
Active Google Redirect

Discussion in 'Malware and Virus Removal Archive' started by aopahighflyer, 2009/03/19.

  1. 2009/03/19
    aopahighflyer (Thread Starter)
    [Active] Google Redirect

    I appear to have the Google redirect virus. Seems that there has been a lot of success in removing this. I have a real issue with my internet connection telling me that it cannot connect to Microsoft, anti-virus, and other sites that offer downloads to find and remove the virus. Any suggestions on where to start would be greatly appreciated.
     
  2. 2009/03/19
    Aaflac
    Welcome to Windows BBS, aopahighflyer!

    Do you have a second computer, or have access to one?
     


  4. 2009/03/20
    aopahighflyer (Thread Starter)
    Yes I do.
     
  5. 2009/03/21
    Aaflac
    First, download Flash_Disinfector to the clean computer. This program creates a hidden folder named autorun.inf in the USB drive that is plugged in when the program is run. This folder helps protect your USB drive from future infection.

    Save it to the Desktop.

    Double-click Flash_Disinfector.exe to run it, and follow any prompts that appear.

    The utility asks you to insert your flash drives.
    • Plug in your USB thumb/flash drive, and allow the utility to clean it up.
    • Wait until the program has finished scanning, and then exit the program.
    • Restart the computer when done.

    ~~~~
    Next, download the latest version of ComboFix to the non-infected computer. However, rename Combofix.exe as you download it, not after it is on the computer.

    To rename Combofix.exe as you download it (using Internet Explorer), choose Save for the download.
    In the Save As prompt:
    • Save in: Desktop
    • File name: dCat.exe
    Then:
    • Move the dCat.exe file to the thumb/flash drive
    • Connect the thumb/flash drive to the infected computer
    • Save dCat.exe to the Desktop <<<
    • Close all open windows
    • Double-click dCat.exe to run the program
    • Follow the prompts.
    • If the option is offered, it is in your best interest to allow the download and install of the Recovery Console when prompted.
    • When told that the RC is installed correctly, press YES to continue scanning for malware.
    • ComboFix will run. Please don't click on the window while the program is running; it may cause your system to stall.
    • The program may reboot the computer and resume running when it restarts.
    • When finished, a log, ComboFix.txt, is produced.
    Please provide the contents of the ComboFix report in your reply.
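An added example (not from this thread, nor the Flash_Disinfector author's code) of the protection mechanism just described: the check below reports whether a drive root carries the protective autorun.inf directory, nothing at all, or an autorun.inf file, and for a file lists the [autorun] keys that would make the Windows shell launch a program. The drive roots and the autorun.inf body are constructed in a temporary directory, so it never touches a real drive.

```python
"""
Added example, not part of the thread: classify a removable drive's root by what
sits at autorun.inf. Flash_Disinfector leaves a *directory* of that name so a worm
cannot write an autorun.inf *file* there; only a file is honoured by the shell.
Exercised on constructed temporary directories, never a real drive.
"""
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

LAUNCH_KEYS = ("open", "shellexecute")


@dataclass
class AutorunStatus:
    state: str                                          # PROTECTED | UNPROTECTED | SUSPICIOUS
    launch_targets: dict = field(default_factory=dict)  # [autorun] key -> command string


def parse_autorun_inf(text: str) -> dict:
    """Collect the keys in [autorun] that make the shell run a program.

    Section and key names are case-insensitive, as the Windows shell treats
    them. 'open', 'shellexecute' and 'shell\\<verb>\\command' name a command;
    'icon', 'label' and 'action' only change how the drive is displayed.
    """
    targets = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            targets[key] = value.strip()
    return targets


def find_autorun_entry(root):
    """Return the entry named autorun.inf in any letter case, or None."""
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            return Path(root) / name
    return None


def check_drive_root(root) -> AutorunStatus:
    entry = find_autorun_entry(root)
    if entry is None:
        return AutorunStatus("UNPROTECTED")
    if entry.is_dir():
        return AutorunStatus("PROTECTED")      # Flash_Disinfector-style placeholder folder
    body = entry.read_text(errors="replace")
    return AutorunStatus("SUSPICIOUS", parse_autorun_inf(body))


# Constructed autorun.inf body of the kind a USB worm drops; the target is a placeholder name.
CONSTRUCTED_INF = """\
[AutoRun]
OPEN=setup_placeholder.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shell\\open\\command=setup_placeholder.exe
"""


def demo() -> dict:
    """Build three constructed drive roots in a temp dir and classify each."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        roots = {k: Path(tmp) / k for k in ("empty", "protected", "infected")}
        for p in roots.values():
            p.mkdir()
        (roots["protected"] / "autorun.inf").mkdir()
        (roots["infected"] / "Autorun.inf").write_text(CONSTRUCTED_INF)
        for name, path in roots.items():
            results[name] = check_drive_root(path)
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:10s} {status.state:12s} {status.launch_targets}")
```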
     
  6. 2009/03/24
    aopahighflyer (Thread Starter)
    ComboFix 09-03-22.01 - Matthew Shepherd 2009-03-24 2:05:09.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.280 [GMT -5:00]
    Running from: c:\documents and settings\Matthew Shepherd\Desktop\dcat.exe
    AV: CyberDefender Internet Security *On-access scanning enabled* (Updated)
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\a.bat
    c:\windows\Readme.txt
    c:\windows\system32\_000008_.tmp.dll
    c:\windows\system32\akttzn.exe
    c:\windows\system32\bdn.com
    c:\windows\system32\bszip.dll
    c:\windows\system32\DelSelf.bat
    c:\windows\system32\drivers\TDSSmact.sys
    c:\windows\system32\hxiwlgpm.dat
    c:\windows\system32\hxiwlgpm.exe
    c:\windows\system32\karna.dat
    c:\windows\system32\mcrh.tmp
    c:\windows\system32\msgp.exe
    c:\windows\system32\mssecu.exe
    c:\windows\system32\mtr2.exe
    c:\windows\system32\mwin32.exe
    c:\windows\system32\netode.exe
    c:\windows\system32\newsd32.exe
    c:\windows\SYSTEM32\pqtss.bak2
    c:\windows\system32\pqtss.ini
    c:\windows\system32\ps1.exe
    c:\windows\system32\psoft1.exe
    c:\windows\system32\regm64.dll
    c:\windows\system32\Rundl1.exe
    c:\windows\system32\smp
    c:\windows\system32\smp\msrc.exe
    c:\windows\system32\ssvchost.exe
    c:\windows\system32\sysreq.exe
    c:\windows\system32\taack.dat
    c:\windows\system32\taack.exe
    c:\windows\system32\TDSScfum.dll
    c:\windows\system32\TDSSfxwp.dll
    c:\windows\system32\TDSSnmxh.log
    c:\windows\system32\TDSSnrsr.dll
    c:\windows\system32\TDSSofxh.dll
    c:\windows\system32\TDSSosvd.dat
    c:\windows\system32\TDSSrhym.log
    c:\windows\system32\TDSSriqp.dll
    c:\windows\system32\TDSSsbhc.dll
    c:\windows\system32\tdssservers.dat
    c:\windows\system32\TDSStkdv.log
    c:\windows\system32\VBIEWER.OCX
    c:\windows\system32\winlogonpc.exe
    c:\windows\system32\winsystem.exe
    c:\windows\system32\WINWGPX.EXE
    c:\windows\userconfig9x.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_TDSSserv.sys
    -------\Legacy_TDSSserv.sys


    ((((((((((((((((((((((((( Files Created from 2009-02-24 to 2009-03-24 )))))))))))))))))))))))))))))))
    .

    2009-03-24 01:37 . 2009-03-24 01:37 <DIR> d-------- c:\documents and settings\Matthew Shepherd\Application Data\U3
    2009-03-21 11:27 . 2009-03-21 11:27 <DIR> d-------- c:\program files\DivX
    2009-03-21 11:27 . 2009-03-21 11:27 <DIR> d-------- c:\program files\Common Files\DivX Shared
    2009-03-01 18:56 . 2009-03-01 18:56 30,720 --a------ c:\windows\wingbts.exe
    2009-03-01 17:06 . 2009-03-01 17:06 0 --a------ c:\documents and settings\Matthew Shepherd\settings.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-24 07:04 --------- d-----w c:\program files\a-squared Anti-Malware
    2009-02-23 04:39 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-02-23 02:43 67,424 ----a-w c:\windows\system32\drivers\CDAVFS.sys
    2009-02-22 09:38 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-02-22 08:04 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2009-02-22 07:29 --------- d-----w c:\program files\RegCure
    2009-02-14 18:08 --------- d-----w c:\program files\Yahoo!
    2009-02-14 18:08 --------- d-----w c:\documents and settings\All Users\Application Data\YAHOO
    2009-02-11 15:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-02-11 15:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
    2009-02-02 21:04 12,560 ----a-w c:\windows\system32\drivers\TfKbMon.sys
    2008-09-10 18:30 6,622 ----a-w c:\documents and settings\Matthew Shepherd\Application Data\wklnhst.dat
    2007-06-27 21:19 1,182 ----a-w c:\documents and settings\Melissa Shepherd\Application Data\wklnhst.dat
    2005-10-10 20:49 79,808 -c--a-w c:\program files\MC
    2005-04-28 06:01 92,848 ----a-w c:\documents and settings\Matthew Shepherd\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
    "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
    "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-03-22 26112]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-03-22 98304]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
    "type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 196608]
    "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
    "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "EnWin"= {070DEA54-EB89-6D18-FDB5-067AF36CBF99} - c:\program files\ofuojv\EnWin.dll [2008-09-14 118784]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\beep.sys]
    @="beep"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
    "1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
    "500:UDP"= 500:UDP:@xpsp2res.dll,-22017

    S2 NKOEQHLS;NKOEQHLS;\??\c:\windows\system32\nkoeqhls.bis --> c:\windows\system32\nkoeqhls.bis [?]
    S3 CDAVFS;CDAVFS;c:\windows\SYSTEM32\DRIVERS\CDAVFS.sys [2009-02-22 67424]
    S3 IntelinetSecure;IntelinetSecure; [x]
    S3 SNDP202;Dual Mode Camera (8008 VGA);c:\windows\SYSTEM32\DRIVERS\sndp202.sys [2008-07-02 245120]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22f7ee2a-183e-11de-9563-00132000d25e}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a
    .
    Contents of the 'Scheduled Tasks' folder

    2009-03-24 c:\windows\Tasks\RegCure Program Check.job
    - c:\program files\RegCure\RegCure.exe [2008-04-21 16:21]

    2008-12-01 c:\windows\Tasks\RegCure.job
    - c:\program files\RegCure\RegCure.exe [2008-04-21 16:21]
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-{DDA28099-DACF-415D-A5A8-BB134FCA3D6A} - (no file)
    Notify-sstqp - (no file)


    .
    ------- Supplementary Scan -------
    .
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
    TCP: {E2335782-4C43-4DF2-A5C3-5F37DE6B0297} = 195.62.37.19,24.247.15.53
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-24 02:10:21
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NKOEQHLS]
    "ImagePath"="\??\c:\windows\system32\nkoeqhls.bis"
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZIPM12.EXE
    c:\program files\Dell Support Center\bin\sprtsvc.exe
    c:\windows\SYSTEM32\wdfmgr.exe
    .
    **************************************************************************
    .
    Completion time: 2009-03-24 2:13:37 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-03-24 07:13:23

    Pre-Run: 15,263,612,928 bytes free
    Post-Run: 15,835,209,728 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
    189 --- E O F --- 2009-03-14 21:58:48
     
  7. 2009/03/24
    Aaflac
    There are some files showing on the ComboFix log that we need to check out:
    c:\windows\wingbts.exe
    c:\program files\ofuojv\EnWin.dll
    c:\windows\system32\nkoeqhls.bis

    They may be of no concern, but to be safe, rather than sorry, please do the following:

    Enable the viewing of Hidden Files and Folders as follows:
    • At your Desktop, go to Start > My Computer
    • Select the Tools menu and then Folder Options
    • After the new window appears select the View tab
    • Select: Display the contents of system folders
    • Under the Hidden files and folders section select: Show hidden files and folders
    • Remove the checkmark from: Hide file extensions for known file types
    • Remove the checkmark from: Hide protected operating system files (Recommended)
    • Press the Apply button
    • Click OK

    Then, go to: VirusTotal
    • Click the Browse button and search for each of the files identified above
      (You need to do this one at a time.)
    • When you find a file, click Open
    • Then click Send File
    Please be patient while the file is scanned.

    For each file, please provide the scan results in your reply.
     
  8. 2009/03/25
    aopahighflyer (Thread Starter)
    c:\windows\wingbts.exe

    Antivirus Version Last Update Result
    a-squared 4.0.0.101 2009.03.25 -
    AhnLab-V3 5.0.0.2 2009.03.25 -
    AntiVir 7.9.0.126 2009.03.25 TR/Downloader.Gen
    Antiy-AVL 2.0.3.1 2009.03.25 -
    Authentium 5.1.2.4 2009.03.24 -
    Avast 4.8.1335.0 2009.03.24 -
    AVG 8.5.0.283 2009.03.25 -
    BitDefender 7.2 2009.03.25 Generic.Malware.FB.2C36C6EE
    CAT-QuickHeal 10.00 2009.03.25 -
    ClamAV 0.94.1 2009.03.25 -
    Comodo 1084 2009.03.25 -
    DrWeb 4.44.0.09170 2009.03.25 -
    eSafe 7.0.17.0 2009.03.25 Suspicious File
    eTrust-Vet 31.6.6416 2009.03.25 -
    F-Prot 4.4.4.56 2009.03.24 -
    F-Secure 8.0.14470.0 2009.03.25 -
    Fortinet 3.117.0.0 2009.03.25 -
    GData 19 2009.03.25 -
    Ikarus T3.1.1.48.0 2009.03.25 -
    K7AntiVirus 7.10.680 2009.03.24 -
    Kaspersky 7.0.0.125 2009.03.25 Heur.Trojan.Generic
    McAfee 5564 2009.03.25 -
    McAfee+Artemis 5563 2009.03.24 -
    McAfee-GW-Edition 6.7.6 2009.03.25 Trojan.Downloader.Gen
    Microsoft 1.4502 2009.03.25 Trojan:Win32/Capface.A
    NOD32 3962 2009.03.25 -
    Norman 6.00.06 2009.03.25 -
    nProtect 2009.1.8.0 2009.03.25 -
    Panda 10.0.0.10 2009.03.24 -
    PCTools 4.4.2.0 2009.03.25 -
    Prevx1 V2 2009.03.25 High Risk Cloaked Malware
    Rising 21.22.21.00 2009.03.25 -
    Sophos 4.39.0 2009.03.25 Sus/Spy-B
    Sunbelt 3.2.1858.2 2009.03.25 BehavesLike.Win32.Malware (v)
    Symantec 1.4.4.12 2009.03.25 Suspicious.MH690.A
    TheHacker 6.3.3.5.290 2009.03.25 -
    TrendMicro 8.700.0.1004 2009.03.25 PAK_Generic.001
    VBA32 3.12.10.1 2009.03.24 -
    ViRobot 2009.3.25.1663 2009.03.25 -
    VirusBuster 4.6.5.0 2009.03.25 -
    Additional information
    File size: 30720 bytes
    MD5...: 811fb421915b10b3549e97b917f11ba7
    SHA1..: 8ca84bc273352d5c071d39a8d0226a54c5f4186e
    SHA256: 3e709a441a7a618f14c94928d038f643ba7d05188557863c5c8c2782eee5aa22
    SHA512: 875470f686cf4afd52f6da61dafea24f603383d89698ca3e3d46750c8cfa7d53
    4fb40183fffd5f4fa456f81f86d56a95ade7b9b0a392c70089163be5bfea99b6
    ssdeep: 384:tGxkICNoguCrnb/2dk33trVNVHwNKSAJmdxP2ecVvW/y+WmaY0N8BAnyeITn
    s9/6:AkIjguGj2Itrn5i/LcI/nv0qBgIg9

    PEiD..: -
    TrID..: File type identification
    UPX compressed Win32 Executable (39.5%)
    Win32 EXE Yoda's Crypter (34.3%)
    Win32 Executable Generic (11.0%)
    Win32 Dynamic Link Library (generic) (9.8%)
    Generic Win/DOS Executable (2.5%)
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x15fa0
    timedatestamp.....: 0x49a9a358 (Sat Feb 28 20:49:28 2009)
    machinetype.......: 0x14c (I386)

    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    UPX0 0x1000 0xe000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
    UPX1 0xf000 0x8000 0x7200 7.90 643d78e1685842ee48db78b1568ed8d0
    UPX2 0x17000 0x1000 0x200 3.99 a9b164bdbe382e1172d1b5971cbc1a59

    ( 7 imports )
    > KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
    > ADVAPI32.dll: RegCloseKey
    > ole32.dll: CoInitialize
    > OLEAUT32.dll: -
    > urlmon.dll: URLDownloadToFileA
    > USER32.dll: wsprintfA
    > WININET.dll: InternetOpenA

    ( 0 exports )

    RDS...: NSRL Reference Data Set
    -
    ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=811fb421915b10b3549e97b917f11ba7
    packers (Kaspersky): PE_Patch.UPX, UPX
    Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=6503AB53009DEA9A78AE0082810E55006FE6408C
    packers (F-Prot): UPX


    ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.


    *********************************************************
    c:\program files\ofupjv\Enwin.dll

    Antivirus Version Last Update Result
    a-squared 4.0.0.101 2009.03.25 -
    AhnLab-V3 5.0.0.2 2009.03.25 -
    AntiVir 7.9.0.126 2009.03.25 TR/BHO.Gen
    Antiy-AVL 2.0.3.1 2009.03.25 -
    Authentium 5.1.2.4 2009.03.24 W32/Trojan-Obfuscated.1!Generic
    Avast 4.8.1335.0 2009.03.24 Win32:pureMorph
    AVG 8.5.0.283 2009.03.25 -
    BitDefender 7.2 2009.03.25 Trojan.Obfuscated.Gen.1
    CAT-QuickHeal 10.00 2009.03.25 Win32.Trojan.Obfuscated.gx.4
    ClamAV 0.94.1 2009.03.25 -
    Comodo 1084 2009.03.25 -
    DrWeb 4.44.0.09170 2009.03.25 -
    eSafe 7.0.17.0 2009.03.25 -
    eTrust-Vet 31.6.6416 2009.03.25 -
    F-Prot 4.4.4.56 2009.03.24 W32/Trojan-Obfuscated.1!Generic
    F-Secure 8.0.14470.0 2009.03.25 Trojan.Win32.Obfuscated.gx
    Fortinet 3.117.0.0 2009.03.25 -
    GData 19 2009.03.25 Trojan.Obfuscated.Gen.1
    Ikarus T3.1.1.48.0 2009.03.25 -
    K7AntiVirus 7.10.680 2009.03.24 -
    Kaspersky 7.0.0.125 2009.03.25 Trojan.Win32.Obfuscated.gx
    McAfee 5564 2009.03.25 -
    McAfee+Artemis 5564 2009.03.25 -
    McAfee-GW-Edition 6.7.6 2009.03.25 Trojan.BHO.Gen
    Microsoft 1.4502 2009.03.25 VirTool:Win32/Obfuscator.DE
    NOD32 3962 2009.03.25 -
    Norman 6.00.06 2009.03.25 -
    nProtect 2009.1.8.0 2009.03.25 -
    Panda 10.0.0.10 2009.03.24 Malicious Packer
    PCTools 4.4.2.0 2009.03.25 -
    Prevx1 V2 2009.03.25 -
    Rising 21.22.21.00 2009.03.25 -
    Sophos 4.39.0 2009.03.25 Mal/EncPk-DG
    Sunbelt 3.2.1858.2 2009.03.25 -
    Symantec 1.4.4.12 2009.03.25 -
    TheHacker 6.3.3.5.290 2009.03.25 -
    TrendMicro 8.700.0.1004 2009.03.25 Possible_Obfus-3
    VBA32 3.12.10.1 2009.03.24 BScope.Trojan-Dropper.Dilos.obfs
    ViRobot 2009.3.25.1663 2009.03.25 -
    VirusBuster 4.6.5.0 2009.03.25 -
    Additional information
    File size: 118784 bytes
    MD5...: b299ef5a51514a843950ed5758119bf9
    SHA1..: 2bbba56fea67a27989ccd4525c8e469c857d2920
    SHA256: 8dcd14c2e326fb6abfd53b61fde32761ff8838e02da9a434e5b53f2814041edc
    SHA512: 9bfb142f8cd081bd4f2d0d4b552783719ca9b98b45cbb8464f4e1f6f538ae25f
    a32ddf400cec6ad46c58f7c30978e66e83b3a91ea1501f06a171c8fa40b619ba
    ssdeep: 1536:Ul+oLBziNDEFIrETtuxRPBqZuspwjuxhX9BqKDAl/aMcx+CAVQ9scynVxFy
    :GRIEIbPAZxwixhtBqKD4/ajxLAtVx

    PEiD..: -
    TrID..: File type identification
    Win32 Executable Generic (42.3%)
    Win32 Dynamic Link Library (generic) (37.6%)
    Generic Win/DOS Executable (9.9%)
    DOS Executable Generic (9.9%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x11975
    timedatestamp.....: 0x48cc5494 (Sun Sep 14 00:02:28 2008)
    machinetype.......: 0x14c (I386)

    ( 4 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .ncpo 0x1000 0x17388 0x18000 6.80 1949e8d3d180965c396138afde40cd12
    .fulht 0x19000 0x731 0x1000 2.99 f1bb407da348cd73df92c0700bb0ee45
    .yblb 0x1a000 0x1f3c 0x1000 0.53 065342f223c7f5d230f046d1da577366
    .reloc 0x1c000 0x195e 0x2000 6.01 28159549dc119ee21194548eba52b483

    ( 4 imports )
    > KERNEL32.dll: MoveFileW, LoadLibraryW, MulDiv, GetModuleHandleW, CreateProcessW, SetWaitableTimer, FindFirstChangeNotificationW, GlobalAlloc, SetThreadPriority, GetVersion, GlobalUnlock, LoadResource, GetCurrentProcessId, GetProcAddress, LoadLibraryA, GetCurrentThread, GlobalAddAtomW, CreateEventW, ResumeThread, QueryDosDeviceW, ResetEvent, GetLogicalDrives, SuspendThread, GetUserDefaultLangID, GetLocalTime, WaitForMultipleObjects, GetCurrentThreadId, SetCurrentDirectoryW, InterlockedDecrement
    > USER32.dll: SendMessageW, ReleaseCapture, LoadBitmapW, DispatchMessageW, SendDlgItemMessageW, GetCursorPos, GetWindowTextW, DestroyMenu, PostMessageW, CreatePopupMenu, ReleaseDC, GetWindowRect, RegisterClassExW, SystemParametersInfoW, DestroyIcon, GetSysColor, GetClassNameW, LoadImageW
    > GDI32.dll: GetObjectW, GetClipBox, SelectObject, DPtoLP, LineTo, CreateICW, SetBkMode, DeleteObject, SetTextColor
    > ADVAPI32.dll: RegOpenKeyExW, RegNotifyChangeKeyValue, RegCreateKeyExW

    ( 4 exports )
    DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer

    RDS...: NSRL Reference Data Set
    -




    *********************************************************
    The nkoeqhls.bis file is nowhere to be found.
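As an added example (not part of the thread), a small parser for result tables in the layout pasted above: it counts detections, separates family-style names from generic or heuristic verdicts, and flags engines that reported nothing while running older definitions than the rest, since a "-" from stale definitions carries less weight. SAMPLE_ROWS is a subset of the wingbts.exe report above; GENERIC_TOKENS is an assumption about which verdict names are heuristic rather than a named family.

```python
"""
Added example (not part of the thread): summarise a VirusTotal result table pasted
in the 'Antivirus Version Last Update Result' layout used above. A '-' result means
the engine reported nothing. SAMPLE_ROWS is a subset of the wingbts.exe report in
this thread; GENERIC_TOKENS is an assumption about which names are heuristic/generic.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# engine, version, update date (YYYY.MM.DD) and a result that may contain spaces
ROW_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+"
    r"(?P<updated>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.+)$"
)

# Verdict tokens that usually signal a heuristic or family-less detection (assumption).
GENERIC_TOKENS = {"gen", "generic", "heur", "heuristic", "suspicious", "behaveslike",
                  "possible", "malware", "pak", "risk", "packer", "cloaked"}

SAMPLE_ROWS = """\
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.03.25 -
AntiVir 7.9.0.126 2009.03.25 TR/Downloader.Gen
Avast 4.8.1335.0 2009.03.24 -
BitDefender 7.2 2009.03.25 Generic.Malware.FB.2C36C6EE
eSafe 7.0.17.0 2009.03.25 Suspicious File
Kaspersky 7.0.0.125 2009.03.25 Heur.Trojan.Generic
Microsoft 1.4502 2009.03.25 Trojan:Win32/Capface.A
NOD32 3962 2009.03.25 -
Prevx1 V2 2009.03.25 High Risk Cloaked Malware
Sunbelt 3.2.1858.2 2009.03.25 BehavesLike.Win32.Malware (v)
Symantec 1.4.4.12 2009.03.25 Suspicious.MH690.A
TrendMicro 8.700.0.1004 2009.03.25 PAK_Generic.001
VirusBuster 4.6.5.0 2009.03.25 -
"""


@dataclass
class Row:
    engine: str
    version: str
    updated: str            # YYYY.MM.DD as printed by VirusTotal; sorts as a string
    result: Optional[str]   # None when the engine printed '-'


@dataclass
class Summary:
    total: int
    detected: int
    named: dict = field(default_factory=dict)        # engine -> family-style name
    generic: dict = field(default_factory=dict)      # engine -> heuristic/generic name
    stale_clean: list = field(default_factory=list)  # '-' from out-of-date engines

    @property
    def ratio(self) -> str:
        return f"{self.detected}/{self.total}"


def parse_vt_table(text: str) -> list:
    """Parse the pasted table; the header and any non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        result = m["result"].strip()
        rows.append(Row(m["engine"], m["version"], m["updated"],
                        None if result == "-" else result))
    return rows


def is_generic(name: str) -> bool:
    """Token match, so 'Trojan.Agent' is not mistaken for a '.Gen' verdict."""
    tokens = set(re.split(r"[^a-z0-9]+", name.lower()))
    return bool(tokens & GENERIC_TOKENS)


def summarize(rows: list) -> Summary:
    s = Summary(total=len(rows), detected=0)
    latest = max(r.updated for r in rows) if rows else ""
    for r in rows:
        if r.result is None:
            if r.updated < latest:      # clean verdict, but from older definitions
                s.stale_clean.append(r.engine)
            continue
        s.detected += 1
        (s.generic if is_generic(r.result) else s.named)[r.engine] = r.result
    return s


if __name__ == "__main__":
    s = summarize(parse_vt_table(SAMPLE_ROWS))
    print(f"detections: {s.ratio}")
    print(f"named families: {s.named}")
    print(f"generic/heuristic: {sorted(s.generic)}")
    print(f"clean but stale: {s.stale_clean}")
```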
     
  9. 2009/03/26
    Aaflac
    Please open Notepad (Start > Run > in the Open field type: notepad)
    Click: OK

    Copy/paste all the text inside the code box below to Notepad:

    Code:
    File::
    c:\windows\wingbts.exe
    c:\windows\system32\nkoeqhls.bis
    
    Folder::
    c:\program files\ofupjv
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "EnWin"=-
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NKOEQHLS]

    Save as CFScript.txt <<< Important!!
    Change the Save as type to: All Files
    Save it to the Desktop

    Now, using the left mouse button, drag the CFScript.txt >>> onto >>> ComboFix.exe, and drop it.

    ComboFix runs a scan, and may reboot when it finishes. This is normal.

    CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

    When finished, a log is produced: ComboFix.txt

    ~~~~
    Please provide the contents of the new ComboFix log in your reply.
     
  10. 2009/03/27
    aopahighflyer (Thread Starter)
    ComboFix 09-03-22.01 - Matthew Shepherd 2009-03-28 0:44:18.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.238 [GMT -5:00]
    Running from: c:\documents and settings\Matthew Shepherd\Desktop\dcat.exe
    Command switches used :: c:\documents and settings\Matthew Shepherd\Desktop\CFScript.txt
    AV: CyberDefender Internet Security *On-access scanning enabled* (Updated)
    * Created a new restore point

    FILE ::
    c:\windows\system32\nkoeqhls.bis
    c:\windows\wingbts.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\wingbts.exe

    .
    ((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-28 )))))))))))))))))))))))))))))))
    .

    2009-03-24 01:37 . 2009-03-24 01:37 <DIR> d-------- c:\documents and settings\Matthew Shepherd\Application Data\U3
    2009-03-21 11:27 . 2009-03-21 11:27 <DIR> d-------- c:\program files\DivX
    2009-03-21 11:27 . 2009-03-21 11:27 <DIR> d-------- c:\program files\Common Files\DivX Shared
    2009-03-01 17:06 . 2009-03-01 17:06 0 --a------ c:\documents and settings\Matthew Shepherd\settings.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-24 07:04 --------- d-----w c:\program files\a-squared Anti-Malware
    2009-02-23 04:39 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-02-23 02:43 67,424 ----a-w c:\windows\system32\drivers\CDAVFS.sys
    2009-02-22 09:38 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-02-22 08:04 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2009-02-22 07:29 --------- d-----w c:\program files\RegCure
    2009-02-14 18:08 --------- d-----w c:\program files\Yahoo!
    2009-02-14 18:08 --------- d-----w c:\documents and settings\All Users\Application Data\YAHOO
    2009-02-11 15:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-02-11 15:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
    2009-02-02 21:04 12,560 ----a-w c:\windows\system32\drivers\TfKbMon.sys
    2008-12-03 19:13 1,663 ----a-w c:\windows\INF\COM123.tmp
    2008-09-10 18:30 6,622 ----a-w c:\documents and settings\Matthew Shepherd\Application Data\wklnhst.dat
    2007-06-27 21:19 1,182 ----a-w c:\documents and settings\Melissa Shepherd\Application Data\wklnhst.dat
    2005-10-10 20:49 79,808 -c--a-w c:\program files\MC
    2005-04-28 06:01 92,848 ----a-w c:\documents and settings\Matthew Shepherd\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-03-24_ 2.12.34.21 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2004-09-15 18:27:54 192,512 ----a-w c:\windows\INF\unregmp2.exe
    + 2007-06-27 03:10:26 317,440 ----a-w c:\windows\INF\unregmp2.exe
    - 2004-09-15 18:28:06 8,192 ----a-w c:\windows\SYSTEM32\asferror.dll
    + 2006-10-19 02:47:08 7,168 ----a-w c:\windows\SYSTEM32\asferror.dll
    - 2004-09-15 18:28:06 480,768 ----a-w c:\windows\SYSTEM32\Audiodev.dll
    + 2006-10-19 02:47:08 276,992 ----a-w c:\windows\SYSTEM32\audiodev.dll
    - 2004-09-15 18:28:06 233,472 ----a-w c:\windows\SYSTEM32\blackbox.dll
    + 2006-10-19 02:47:10 542,720 ----a-w c:\windows\SYSTEM32\blackbox.dll
    - 2004-09-15 18:28:06 161,792 ----a-w c:\windows\SYSTEM32\cewmdm.dll
    + 2006-10-19 02:47:10 229,376 ----a-w c:\windows\SYSTEM32\cewmdm.dll
    - 2004-09-15 18:28:06 8,192 -c--a-w c:\windows\SYSTEM32\DLLCACHE\asferror.dll
    + 2006-10-19 02:47:08 7,168 -c--a-w c:\windows\SYSTEM32\DLLCACHE\asferror.dll
    - 2004-09-15 18:28:06 233,472 -c--a-w c:\windows\SYSTEM32\DLLCACHE\blackbox.dll
    + 2006-10-19 02:47:10 542,720 -c--a-w c:\windows\SYSTEM32\DLLCACHE\blackbox.dll
    - 2004-09-15 18:28:06 161,792 -c--a-w c:\windows\SYSTEM32\DLLCACHE\cewmdm.dll
    + 2006-10-19 02:47:10 229,376 -c--a-w c:\windows\SYSTEM32\DLLCACHE\cewmdm.dll
    - 2004-09-15 18:28:08 527,360 -c--a-w c:\windows\SYSTEM32\DLLCACHE\drmv2clt.dll
    + 2006-10-19 02:47:10 991,744 -c--a-w c:\windows\SYSTEM32\DLLCACHE\drmv2clt.dll
    - 2004-09-15 18:27:52 6,656 -c--a-w c:\windows\SYSTEM32\DLLCACHE\laprxy.dll
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
    "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
    "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-03-22 26112]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-03-22 98304]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
    "type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 196608]
    "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
    "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\beep.sys]
    @="beep"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
    "1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
    "500:UDP"= 500:UDP:@xpsp2res.dll,-22017

    S3 CDAVFS;CDAVFS;c:\windows\SYSTEM32\DRIVERS\CDAVFS.sys [2009-02-22 67424]
    S3 IntelinetSecure;IntelinetSecure; [x]
    S3 SNDP202;Dual Mode Camera (8008 VGA);c:\windows\SYSTEM32\DRIVERS\sndp202.sys [2008-07-02 245120]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22f7ee2a-183e-11de-9563-00132000d25e}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a
    .
    Contents of the 'Scheduled Tasks' folder

    2009-03-28 c:\windows\Tasks\RegCure Program Check.job
    - c:\program files\RegCure\RegCure.exe [2008-04-21 16:21]

    2008-12-01 c:\windows\Tasks\RegCure.job
    - c:\program files\RegCure\RegCure.exe [2008-04-21 16:21]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
    TCP: {E2335782-4C43-4DF2-A5C3-5F37DE6B0297} = 195.62.37.19,24.247.15.53
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-28 00:48:34
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZIPM12.EXE
    c:\program files\Dell Support Center\bin\sprtsvc.exe
    .
    **************************************************************************
    .
    Completion time: 2009-03-28 0:51:44 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-03-28 05:51:31
    ComboFix2.txt 2009-03-24 07:13:38

    Pre-Run: 14,390,140,928 bytes free
    Post-Run: 14,429,765,632 bytes free

    Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
    325 --- E O F --- 2009-03-25 19:01:29
     
  11. 2009/03/28
    Aaflac

    Aaflac Inactive

    Joined:
    2008/11/02
    Messages:
    294
    Likes Received:
    1
    Let's take care of the Java entry in your reports. It is out of date...


    Please download JavaRa

    Unzip it to the Desktop.

    This program checks if your computer has the latest version of Java Runtime Environment (JRE). If the version installed is superseded by a newer version, the program downloads and installs the newer version by running Java's update program.

    JavaRa then allows you to remove all possible older versions of the JRE program. This ensures the security of your computer is enhanced and also creates some extra space on your hard disk.

    Double-click on JavaRa.exe to start the program.

    • In the prompt that appears, select: Search for Updates
    • Next select: Update using Sun Java’s website
    • Click: Search
    • In Sun Java’s website, download: Java Runtime Environment (JRE) 6 Update 12

    Note: Currently, as part of its update, Java also provides for the installation of the Google Toolbar. You can decline its installation by unchecking "Google Toolbar for Internet Explorer", then click Next to continue.

    • Back to JavaRa, click on Remove Older Versions
    • Click Yes when prompted.
    • When JavaRa is done, a notice appears that a logfile was produced.
    • If you wish to see the log, click OK, for it to show. (The log is also saved as C:\JavaRa.log)
    • Use the X on the upper right side to close JavaRa
    • Next, restart the computer to complete the changes.

    ~~~~
    Now, let’s see if Kaspersky picks up any infected files. There is no option to clean/disinfect; however, we can analyze the information on the report and determine whether further action is needed.


    Please close all windows, and temporarily turn off the real time scanner of your antivirus program.
    Then, use Internet Explorer, and do an online scan with Kaspersky WebScanner
    Click: Scan Now
    Then click: Accept
    The program launches and downloads the latest definition files.
    • Once the files are downloaded, click on: Next
    • Under select a target to scan, select: My Computer
    When the scan is done, any infection is displayed.
    • Click on: View scan report
    To obtain the report:
    Click on: Save Report As

    Next, in the Save as prompt, Save in area, select: Desktop

    In the File name area, use KScan, or something similar

    In Save as type, click the drop arrow and select: Text file [*.txt]
    Then, click: Save

    ~~~~
    Please provide the contents of the Kaspersky Online Scanner report in your reply.
     
  12. 2009/03/30
    aopahighflyer

    aopahighflyer Inactive Thread Starter

    Joined:
    2009/03/01
    Messages:
    14
    Likes Received:
    0
    After downloading the updated Java I went to the Kaspersky Webscan and when it first checks my computer I get the error message "You need to install Java version 1.5 or later to run Kaspersky online scanner 7.0".
     
  13. 2009/03/31
    Aaflac

    Aaflac Inactive

    Joined:
    2008/11/02
    Messages:
    294
    Likes Received:
    1
    Try enabling the Java in the Add-ons for IE. Kaspersky will then work.

    In IE, go to Tools > Manage Add-ons > Enable or disable add-ons

    In the Manage Add-ons prompt:
    In Show: Add-ons currently loaded in Internet Explorer
    Under Name, select/highlight the Java add-on
    Under Settings, Enable the add-on
    Click: OK

    Now, try running Kaspersky.
     
  14. 2009/04/01
    aopahighflyer

    aopahighflyer Inactive Thread Starter

    Joined:
    2009/03/01
    Messages:
    14
    Likes Received:
    0
    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Wednesday, April 1, 2009
    Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Wednesday, April 01, 2009 05:25:40
    Records in database: 1991770
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\

    Scan statistics:
    Files scanned: 74116
    Threat name: 8
    Infected objects: 12
    Suspicious objects: 0
    Duration of the scan: 01:57:36


    File name / Threat name / Threats count
    C:\Documents and Settings\Matthew Shepherd\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0dc2-51b9c747.zip Infected: Trojan-Downloader.Java.Agent.f 1
    C:\Program Files\ofuojv\EnWin.dll Infected: Trojan.Win32.Obfuscated.gx 1
    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\__.zip Infected: Backdoor.Win32.TDSS.bkw 1
    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\karna.dat.vir Infected: Backdoor.Win32.Small.gjm 1
    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\TDSScfum.dll.vir Infected: Rootkit.Win32.TDSS.dbg 1
    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\TDSSnrsr.dll.vir Infected: Backdoor.Win32.TDSS.asz 1
    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\TDSSofxh.dll.vir Infected: Backdoor.Win32.TDSS.blh 1
    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\TDSSriqp.dll.vir Infected: Backdoor.Win32.TDSS.atb 1
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP0\A0000001.dll Infected: Backdoor.Win32.TDSS.blh 1
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP0\A0000002.dll Infected: Backdoor.Win32.TDSS.asz 1
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP0\A0000003.dll Infected: Backdoor.Win32.TDSS.atb 1
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP0\A0000004.dll Infected: Rootkit.Win32.TDSS.dbg 1

    The selected area was scanned.
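The triage step the helper described earlier (reading the scanner report and deciding which detections still need action), as an added example that is not part of this thread, of Kaspersky, or of any tool named in it. It assumes only the report format shown in the post above, treats the C:\Qoobox\Quarantine and System Volume Information locations named in that report as already contained, and uses a sample report constructed from the post's own detection lines.

```python
"""Triage helper for the Kaspersky Online Scanner 7 report format above.

Added example, not code from the thread, from Kaspersky or from any tool named
in it. It parses the "File name / Threat name / Threats count" section and
separates detections that still need action (files in live locations) from
ones already contained: the ComboFix quarantine under C:\\Qoobox\\Quarantine
and System Restore snapshots under System Volume Information. The sample
report below is constructed from the detection lines in the post.
"""
import re
from collections import Counter
from dataclasses import dataclass

# One detection line: "<path> Infected: <threat name> <count>"
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)
SUMMARY_RE = re.compile(r"^Infected objects:\s+(\d+)\s*$", re.MULTILINE)

# Locations that mean the file is no longer reachable by the running system.
CONTAINED_PREFIXES = (
    "c:\\qoobox\\quarantine\\",         # ComboFix quarantine folder
    "c:\\system volume information\\",  # System Restore points
)

# Constructed sample: the summary and detection lines from the post above.
SAMPLE_REPORT = r"""
Scan statistics:
Files scanned: 74116
Threat name: 8
Infected objects: 12
Suspicious objects: 0

File name / Threat name / Threats count
C:\Documents and Settings\Matthew Shepherd\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0dc2-51b9c747.zip Infected: Trojan-Downloader.Java.Agent.f 1
C:\Program Files\ofuojv\EnWin.dll Infected: Trojan.Win32.Obfuscated.gx 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\__.zip Infected: Backdoor.Win32.TDSS.bkw 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\karna.dat.vir Infected: Backdoor.Win32.Small.gjm 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\TDSScfum.dll.vir Infected: Rootkit.Win32.TDSS.dbg 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\TDSSnrsr.dll.vir Infected: Backdoor.Win32.TDSS.asz 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\TDSSofxh.dll.vir Infected: Backdoor.Win32.TDSS.blh 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\TDSSriqp.dll.vir Infected: Backdoor.Win32.TDSS.atb 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP0\A0000001.dll Infected: Backdoor.Win32.TDSS.blh 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP0\A0000002.dll Infected: Backdoor.Win32.TDSS.asz 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP0\A0000003.dll Infected: Backdoor.Win32.TDSS.atb 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP0\A0000004.dll Infected: Rootkit.Win32.TDSS.dbg 1

The selected area was scanned.
"""


@dataclass(frozen=True)
class Detection:
    path: str
    threat: str
    count: int

    @property
    def family(self) -> str:
        # Kaspersky names are Type.Platform.Family.Variant; keep the family part.
        parts = self.threat.split(".")
        return parts[2] if len(parts) >= 3 else self.threat

    @property
    def contained(self) -> bool:
        return self.path.lower().startswith(CONTAINED_PREFIXES)


def parse_detections(report: str) -> list:
    """Return every detection line of the report, in order."""
    found = []
    for line in report.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["threat"], int(m["count"])))
    return found


def triage(report: str) -> dict:
    """Split detections into those needing action and those already contained,
    count threat families, and cross-check the parsed total against the
    report's own 'Infected objects' summary line."""
    detections = parse_detections(report)
    total = sum(d.count for d in detections)
    m = SUMMARY_RE.search(report)
    declared = int(m.group(1)) if m else None
    return {
        "live": [d for d in detections if not d.contained],
        "contained": [d for d in detections if d.contained],
        "families": Counter(d.family for d in detections),
        "total": total,
        "declared": declared,
        "consistent": declared is None or declared == total,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(f"{len(result['live'])} detection(s) still in live locations:")
    for d in result["live"]:
        print(f"  {d.threat:35} {d.path}")
    print(f"{len(result['contained'])} already in quarantine / restore points")
    print("families:", dict(result["families"]))
    if not result["consistent"]:
        print("warning: parsed count differs from the report's summary line")
```

On the sample, the two live hits are the Java cache jar and EnWin.dll; the other ten are already in the ComboFix quarantine or in restore points, which is the split the helper needs before deciding on further steps.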
     
  15. 2009/04/01
    Aaflac

    Aaflac Inactive

    Joined:
    2008/11/02
    Messages:
    294
    Likes Received:
    1
    Please do the following:

    Temporarily disable security/protection applications as they sometimes interfere with running some of the programs needed to eradicate infections. Check the list in How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs for any programs run.


    Next, download ATF Cleaner

    Double-click ATF-Cleaner.exe to run the program
    Click Select All
    Click: Empty Selected

    Click Exit to close the ATF Cleaner program.

    ~~~~
    Now, download Malwarebytes' Anti-Malware (MBAM)
    Save the program to the Desktop
    Close all Windows, including this one. (Print the instructions first)

    On the Desktop, double-click mbam-setup.exe to install the program, and follow the prompts
    • If an update is found, MBAM will download and install the latest.
    • Click OK
    At the main program window
    • Make sure the following is checked: Perform Quick Scan
    • Click: Scan (The scan may take some time to finish, so please be patient.)
    • When the scan completes, a message box appears, click OK

    At the main Scanner screen:
    • Click on: Show Results
    • A screen displaying the malware found shows
    • Make sure everything found is checked, and click: Remove Selected
    • When the disinfection is complete, you may be prompted to Restart. Please do so.
    • When MBAM finishes removing the malware, a log opens in Notepad
    • The log is automatically saved and can be viewed by clicking the Logs tab.
    ~~~~
    Please provide the MBAM report in your reply.
     
  16. 2009/04/02
    aopahighflyer

    aopahighflyer Inactive Thread Starter

    Joined:
    2009/03/01
    Messages:
    14
    Likes Received:
    0
    Malwarebytes' Anti-Malware 1.35
    Database version: 1904
    Windows 5.1.2600 Service Pack 3

    4/3/2009 12:30:29 AM
    mbam-log-2009-04-03 (00-30-29).txt

    Scan type: Quick Scan
    Objects scanned: 81454
    Time elapsed: 3 minute(s), 46 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 13
    Registry Values Infected: 3
    Registry Data Items Infected: 5
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\cdmyidd.securitytoolbar (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{cd24eb02-9831-4838-99d0-726d411b1328} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{f20da564-9254-49fe-a678-cc3cef172252} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\cdmyidd.securitytoolbar.1 (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\SpyClean (Rogue.NetCom3) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IntelinetSecure (Rogue.Intelinet) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Intelinet (Rogue.Intelinet) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AllFilesystemObjects\shellex\ContextMenuHandlers\pcsd.dll (Rogue.PCAntispyware) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\pcsd.dll (Rogue.PCAntispyware) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\Matthew Shepherd\Local Settings\Application Data\CyberDefender\cdmyidd.dll (Trojan.BHO) -> Quarantined and deleted successfully.
     
  17. 2009/04/04
    Aaflac

    Aaflac Inactive

    Joined:
    2008/11/02
    Messages:
    294
    Likes Received:
    1
    Let’s try one more online scan…however, temporarily disable security/malware protection applications as they may interfere with running programs needed to eradicate infections. Check the list in How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs for any programs run.

    Now, download: Panda ActiveScan
    • Click on: Scan Your PC Now
    • Register - you can select the Free Registration
    • When finished with the registration, select: Full Scan
    • Click on: Scan Now
    • Wait for the program components to load and install. (Don't close this window or go to another page while the program components are downloading.)
    • If the program finds any malware it can disinfect, the Disinfect button is enabled.
    • If so, click on: Disinfect (You can ignore the offer to buy the program.)
    • When done, click on: Export To
    • Export the log and save it to the Desktop.
    Please provide the contents of the Panda Online Scan log in your reply.
     
  18. 2009/04/16
    aopahighflyer

    aopahighflyer Inactive Thread Starter

    Joined:
    2009/03/01
    Messages:
    14
    Likes Received:
    0
    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2009-04-16 01:37:30
    PROTECTIONS: 1
    MALWARE: 17
    SUSPECTS: 1
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    Sunbelt VIPRE 3.1.2710 No Yes
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00132734 adware/24-7-search Adware No 0 Yes No c:\windows\system32\unppc.exe
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Matthew Shepherd\Cookies\matthew_shepherd@doubleclick[1].txt
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Matthew Shepherd\Cookies\matthew_shepherd@atdmt[2].txt
    00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Matthew Shepherd\Cookies\matthew_shepherd@mediaplex[2].txt
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Matthew Shepherd\Cookies\matthew_shepherd@ad.yieldmanager[2].txt
    00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Matthew Shepherd\Cookies\matthew_shepherd@burstnet[2].txt
    00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Matthew Shepherd\Cookies\matthew_shepherd@serving-sys[1].txt
    00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Matthew Shepherd\Cookies\matthew_shepherd@bs.serving-sys[2].txt
    00169286 Cookie/Sextracker TrackingCookie No 0 Yes No C:\Documents and Settings\Matthew Shepherd\Cookies\matthew_shepherd@sextracker[1].txt
    00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Matthew Shepherd\Cookies\matthew_shepherd@questionmarket[1].txt
    00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Matthew Shepherd\Cookies\matthew_shepherd@zedo[2].txt
    00206953 Cookie/Sextracker TrackingCookie No 0 Yes No C:\Documents and Settings\Matthew Shepherd\Cookies\matthew_shepherd@counter14.sextracker[1].txt
    00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\Matthew Shepherd\Cookies\matthew_shepherd@ads.addynamix[1].txt
    00446437 Adware/AntivirusPro2009 Adware No 0 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\karna.dat.vir
    01895148 Malicious Packer SecRisk No 0 Yes No C:\Program Files\ofuojv\EnWin.dll
    01895148 Malicious Packer SecRisk No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP0\A0000001.dll
    01895148 Malicious Packer SecRisk No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP0\A0000002.dll
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP0\A0000007.sys
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP0\A0000053.sys
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP14\A0000956.sys
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0000334.sys
    03939310 Adware/UltimateDefender Adware No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP0\A0000003.dll
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location
    ;===================================================================================================================================================================================
    No C:\RECYCLER\S-1-5-21-3757171262-3875660443-1075117811-1005\Dc84.exe
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
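The Panda ActiveScan report above lists nineteen hits, but only a few of them still sit on the live system; the rest are tracking cookies, ComboFix quarantine copies under C:\Qoobox, or System Restore snapshots under System Volume Information that go away once restore points are flushed. The following Python script is an added example (not part of this thread, and not a Panda, ComboFix or Avenger tool) that parses the MALWARE and SUSPECTS sections of that report format and sorts each hit into live, quarantined, restore_point or cookie, so a helper can see at a glance which paths need a removal step. The sample report is constructed from the posted log with the user's profile path replaced by a placeholder; the column layout and the section names are assumed from the posted output.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the report format posted above,
# with the user's profile path replaced by a placeholder.
SAMPLE_REPORT = r"""
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;=======
00132734 adware/24-7-search Adware No 0 Yes No c:\windows\system32\unppc.exe
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@atdmt[2].txt
00446437 Adware/AntivirusPro2009 Adware No 0 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\karna.dat.vir
01895148 Malicious Packer SecRisk No 0 Yes No C:\Program Files\ofuojv\EnWin.dll
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP0\A0000007.sys
;=======
SUSPECTS
Sent Location
;=======
No C:\RECYCLER\S-1-5-21-3757171262-3875660443-1075117811-1005\Dc84.exe
;=======
VULNERABILITIES
Id Severity Description
;=======
"""

# Section names as they appear in the posted report (assumed layout).
SECTIONS = {"PROTECTIONS", "MALWARE", "SUSPECTS", "VULNERABILITIES"}

# Description may contain spaces ("Malicious Packer", "Cookie/Atlas DMT"),
# so it is matched lazily; the fixed Yes/No and severity columns anchor
# the rest of the line and the location is everything after them.
MALWARE_LINE = re.compile(
    r"^(?P<id>\d+)\s+(?P<desc>.+?)\s+(?P<type>\S+)\s+(?P<active>Yes|No)\s+"
    r"(?P<severity>\d+)\s+(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+"
    r"(?P<location>.+)$"
)
SUSPECT_LINE = re.compile(r"^(?P<sent>Yes|No)\s+(?P<location>.+)$")


def parse_report(text):
    """Return a list of hits (dicts) from the MALWARE and SUSPECTS sections."""
    hits, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank lines and ;=== separators
        if line in SECTIONS:
            section = line
            continue
        if section == "MALWARE":
            m = MALWARE_LINE.match(line)  # the column header has no numeric id
            if m:
                hits.append(m.groupdict())
        elif section == "SUSPECTS":
            m = SUSPECT_LINE.match(line)  # the "Sent Location" header does not match
            if m:
                hits.append({"id": None, "desc": "suspect file", "type": "Suspect",
                             "active": None, "severity": None,
                             "disinfectable": None, "disinfected": None,
                             "sent": m.group("sent"),
                             "location": m.group("location")})
    return hits


def classify(hit):
    """Sort a hit by where it sits on disk, which decides what to do about it."""
    loc = hit["location"].lower()
    if hit["type"] == "TrackingCookie":
        return "cookie"                   # cleared from the browser; not an infection
    if "\\system volume information\\_restore" in loc:
        return "restore_point"            # goes away when System Restore is flushed
    if "\\qoobox\\quarantine\\" in loc:
        return "quarantined"              # ComboFix already isolated this copy
    return "live"                         # still on disk: needs a removal step


def triage(text):
    """Map category -> list of locations, preserving report order."""
    buckets = defaultdict(list)
    for hit in parse_report(text):
        buckets[classify(hit)].append(hit["location"])
    return dict(buckets)


if __name__ == "__main__":
    for category, paths in triage(SAMPLE_REPORT).items():
        print(f"{category}:")
        for p in paths:
            print(f"  {p}")
```

Run against the sample, the live bucket is exactly the file and folder paths that the Avenger script in the next post targets, plus the RECYCLER suspect; the quarantine and restore-point copies need no file-level action of their own.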
     
  19. 2009/04/16
    Aaflac

    Aaflac Inactive

    Joined:
    2008/11/02
    Messages:
    294
    Likes Received:
    1
    Please download The Avenger
    • Unzip/extract it to a folder on the Desktop.
    • Double click on avenger.exe to run the program.
    • OK the warning.
    • When the Avenger display opens, copy/paste the text inside the Code box below into the Avenger box titled: Input script here


      Code:
      Files to delete:
      c:\windows\system32\unppc.exe
      Folders to delete:
      C:\RECYCLER
      C:\Program Files\ofuojv
    • Click the Execute button to run the repair.
    • Click Yes to allow the reboot.
    • After the necessary reboots are completed, a log should automatically open.
    • The log is also found at C:\avenger.txt

    Please post the Avenger.txt in your reply.
     
  20. 2009/04/16
    aopahighflyer

    aopahighflyer Inactive Thread Starter

    Joined:
    2009/03/01
    Messages:
    14
    Likes Received:
    0
    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!

    File "c:\windows\system32\unppc.exe" deleted successfully.
    Folder "C:\RECYCLER" deleted successfully.
    Folder "C:\Program Files\ofuojv" deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.
     
  21. 2009/04/19
    Aaflac

    Aaflac Inactive

    Joined:
    2008/11/02
    Messages:
    294
    Likes Received:
    1
    Good job!! :)

    Let's see if you can now download DDS...

    Please download DDS to the Desktop.
    • If you receive a script-blocking warning from any Anti-Malware program running on your computer asking if you would like DDS to run, allow it to do so.
    • Double-click on the DDS icon to start the program.
    • DDS displays a black window providing information as to what DDS is doing on your computer.
    • Next, DDS starts scanning the computer and compiling a variety of information.
    • When DDS finishes scanning, all of the information compiled is displayed in two Notepad reports named dds.txt and attach.txt.
    • Save the reports to the Desktop.

    Please post the dds.txt and attach.txt in your reply.
     
