0

Recently, my computer's been having weird pop-ups about Windows Defender which I've never downloaded. I ran a virus scan with avast and such, adaware, stuff like that... nothing much at all. I noticed several posts about this Vundo thing and have been researching for hours. This post helped the most: http://www.daniweb.com/forums/thread185178.html

Now, I'm 20-30% certain that this is possibly, maybe, could be the same thing. I ran HiJack This in safe mode and came across awkwardly named *.dll files in the reg. keys. The post had the guy delete these files, but there were several other steps, too. Since the virus has a habit of naming random things, I'm not sure what I should delete. Furthermore, I did run HiJack This in safemode and don't know if that affects the log's outcomes.

Currently, I'm running XP 32-bit on SP2. It's used for music production as a hobby, so some of the files might have to be looked up since some of them work for professional audio programs (like Pro-Tools, M-audio drivers, and other things like that). I'm able to give other stats if you need them. (Oh, and I have 3 internal HDD's if that matters and an external one, as well).

This is the log I generated in SAFE MODE:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:47:31 AM, on 4/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 82.98.231.89 browser-security.microsoft.com
O1 - Hosts: 82.98.231.89 best-click-scanner.info
O1 - Hosts: 82.98.231.89 antivirus-xp-pro-2009.com
O1 - Hosts: 82.98.231.89 microsoft.infosecuritycenter.com
O1 - Hosts: 82.98.231.89 microsoft.softwaresecurityhelp.com
O1 - Hosts: 82.98.231.89 onlinenotifyq.net
O1 - Hosts: 82.98.231.89 antivirusxp-pro-2009.com
O1 - Hosts: 82.98.231.89 microsoft.browser-security-center.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4078dbfa-ec75-47de-87a4-bd59bf539d9b} - C:\WINDOWS\system32\keyisori.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "E:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [D-Link Wireless G WDA-1320] C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [mafosulevu] Rundll32.exe "C:\WINDOWS\system32\radayogu.dll",s
O4 - HKLM\..\Run: [e4dfef14] rundll32.exe "C:\WINDOWS\system32\tapubanu.dll",b
O4 - HKLM\..\Run: [CPMe7ecdc88] Rundll32.exe "c:\windows\system32\tehayela.dll",a
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] E:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DisplayFusion] "C:\Program Files\DisplayFusion\DisplayFusion.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Oxygen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Steam] "v:\steam\steam.exe" -silent
O4 - HKCU\..\Run: [EA Core] "E:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKUS\S-1-5-20\..\Run: [mafosulevu] Rundll32.exe "C:\WINDOWS\system32\radayogu.dll",s (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = E:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Stardock ObjectDock.lnk = E:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Copy to Semagic - E:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Semagic - E:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.4.2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\wabedelu.dll c:\windows\system32\tehayela.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tehayela.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tehayela.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\D-Link\Wireless G WDA-1320\JSWUtil\jswpsapi.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: M-Audio CMIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 9237 bytes


If it helps you guys, my assumption was to go and delete the following:

O2 - BHO: (no name) - {4078dbfa-ec75-47de-87a4-bd59bf539d9b} - C:\WINDOWS\system32\keyisori.dll
O4 - HKLM\..\Run: [mafosulevu] Rundll32.exe "C:\WINDOWS\system32\radayogu.dll",s
O4 - HKLM\..\Run: [e4dfef14] rundll32.exe "C:\WINDOWS\system32\tapubanu.dll",b
O4 - HKLM\..\Run: [CPMe7ecdc88] Rundll32.exe "c:\windows\system32\tehayela.dll",a
O4 - HKUS\S-1-5-20\..\Run: [mafosulevu] Rundll32.exe "C:\WINDOWS\system32\radayogu.dll",s (User 'NETWORK SERVICE')

It seems like there's some things I'm missing. The post I mentioned had the guy delete an *.exe file at some point in the key (02 something... I think it was a BHO (no name) kind of deal). I didn't touch anything in case I was wrong. Wanted to ask some professionals. If I need to re-do this log in a normal boot of XP, I'll have it up as fast as someone asks.

Oh, also... I ran vundofix.exe in safemode. The program said it didn't detect anything. Also, I worked in safemode because it seemed like the most logical thing to do.

Thanks, guys! I appreciate the help in advance.

P.S.: Looks like a lot of the posts are suggesting a security vulnerability in the Java software. Is this the underlying problem?

2
Contributors
16
Replies
17
Views
8 Years
Discussion Span
Last Post by jholland1964
0

First of all, unless it is impossible to run in Normal Mode HiJackThis should not be run in Safe Mode. You don't get a full picture of the computer in safe mode. Secondly, fixes done with HJT are most generally Clean up fixes AFTER removal programs have been completed. Just removing something with HJT doesn't necessarily remove the offending file, just removes the listing from HJT so please only consider it a scanner program.
Also, there are items disabled from starting using msconfig. Please go back in and make sure all are enabled so we can see what is listed there too. We can give steps for disabling unneeded start ups later, for now we need to see what those may be.

