Author Topic: Hacked and Hijacked? :-(  (Read 3308 times)

Offline scrappingmama (Newbie, Posts: 47, Karma: +0/-0)
Hacked and Hijacked? :-(
« Reply #20 on: October 26, 2008, 10:13:39 PM »
This whole time I have been using another computer and have copied every executable to a USB drive and then downloaded the files manually to the desktop on the infected computer.  

For this step, I hooked the infected computer back up to the network/internet and I went to the Symantec link you provided.  I downloaded and ran the Norton Removal Tool.  The system rebooted and tried to go to the Symantec link on restart.  Interestingly enough, I could no longer get to the link.  So, I tried going to www.symantec.com and I couldn't get there.  I also tried Atribune and Lavasoft and I can't get to any of them any longer.  I can get to other sites fine (like this one), but no site that seems like it would protect my computer.  Something seems to be blocking it again.

I was able to still run HJT, so I did the steps that you outlined for removing the items and here is the next log --
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:46:35 PM, on 10/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - https://cim.accenture.com/system/web/view/l...g/ie/SecMgr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1218409226343
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1218409212234
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {B33422AC-C567-4F7D-BB28-6583371EC4EE} (Microsoft CMS HTML Editor) - https://portal.accenture.com/NAVIGATOR/CMS/...ort/NRDHtml.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.15.44/ttinst.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://amr1-extranet.accenture.com/dana-ca...perSetupSP1.cab
O16 - DPF: {E99D3E39-5D92-4360-BA86-2C563B3CFFEB} (Microsoft CMS HTML Editor Toolbar) - https://portal.accenture.com/NAVIGATOR/CMS/...ort/nrdhtml.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = dir.svc.accenture.com,accenture.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = dir.svc.accenture.com,accenture.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = dir.svc.accenture.com,accenture.com
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Unknown owner - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe (file missing)
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - C:\Program Files\Windows Live\Messenger\usnsvc.exe (file missing)
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 7981 bytes

Offline guestolo (Site Donator, Administrator, Hero Member, Posts: 16034, Karma: +1/-0)
Hacked and Hijacked? :-(
« Reply #21 on: October 26, 2008, 10:20:07 PM »
For now, don't do too much navigating of the web with this computer till we have it clear of malware.

Can you do the following:
Download HostsXpert Here and unzip it to your desktop.
Next, open HostsXpert:
  • Make sure that the "make hosts writable?" button in the upper left corner is checked >> it should then read 'Make Readonly'
  • Then click on 'Restore MS host files' >> OK
  • Close HostsXpert.

Afterwards: I had you run the wrong Norton removal tool.
Can you download and run this one please:
NoNav.exe

Afterwards: follow all the next steps I posted earlier.
Here they are again:

======================================================================
Do a "System scan only" with HijackThis and put a check next to these entries:

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe


After you have ticked the above entries, close all other open windows, including this one.
Leave HijackThis open and click FIX CHECKED.
OK the prompt and exit HijackThis.


Download ATF-Cleaner by Atribune.
Save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

Exit ATF-Cleaner from the Main menu.

Go here and download your Free version of Avira AntiVir
http://www.download.com/Avira-AntiVir-Pers...cdlpid=10322935
Save the installer to desktop

Install Avira AntiVir from desktop
Ensure that you have it check for Updates
The first time it updates may take awhile, but allow it time

NOTE: Avira will display a single big Ad on your computer
Don't be alarmed, just click OK at the bottom of the Ad to close it

A scan of your System should then start
If a scan does not start after updating, double click on the Avira icon by the clock (the red/white umbrella)
and select "Scan system now"

Quarantine or delete everything it finds
When the scan is finished
Reboot the computer

Back in Windows
Can you post all the following back please
It may take more than one reply to do so

1. Post a fresh hijackthis log
2. Please post the log from Avira
Open Avira again (Double click on the red Umbrella icon by the clock)
Click on REPORTS under Overview
Double click on the Scan report you just made
Then click on "Report File"

Do you want to post your own logs from FRST?
Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
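The hosts-file step in the post above addresses the symptom scrappingmama reported (security-vendor sites unreachable while other sites load). As an added example, not HostsXpert's code and not anything from the thread, here is a small Python audit that parses a Windows hosts file, flags entries that point security-vendor names at loopback or elsewhere, and rewrites the stock Microsoft contents; the sample hosts text and the vendor-domain list are constructed for illustration.

```python
"""Audit a Windows hosts file for entries that block or redirect security
vendor sites and rebuild the stock Microsoft hosts contents.

Added example for this thread, not code from HostsXpert or from the forum
post. The sample hosts text and the vendor-domain list are constructed.
"""
import ipaddress
import os
import stat

# What Windows XP ships in %SystemRoot%\system32\drivers\etc\hosts: a
# comment header and the single loopback mapping. Writing this back is the
# effect of HostsXpert's "Restore MS host files" step.
DEFAULT_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "#\n"
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n"
    "\n"
    "127.0.0.1       localhost\n"
)

# Illustrative list of vendor domains (assumed, not taken from the page).
SECURITY_DOMAINS = (
    "symantec.com", "lavasoft.com", "atribune.org", "malwarebytes.org",
    "avira.com", "microsoft.com", "windowsupdate.com", "trendmicro.com",
)

# Constructed sample of a hijacked hosts file.
SAMPLE_HOSTS = "\n".join([
    "# Copyright (c) 1993-1999 Microsoft Corp.",
    "#",
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.",
    "127.0.0.1       localhost",
    "127.0.0.1       www.symantec.com",
    "127.0.0.1       symantec.com        # added by malware",
    "0.0.0.0         www.lavasoft.com",
    "127.0.0.2       www.atribune.org",
    "10.0.0.5        liveupdate.symantec.com",
    "192.168.1.10    fileserver.local",
    "not an address  bogus.example",
]) + "\n"


def parse_hosts(text):
    """Return (line_no, ip, [hostnames]) for every active mapping line.

    Comments ('#' to end of line), blank lines and lines whose first token
    is not an IP address are skipped, mirroring how Windows treats them.
    """
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        entries.append((no, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def is_security_host(host):
    """True when host is one of SECURITY_DOMAINS or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)


def audit_hosts(text):
    """Classify every mapping that is not the stock localhost line.

    'blocked'     - vendor name mapped to loopback/unspecified, so the
                    browser never leaves the machine (the thread's symptom)
    'redirected'  - vendor name mapped to some other address
    'nonstandard' - any other non-default mapping, worth a look
    """
    findings = []
    for no, ip, hosts in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        for host in hosts:
            if host == "localhost" and addr.is_loopback:
                continue  # the stock entry
            if is_security_host(host):
                local = addr.is_loopback or addr.is_unspecified
                kind = "blocked" if local else "redirected"
            else:
                kind = "nonstandard"
            findings.append((no, ip, host, kind))
    return findings


def restore_default_hosts(path):
    """Overwrite the hosts file at path with the stock contents.

    Clearing the read-only attribute first corresponds to HostsXpert's
    "make hosts writable?" button; malware often sets it to resist edits.
    """
    if os.path.exists(path):
        os.chmod(path, stat.S_IREAD | stat.S_IWRITE)
    with open(path, "w", newline="\r\n") as fh:
        fh.write(DEFAULT_HOSTS)
    return DEFAULT_HOSTS


if __name__ == "__main__":
    for no, ip, host, kind in audit_hosts(SAMPLE_HOSTS):
        print(f"line {no}: {ip:<15} {host:<28} {kind}")
```

On the infected machine the hosts file lives at %SystemRoot%\system32\drivers\etc\hosts; the audit only reads, so it is safe to run before deciding whether to restore.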


Offline scrappingmama (Newbie, Posts: 47, Karma: +0/-0)
Hacked and Hijacked? :-(
« Reply #22 on: October 26, 2008, 11:19:05 PM »
Okay, had to use the USB drive again from my other computer to get ATF Cleaner because the infected computer still can't open the site.  ATF Cleaner ran and I have downloaded and installed Avira.  I have done the update for it and it is now scanning.

I am heading off to bed.  Three late nights in a row is killing me.  

I have clicked the option to Delete any future detections so hopefully it will keep going through the night.  I will post all logs and reports in the morning.

Thanks again for all of your help.

Offline guestolo (Site Donator, Administrator, Hero Member, Posts: 16034, Karma: +1/-0)
Hacked and Hijacked? :-(
« Reply #23 on: October 26, 2008, 11:22:44 PM »
I'm off to bed myself right away.
I'll look for the logs later tomorrow.
P.S. It's just past 10 pm my time.



Offline scrappingmama (Newbie, Posts: 47, Karma: +0/-0)
Hacked and Hijacked? :-(
« Reply #24 on: October 27, 2008, 07:37:21 AM »
It was midnight here. :-(

Okay, new day and new start.  Here are the logs --

HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:08:28 AM, on 10/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - https://cim.accenture.com/system/web/view/l...g/ie/SecMgr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1218409226343
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1218409212234
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {B33422AC-C567-4F7D-BB28-6583371EC4EE} (Microsoft CMS HTML Editor) - https://portal.accenture.com/NAVIGATOR/CMS/...ort/NRDHtml.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.15.44/ttinst.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://amr1-extranet.accenture.com/dana-ca...perSetupSP1.cab
O16 - DPF: {E99D3E39-5D92-4360-BA86-2C563B3CFFEB} (Microsoft CMS HTML Editor Toolbar) - https://portal.accenture.com/NAVIGATOR/CMS/...ort/nrdhtml.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = dir.svc.accenture.com,accenture.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = dir.svc.accenture.com,accenture.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = dir.svc.accenture.com,accenture.com
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - C:\Program Files\Windows Live\Messenger\usnsvc.exe (file missing)
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 8226 bytes



AVIRA AntiVir Personal
Report file date: Sunday, October 26, 2008  23:54

Scanning for 1708013 virus strains and unwanted programs.

Licensed to:      Avira AntiVir PersonalEdition Classic
Serial number:    0000149996-ADJIE-0001
Platform:         Windows XP
Windows version:  (Service Pack 2)  [5.1.2600]
Boot mode:        Normally booted
Username:         SYSTEM
Computer name:    BIGMAMA

Version information:
BUILD.DAT     : 8.2.0.334      16933 Bytes  10/16/2008 14:55:00
AVSCAN.EXE    : 8.1.4.7       315649 Bytes   6/26/2008 15:57:53
AVSCAN.DLL    : 8.1.4.0        40705 Bytes   5/26/2008 14:56:40
LUKE.DLL      : 8.1.4.5       164097 Bytes   6/12/2008 19:44:19
LUKERES.DLL   : 8.1.4.0        12033 Bytes   5/26/2008 14:58:52
ANTIVIR0.VDF  : 6.40.0.0    11030528 Bytes   7/18/2007 17:33:34
ANTIVIR1.VDF  : 7.0.5.1      8182784 Bytes   6/24/2008 20:54:15
ANTIVIR2.VDF  : 7.0.7.59     4366336 Bytes  10/19/2008 04:52:40
ANTIVIR3.VDF  : 7.0.7.93      198656 Bytes  10/26/2008 04:52:42
Engineversion : 8.2.0.9  
AEVDF.DLL     : 8.1.0.6       102772 Bytes  10/27/2008 04:52:54
AESCRIPT.DLL  : 8.1.1.9       319867 Bytes  10/27/2008 04:52:53
AESCN.DLL     : 8.1.1.3       123252 Bytes  10/27/2008 04:52:52
AERDL.DLL     : 8.1.1.2       438644 Bytes  10/27/2008 04:52:51
AEPACK.DLL    : 8.1.2.4       369014 Bytes  10/27/2008 04:52:50
AEOFFICE.DLL  : 8.1.0.29      196988 Bytes  10/27/2008 04:52:49
AEHEUR.DLL    : 8.1.0.63     1479032 Bytes  10/27/2008 04:52:49
AEHELP.DLL    : 8.1.1.2       115062 Bytes  10/27/2008 04:52:46
AEGEN.DLL     : 8.1.0.42      319861 Bytes  10/27/2008 04:52:46
AEEMU.DLL     : 8.1.0.9       393588 Bytes  10/27/2008 04:52:45
AECORE.DLL    : 8.1.2.8       172406 Bytes  10/27/2008 04:52:44
AEBB.DLL      : 8.1.0.3        53618 Bytes  10/27/2008 04:52:43
AVWINLL.DLL   : 1.0.0.12       15105 Bytes    7/9/2008 15:40:05
AVPREF.DLL    : 8.0.2.0        38657 Bytes   5/16/2008 16:28:01
AVREP.DLL     : 8.0.0.2        98344 Bytes  10/27/2008 04:52:42
AVREG.DLL     : 8.0.0.1        33537 Bytes    5/9/2008 18:26:40
AVARKT.DLL    : 1.0.0.23      307457 Bytes   2/12/2008 15:29:23
AVEVTLOG.DLL  : 8.0.0.16      119041 Bytes   6/12/2008 19:27:49
SQLITE3.DLL   : 3.3.17.1      339968 Bytes   1/23/2008 00:28:02
SMTPLIB.DLL   : 1.2.0.23       28929 Bytes   6/12/2008 19:49:40
NETNT.DLL     : 8.0.0.1         7937 Bytes   1/25/2008 19:05:10
RCIMAGE.DLL   : 8.0.0.51     2371841 Bytes   6/12/2008 20:48:07
RCTEXT.DLL    : 8.0.52.0       86273 Bytes   6/27/2008 20:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Sunday, October 26, 2008  23:54

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'msiexec.exe' - '1' Module(s) have been scanned
Scan process 'ADService.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sqlwriter.exe' - '1' Module(s) have been scanned
Scan process 'sqlbrowser.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'AppServices.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ewidoctrl.exe' - '1' Module(s) have been scanned
Scan process 'dsNcService.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'Weather.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'point32.exe' - '1' Module(s) have been scanned
Scan process 'VTTimer.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
39 processes with 39 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
    [INFO]      No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
    [INFO]      No virus was found!
Boot sector 'D:\'
    [INFO]      No virus was found!

Starting to scan the registry.
The registry was scanned ( '56' files ).

Starting the file scan:

Begin scan in 'C:\' <PRESARIO>
C:\pagefile.sys
    [WARNING]   The file could not be opened!
C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe
      [DETECTION] Is the TR/Crypt.CFI.Gen Trojan
    [NOTE]      The file was deleted!
C:\WINDOWS\system32\ActiveScan\pskavs.dll
    [DETECTION] Contains recognition pattern of the W95/Blumblebee.1738 Windows virus
    [NOTE]      The file was deleted!
C:\WINDOWS\system32\drivers\ltmdmntc.old
    [DETECTION] Is the TR/StartPage.vn.1 Trojan
    [NOTE]      The file was deleted!
Begin scan in 'D:\' <PRESARIO_RP>


End of the scan: Monday, October 27, 2008  01:01
Used time:  1:07:19 Hour(s)

The scan has been done completely.

   9218 Scanning directories
 401861 Files were scanned
      3 viruses and/or unwanted programs were found
      0 Files were classified as suspicious:
      3 files were deleted
      0 files were repaired
      0 files were moved to quarantine
      0 files were renamed
      1 Files cannot be scanned
 401857 Files not concerned
  15069 Archives were scanned
      1 Warnings
      3 Notes

Offline guestolo (Site Donator, Administrator, Hero Member, Posts: 16034, Karma: +1/-0)
Hacked and Hijacked? :-(
« Reply #25 on: October 27, 2008, 07:51:07 AM »
Can you do the following:

Open Malwarebytes Anti-Malware
Click the Update tab and try to update
If it will update, can you run a Quick Scan and post the new log

If it won't update, can you again open HostsXpert and Restore MS Host file, then try updating again with MBAM
Let me know

In addition, can you again delete your copy of ComboFix
Temporarily disable AntiVir protections
Right click its icon by the clock and uncheck "AntiVir Guard Enable"
Redownload ComboFix from the following link
Combofix.exe
Run it again and post its new log



Offline scrappingmama (Newbie, Posts: 47, Karma: +0/-0)
Hacked and Hijacked? :-(
« Reply #26 on: October 27, 2008, 01:03:32 PM »
I tried to download the update from Malwarebytes but it still wouldn't connect.  The same thing with Combofix.exe.  I went ahead and used the USB drive with my other computer again and got combofix.exe onto the infected computer.  I ran that and then tried connecting to Malwarebytes again.  This time it worked, so I ran the quick scan (log attached).  It found three things so I chose to remove them.  I hope that was okay.

I was also able to get to Combofix.exe on the infected machine, so I downloaded a new one and ran it again (log attached).

Malwarebytes' Anti-Malware 1.30
Database version: 1328
Windows 5.1.2600 Service Pack 2

10/27/2008 1:12:17 PM
mbam-log-2008-10-27 (13-12-16).txt

Scan type: Quick Scan
Objects scanned: 60517
Time elapsed: 4 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3ba4271e-5c1e-48e2-b432-d8bf420dd31d} (Rogue.DeusCleaner) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Combofix.exe
ComboFix 08-10-26.01 - Owner 2008-10-27 13:25:42.3 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.659 [GMT -5:00]
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSserv
-------\Legacy_TDSSserv
-------\Legacy_TDSSSERV.SYS


(((((((((((((((((((((((((   Files Created from 2008-09-27 to 2008-10-27  )))))))))))))))))))))))))))))))
.

2008-10-26 23:50 . 2008-10-26 23:50   <DIR>   d--------   C:\Program Files\Avira
2008-10-26 23:50 . 2008-10-26 23:50   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Avira
2008-10-26 23:25 . 2008-10-26 23:25   <DIR>   d--------   C:\temp\NoNav
2008-10-26 23:25 . 2008-10-26 23:25   <DIR>   d--------   C:\temp
2008-10-26 22:31 . 2008-10-26 22:31   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\NortonInstaller
2008-10-26 20:48 . 2008-10-26 20:48   <DIR>   d--------   C:\WINDOWS\ERUNT
2008-10-26 20:47 . 2008-10-26 21:20   <DIR>   d--------   C:\SDFix
2008-10-26 19:19 . 2008-10-26 19:29   <DIR>   d--------   C:\Program Files\Microsoft Money
2008-10-26 15:57 . 2008-10-26 15:57   <DIR>   d--------   C:\rsit
2008-10-26 15:31 . 2008-10-26 15:31   <DIR>   d--------   C:\Program Files\Trend Micro
2008-10-26 14:13 . 2008-10-26 14:17   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
2008-10-26 14:13 . 2008-10-26 14:13   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-10-26 14:13 . 2008-10-26 14:13   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-26 14:13 . 2008-10-22 16:10   38,496   --a------   C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-26 14:13 . 2008-10-22 16:10   15,504   --a------   C:\WINDOWS\system32\drivers\mbam.sys
2008-10-26 02:18 . 2008-10-26 02:18   <DIR>   d--------   C:\Program Files\Microsoft ActiveSync
2008-10-26 01:57 . 2008-10-26 01:51   1,554,567   --a------   C:\SDFix.exe
2008-10-25 22:53 . 2008-10-25 22:53   19,748   --a------   C:\WINDOWS\rogip.sys
2008-10-25 22:53 . 2008-10-25 22:53   16,053   --a------   C:\Documents and Settings\All Users\Application Data\gosy.reg
2008-10-25 22:53 . 2008-10-25 22:53   14,938   --a------   C:\WINDOWS\ykupyja.sys
2008-10-25 22:53 . 2008-10-25 22:53   14,191   --a------   C:\Documents and Settings\All Users\Application Data\voweva.vbs
2008-10-25 22:53 . 2008-10-25 22:53   12,670   --a------   C:\WINDOWS\system32\likyluki.bin
2008-10-25 22:53 . 2008-10-25 22:53   11,758   --a------   C:\Documents and Settings\Owner\Application Data\aqixikixyd.dll
2008-10-25 22:53 . 2008-10-25 22:53   11,333   --a------   C:\Documents and Settings\All Users\Application Data\acoho.dat
2008-10-25 22:53 . 2008-10-25 22:53   11,306   --a------   C:\WINDOWS\ojeqopom.ban
2008-10-25 22:53 . 2008-10-25 22:53   10,560   --a------   C:\WINDOWS\system32\sowapiwoci.bin
2008-10-25 22:53 . 2008-10-25 22:53   10,233   --a------   C:\WINDOWS\system32\gukylyw.lib
2008-10-25 17:13 . 2008-10-25 17:13   18,041   --a------   C:\WINDOWS\system32\koda.bat
2008-10-25 17:13 . 2008-10-25 17:13   17,867   --a------   C:\Documents and Settings\All Users\Application Data\esurebale.pif
2008-10-25 17:13 . 2008-10-25 17:13   16,260   --a------   C:\WINDOWS\sopiryxuk.scr
2008-10-25 17:13 . 2008-10-25 17:13   15,827   --a------   C:\WINDOWS\nyfupa.vbs
2008-10-25 17:13 . 2008-10-25 17:13   15,772   --a------   C:\WINDOWS\yfywak.reg
2008-10-25 17:13 . 2008-10-25 17:13   15,164   --a------   C:\WINDOWS\ebog.lib
2008-10-25 14:51 . 2008-10-25 14:51   <DIR>   d--------   C:\WINDOWS\system32\config\systemprofile\Application Data\Yahoo!
2008-09-29 14:41 . 2008-10-27 09:13   <DIR>   d--------   C:\Program Files\iTunes
2008-09-29 14:41 . 2008-09-29 14:42   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-29 14:39 . 2008-10-25 23:12   <DIR>   d--------   C:\Program Files\Bonjour

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-27 14:13   ---------   d-----w   C:\Program Files\iPod
2008-10-26 04:36   ---------   d-----w   C:\Program Files\Wal-Mart Music Downloads Store
2008-10-26 04:19   ---------   d-----w   C:\Program Files\THQ
2008-10-26 04:19   ---------   d-----w   C:\Program Files\sz8032
2008-10-26 04:19   ---------   d-----w   C:\Program Files\sz8022
2008-10-26 04:19   ---------   d-----w   C:\Program Files\Scholastic
2008-10-26 04:19   ---------   d-----w   C:\Program Files\RecordNow!
2008-10-26 04:19   ---------   d-----w   C:\Program Files\QuickTime
2008-10-26 04:19   ---------   d-----w   C:\Program Files\Print Workshop 2004 LE
2008-10-26 04:18   ---------   d-----w   C:\Program Files\Microsoft Works
2008-10-26 04:18   ---------   d-----w   C:\Program Files\Microsoft Visual Studio 8
2008-10-26 04:18   ---------   d-----w   C:\Program Files\Microsoft SQL Server
2008-10-26 04:18   ---------   d-----w   C:\Program Files\Microsoft Plus! Digital Media Edition
2008-10-26 04:18   ---------   d-----w   C:\Program Files\Microsoft IntelliPoint
2008-10-26 04:18   ---------   d-----w   C:\Program Files\Lavasoft
2008-10-26 04:17   ---------   d-----w   C:\Program Files\Juniper Networks
2008-10-26 04:17   ---------   d-----w   C:\Program Files\Java
2008-10-26 04:17   ---------   d-----w   C:\Program Files\ItsDeductibleEX
2008-10-26 04:17   ---------   d-----w   C:\Program Files\ItsDeductible2006
2008-10-26 04:17   ---------   d-----w   C:\Program Files\ItsDeductible2005
2008-10-26 04:17   ---------   d-----w   C:\Program Files\Iomega
2008-10-26 04:17   ---------   d-----w   C:\Program Files\IntelliMover Data Transfer Demo
2008-10-26 04:17   ---------   d-----w   C:\Program Files\Infogrames Interactive
2008-10-26 04:17   ---------   d-----w   C:\Program Files\HP
2008-10-26 04:17   ---------   d-----w   C:\Program Files\Hewlett-Packard
2008-10-26 04:17   ---------   d-----w   C:\Program Files\Hasbro Interactive
2008-10-26 04:15   ---------   d-----w   C:\Program Files\Common Files\InstallShield
2008-10-26 04:15   ---------   d-----w   C:\Program Files\Common Files\Apple
2008-10-26 04:15   ---------   d-----w   C:\Program Files\Common Files\Adobe
2008-10-25 13:33   ---------   d---a-w   C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-20 19:25   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\AirSet Desktop Sync
2008-10-16 01:30   30   ----a-w   C:\Documents and Settings\Owner\jagex_runescape_preferences.dat
2008-03-17 17:38   103,536   ----a-w   C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2004-11-01 23:37   0   --sha-w   C:\WINDOWS\SMINST\HPCD.sys
.

(((((((((((((((((((((((((((((   snapshot@2008-10-26_20.01.28.40   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 20:27:04   163,328   ----a-w   C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-10-27 01:48:35   9,252,864   ----a-w   C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-10-27 01:48:35   802,816   ----a-w   C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 20:27:04   163,328   ----a-w   C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-10-27 01:48:21   9,252,864   ----a-w   C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-10-27 01:48:22   802,816   ----a-w   C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2008-09-29 19:42:35   102,400   ----a-r   C:\WINDOWS\Installer\{41B9E2CF-0B3F-442A-B5B3-592A4A355634}\iTunesIco.exe
+ 2008-10-27 14:13:43   102,400   ----a-r   C:\WINDOWS\Installer\{41B9E2CF-0B3F-442A-B5B3-592A4A355634}\iTunesIco.exe
- 2008-10-27 00:58:28   32,768   ----a-w   C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-10-27 18:32:19   32,768   ----a-w   C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-10-27 00:58:28   32,768   ----a-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-10-27 18:32:19   32,768   ----a-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-10-27 18:06:06   32,768   ----a-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102020081027\index.dat
+ 2008-10-27 18:06:06   32,768   ----a-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102720081028\index.dat
- 2008-10-27 00:58:28   32,768   ----a-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-10-27 18:32:19   32,768   ----a-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-09 18:15:51   45,376   ----a-w   C:\WINDOWS\system32\drivers\avgntdd.sys
+ 2008-01-21 23:11:28   22,336   ----a-w   C:\WINDOWS\system32\drivers\avgntmgr.sys
+ 2008-06-27 20:03:55   75,072   ----a-w   C:\WINDOWS\system32\drivers\avipbb.sys
+ 2007-03-01 15:34:22   28,352   ----a-w   C:\WINDOWS\system32\drivers\ssmdrv.sys
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2004-05-20 856064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"VTTimer"="VTTimer.exe" [2005-03-08 C:\WINDOWS\system32\VTTimer.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\Southwest Airlines\\Ding\\Ding.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2007-04-10 23552]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2006-12-20 45568]
S2 ltmdmntc;ltmdmntc;C:\WINDOWS\System32\drivers\ltmdmntc.sys [ ]
S2 W55U01;WINBOND W55U01 USB;C:\WINDOWS\system32\Drivers\W55U01.sys [2005-08-12 15232]
S2 X4HS32;X4HS32;C:\Program Files\EXEtender\X4HS32.Sys [ ]
S3 BulkUsb;Usbscan.Sys;C:\WINDOWS\system32\Drivers\usbscan.sys [2004-08-04 15104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9748cf25-b2a6-11dc-b0ef-000ea6306fee}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL http://www.mgae.com/keylauncher/?code=3654261420322001
.
Contents of the 'Scheduled Tasks' folder

2008-10-24 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe []

2004-03-17 C:\WINDOWS\Tasks\Easy Internet Sign-up.job
- C:\Program Files\Easy Internet signup\HPSdpApp.exe []
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com
R0 -: HKLM-Main,Start Page = hxxp://www.google.com
R0 -: HKLM-Main,Search Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000

O16 -: {5445BE81-B796-11D2-B931-002018654E2E} - hxxps://cim.accenture.com/system/web/view/live/messaging/ie/SecMgr.cab
C:\WINDOWS\Downloaded Program Files\SecMgr.inf

O16 -: {B33422AC-C567-4F7D-BB28-6583371EC4EE} - hxxps://portal.accenture.com/NAVIGATOR/CMS/WebAuthor/Client/PlaceholderControlSupport/NRDHtml.cab
C:\WINDOWS\Downloaded Program Files\NRDHtml.inf
C:\WINDOWS\Downloaded Program Files\ncbmprdr.dll

O16 -: {E99D3E39-5D92-4360-BA86-2C563B3CFFEB} - hxxps://portal.accenture.com/NAVIGATOR/CMS/WebAuthor/Client/PlaceholderControlSupport/nrdhtml.cab
C:\WINDOWS\Downloaded Program Files\NRDHtml.inf
C:\WINDOWS\Downloaded Program Files\ncbmprdr.dll
C:\WINDOWS\Downloaded Program Files\NRDHtml.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-27 13:31:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]
"ImagePath"="\??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSijso.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]
"ImagePath"="\??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\system32\urlmon.dll
-> ?:\WINDOWS\system32\urlmon.dll
-> ?:\WINDOWS\system32\DSOUND.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-10-27 13:36:08 - machine was rebooted
ComboFix-quarantined-files.txt  2008-10-27 18:36:00
ComboFix2.txt  2008-10-27 17:38:42
ComboFix3.txt  2008-10-27 01:01:53

Pre-Run: 41,382,154,240 bytes free
Post-Run: 41,430,233,088 bytes free


Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Hacked and Hijacked? :-(
« Reply #27 on: October 27, 2008, 01:50:27 PM »
I'm worried that your USB thumbdrive may be infected
Can you do the following
Insert your USB thumbdrive into this computer

Have Avira scan it please
You can just right click on the drive thru MyComputer
and select to scan with Avira

When done, leave the Thumbdrive inserted to the computer for now

Then:
Copy ALL the BLUE text below and Paste to notepad
Don't use anything else than notepad or the script will not work

[color="#0000FF"]KillAll::
Driver::
TDSSserv.sys
File::
C:\WINDOWS\rogip.sys
C:\Documents and Settings\All Users\Application Data\gosy.reg
C:\WINDOWS\ykupyja.sys
C:\Documents and Settings\All Users\Application Data\voweva.vbs
C:\WINDOWS\system32\likyluki.bin
C:\Documents and Settings\Owner\Application Data\aqixikixyd.dll
C:\Documents and Settings\All Users\Application Data\acoho.dat
C:\WINDOWS\ojeqopom.ban
C:\WINDOWS\system32\sowapiwoci.bin
C:\WINDOWS\system32\gukylyw.lib
C:\WINDOWS\system32\koda.bat
C:\Documents and Settings\All Users\Application Data\esurebale.pif
C:\WINDOWS\sopiryxuk.scr
C:\WINDOWS\nyfupa.vbs
C:\WINDOWS\yfywak.reg
C:\WINDOWS\ebog.lib
C:\WINDOWS\system32\drivers\TDSSijso.sys
Folder::
C:\temp\NoNav
Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9748cf25-b2a6-11dc-b0ef-000ea6306fee}]

[/color]
Save this as txtfile on your desktop
CFScript

Then

Drag CFScript.txt into ComboFix.exe
Combofix will start>>Follow the prompts

When finished, it shall produce a log for you with the same name C:\ComboFix.txt.

I'll need to see that log again
With that log, can you also post a fresh Hijackthis log and let me know how things are now running

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
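The File:: list in the CFScript above was read straight off the "Files Created" section of the ComboFix log: a burst of randomly named files, all stamped with the same minute (22:53 and 17:13 on 2008-10-25), dropped directly under C:\WINDOWS and into Application Data with script and driver extensions. The following is an added example of how to pull that list out of such a log automatically; it is not code from this thread, from ComboFix, or from the helper, and the line format, the watched directory roots, the "at least three files in one minute" threshold, and the extension list are assumptions chosen for illustration. The sample lines are copied from the log posted above.

```python
"""Triage helper for a ComboFix-style "Files Created" listing (added example).

Parses lines of the form
    YYYY-MM-DD HH:MM . YYYY-MM-DD HH:MM   size   attrs   path
and reports (a) bursts of files created in the same minute under system or
profile data locations and (b) executable/script extensions sitting where
they do not normally belong. Thresholds and roots are assumptions.
"""
import re
from collections import defaultdict

# Sample input: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
2008-10-26 23:50 . 2008-10-26 23:50   <DIR>   d--------   C:\Program Files\Avira
2008-10-26 14:13 . 2008-10-22 16:10   38,496   --a------   C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-26 14:13 . 2008-10-22 16:10   15,504   --a------   C:\WINDOWS\system32\drivers\mbam.sys
2008-10-25 22:53 . 2008-10-25 22:53   19,748   --a------   C:\WINDOWS\rogip.sys
2008-10-25 22:53 . 2008-10-25 22:53   16,053   --a------   C:\Documents and Settings\All Users\Application Data\gosy.reg
2008-10-25 22:53 . 2008-10-25 22:53   14,938   --a------   C:\WINDOWS\ykupyja.sys
2008-10-25 22:53 . 2008-10-25 22:53   14,191   --a------   C:\Documents and Settings\All Users\Application Data\voweva.vbs
2008-10-25 22:53 . 2008-10-25 22:53   12,670   --a------   C:\WINDOWS\system32\likyluki.bin
2008-10-25 22:53 . 2008-10-25 22:53   11,758   --a------   C:\Documents and Settings\Owner\Application Data\aqixikixyd.dll
2008-10-25 17:13 . 2008-10-25 17:13   18,041   --a------   C:\WINDOWS\system32\koda.bat
2008-10-25 17:13 . 2008-10-25 17:13   17,867   --a------   C:\Documents and Settings\All Users\Application Data\esurebale.pif
2008-10-25 17:13 . 2008-10-25 17:13   16,260   --a------   C:\WINDOWS\sopiryxuk.scr
2008-10-25 17:13 . 2008-10-25 17:13   15,827   --a------   C:\WINDOWS\nyfupa.vbs
"""

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>\S+)\s+(?P<path>\S.*?)\s*$"
)

# Assumed roots where a burst of fresh files deserves a look (lower-case).
WATCHED_ROOTS = (
    "c:\\windows\\",
    "c:\\documents and settings\\all users\\application data\\",
    "c:\\documents and settings\\owner\\application data\\",
)
# Scanner drivers legitimately land here (the mbam .sys files above), so this
# directory is excluded from burst counting.
EXPECTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Extensions that do not belong directly under C:\WINDOWS or in Application Data.
ODD_EXT = {".sys", ".vbs", ".reg", ".pif", ".scr", ".bat", ".dll", ".bin", ".lib"}


def parse_entries(text):
    """Return one dict per file line; directory (<DIR>) lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("size") == "<DIR>":
            continue
        entries.append({
            "created": m.group("created"),
            "size": int(m.group("size").replace(",", "")),
            "path": m.group("path"),
        })
    return entries


def in_watched_location(path):
    p = path.lower()
    return p.startswith(WATCHED_ROOTS) and not p.startswith(EXPECTED_DRIVER_DIR)


def find_bursts(entries, min_files=3):
    """Group watched-location files by creation minute and return
    {timestamp: [paths]} for every minute with at least min_files files."""
    groups = defaultdict(list)
    for e in entries:
        if in_watched_location(e["path"]):
            groups[e["created"]].append(e["path"])
    return {ts: paths for ts, paths in groups.items() if len(paths) >= min_files}


def odd_placements(entries):
    """Files with an ODD_EXT extension placed directly under C:\\WINDOWS
    (not in a subdirectory) or anywhere inside an Application Data folder."""
    flagged = []
    for e in entries:
        p = e["path"].lower()
        name = p.rsplit("\\", 1)[-1]
        ext = name[name.rfind("."):] if "." in name else ""
        if ext not in ODD_EXT:
            continue
        rest = p[len("c:\\windows\\"):] if p.startswith("c:\\windows\\") else None
        directly_in_windows = rest is not None and "\\" not in rest
        in_appdata = "\\application data\\" in p
        if directly_in_windows or in_appdata:
            flagged.append(e["path"])
    return flagged


if __name__ == "__main__":
    found = parse_entries(SAMPLE_LOG)
    for ts, paths in sorted(find_bursts(found).items()):
        print(f"{len(paths)} files created at {ts}:")
        for path in paths:
            print("   ", path)
    print("odd placements:")
    for path in odd_placements(found):
        print("   ", path)
```

Run against the sample, the two bursts it reports (six files at 22:53, four at 17:13) and the eight odd placements are exactly the entries that ended up in the File:: block of the CFScript; the two mbam drivers created in the same minute as each other are not reported, because they sit in the drivers directory. The same parser can be pointed at the second ComboFix log later in this thread, where the newly listed TDSS*.dll files in system32 would not trip the "odd placement" rule but would show up as a burst.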


Offline scrappingmama

  • Newbie
  • *
  • Posts: 47
  • Karma: +0/-0
Hacked and Hijacked? :-(
« Reply #28 on: October 27, 2008, 03:03:03 PM »
Yeah, I was worried about the thumbdrive too, but it scanned fine.  I have an external hard drive that is used for backup that I will need to scan too.  I tried to just back things up file by file in the past few days and hope it doesn't get an infected one but other backups may have something.

ComboFix 08-10-27.01 - Owner 2008-10-27 15:04:00.4 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.666 [GMT -5:00]
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
 * Created a new restore point

FILE ::
C:\Documents and Settings\All Users\Application Data\acoho.dat
C:\Documents and Settings\All Users\Application Data\esurebale.pif
C:\Documents and Settings\All Users\Application Data\gosy.reg
C:\Documents and Settings\All Users\Application Data\voweva.vbs
C:\Documents and Settings\Owner\Application Data\aqixikixyd.dll
C:\WINDOWS\ebog.lib
C:\WINDOWS\nyfupa.vbs
C:\WINDOWS\ojeqopom.ban
C:\WINDOWS\rogip.sys
C:\WINDOWS\sopiryxuk.scr
C:\WINDOWS\system32\drivers\TDSSijso.sys
C:\WINDOWS\system32\gukylyw.lib
C:\WINDOWS\system32\koda.bat
C:\WINDOWS\system32\likyluki.bin
C:\WINDOWS\system32\sowapiwoci.bin
C:\WINDOWS\yfywak.reg
C:\WINDOWS\ykupyja.sys
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\acoho.dat
C:\Documents and Settings\All Users\Application Data\esurebale.pif
C:\Documents and Settings\All Users\Application Data\gosy.reg
C:\Documents and Settings\All Users\Application Data\voweva.vbs
C:\Documents and Settings\Owner\Application Data\aqixikixyd.dll
C:\temp\NoNav
C:\temp\NoNav\ESUGUnEn.exe
C:\temp\NoNav\nolu.inf
C:\temp\NoNav\nolu.reg
C:\temp\NoNav\NONAV.BAT
C:\temp\NoNav\nonav.inf
C:\temp\NoNav\nonav.pif
C:\temp\NoNav\nonav.reg
C:\temp\NoNav\nonav.txt
C:\temp\NoNav\noquar.inf
C:\temp\NoNav\noquar.reg
C:\temp\NoNav\RTVSTOP.EXE
C:\temp\NoNav\UnEngVar.BAT
C:\temp\NoNav\UnEngVar.Txt
C:\WINDOWS\ebog.lib
C:\WINDOWS\nyfupa.vbs
C:\WINDOWS\ojeqopom.ban
C:\WINDOWS\rogip.sys
C:\WINDOWS\sopiryxuk.scr
C:\WINDOWS\system32\drivers\TDSSijso.sys
C:\WINDOWS\system32\gukylyw.lib
C:\WINDOWS\system32\koda.bat
C:\WINDOWS\system32\likyluki.bin
C:\WINDOWS\system32\sowapiwoci.bin
C:\WINDOWS\yfywak.reg
C:\WINDOWS\ykupyja.sys

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSserv
-------\Legacy_TDSSserv
-------\Legacy_TDSSSERV.SYS


(((((((((((((((((((((((((   Files Created from 2008-09-27 to 2008-10-27  )))))))))))))))))))))))))))))))
.

2008-10-26 23:50 . 2008-10-26 23:50   <DIR>   d--------   C:\Program Files\Avira
2008-10-26 23:50 . 2008-10-26 23:50   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Avira
2008-10-26 23:25 . 2008-10-27 15:04   <DIR>   d--------   C:\temp
2008-10-26 22:31 . 2008-10-26 22:31   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\NortonInstaller
2008-10-26 20:48 . 2008-10-26 20:48   <DIR>   d--------   C:\WINDOWS\ERUNT
2008-10-26 20:47 . 2008-10-26 21:20   <DIR>   d--------   C:\SDFix
2008-10-26 19:19 . 2008-10-26 19:29   <DIR>   d--------   C:\Program Files\Microsoft Money
2008-10-26 15:57 . 2008-10-26 15:57   <DIR>   d--------   C:\rsit
2008-10-26 15:31 . 2008-10-26 15:31   <DIR>   d--------   C:\Program Files\Trend Micro
2008-10-26 14:13 . 2008-10-26 14:17   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
2008-10-26 14:13 . 2008-10-26 14:13   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-10-26 14:13 . 2008-10-26 14:13   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-26 14:13 . 2008-10-22 16:10   38,496   --a------   C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-26 14:13 . 2008-10-22 16:10   15,504   --a------   C:\WINDOWS\system32\drivers\mbam.sys
2008-10-26 02:18 . 2008-10-26 02:18   <DIR>   d--------   C:\Program Files\Microsoft ActiveSync
2008-10-26 01:57 . 2008-10-26 01:51   1,554,567   --a------   C:\SDFix.exe
2008-10-25 14:51 . 2008-10-25 14:51   <DIR>   d--------   C:\WINDOWS\system32\config\systemprofile\Application Data\Yahoo!
2008-10-25 14:51 . 2008-10-27 15:02   77,824   --a------   C:\WINDOWS\system32\TDSSeuvq.dll
2008-10-25 14:51 . 2008-10-27 15:02   31,232   --a------   C:\WINDOWS\system32\TDSSckvy.dll
2008-10-25 14:51 . 2008-10-27 15:02   30,720   --a------   C:\WINDOWS\system32\TDSSfhvv.dll
2008-10-25 14:51 . 2008-10-27 15:02   29,696   --a------   C:\WINDOWS\system32\TDSSurta.dll
2008-10-25 14:51 . 2008-10-27 15:02   26,112   --a------   C:\WINDOWS\system32\TDSSesan.dll
2008-10-25 14:51 . 2008-10-27 15:02   2,840   --a------   C:\WINDOWS\system32\TDSSnhvw.dll
2008-10-25 14:51 . 2008-10-27 15:02   164   --a------   C:\WINDOWS\system32\TDSSierd.dat
2008-09-29 14:41 . 2008-10-27 09:13   <DIR>   d--------   C:\Program Files\iTunes
2008-09-29 14:41 . 2008-09-29 14:42   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-29 14:39 . 2008-10-25 23:12   <DIR>   d--------   C:\Program Files\Bonjour

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-27 14:13   ---------   d-----w   C:\Program Files\iPod
2008-10-26 04:36   ---------   d-----w   C:\Program Files\Wal-Mart Music Downloads Store
2008-10-26 04:19   ---------   d-----w   C:\Program Files\THQ
2008-10-26 04:19   ---------   d-----w   C:\Program Files\sz8032
2008-10-26 04:19   ---------   d-----w   C:\Program Files\sz8022
2008-10-26 04:19   ---------   d-----w   C:\Program Files\Scholastic
2008-10-26 04:19   ---------   d-----w   C:\Program Files\RecordNow!
2008-10-26 04:19   ---------   d-----w   C:\Program Files\QuickTime
2008-10-26 04:19   ---------   d-----w   C:\Program Files\Print Workshop 2004 LE
2008-10-26 04:18   ---------   d-----w   C:\Program Files\Microsoft Works
2008-10-26 04:18   ---------   d-----w   C:\Program Files\Microsoft Visual Studio 8
2008-10-26 04:18   ---------   d-----w   C:\Program Files\Microsoft SQL Server
2008-10-26 04:18   ---------   d-----w   C:\Program Files\Microsoft Plus! Digital Media Edition
2008-10-26 04:18   ---------   d-----w   C:\Program Files\Microsoft IntelliPoint
2008-10-26 04:18   ---------   d-----w   C:\Program Files\Lavasoft
2008-10-26 04:17   ---------   d-----w   C:\Program Files\Juniper Networks
2008-10-26 04:17   ---------   d-----w   C:\Program Files\Java
2008-10-26 04:17   ---------   d-----w   C:\Program Files\ItsDeductibleEX
2008-10-26 04:17   ---------   d-----w   C:\Program Files\ItsDeductible2006
2008-10-26 04:17   ---------   d-----w   C:\Program Files\ItsDeductible2005
2008-10-26 04:17   ---------   d-----w   C:\Program Files\Iomega
2008-10-26 04:17   ---------   d-----w   C:\Program Files\IntelliMover Data Transfer Demo
2008-10-26 04:17   ---------   d-----w   C:\Program Files\Infogrames Interactive
2008-10-26 04:17   ---------   d-----w   C:\Program Files\HP
2008-10-26 04:17   ---------   d-----w   C:\Program Files\Hewlett-Packard
2008-10-26 04:17   ---------   d-----w   C:\Program Files\Hasbro Interactive
2008-10-26 04:15   ---------   d-----w   C:\Program Files\Common Files\InstallShield
2008-10-26 04:15   ---------   d-----w   C:\Program Files\Common Files\Apple
2008-10-26 04:15   ---------   d-----w   C:\Program Files\Common Files\Adobe
2008-10-25 13:33   ---------   d---a-w   C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-20 19:25   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\AirSet Desktop Sync
2008-10-16 01:30   30   ----a-w   C:\Documents and Settings\Owner\jagex_runescape_preferences.dat
2008-03-17 17:38   103,536   ----a-w   C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2004-11-01 23:37   0   --sha-w   C:\WINDOWS\SMINST\HPCD.sys
.

(((((((((((((((((((((((((((((   snapshot@2008-10-26_20.01.28.40   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 20:27:04   163,328   ----a-w   C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-10-27 01:48:35   9,252,864   ----a-w   C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-10-27 01:48:35   802,816   ----a-w   C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 20:27:04   163,328   ----a-w   C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-10-27 01:48:21   9,252,864   ----a-w   C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-10-27 01:48:22   802,816   ----a-w   C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2008-09-29 19:42:35   102,400   ----a-r   C:\WINDOWS\Installer\{41B9E2CF-0B3F-442A-B5B3-592A4A355634}\iTunesIco.exe
+ 2008-10-27 14:13:43   102,400   ----a-r   C:\WINDOWS\Installer\{41B9E2CF-0B3F-442A-B5B3-592A4A355634}\iTunesIco.exe
- 2008-10-27 00:58:28   32,768   ----a-w   C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-10-27 20:02:04   32,768   ----a-w   C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-10-27 00:58:28   32,768   ----a-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-10-27 20:02:04   32,768   ----a-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-10-27 18:06:06   32,768   ----a-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102020081027\index.dat
+ 2008-10-27 18:42:19   32,768   ----a-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102720081028\index.dat
- 2008-10-27 00:58:28   32,768   ----a-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-10-27 20:02:04   32,768   ----a-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-09 18:15:51   45,376   ----a-w   C:\WINDOWS\system32\drivers\avgntdd.sys
+ 2008-01-21 23:11:28   22,336   ----a-w   C:\WINDOWS\system32\drivers\avgntmgr.sys
+ 2008-06-27 20:03:55   75,072   ----a-w   C:\WINDOWS\system32\drivers\avipbb.sys
+ 2007-03-01 15:34:22   28,352   ----a-w   C:\WINDOWS\system32\drivers\ssmdrv.sys
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2004-05-20 856064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"VTTimer"="VTTimer.exe" [2005-03-08 C:\WINDOWS\system32\VTTimer.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\Southwest Airlines\\Ding\\Ding.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2007-04-10 23552]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2006-12-20 45568]
S2 ltmdmntc;ltmdmntc;C:\WINDOWS\System32\drivers\ltmdmntc.sys [ ]
S2 W55U01;WINBOND W55U01 USB;C:\WINDOWS\system32\Drivers\W55U01.sys [2005-08-12 15232]
S2 X4HS32;X4HS32;C:\Program Files\EXEtender\X4HS32.Sys [ ]
S3 BulkUsb;Usbscan.Sys;C:\WINDOWS\system32\Drivers\usbscan.sys [2004-08-04 15104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2008-10-24 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe []

2004-03-17 C:\WINDOWS\Tasks\Easy Internet Sign-up.job
- C:\Program Files\Easy Internet signup\HPSdpApp.exe []
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-27 15:10:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSijso.sys"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2008-10-27 15:18:56 - machine was rebooted
ComboFix-quarantined-files.txt  2008-10-27 20:18:52
ComboFix2.txt  2008-10-27 18:36:11
ComboFix3.txt  2008-10-27 17:38:42
ComboFix4.txt  2008-10-27 01:01:53

Pre-Run: 41,345,298,432 bytes free
Post-Run: 41,392,779,264 bytes free



HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:40:46 PM, on 10/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - https://cim.accenture.com/system/web/view/l...g/ie/SecMgr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1218409226343
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1218409212234
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {B33422AC-C567-4F7D-BB28-6583371EC4EE} (Microsoft CMS HTML Editor) - https://portal.accenture.com/NAVIGATOR/CMS/...ort/NRDHtml.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.15.44/ttinst.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://amr1-extranet.accenture.com/dana-ca...perSetupSP1.cab
O16 - DPF: {E99D3E39-5D92-4360-BA86-2C563B3CFFEB} (Microsoft CMS HTML Editor Toolbar) - https://portal.accenture.com/NAVIGATOR/CMS/...ort/nrdhtml.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = dir.svc.accenture.com,accenture.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = dir.svc.accenture.com,accenture.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = dir.svc.accenture.com,accenture.com
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - C:\Program Files\Windows Live\Messenger\usnsvc.exe (file missing)
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 8197 bytes


Things seem to be running okay, but I'm missing a lot of files/executables, so most of my apps no longer work. Also, I still keep getting a Windows Installer report that tries to install TrayApp.

What do you recommend I use for AV and other protection on this computer and my new Vista laptop?

Thanks.

guestolo
Hacked and Hijacked? :-(
« Reply #29 on: October 27, 2008, 06:04:59 PM »
Can you delete cfscript.txt
We're going to redo that step

Copy ALL the script text below and Paste to notepad
Don't use anything other than notepad or the script will not work

KillAll::
Driver::
TDSSserv.sys
File::
C:\WINDOWS\system32\TDSSeuvq.dll
C:\WINDOWS\system32\TDSSckvy.dll
C:\WINDOWS\system32\TDSSfhvv.dll
C:\WINDOWS\system32\TDSSurta.dll
C:\WINDOWS\system32\TDSSesan.dll
C:\WINDOWS\system32\TDSSnhvw.dll
C:\WINDOWS\system32\TDSSierd.dat
C:\WINDOWS\system32\drivers\TDSSijso.sys
Registry::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]
"imagepath"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]

Save this as a txt file on your desktop named
CFScript

Then

Drag CFScript.txt into ComboFix.exe
Combofix will start>>Follow the prompts

When finished, it shall produce a log for you with the same name, C:\ComboFix.txt.

I'll need to see that log again later

NOTE: Do you have a disk for your HP Printer/Scanner?
If so, when prompted for trayapp, can you put the CD in and see what happens?

Can you again temporarily disable Avira, by right-clicking its icon and unchecking "AntiVir Guard Enable"

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post along with the log from ComboFix please

Ensure you re-enable the Guard for Avira when the scan is completed

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


scrappingmama
Hacked and Hijacked? :-(
« Reply #30 on: October 27, 2008, 08:05:52 PM »
I put in the CD for one of my printers and the TrayApp install error got past, but now I have an AIOSoftware.msi Windows install error.  I can't find the disk to my other printer.  I tried to open the printer folder to remove the one for which I don't have the disk, but the folder won't open.  I just get an error.  I have removed the other printer from add/remove programs, but there are many other HP items that are still there, which I'm sure it is looking for.

Once we get this computer clean enough for me to move things off of, I think it is time to re-image it and start with a fresh install.  At this point, none of the applications (except IE) work so it is only data I have to be careful to get.

I am just about to run the Kaspersky scan but I will leave it running tonight.  I will post the log in the morning if I have time before I go to work.

Here is the combofix log --
ComboFix 08-10-27.02 - Owner 2008-10-27 20:22:58.5 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.592 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\cfscript.txt
 * Created a new restore point

FILE ::
C:\WINDOWS\system32\drivers\TDSSijso.sys
C:\WINDOWS\system32\TDSSckvy.dll
C:\WINDOWS\system32\TDSSesan.dll
C:\WINDOWS\system32\TDSSeuvq.dll
C:\WINDOWS\system32\TDSSfhvv.dll
C:\WINDOWS\system32\TDSSierd.dat
C:\WINDOWS\system32\TDSSnhvw.dll
C:\WINDOWS\system32\TDSSurta.dll
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\TDSSckvy.dll
C:\WINDOWS\system32\TDSSesan.dll
C:\WINDOWS\system32\TDSSfhvv.dll
C:\WINDOWS\system32\TDSSierd.dat
C:\WINDOWS\system32\TDSSnhvw.dll
C:\WINDOWS\system32\TDSSurta.dll

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSserv.sys


(((((((((((((((((((((((((   Files Created from 2008-09-28 to 2008-10-28  )))))))))))))))))))))))))))))))
.

2008-10-26 23:50 . 2008-10-26 23:50   <DIR>   d--------   C:\Program Files\Avira
2008-10-26 23:50 . 2008-10-26 23:50   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Avira
2008-10-26 23:25 . 2008-10-27 15:04   <DIR>   d--------   C:\temp
2008-10-26 22:31 . 2008-10-26 22:31   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\NortonInstaller
2008-10-26 20:48 . 2008-10-26 20:48   <DIR>   d--------   C:\WINDOWS\ERUNT
2008-10-26 20:47 . 2008-10-26 21:20   <DIR>   d--------   C:\SDFix
2008-10-26 19:19 . 2008-10-26 19:29   <DIR>   d--------   C:\Program Files\Microsoft Money
2008-10-26 15:57 . 2008-10-26 15:57   <DIR>   d--------   C:\rsit
2008-10-26 15:31 . 2008-10-26 15:31   <DIR>   d--------   C:\Program Files\Trend Micro
2008-10-26 14:13 . 2008-10-26 14:17   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
2008-10-26 14:13 . 2008-10-26 14:13   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-10-26 14:13 . 2008-10-26 14:13   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-26 14:13 . 2008-10-22 16:10   38,496   --a------   C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-26 14:13 . 2008-10-22 16:10   15,504   --a------   C:\WINDOWS\system32\drivers\mbam.sys
2008-10-26 02:18 . 2008-10-26 02:18   <DIR>   d--------   C:\Program Files\Microsoft ActiveSync
2008-10-26 01:57 . 2008-10-26 01:51   1,554,567   --a------   C:\SDFix.exe
2008-10-25 14:51 . 2008-10-25 14:51   <DIR>   d--------   C:\WINDOWS\system32\config\systemprofile\Application Data\Yahoo!
2008-09-29 14:41 . 2008-10-27 09:13   <DIR>   d--------   C:\Program Files\iTunes
2008-09-29 14:41 . 2008-09-29 14:42   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-29 14:39 . 2008-10-25 23:12   <DIR>   d--------   C:\Program Files\Bonjour

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-27 14:13   ---------   d-----w   C:\Program Files\iPod
2008-10-26 04:36   ---------   d-----w   C:\Program Files\Wal-Mart Music Downloads Store
2008-10-26 04:19   ---------   d-----w   C:\Program Files\THQ
2008-10-26 04:19   ---------   d-----w   C:\Program Files\sz8032
2008-10-26 04:19   ---------   d-----w   C:\Program Files\sz8022
2008-10-26 04:19   ---------   d-----w   C:\Program Files\Scholastic
2008-10-26 04:19   ---------   d-----w   C:\Program Files\RecordNow!
2008-10-26 04:19   ---------   d-----w   C:\Program Files\QuickTime
2008-10-26 04:19   ---------   d-----w   C:\Program Files\Print Workshop 2004 LE
2008-10-26 04:18   ---------   d-----w   C:\Program Files\Microsoft Works
2008-10-26 04:18   ---------   d-----w   C:\Program Files\Microsoft Visual Studio 8
2008-10-26 04:18   ---------   d-----w   C:\Program Files\Microsoft SQL Server
2008-10-26 04:18   ---------   d-----w   C:\Program Files\Microsoft Plus! Digital Media Edition
2008-10-26 04:18   ---------   d-----w   C:\Program Files\Microsoft IntelliPoint
2008-10-26 04:18   ---------   d-----w   C:\Program Files\Lavasoft
2008-10-26 04:17   ---------   d-----w   C:\Program Files\Juniper Networks
2008-10-26 04:17   ---------   d-----w   C:\Program Files\Java
2008-10-26 04:17   ---------   d-----w   C:\Program Files\ItsDeductibleEX
2008-10-26 04:17   ---------   d-----w   C:\Program Files\ItsDeductible2006
2008-10-26 04:17   ---------   d-----w   C:\Program Files\ItsDeductible2005
2008-10-26 04:17   ---------   d-----w   C:\Program Files\Iomega
2008-10-26 04:17   ---------   d-----w   C:\Program Files\IntelliMover Data Transfer Demo
2008-10-26 04:17   ---------   d-----w   C:\Program Files\Infogrames Interactive
2008-10-26 04:17   ---------   d-----w   C:\Program Files\HP
2008-10-26 04:17   ---------   d-----w   C:\Program Files\Hewlett-Packard
2008-10-26 04:17   ---------   d-----w   C:\Program Files\Hasbro Interactive
2008-10-26 04:15   ---------   d-----w   C:\Program Files\Common Files\InstallShield
2008-10-26 04:15   ---------   d-----w   C:\Program Files\Common Files\Apple
2008-10-26 04:15   ---------   d-----w   C:\Program Files\Common Files\Adobe
2008-10-25 13:33   ---------   d---a-w   C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-20 19:25   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\AirSet Desktop Sync
2008-10-16 01:30   30   ----a-w   C:\Documents and Settings\Owner\jagex_runescape_preferences.dat
2008-08-29 15:18   87,336   ----a-w   C:\WINDOWS\system32\dns-sd.exe
2008-08-29 14:53   61,440   ----a-w   C:\WINDOWS\system32\dnssd.dll
2008-03-17 17:38   103,536   ----a-w   C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2004-11-01 23:37   0   --sha-w   C:\WINDOWS\SMINST\HPCD.sys
.

(((((((((((((((((((((((((((((   snapshot@2008-10-26_20.01.28.40   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 20:27:04   163,328   ----a-w   C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-10-27 01:48:35   9,252,864   ----a-w   C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-10-27 01:48:35   802,816   ----a-w   C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 20:27:04   163,328   ----a-w   C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-10-27 01:48:21   9,252,864   ----a-w   C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-10-27 01:48:22   802,816   ----a-w   C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2008-05-11 02:33:53   65,536   ----a-r   C:\WINDOWS\Installer\{10E1E87C-656C-4D08-86D6-5443D28583BE}\NewShortcut1.A6CC6977_F7B4_4C0B_9510_BCD847D4BDB2.exe
+ 2008-10-28 01:16:17   65,536   ----a-r   C:\WINDOWS\Installer\{10E1E87C-656C-4D08-86D6-5443D28583BE}\NewShortcut1.A6CC6977_F7B4_4C0B_9510_BCD847D4BDB2.exe
- 2008-09-29 19:42:35   102,400   ----a-r   C:\WINDOWS\Installer\{41B9E2CF-0B3F-442A-B5B3-592A4A355634}\iTunesIco.exe
+ 2008-10-27 14:13:43   102,400   ----a-r   C:\WINDOWS\Installer\{41B9E2CF-0B3F-442A-B5B3-592A4A355634}\iTunesIco.exe
- 2008-10-27 00:58:28   32,768   ----a-w   C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-10-27 20:02:04   32,768   ----a-w   C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-10-27 00:58:28   32,768   ----a-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-10-27 20:02:04   32,768   ----a-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-10-27 18:06:06   32,768   ----a-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102020081027\index.dat
+ 2008-10-27 18:42:19   32,768   ----a-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102720081028\index.dat
+ 2008-05-09 18:15:51   45,376   ----a-w   C:\WINDOWS\system32\drivers\avgntdd.sys
+ 2008-01-21 23:11:28   22,336   ----a-w   C:\WINDOWS\system32\drivers\avgntmgr.sys
+ 2008-06-27 20:03:55   75,072   ----a-w   C:\WINDOWS\system32\drivers\avipbb.sys
+ 2007-03-01 15:34:22   28,352   ----a-w   C:\WINDOWS\system32\drivers\ssmdrv.sys
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2004-05-20 856064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"VTTimer"="VTTimer.exe" [2005-03-08 C:\WINDOWS\system32\VTTimer.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\Southwest Airlines\\Ding\\Ding.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2007-04-10 23552]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2006-12-20 45568]
S2 ltmdmntc;ltmdmntc;C:\WINDOWS\System32\drivers\ltmdmntc.sys [ ]
S2 W55U01;WINBOND W55U01 USB;C:\WINDOWS\system32\Drivers\W55U01.sys [2005-08-12 15232]
S2 X4HS32;X4HS32;C:\Program Files\EXEtender\X4HS32.Sys [ ]
S3 BulkUsb;Usbscan.Sys;C:\WINDOWS\system32\Drivers\usbscan.sys [2004-08-04 15104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2008-10-24 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe []

2004-03-17 C:\WINDOWS\Tasks\Easy Internet Sign-up.job
- C:\Program Files\Easy Internet signup\HPSdpApp.exe []
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-27 20:28:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2008-10-27 20:36:02 - machine was rebooted
ComboFix-quarantined-files.txt  2008-10-28 01:35:58
ComboFix2.txt  2008-10-27 20:18:58
ComboFix3.txt  2008-10-27 18:36:11
ComboFix4.txt  2008-10-27 17:38:42
ComboFix5.txt  2008-10-28 01:22:02

Pre-Run: 41,295,572,992 bytes free
Post-Run: 41,344,692,224 bytes free

192
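The script in Reply #29 and the ComboFix log above are two halves of one check: did each requested removal actually happen? As an added example (not part of the thread and not ComboFix's own code), the Python below parses both, using abridged copies of the posted script and log as sample input, and reports which File:: and Driver:: entries the log confirms.

```python
"""Cross-check a ComboFix CFScript against the ComboFix log it produced.

Added example, not ComboFix's own code: reads the Driver:: and File::
sections of the script and the 'Other Deletions' / 'Drivers/Services'
sections of the log, then reports which requested removals the log confirms.
"""
import re

# Sample input: abridged copy of the CFScript posted in Reply #29.
CFSCRIPT = r"""KillAll::
Driver::
TDSSserv.sys
File::
C:\WINDOWS\system32\TDSSeuvq.dll
C:\WINDOWS\system32\TDSSckvy.dll
C:\WINDOWS\system32\TDSSfhvv.dll
C:\WINDOWS\system32\TDSSurta.dll
C:\WINDOWS\system32\TDSSesan.dll
C:\WINDOWS\system32\TDSSnhvw.dll
C:\WINDOWS\system32\TDSSierd.dat
C:\WINDOWS\system32\drivers\TDSSijso.sys
Registry::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]
"imagepath"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]
"""

# Sample input: abridged copy of the ComboFix log posted in Reply #30.
COMBOFIX_LOG = r"""ComboFix 08-10-27.02 - Owner 2008-10-27 20:22:58.5 - NTFSx86
Command switches used :: C:\Documents and Settings\Owner\Desktop\cfscript.txt

(((((((((((((((   Other Deletions   )))))))))))))))
.

C:\WINDOWS\system32\TDSSckvy.dll
C:\WINDOWS\system32\TDSSesan.dll
C:\WINDOWS\system32\TDSSfhvv.dll
C:\WINDOWS\system32\TDSSierd.dat
C:\WINDOWS\system32\TDSSnhvw.dll
C:\WINDOWS\system32\TDSSurta.dll

.
(((((((((((((((   Drivers/Services   )))))))))))))))
.

-------\Service_TDSSserv.sys
"""

# ComboFix marks a section with a banner of parentheses around its name.
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")


def parse_cfscript(text):
    """Map each 'Name::' section of a CFScript to the lines beneath it."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_combofix_log(text):
    """Map each banner-delimited section of a ComboFix log to its entries."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line == ".":          # blank and '.' lines are filler
            continue
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def cross_check(script_text, log_text):
    """Return the File:: and Driver:: entries the log does and does not confirm."""
    script, log = parse_cfscript(script_text), parse_combofix_log(log_text)
    files = {p.lower(): p for p in script.get("File", [])}
    drivers = {d.lower(): d for d in script.get("Driver", [])}
    deleted = {p.lower() for p in log.get("Other Deletions", [])}
    # A removed service shows up as '-------\Service_<name>' in the log.
    removed = {
        line.split("\\Service_", 1)[1].lower()
        for line in log.get("Drivers/Services", [])
        if "\\Service_" in line
    }
    return {
        "files_confirmed": [files[k] for k in sorted(files) if k in deleted],
        "files_unconfirmed": [files[k] for k in sorted(files) if k not in deleted],
        "drivers_confirmed": [drivers[k] for k in sorted(drivers) if k in removed],
        "drivers_unconfirmed": [drivers[k] for k in sorted(drivers) if k not in removed],
    }


if __name__ == "__main__":
    for bucket, items in cross_check(CFSCRIPT, COMBOFIX_LOG).items():
        print(f"{bucket} ({len(items)}):", *items, sep="\n    ")
```

On the posted log, two scripted files (TDSSeuvq.dll and the TDSSijso.sys driver file) are not listed under Other Deletions, which can simply mean they were no longer on disk when the script ran; an unconfirmed entry is something to look at, not proof of a failure.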

guestolo
Hacked and Hijacked? :-(
« Reply #31 on: October 27, 2008, 08:37:55 PM »
The last ComboFix log looked good, but I'll wait to see the Kaspersky scan

It is your option to Clean Install the system
If you're having that many problems with programs, it may be the better route
and will ensure the system is clean

scrappingmama
Hacked and Hijacked? :-(
« Reply #32 on: October 28, 2008, 07:56:07 PM »
Unfortunately, I was unable to check the scan this morning (late for work as usual) and when I just checked it I found that it was at 6% and hung up on an Outlook not configured error.  I have answered the popups and now the scanning is going well.

While clean install may be my final result, having a clean system now is imperative so that I can back up all my data safely.  I really appreciate all that you have done and I will post the Kaspersky results when they are complete.

What antivirus, internet security, antispyware, etc. packages do you recommend most for XP and Vista?  I want to make sure my systems are better protected.

scrappingmama
Hacked and Hijacked? :-(
« Reply #33 on: October 28, 2008, 10:24:31 PM »
Well, it looks like Kaspersky found something.  It just amazes me how many tools you need to be able to effectively clean a computer.

Here are the results of the scan --
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
 Tuesday, October 28, 2008
 Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
 Kaspersky Online Scanner 7 version: 7.0.25.0
 Program database last update: Tuesday, October 28, 2008 01:00:23
 Records in database: 1352247
--------------------------------------------------------------------------------

Scan settings:
   Scan using the following database: extended
   Scan archives: yes
   Scan mail databases: yes

Scan area - My Computer:
   A:\
   C:\
   D:\
   E:\
   F:\

Scan statistics:
   Files scanned: 116389
   Threat name: 5
   Infected objects: 5
   Suspicious objects: 0
   Duration of the scan: 25:52:06


File name / Threat name / Threats count
C:\Documents and Settings\Owner\Desktop\GetRidofHijackers\smitfraudfix\SmitfraudFix\Reboot.exe   Infected: not-a-virus:RiskTool.Win32.Reboot.f   1
C:\Documents and Settings\Owner\Desktop\nerodownload\Nero-7.7.5.1_eng_trial.exe   Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.bm   1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSckvy.dll.vir   Infected: Backdoor.Win32.TDSS.atb   1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSfhvv.dll.vir   Infected: Trojan.Win32.Agent.akki   1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSurta.dll.vir   Infected: Backdoor.Win32.TDSS.asz   1

The selected area was scanned.

guestolo
Hacked and Hijacked? :-(
« Reply #34 on: October 29, 2008, 07:44:45 AM »
Everything Kaspersky found was harmless
The worst was found in ComboFix's quarantined area

Can you please post one last Hijackthis log, and let me know what problems you're still experiencing



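The reply above sorts the five Kaspersky hits by where they sit and what they are tagged as. As an added example (not the thread's or Kaspersky's code), the Python below applies that same triage to the posted report: hits under ComboFix's quarantine folder C:\Qoobox\Quarantine are already contained, not-a-virus: tags are riskware, and anything else would be an active infection; it also checks that the number of findings parsed matches the report's own Infected objects count.

```python
"""Triage a Kaspersky Online Scanner 7 report the way the reply above does.

Added example, not Kaspersky's or the thread's own code: detections that
sit inside ComboFix's quarantine folder are already contained, 'not-a-virus:'
detections are riskware rather than malware, and anything else is active.
"""
import re

# ComboFix moves what it removes into C:\Qoobox\Quarantine (the paths in the
# posted report show this); a hit there is a contained copy, not a live file.
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"

# A finding line looks like:  <path>   Infected: <threat>   <count>
FINDING_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$"
)
STAT_RE = re.compile(r"^Infected objects:\s*(\d+)$")

# Sample input: abridged copy of the report posted in Reply #33.
REPORT = r"""KASPERSKY ONLINE SCANNER 7 REPORT
 Tuesday, October 28, 2008
 Kaspersky Online Scanner 7 version: 7.0.25.0

Scan statistics:
   Files scanned: 116389
   Threat name: 5
   Infected objects: 5
   Suspicious objects: 0

File name / Threat name / Threats count
C:\Documents and Settings\Owner\Desktop\GetRidofHijackers\smitfraudfix\SmitfraudFix\Reboot.exe   Infected: not-a-virus:RiskTool.Win32.Reboot.f   1
C:\Documents and Settings\Owner\Desktop\nerodownload\Nero-7.7.5.1_eng_trial.exe   Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.bm   1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSckvy.dll.vir   Infected: Backdoor.Win32.TDSS.atb   1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSfhvv.dll.vir   Infected: Trojan.Win32.Agent.akki   1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSurta.dll.vir   Infected: Backdoor.Win32.TDSS.asz   1

The selected area was scanned.
"""


def parse_findings(report):
    """Return one dict per 'Infected:' line: path, threat name, count."""
    findings = []
    for line in report.splitlines():
        match = FINDING_RE.match(line.strip())
        if match:
            findings.append({"path": match["path"], "threat": match["threat"],
                             "count": int(match["count"])})
    return findings


def infected_objects(report):
    """Return the 'Infected objects' figure from the statistics block, or None."""
    for line in report.splitlines():
        match = STAT_RE.match(line.strip())
        if match:
            return int(match.group(1))
    return None


def classify(finding):
    """Bucket one finding as 'quarantined', 'riskware' or 'active'."""
    if finding["path"].lower().startswith(QUARANTINE_PREFIX):
        return "quarantined"
    if finding["threat"].lower().startswith("not-a-virus:"):
        return "riskware"
    return "active"


def triage(report):
    """Group findings by bucket, refusing to answer if the parse is incomplete."""
    findings = parse_findings(report)
    stated = infected_objects(report)
    parsed = sum(f["count"] for f in findings)
    if stated is not None and parsed != stated:
        raise ValueError(f"parsed {parsed} threats but the report states {stated}")
    buckets = {"active": [], "quarantined": [], "riskware": []}
    for finding in findings:
        buckets[classify(finding)].append(finding)
    return buckets


if __name__ == "__main__":
    for bucket, items in triage(REPORT).items():
        print(f"{bucket}: {len(items)}")
        for item in items:
            print(f"    {item['threat']}  {item['path']}")
```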
scrappingmama
Hacked and Hijacked? :-(
« Reply #35 on: October 29, 2008, 09:03:51 PM »
The system seems to be running okay now with the exception of the loss of all my applications and some key data.  I still get the errors on reboot for the printers but that is just annoying.

New HJT Log --
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:22 PM, on 10/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Java\jre6\bin\jusched.exe
c:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "c:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - https://cim.accenture.com/system/web/view/l...g/ie/SecMgr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1218409226343
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1218409212234
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=24931
O16 - DPF: {B33422AC-C567-4F7D-BB28-6583371EC4EE} (Microsoft CMS HTML Editor) - https://portal.accenture.com/NAVIGATOR/CMS/...ort/NRDHtml.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.15.44/ttinst.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://amr1-extranet.accenture.com/dana-ca...perSetupSP1.cab
O16 - DPF: {E99D3E39-5D92-4360-BA86-2C563B3CFFEB} (Microsoft CMS HTML Editor Toolbar) - https://portal.accenture.com/NAVIGATOR/CMS/...ort/nrdhtml.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = dir.svc.accenture.com,accenture.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = dir.svc.accenture.com,accenture.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = dir.svc.accenture.com,accenture.com
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - c:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - C:\Program Files\Windows Live\Messenger\usnsvc.exe (file missing)
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 8613 bytes
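Reading a HijackThis log by hand is error-prone, so here is an added triage script (not part of the thread, not HijackThis code) that parses the v2 line format shown above and pulls out the entries a reviewer checks first: items marked "(file missing)", any O10 Winsock LSP entry, the hosts that O16 ActiveX downloads came from, and O23 services with no vendor. The sample log inside the block is constructed from a few line shapes seen in the log above, not the full log.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample in the HijackThis v2 line format, modelled on the log above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.15.44/ttinst.cab
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")          # "O23 - Service: ..."
QUOTED_PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"')   # "C:\Program Files\...\x.exe" /args
BARE_PATH_RE = re.compile(r"([A-Za-z]:\\.+?)(?: \(file missing\)| \(HKCU\)|$)")
URL_RE = re.compile(r"https?://\S+")


def extract_path(body):
    """Return the Windows path an entry points at, or None (O16 entries carry a URL instead)."""
    m = QUOTED_PATH_RE.search(body) or BARE_PATH_RE.search(body)
    return m.group(1) if m else None


def triage(log_text):
    """Count entries per HJT section and collect the ones worth a second look."""
    report = {"sections": Counter(), "file_missing": [], "lsp": [],
              "activex_hosts": [], "unknown_owner_services": []}
    for line in log_text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list, "End of file" and similar lines
        section, body = m.groups()
        report["sections"][section] += 1
        path = extract_path(body)
        if "(file missing)" in body:
            report["file_missing"].append((section, path))  # stale reference, nothing on disk
        if section == "O10":
            report["lsp"].append(path)  # Winsock LSP: identify the DLL before removing it
        if section == "O16":
            url = URL_RE.search(body)
            if url:
                report["activex_hosts"].append(urlparse(url.group(0)).hostname)
        if section == "O23" and "Unknown owner" in body:
            report["unknown_owner_services"].append(path)
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Removing an O10 entry with the wrong tool can break networking entirely, so that list is for verification, not for a blanket "fix".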

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Hacked and Hijacked? :-(
« Reply #36 on: October 30, 2008, 08:33:01 PM »
I have no idea what you mean that all executables don't work

Does Avira work?
Does Windows Updates still work?

Since you're willing to reinstall, ensure that you scan your backups with Avira or another updated virus scanner

In addition, after you CLEAN install
Look at the following

You don't have to protect your computer with Avira AntiVirus, if you don't prefer
But please look at the following advice
How to Prevent Malware:

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline scrappingmama

  • Newbie
  • *
  • Posts: 47
  • Karma: +0/-0
Hacked and Hijacked? :-(
« Reply #37 on: October 30, 2008, 09:10:15 PM »
All the executables that I had before the hack are gone (MS products, MS Money, TurboTax, Paintshop Pro, iTunes, any game downloads).  The ones I have tried to reinstall won't work or won't work correctly.  This is why I think I need a total wipe and install though I'm not looking forward to it.

Windows update was not set to automatic and that is another thing that likely caused a lot of my issues.

Avira is working and I have read up on the AV/spyware/malware, etc. comparisons and Avira ranks better than most though it looks like the next level might be a bit better.

I scanned my back ups at the same time you had me scan my USB thumbdrive and everything was okay.

What are some of the products I can run together or is there one that does it all (antivirus, antispyware, antimalware)?
« Last Edit: October 30, 2008, 09:12:48 PM by scrappingmama »

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Hacked and Hijacked? :-(
« Reply #38 on: October 30, 2008, 09:25:45 PM »
Did you read the link I posted
How to Prevent Malware???


Offline scrappingmama

  • Newbie
  • *
  • Posts: 47
  • Karma: +0/-0
Hacked and Hijacked? :-(
« Reply #39 on: October 31, 2008, 08:02:01 PM »
Yes, I sure did.  That was one of the reasons why I was asking the question.  It just seems like there are a lot of tools to do similar things and two AVs can't run on the same computer.  It looked like Avira was a solid performer, but to get the anti-malware and antispyware, you need to upgrade.  So, is it best to upgrade to Avira for those or some other product?

Also, I have a new Vista laptop.  If I use Avira on my current XP desktop, I plan on also using it on my new Vista laptop.  However, factory install includes a Norton option to install.  It pops up on every start up.  I didn't install it but I think I need to get rid of it to install Avira, right?

Thanks again for everything.  This has been an unfortunate but productive learning experience.