Author Topic: Yoog, Globalsolutions, Pop Ups, and now Vundo??? (Read 1306 times)

shalafime21 · « **on:** December 13, 2008, 08:38:43 PM »

I need help.

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/sad.gif\' class=\'bbc_emoticon\' alt=\'

\' /> I have an HP Pavilion laptop with Windows XP. I am not very good with computers other than the basics that a college student needs to know. If I get some lingo wrong I apologize ahead of time but I will try to make myself clear.

Sometime between December 2nd and December 5th I contracted some kind of virus or spyware that kept making yoog my default search engine and sending me pop ups from "globalsolutions". My laptop was running extremely slow and the pop ups were intollerable! I tried to do a system restore but it would not let me go back to any date BEFORE I got the virus.

So, after reading some different forums, I went to the store and purchased AVG 8.0. I had been running the free version of AVG along with Zone Alarm, but they obviously weren't cutting it, so I thought this might help me out. I also deleted internet explorer and downloaded mozilla firefox in an effort to combat the problem. I think I have sucessfully removed all of the internet explorer documents/files myself and mozilla seems to be working fine.

After the initial installation of mozilla, there was no more yoog issues. However, the next day when was surfing the web, it appeared again. I removed it and set a different default search and I have not seen it sense. My newest problem is something that continues to pop up when AVG scans my computer:

C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP402\A0050564.dll

My scan finds between 10 and 20 of these at a rip EVERDAY! They all have some differences in the last few numbers before the .dll and they are all classified as Trojan Horse Vundo.CA, Trojan Horse Vundo.CE, and Trojan Horse Vundo.CD. I always tell AVG to remove the threats but they just keep coming back! I don't know what to do.

If anyone can help me I would really appreciate it. I spent my last $50 on the AVG and I've been going crazy with all of this stuff!

shalafime21 · « **Reply #1 on:** December 13, 2008, 08:54:17 PM »

Oh, I also forgot to mention something else...

I am still getting some pop ups even though I have my pop up blockers on. They are not all designated as being from globalsolutions, but they are still unsettling...

I also can't get my microsoft security center automatic updates to work... If I try to turn it on it tells me I do not have access to do that...

Just a few more fun things I thought might be important...thank you again...

guestolo · « **Reply #2 on:** December 14, 2008, 03:04:06 AM »

Download Hijackthis Installer from [color=\"#FF0000\"]HERE[/color]
For an alternate download location, you can try HERE
SAVE it to your desktop
Double click on HJTInstall.exe to run it
Choose Install

Hijackthis v2.0.2 will open

Under Main Menu, Select
Do a system scan and save a Log file
A log will open in Notepad
Copy and Paste the Whole log back here to the forum----It is all important!

shalafime21 · « **Reply #3 on:** December 14, 2008, 07:26:37 PM »

Here is the log you requested. Hopefully it is what you needed! Let me know if you need anything else and thank you very very much!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:25:18 PM, on 12/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://prod.campuscruiser.com/PageServlet?...lcome&cp=98
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Add to Library - {ECDCA4E5-DE44-4b94-8F46-CD0D5B4895FC} - C:\PROGRAM FILES\AMICUS50\Research\GetTags.htm (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...tup1.0.0.15.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: ,avgrsstx.dll owmeoy.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7344 bytes

guestolo · « **Reply #4 on:** December 14, 2008, 08:45:17 PM »

Download ComboFix from one of these locations:

[color=\"#0000FF\"]Link 1[/color]
[color=\"#0000FF\"]Link 2[/color]
[color=\"#0000FF\"]Link 3[/color]
Save it ONLY to your Desktop

--------------------------------------------------------------------
[color=\"#2E8B57\"]Temporarily Disable your AntiVirus, AntiSpyware and Firewall applications, usually via a right click on the System Tray icon. They may otherwise interfere with this tool[/color]

Double click on Combo-Fix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

[color=\"#2e8b57\"]**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
[/color]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combo-Fix.txt in your next reply

NOTE: Do not mouseclick inside ComboFix window as it's running, it may cause it to stall
ComboFix will run again on startup, it will prompt that it's creating a log
This process could take up to 15 minutes, let it run uninterrupted please

shalafime21 · « **Reply #5 on:** December 14, 2008, 10:43:21 PM »

I was unable to turn off my anti virus etc. before ComboFix ran, but it seemed to work properly without any problems. Here is the log that popped into notepad after I finished running combo fix and my laptop rebooted:

