Drivers
-------------------
Name: catchme.sys
Image Path: C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\catchme.sys
Address: 0xF788E000 Size: 31744 File Visible: No Signed: -
Status: -
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF1D4E000 Size: 98304 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79E6000 Size: 8192 File Visible: No Signed: -
Status: -
Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xF7A42000 Size: 7872 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEFC96000 Size: 49152 File Visible: No Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP720\A0367035.exe:{F25F62D0-1A9C-0FD9-0FE8-B8DDBED0580A}
Status: Visible to the Windows API, but not on disk.
Path: C:\Documents and Settings\Owner.YOUR-F214038061\Local Settings\Apps\2.0\DVAXTR8R.TVD\NYX8HAQQ.KKZ\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!
Path: C:\Documents and Settings\Owner.YOUR-F214038061\Local Settings\Apps\2.0\DVAXTR8R.TVD\NYX8HAQQ.KKZ\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!
==EOF==
5th December 2009
#8
WindowsBBS Team Member
Profile:
Join Date: Mar 2003
Location: Washington State
Posts: 4,640
Computer Experience: Often it's like Taz
Hi
OK looking good.
Now let's get an online scan.
Please do the following.
Download ATF Cleaner by Atribune and save it to your Desktop.
This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
Recycle bin
The rest are optional - if you want it to remove everything check "Select All".
Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.
Now the scan.
Please do an online scan with Kaspersky WebScanner
It's best to disable real time protection applications as they sometimes interfere with the scan.
Check this link for any applicable programs you may have.
Click on “Accept” if your pop-up blocker blocks any windows from opening.
Read, then click Accept on the Information page.
Windows Vista users: you must open the web browser using the Run as Administrator command.
The program will launch and then begin downloading the latest definition files:
Under Scan on the left side, Click on My Computer
This will start the program and scan your system.
Click “Scan Report” on the left side.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display whether your system has been infected. Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type, Text file. Click OK to save the file.
Save the text file to your desktop.
Copy and paste that information in your next post.
Please post the Kaspersky results.
Let me know of any problems you might be having.
Thanks
Geri
6th December 2009
#9
Member
Profile:
Join Date: Dec 2009
Posts: 8
Computer Experience: Intermediate
Hey, sorry it took so long. The scan took over 11 hours to complete. No problems so far, but it did find three issues. The text from the report follows.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, December 5, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, December 05, 2009 20:21:43
Records in database: 3333830
--------------------------------------------------------------------------------
Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
F:\
Scan statistics:
Objects scanned: 132762
Threats found: 3
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 06:47:03
File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi .sys.vir Infected: Rootkit.Win32.TDSS.y 1
C:\WINDOWS\Downloaded Program Files\WONWebLauncherControl.ocx Infected: not-a-virus:AdWare.Win32.IWon.c 1
D:\i386\Apps\App00577\comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
Selected area has been scanned.
6th December 2009
#10
WindowsBBS Team Member
Profile:
Join Date: Mar 2003
Location: Washington State
Posts: 4,640
Computer Experience: Often it's like Taz
Hi
OK that's looking good.
Please post a HiJackthis log. If you don't have it downloaded here are the instructions.
Download a copy of HijackThis installer from here and save it to your Desktop.
Save HJTInstall.exe to your desktop.
Double-click on the HJTInstall.exe icon on your desktop.
(Let it install to the default location C:\Program Files\Hijackthis)
Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
Put a check by Create a desktop icon and then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch HijackThis.
Click on the Do a system scan and save a log file button.
(It will scan and the log should open in Notepad.)
Click on "Edit" > "Select All" to highlight the entire Notepad contents.
Then click on "Edit" > "Copy".
Come back here to this thread and paste the log in your next reply.
(Right-click in the message body field and select "Paste".)
CAUTION: DO NOT have HijackThis "fix" anything without carefully following expert guidance. Otherwise, you might render your computer unstable or even unbootable. Most of what HijackThis finds will be harmless or even required.
Thanks
Geri
6th December 2009
#11
Member
Join Date: Dec 2009
Posts: 8
Computer Experience: Intermediate
I don't see a Select Additional Tasks option. After HijackThis installs, I accept the TOS and it brings me to a window with the following options:
Do a system scan and save a logfile
Do a system scan only
View the list of backups
Open the Misc Tools section
Open HijackThisQuickStart
None of the above, just start the program
a check box that says Show this window when I start HijackThis
6th December 2009
#12
WindowsBBS Team Member
Join Date: Mar 2003
Location: Washington State
Posts: 4,640
Computer Experience: Often it's like Taz
Do a system scan and save a logfile
6th December 2009
#13
Member
Join Date: Dec 2009
Posts: 8
Computer Experience: Intermediate
Here are the contents of the log file from HijackThis. Should I close the HJT window, or leave it open?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:48:19 AM, on 12/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livejournal.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" /uninstall
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] "C:\Program Files\Google\Gmail Notifier\gnotify.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner.YOUR-F214038061\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~3.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Avant Browser; Avant Browser; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.candystand.com/play/boardwalk-bowling"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} (Sandlot Loader Control) - http://www.shockwave.com/content/bal...webinstall.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WON...herControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 8041 bytes
6th December 2009
#14
WindowsBBS Team Member
Join Date: Mar 2003
Location: Washington State
Posts: 4,640
Computer Experience: Often it's like Taz
Hi
Leave it open for now.
Please do the following.
Do a scan only. Check the boxes next to all the entries listed below.
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WON...herControl.cab
Now close all windows other than HijackThis, then click Fix Checked.
Close HJT.
Now do the following.
Delete RootRepeal.exe and the log it created.
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
ComboFix /Uninstall
This will uninstall ComboFix and remove the files/folders it created.
This action will also reset the System Restore points, removing any infected files there as well.
Please check and verify that C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file. If they weren't please delete them manually.
Let me know how everything is running.
Geri
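As an added defender's example (not code from this thread or from HijackThis), the following Python pass reads an excerpt of the log posted above and surfaces the O16 control Geri told the poster to fix, plus two entries a reviewer would want to look at: the IE proxy pointing at the local machine, and the service whose binary is missing. The CLSID-to-detection mapping (taken from the Kaspersky result for WONWebLauncherControl.ocx) and the loopback-proxy rule are assumptions of this example, not part of HijackThis.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the HijackThis log from the thread (only the lines
# the checks below look at; copied as posted, including the truncated URL).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livejournal.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WON...herControl.cab
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
"""

# Assumed mapping: CLSIDs of ActiveX controls an AV scan already tied to a
# detection. Here only the WONWebLauncher control Kaspersky flagged.
FLAGGED_CLSIDS: Dict[str, str] = {
    "{A031D222-B496-11D2-9CC8-00105A10AAF6}": "not-a-virus:AdWare.Win32.IWon.c",
}

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A proxy value such as "http=127.0.0.1:5555" or "localhost:8080".
LOOPBACK_RE = re.compile(r"(?:^|=)(?:127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost)(?::\d+)?(?:;|$)")


def review_hijackthis(log: str, flagged: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (reason, entry) pairs for log entries that deserve a second look."""
    findings: List[Tuple[str, str]] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list, and footer lines carry no entry
        section, body = m.groups()
        if section == "R1" and ",ProxyServer = " in body:
            value = body.split(",ProxyServer = ", 1)[1]
            if LOOPBACK_RE.search(value):
                findings.append(("browser proxy points at the local machine", line))
        elif section == "O16":
            cm = CLSID_RE.search(body)
            if cm and cm.group(0).upper() in flagged:
                findings.append((f"DPF control tied to {flagged[cm.group(0).upper()]}", line))
        elif section == "O23" and body.endswith("(file missing)"):
            findings.append(("service whose binary no longer exists", line))
    return findings


if __name__ == "__main__":
    for reason, entry in review_hijackthis(SAMPLE_LOG, FLAGGED_CLSIDS):
        print(f"[{reason}] {entry}")
```

A local proxy entry is not proof of infection on its own (some filtering products install one), which is why the code reports it for review rather than labelling it malicious.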
6th December 2009
#15
Member
Join Date: Dec 2009
Posts: 8
Computer Experience: Intermediate
Everything is removed, and the machine is running better than before the malware! My girlfriend and I both thank you so much!