ComboFix 08-12-14.04 - test 2008-12-14 21:17:37.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.138 [GMT -5:00]
Running from: c:\documents and settings\test\Desktop\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\test\LOCALS~1\Temp\tmp1.tmp
c:\documents and settings\test\Application Data\GetModule
c:\program files\iCheck
c:\program files\iCheck\Uninstall.exe
c:\windows\system32\axpuahbe.ini
c:\windows\system32\evfnfonc.ini
c:\windows\system32\hpyhyunp.ini
c:\windows\system32\kdhqvgtp.ini
c:\windows\system32\opnlLDts.dll
c:\windows\system32\regsvr.exe
c:\windows\system32\stDLlnpo.ini
c:\windows\system32\stDLlnpo.ini2
c:\windows\system32\vfhryblg.ini
c:\windows\system32\wvFNVvut.ini
c:\windows\system32\wvFNVvut.ini2
c:\windows\system32\wvUNEWqN.dll
c:\windows\system32\xykxslur.ini
c:\windows\system32\yfmtdaas.ini
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2008-11-15 to 2008-12-15 )))))))))))))))))))))))))))))))
.

2008-12-14 19:22 . 2008-12-14 19:22 <DIR> d-------- c:\program files\Trend Micro
2008-12-08 19:40 . 2008-12-14 21:19 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-08 18:09 . 2008-12-09 20:59 98,440 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-08 18:09 . 2008-12-09 21:00 90,632 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-08 18:09 . 2008-12-08 18:09 12,936 --a------ c:\windows\system32\drivers\avgrkx86.sys
2008-12-08 18:09 . 2008-12-08 18:09 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-08 18:08 . 2008-12-14 19:13 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-08 18:08 . 2008-12-08 18:08 <DIR> d-------- c:\program files\AVG
2008-12-08 18:08 . 2008-12-08 18:50 <DIR> d-------- c:\documents and settings\test\Application Data\AVGTOOLBAR
2008-12-08 18:08 . 2008-12-08 18:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-07 22:08 . 2008-12-07 22:09 <DIR> d-------- C:\My Games
2008-12-07 22:07 . 2008-12-07 22:08 <DIR> d-------- C:\My Download Files
2008-12-05 23:39 . 2008-12-08 00:01 <DIR> d-------- c:\program files\GrandPack
2008-12-02 18:10 . 2008-12-02 18:10 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-12-02 18:03 . 2008-12-06 12:47 <DIR> d-------- c:\windows\system32\drivers\UMDF
2008-12-02 12:12 . 2008-12-02 12:12 672,768 --a------ c:\windows\system32\nso11.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-15 03:20 29,747,232 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-12-15 03:16 349,412 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-12-15 01:53 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-15 01:24 --------- d-----w c:\program files\Mahjong Towers Eternity
2008-12-09 01:30 --------- d-----w c:\program files\Common Files\Real
2008-12-08 03:48 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-21 03:18 --------- d-----w c:\program files\Sudoku
2008-05-28 22:48 16,250 ----a-w c:\documents and settings\test\Application Data\wklnhst.dat
2005-10-17 23:15 774,144 ----a-w c:\program files\RngInterstitial.dll
.

------- Sigcheck -------

2004-08-04 03:00 14336 8f078ae4ed187aaabc0a305146de6716 c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-13 19:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\ServicePackFiles\i386\svchost.exe
2008-04-13 19:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\system32\svchost.exe

2005-03-02 13:19 577024 1800f293bccc8ede8a70e12b88d80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 10:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
2007-03-08 10:36 577536 b409909f6e2e8a7067076ed748abf1e7 c:\windows\$NtServicePackUninstall$\user32.dll
2004-08-04 03:00 577024 c72661f8552ace7c5c85e16a3cf505c4 c:\windows\$NtUninstallKB890859$\user32.dll
2005-03-02 13:09 577024 de2db164bbb35db061af0997e4499054 c:\windows\$NtUninstallKB925902$\user32.dll
2008-04-13 19:12 578560 b26b135ff1b9f60c9388b4a7d16f600b c:\windows\ServicePackFiles\i386\user32.dll
2008-04-13 19:12 578560 b26b135ff1b9f60c9388b4a7d16f600b c:\windows\system32\user32.dll

2004-08-04 03:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 c:\windows\$NtServicePackUninstall$\ws2_32.dll
2008-04-13 19:12 82432 2ccc474eb85ceaa3e1fa1726580a3e5a c:\windows\ServicePackFiles\i386\ws2_32.dll
2008-04-13 19:12 82432 2ccc474eb85ceaa3e1fa1726580a3e5a c:\windows\system32\ws2_32.dll

2005-09-02 18:53 660480 97a6fd7cafd688cf2c78939ebaf0cd0c c:\windows\$hf_mig$\KB896688\SP2QFE\wininet.dll
2005-10-20 22:38 661504 af785c4947676a7fc1673fdc5c8d0b5b c:\windows\$hf_mig$\KB905915\SP2QFE\wininet.dll
2006-03-03 22:58 663552 c0845ecbf4f9164e618ee381b79c9032 c:\windows\$hf_mig$\KB912812\SP2QFE\wininet.dll
2006-06-23 06:25 664576 64ce26db72810b30f7855ea51e1df836 c:\windows\$hf_mig$\KB918899\SP2QFE\wininet.dll
2006-09-14 03:31 664576 d207370287cf769aebebf03837784963 c:\windows\$hf_mig$\KB922760\SP2QFE\wininet.dll
2006-10-23 10:34 664576 231ef4179acabe486376b5ca893f1076 c:\windows\$hf_mig$\KB925454\SP2QFE\wininet.dll
2007-06-27 09:40 824320 d6ed5e042c5207553e7f5e842918137f c:\windows\$hf_mig$\KB937143-IE7\SP2QFE\wininet.dll
2007-08-20 05:02 825344 357d54bf94fe9d6d8505a96b5c2a3bca c:\windows\$hf_mig$\KB939653-IE7\SP2QFE\wininet.dll
2007-10-10 18:47 825344 0e5d918f87efa7d2424d66b499c7eb04 c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
2007-12-06 21:01 825344 b5b411bb229ae6ead7652a32ed47bfb9 c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
2008-03-01 08:03 827392 6316c2f0c61271c8abdff7429174879e c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
2008-04-22 22:35 827392 41546b396a526918da7995a02ea04e51 c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
2008-06-23 11:01 827904 c66402a06b83b036c195242c0c8cf83c c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
2008-08-26 04:08 827904 77c192fe56a70d7fa0247ba0a6201c32 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
2004-08-04 03:00 656384 c0823fc5469663ba63e7db88f9919d70 c:\windows\$NtUninstallKB896688$\wininet.dll
2005-09-02 18:52 658432 af61ebb1f550175eff406d545d6ab086 c:\windows\$NtUninstallKB905915$\wininet.dll
2005-10-20 22:39 658432 e7b27b6b6e06ce34ea019fd8b858c613 c:\windows\$NtUninstallKB912812$\wininet.dll
2006-03-03 22:33 658432 1c0979c7a489bee573cd0bf4ad94bb06 c:\windows\$NtUninstallKB918899$\wininet.dll
2006-06-23 06:02 658944 2b4db890936430c71419037039502752 c:\windows\$NtUninstallKB922760$\wininet.dll
2006-10-23 10:17 658944 6b2735adff5a5d3b9130ca4a794722f0 c:\windows\$NtUninstallKB925454$\wininet.dll
2006-09-14 03:39 658944 621af3f6174a3f60677f5230e28bcc07 c:\windows\$NtUninstallKB925454_0$\wininet.dll
2006-10-23 10:34 664576 231ef4179acabe486376b5ca893f1076 c:\windows\ie7\wininet.dll
2006-11-07 21:03 818688 92995334f993e6e49c25c6d02ec04401 c:\windows\ie7updates\KB928090-IE7\wininet.dll
2007-01-12 08:27 822784 be43d00d802c92f01c8cc952c6f483f8 c:\windows\ie7updates\KB937143-IE7\wininet.dll
2007-06-27 09:34 823808 8068cbb58fe60cc95aeb2cff70178208 c:\windows\ie7updates\KB939653-IE7\wininet.dll
2007-08-20 05:04 824832 774435e499d8e9643ec961a6103c361f c:\windows\ie7updates\KB942615-IE7\wininet.dll
2007-10-10 18:56 824832 30c1e0f34ad2972c72a01db5c74ab065 c:\windows\ie7updates\KB944533-IE7\wininet.dll
2007-12-06 21:21 824832 806d274c9a6c3aaea5eae8e4af841e04 c:\windows\ie7updates\KB947864-IE7\wininet.dll
2008-03-01 08:06 826368 ad21461aef8244edec2ef18e55e1dcf3 c:\windows\ie7updates\KB950759-IE7\wininet.dll
2008-04-22 23:16 826368 f6589be784647cfdbc22ea51ccb1a57a c:\windows\ie7updates\KB953838-IE7\wininet.dll
2008-06-23 11:57 826368 8c13d4a7479fa0a026eda8abce82c0ed c:\windows\ie7updates\KB956390-IE7\wininet.dll
2008-04-13 19:12 666112 7a4f775abb2f1c97def3e73afa2faedd c:\windows\ServicePackFiles\i386\wininet.dll
2008-08-26 02:24 826368 ef8eba98145bfa44e80d17a3b3453300 c:\windows\system32\wininet.dll
2008-08-26 02:24 826368 ef8eba98145bfa44e80d17a3b3453300 c:\windows\system32\dllcache\wininet.dll

2005-05-25 14:07 359936 63fdfea54eb53de2d863ee454937ce1e c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 12:07 360448 5562cc0a47b2aef06d3417b733f3c195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 05:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 06:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 06:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-06-20 05:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 c:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-04 03:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB893066$\tcpip.sys
2005-05-25 14:04 359808 88763a98a4c26c409741b4aa162720c9 c:\windows\$NtUninstallKB913446$\tcpip.sys
2006-01-12 21:28 359808 583e063fdc888ca30d05c2724b0d7ef4 c:\windows\$NtUninstallKB917953$\tcpip.sys
2006-04-20 06:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$NtUninstallKB941644$\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2007-10-30 12:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\tcpip.sys
2008-06-20 06:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\system32\dllcache\tcpip.sys
2008-06-20 06:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\system32\drivers\tcpip.sys

2004-08-04 03:00 502272 01c3346c241652f43aed8e2149881bfe c:\windows\$NtServicePackUninstall$\winlogon.exe
2008-04-13 19:12 507904 ed0ef0a136dec83df69f04118870003e c:\windows\ServicePackFiles\i386\winlogon.exe
2008-04-13 19:12 507904 ed0ef0a136dec83df69f04118870003e c:\windows\system32\winlogon.exe

2004-08-04 03:00 182912 558635d3af1c7546d26067d5d9b6959e c:\windows\$NtServicePackUninstall$\ndis.sys
2008-04-13 14:20 182656 1df7f42665c94b825322fae71721130d c:\windows\ServicePackFiles\i386\ndis.sys
2008-04-13 14:20 182656 1df7f42665c94b825322fae71721130d c:\windows\system32\drivers\ndis.sys

2004-08-04 03:00 29056 4448006b6bc60e6c027932cfc38d6855 c:\windows\$NtServicePackUninstall$\ip6fw.sys
2008-04-13 13:53 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\ServicePackFiles\i386\ip6fw.sys
2008-04-13 13:53 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\system32\drivers\ip6fw.sys

2005-03-01 19:36 2056832 d8aba3eab509627e707a3b14f00fbb6b c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2006-12-19 11:12 2059392 ba4b97c00a437c1cc3da365d93ee1e9d c:\windows\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe
2007-02-28 04:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba c:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2008-08-14 14:39 2066048 a25e9b86effb2af33bf51e676b68bfb0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
2007-02-28 03:38 2057600 515d30e2c90a3665a2739309334c9283 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
2004-08-04 03:00 2056832 947fb1d86d14afcffdb54bf837ec25d0 c:\windows\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-01 19:34 2056832 81013f36b21c7f72cf784cc6731e0002 c:\windows\$NtUninstallKB929338$\ntkrnlpa.exe
2006-12-19 07:55 2057600 1d659bfb788ed2ba45075624b748d249 c:\windows\$NtUninstallKB931784$\ntkrnlpa.exe
2008-04-13 13:31 2065792 109f8e3e3c82e337bb71b6bc9b895d61 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
2008-08-14 04:33 2066048 4ac58f03eb94a72809949d757fc39d80 c:\windows\Driver Cache\i386\ntkrnlpa.exe
2008-04-13 13:31 2065792 109f8e3e3c82e337bb71b6bc9b895d61 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
2008-08-14 04:33 2066048 4ac58f03eb94a72809949d757fc39d80 c:\windows\system32\ntkrnlpa.exe
2008-08-14 04:33 2066048 4ac58f03eb94a72809949d757fc39d80 c:\windows\system32\dllcache\ntkrnlpa.exe

2005-03-01 20:04 2179456 28187802b7c368c0d3aef7d4c382aabb c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2006-12-19 11:51 2182016 cef243f6defd20be4adde26c7ecacb54 c:\windows\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
2007-02-28 04:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 c:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2008-08-14 15:11 2189184 31914172342bff330063f343ac6958fe c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
2007-02-28 04:10 2180352 582a8dbaa58c3b1f176eb2817daee77c c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
2004-08-04 03:00 2180992 ce218bc7088681faa06633e218596ca7 c:\windows\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-01 19:59 2179328 4d4cf2c14550a4b7718e94a6e581856e c:\windows\$NtUninstallKB929338$\ntoskrnl.exe
2006-12-19 09:17 2180352 8f0deab1f81fb83f9c5995853ce48b9f c:\windows\$NtUninstallKB931784$\ntoskrnl.exe
2008-04-13 14:27 2188928 0c89243c7c3ee199b96fcc16990e0679 c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
2008-08-14 05:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5 c:\windows\Driver Cache\i386\ntoskrnl.exe
2008-04-13 14:27 2188928 0c89243c7c3ee199b96fcc16990e0679 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
2008-08-14 05:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5 c:\windows\system32\ntoskrnl.exe
2008-08-14 05:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5 c:\windows\system32\dllcache\ntoskrnl.exe

2008-04-13 19:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\explorer.exe

2004-08-04 03:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 c:\windows\$NtServicePackUninstall$\services.exe
2008-04-13 19:12 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\ServicePackFiles\i386\services.exe
2008-04-13 19:12 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\system32\services.exe

2004-08-04 03:00 13312 84885f9b82f4d55c6146ebf6065d75d2 c:\windows\$NtServicePackUninstall$\lsass.exe
2008-04-13 19:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 c:\windows\ServicePackFiles\i386\lsass.exe
2008-04-13 19:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 c:\windows\system32\lsass.exe

2004-08-04 03:00 15360 24232996a38c0b0cf151c2140ae29fc8 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 19:12 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-13 19:12 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 c:\windows\system32\ctfmon.exe

2005-06-10 19:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 18:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f c:\windows\$NtServicePackUninstall$\spoolsv.exe
2004-08-04 03:00 57856 7435b108b935e42ea92ca94f59c8e717 c:\windows\$NtUninstallKB896423$\spoolsv.exe
2008-04-13 19:12 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b c:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-13 19:12 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b c:\windows\system32\spoolsv.exe

2004-08-04 03:00 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 19:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\ServicePackFiles\i386\userinit.exe
2008-04-13 19:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\system32\userinit.exe

2004-08-04 03:00 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\$NtServicePackUninstall$\termsrv.dll
2008-04-13 19:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\ServicePackFiles\i386\termsrv.dll
2008-04-13 19:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6cb34c50-cecb-4f51-48b5-8ba4146bf868}]
2008-12-02 12:12 672768 --a------ c:\windows\system32\nso11.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-22 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-22 126976]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0\bin\jusched.exe" [2005-04-10 36972]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-10-13 278528]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-11-05 233534]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"hpWirelessAssistant"="c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-01-21 790528]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-03 188416]
"ViewMgr"="c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [2004-11-10 111816]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-01-14 155648]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-09 1261336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=,avgrsstx.dll owmeoy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\Drivers\avgrkx86.sys [2008-12-08 12936]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-08 98440]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-12-08 90632]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-08 231704]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-10-27 24652]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e3979e2a-39ab-11da-ac33-806d6172696f}]
\shell\play\command - "c:\program files\InterVideo\WinDVD\WinDVD.exe" %1
.
- - - - ORPHANS REMOVED - - - -

BHO-{0EFA3FC0-93CE-4D86-B88A-76DEDFBA0F1F} - c:\windows\system32\opnlLDts.dll
BHO-{5B40A308-28C6-44DE-9C94-649FE938C0FD} - c:\windows\system32\tuvVNFvw.dll
BHO-{BCBBF5F0-EB72-E2D6-2FE0-2B2E80E56E64} - c:\windows\system32\pzygdecofkllc.dll
BHO-{f1ca0e2a-8fee-4588-be7e-c75bd1cc861f} - c:\windows\system32\owmeoy.dll
HKCU-Run-Aim6 - (no file)

.
------- Supplementary Scan -------
.
uStart Page = hxxp://prod.campuscruiser.com/PageServlet?pg=home_welcome&cp=98
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{ECDCA4E5-DE44-4b94-8F46-CD0D5B4895FC} - c:\program files\AMICUS50\Research\GetTags.htm
IE: {{ECDCA4E5-DE44-4b94-8F46-CD0D5B4895FC} - c:\program files\AMICUS50\Research\GetTags.htm -
FF - ProfilePath - c:\documents and settings\test\Application Data\Mozilla\Firefox\Profiles\f8jdgcn6.default\
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www10.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - hxxp://prod.campuscruiser.com/q?pg=home_welcome&cp=98
FF - prefs.js: keyword.URL - hxxp://www10.yoog.com/search.php?q=
FF - plugin: c:\program files\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJPI150.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPOJI610.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-14 22:18:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?

?3?6?3?0??p?

?,?B?

???hLC?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HPQ\Shared\hpqwmi.exe
c:\windows\system32\ZoneLabs\vsmon.exe
.
**************************************************************************
.
Completion time: 2008-12-14 22:29:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-15 03:28:15

Pre-Run: 42,295,164,928 bytes free
Post-Run: 42,761,490,432 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

299 --- E O F --- 2008-12-05 03:57:03

guestolo · « **Reply #6 on:** December 14, 2008, 11:02:11 PM »

That's looking better, but can we run one more scanner so we can remove some more entries

download Malwarebytes' Anti-Malware from Here or Here
Save the installer to desktop

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

shalafime21 · « **Reply #7 on:** December 14, 2008, 11:37:23 PM »

I successfully ran the scan and removed the objects as you requested. Here's the log you requested:

Malwarebytes' Anti-Malware 1.31
Database version: 1500
Windows 5.1.2600 Service Pack 3

12/14/2008 11:25:45 PM
mbam-log-2008-12-14 (23-25-45).txt

Scan type: Quick Scan
Objects scanned: 50699
Time elapsed: 8 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 19
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\grandbar.bho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\grandbar.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{bb112471-9094-471b-92b0-931a40c42b98} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\GrandPack (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\grandbar.band (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\grandbar.band.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6cb34c50-cecb-4f51-48b5-8ba4146bf868} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6cb34c50-cecb-4f51-48b5-8ba4146bf868} (Adware.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\GrandPack\GrandPack.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nso11.dll (Adware.BHO) -> Quarantined and deleted successfully.

guestolo · « **Reply #8 on:** December 15, 2008, 12:06:56 AM »

Can I see the following log please
supply an uninstall list from Hijackthis
Open Hijackthis>>Open MISC TOOLS SECTION>>Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop then copy>>Paste back here the Whole contents

shalafime21 · « **Reply #9 on:** December 15, 2008, 12:19:36 AM »

Here you go:

Adobe Acrobat 5.0
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 6.0.1
AIM 6
AVG 8.0
Big Fish Games Client
Big Fish Games Sudoku (remove only)
Business Contact Manager for Outlook 2003
Conexant AC-Link Audio
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
hp deskjet 3320 series (Remove only)
HP Software Update
HP User Guides 0001
HP Wireless Assistant
Intel® Graphics Media Accelerator Driver for Mobile
Internet Speed Monitor
InterVideo WinDVD
iTunes
J2SE Runtime Environment 5.0
Lexmark Z600 Series
Mahjong Towers Eternity
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Small Business Edition 2003
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla Firefox (3.0.4)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 4.0 - SE
My Wal-Mart Digital Photo Center
MyDsc2
PhoTags Express
Quick Launch Buttons 5.10 B2
QuickTime
Sansa Media Converter
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Soft Data Fax Modem with SmartCP
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
SSH2Deluxe Screen Saver
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515 drivers.
upapp
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
ZoneAlarm

guestolo · « **Reply #10 on:** December 15, 2008, 12:58:12 AM »

Can you do the following

Print these next set of Instructions, or save them to a text file on desktop
I'll need you to keep your browser windows closed for much of this

In IE7, beside the Address bar, is a Search bar
To the right of the search bar is a magnifying glass and a drop down arrow
Left click the drop down arrow
and select>>"Change Search Defaults"
If you see "Yoog Search" in the list
Highlight it and Remove it
Then highlight Google and set to Default

Close IE7 and don't reopen it till we reboot the computer later

In Mozilla Firefox
Beside the address bar is the Search engine bar
Can you use the drop down arrow beside the search box, >>Select "Manage Search Engines"
If YOOG is listed, can you highlight it and remove it
Then Highlight Google and Hit OK

Close Firefox, don't reopen it until we are done

Set Windows is to show hidden files/folders
In MyComputer select TOOLS>>FOLDER OPTIONS>>VIEW
Select the Radio button to Show hidden files/folders
Apply and OK it

Navigate to the following folder
c:\documents and settings\test\Application Data\Mozilla\Firefox\Profiles\f8jdgcn6.default
In that folder right click on prefs.js and select EDIT
Delete the 2 lines referring to the following

===================================================
user_pref("browser.search.selectedEngine", "Yoog Search");
user_pref("keyword.URL", "http://www10.yoog.com/search.php?q=");
======================================================
Close prefs.js and save the changes when prompted
remain in the f8jdgcn6.default folder
Right click on user.js and select edit
If the following entries are found related to the following
================
browser.search.selectedEngine - Yoog Search
keyword.URL - hxxp://www10.yoog.com/search.php?q=
keyword.enabled - true
================

And are the only 3 entries found in user.js
Delete the file user.js itself
If there are other entries, let me know later please

Access your Add and Remove programs and remove all the following
Internet Speed Monitor
J2SE Runtime Environment 5.0
Viewpoint Manager (Remove Only)
Viewpoint Media Player

Reboot the computer
Back in Windows
[color=\"blue\"]Updating Java:[/color]

Download the latest version of Java Runtime Environment (JRE) 10.
Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 10".
Click the "Download" button to the right.
In the Window that opens, select Windows in the dropdown box beside Platform:,>>Check the "agree" box and click Continue.
Click on the link to download Windows Offline Installation and save to your desktop.
Then from your desktop double-click on jre-6u10-windows-i586-p.exe that you downloaded to install the newest version.

Come back here and post a fresh Hijackthis log afterwards
Let me know if you removed user.js file

shalafime21 · « **Reply #11 on:** December 15, 2008, 01:03:03 AM »

Ok I have printed out the instructions. Right now I am out for the night! Thank you very much for all of your help and I will send you the fresh log/report tomorrow afternoon.

guestolo · « **Reply #12 on:** December 15, 2008, 01:07:25 AM »

Have a good night

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

shalafime21 · « **Reply #13 on:** December 15, 2008, 01:49:02 PM »

Ok I am back

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/tongue.gif\' class=\'bbc_emoticon\' alt=\'

\' />

I have some good news and bad news. I do not have your new hijackthis log yet. I encountered some problems while following your last set of instructions.

Here is a rundown of what happened:

1.) Internet Explorer will not open. I believe I deleted all of the files that went with it before I asked for your help. After I ran the combofix it appeared on my desktop again but I did not reinstall it or anything myself and it does not do anything when I click to open it. I was able to right click on the icon and go to properties and remove yoog from the search default that way, but there was not google option so I put Yahoo for the default.

2.) Yoog was not listed in my Mozilla search engines. I left Yahoo the default there as well.

3.) I successfully deleted user_pref("keyword.URL", "http://www10.yoog.com/search.php?q but user_pref("browser.search.selectedEngine", "Yoog Search"); was not in the Mozilla prefs folder.

4.) The only entries in user.js were what you mentioned:

browser.search.selectedEngine - Yoog Search
keyword.URL - hxxp://www10.yoog.com/search.php?q=
keyword.enabled - true

So, I deleted user.js.

5.) In the add/remove programs an error occurred while I was trying to get rid of Internet Speed Monitor. It said it may have already been uninstalled, so I clicked yes to simply remove it from the add or remove programs list.

6.) When I go to the site to download the JRE 6 Update 10 it is not on the list. Here is what is listed:

<h3 id="jre">[font=\"Arial\"]Java SE Runtime Environment (JRE) 6 Update 11[/font]</h3>[font=\"Arial\"]Java SE Development Kit (JDK) 6 Update 11[/font][/size] <h3 id="jdkJavaEE">[font=\"Arial\"]JDK 6 Update 10 with Java EE[/font]</h3> <h3 id="jdkNetBeans">[font=\"Arial\"]JDK 6 Update 11 with NetBeans 6.5[/font]</h3>
...and a couple other things that I know are also not correct (patches etc.). The closest was the JRE 6 Update 11, but I didn't want to download the wrong thing and mess everything up...

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/dry.gif\' class=\'bbc_emoticon\' alt=\'<_<\' /> So I await further instructions before I download anything and proceed to run the Hijackthis again.

guestolo · « **Reply #14 on:** December 15, 2008, 01:55:23 PM »

Sorry, go to Java's site and get
Java SE Runtime Environment (JRE) 6 Update 11

I forgot you deleted a whole bunch of files related to Internet Explorer
It's best just to hide IE, but no concern now

shalafime21 · « **Reply #15 on:** December 15, 2008, 02:26:45 PM »

I downloaded the Java and installed it. Here is the hijackthis log I ran after:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:23:58 PM, on 12/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://prod.campuscruiser.com/PageServlet?...lcome&cp=98
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Add to Library - {ECDCA4E5-DE44-4b94-8F46-CD0D5B4895FC} - C:\PROGRAM FILES\AMICUS50\Research\GetTags.htm (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll owmeoy.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7137 bytes

guestolo · « **Reply #16 on:** December 15, 2008, 02:46:03 PM »

=Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop
Ensure to copy from REGEDIT4 and down in the code box

Code: [Select]

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
"AppInit_DLLs"="avgrsstx.dll"

Double click on fix.reg and allow to add/merge to the registry at the prompt
Reboot the computer

Come back here and post one more fresh Hijackthis log
Let me know how things are running

NOTE: Here's some reading on Hiding IE instead of removing it
http://kb.mozillazine.org/Uninstalling_Internet_Explorer

shalafime21 · « **Reply #17 on:** December 15, 2008, 03:05:13 PM »

I have been meaning to tell you (and thank you!) that things have been running EXCELLENT since the first combofix and MBAM run. I haven't been plagued by any pop ups or Trojan Vundo warnings and it is a very nice change from the past week and a half!

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' />

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/laugh.gif\' class=\'bbc_emoticon\' alt=\':lol:\' />

I was able to create, copy, save, and open the notepad fix you had me make and I rebooted the laptop with no problems.

Here is the newest hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:04:09 PM, on 12/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://prod.campuscruiser.com/PageServlet?...lcome&cp=98
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Add to Library - {ECDCA4E5-DE44-4b94-8F46-CD0D5B4895FC} - C:\PROGRAM FILES\AMICUS50\Research\GetTags.htm (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7183 bytes

guestolo · « **Reply #18 on:** December 15, 2008, 03:50:18 PM »

I'm sure Grisoft, the makers of AVG thank you for purchasing their product
You do know they also have a free version don't you?

Can you still do the following
Go to START>>RUN>>copy and paste the following then click OK
ComboFix /u
This will uninstall ComboFix and it's components

Manually delete fix.reg and the Java installer from desktop

I suggest that you add SpywareBlaster to your protection software
SpywareBlaster by JavaCool
At the link you can read more about it then continue with
Free Download on the right>>Continue Download at next page
Basically it

Select Manual updating when installing
After installation, Check for updates
After updating, select "Protection Status" on the Left
Then select "Enable all Protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"
or again, click on Protection Startus>>enable all protection

I would opt to hold onto MalwareByte's Anti-Malware
Update and run a Quick Scan occassionally
Or uninstall it from Add and Remove Programs
If you decide to hold onto it
Open MBAM, Open the Quarantine tab>>and select ONLY Delete All

Can you Download CCleaner from the following link
http://www.ccleaner.com/download/builds
Choose the bottom download
CCleaner v2.14.763 - Slim

Save it then double click to Install
When installing, untick all options except for the Desktop Shortcut
In an open CCleaner window click on OPTIONS>>COOKIES
Move the ones you want to keep to the KEEP side
Then click on ADVANCED>>Untick "Only delete Temp files older than 48 hours"
Click on CLEANER on the left then click on "RUN CLEANER" on the bottom right
OK the prompt
Let it finish then Exit
You can manually check for updates on the bottom right hand side
of the main screen every couple months or so
If there is an update, I suggest that you untick the option to install the Toolbar
You can install over top of an older version, keeping your settings intact
I would hold onto this tool and run it every week

I forgot to change one registry setting that may have been changed by the infections
After you have deleted fix.reg, can we redo it
==Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop
Ensure to copy from REGEDIT4 and down in the code box

Code: [Select]

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000

Double click on fix.reg and allow to add/merge to the registry at the prompt
You will have to reboot for the change to take effect
This will put that setting back to default

shalafime21 · « **Reply #19 on:** December 16, 2008, 03:37:35 PM »

Iâ€™m sure AVG is very happy that I purchased their product.

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/wink.gif\' class=\'bbc_emoticon\' alt=\'

\' /> I was using the free version along with zone alarm on my laptop before I contracted all of the trouble youâ€™ve been helping me fix. For some reason the free stuff wasnâ€™t cutting it since the virus got through and when I ran my scans NOTHING was showing up. I only knew I had major issues due to my laptopâ€™s sudden poor performance, pop ups, and when I searched your forums and others for this yoog thing. Plus, the purchased protection included spyware, rootkit finders, webshields, a toolbar, and all of that extra stuff that it doesnâ€™t hurt to have handy!

I definitely plan on keeping MBAM (thank you very much for bringing my attention to it!) because it seems to be very efficient and easy to use. Every little bit helps and I have plenty of space on my laptop to keep it.

I also installed CCLeaner and the Spyware Blaster. I will definitely make use of the CCLeaner since Mozilla seems to retain everything from every site I visit.

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/tongue.gif\' class=\'bbc_emoticon\' alt=\'

\' />

I also completed your other instructions with not problems. Thank you sooooo much for all of your time and assistance. I could not be happier with how my laptop is running now. I think itâ€™s the fastest itâ€™s been in a long time.

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

News:

Author Topic: Yoog, Globalsolutions, Pop Ups, and now Vundo??? (Read 1306 times)