Do the following, and it must be done in NORMAL MODE as MBA-M is configured to scan and remove in Normal Mode:

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.
Reboot the computer

Run HiJackThis again, in NORMAL MODE. Save the log.
Post back here with the MBA-M log and the new HJT log.
Judy

P.S.: Looks like a lot of the posts are suggesting a security vulnerability in the Java software. Is this the underlying problem?

Yes, especially with this computer since the java program is WAY out of date. We will fix that later. Continue with the steps given.

0

Thanks for the super speedy reply. Finally got around to getting this all done. Lots of volume to get through. I ran MBAM and stuff... still on the slow side. Nothing, actually, has seemed to change. Don't know if there's more to do. But, anyway, here's the MBAM log:

Malwarebytes' Anti-Malware 1.36
Database version: 1983
Windows 5.1.2600 Service Pack 2

4/14/2009 9:21:40 PM
mbam-log-2009-04-14 (21-21-40).txt

Scan type: Full Scan (C:\|D:\|E:\|I:\|V:\|)
Objects scanned: 512201
Time elapsed: 2 hour(s), 52 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 7
Registry Values Infected: 5
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\wabedelu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tapubanu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\keyisori.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\radayogu.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\tehayela.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4078dbfa-ec75-47de-87a4-bd59bf539d9b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4078dbfa-ec75-47de-87a4-bd59bf539d9b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4078dbfa-ec75-47de-87a4-bd59bf539d9b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e4dfef14 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mafosulevu (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpme7ecdc88 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\wabedelu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\wabedelu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\tehayela.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\tapubanu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\unabupat.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\radayogu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\tehayela.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\keyisori.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wabedelu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Oxygen\Local Settings\Temp\e.exe (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\migirega.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\wuvajepe.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tizuguve.dll (Trojan.Agent) -> Delete on reboot.

AND now the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:40 PM, on 4/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
E:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\WINDOWS\system32\nvsvc32.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
E:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DisplayFusion\DisplayFusion.exe
C:\Documents and Settings\Oxygen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
V:\steam\steam.exe
E:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
E:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
E:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\wscntfy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 82.98.231.89 browser-security.microsoft.com
O1 - Hosts: 82.98.231.89 best-click-scanner.info
O1 - Hosts: 82.98.231.89 antivirus-xp-pro-2009.com
O1 - Hosts: 82.98.231.89 microsoft.infosecuritycenter.com
O1 - Hosts: 82.98.231.89 microsoft.softwaresecurityhelp.com
O1 - Hosts: 82.98.231.89 onlinenotifyq.net
O1 - Hosts: 82.98.231.89 antivirusxp-pro-2009.com
O1 - Hosts: 82.98.231.89 microsoft.browser-security-center.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4078dbfa-ec75-47de-87a4-bd59bf539d9b} - C:\WINDOWS\system32\mikomuyo.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "E:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [D-Link Wireless G WDA-1320] C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [mafosulevu] Rundll32.exe "C:\WINDOWS\system32\wuvajepe.dll",s
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] E:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DisplayFusion] "C:\Program Files\DisplayFusion\DisplayFusion.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Oxygen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Steam] "v:\steam\steam.exe" -silent
O4 - HKCU\..\Run: [EA Core] "E:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [mafosulevu] Rundll32.exe "C:\WINDOWS\system32\wuvajepe.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [mafosulevu] Rundll32.exe "C:\WINDOWS\system32\wuvajepe.dll",s (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = E:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Stardock ObjectDock.lnk = E:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Copy to Semagic - E:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Semagic - E:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\migirega.dll,C:\WINDOWS\system32\vidomovo.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\D-Link\Wireless G WDA-1320\JSWUtil\jswpsapi.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: M-Audio CMIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 11020 bytes

Once again, thank you so much for the speedy reply.

0

One reason for the slowness is that you have a HUGE number of programs running all the time in the background, most or many auto start and are not needed to do so. I will give you a list of those that don't need to do that shortly and also a FREE program to use to easily stop them.
But first there is another program you need to run. While MBA-M removed a lot, there are a lot of infected files still remaining. Please do the following:
download ComboFix, You will get a prompt asking if you want to run or save the file. Choose SAVE and save it to the desk top. DO NOT RUN it YET
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.
Windows may issue a prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.
ComboFix is now preparing to run and when it has finished you will see the Disclaimer screen you should press the number 1 key and then press the enter key to continue.
ComboFix will create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry.
Once the Windows Registry has finished being backed up, ComboFix will disconnect your computer from the Internet. Therefore, do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet as your connection will be completely restored at a later stage in the program.

ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to what they were previously. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan.

When ComboFix has finished running, you will see a screen stating that it is preparing the log report
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically
You should now post this log here when all is complete.
Judy

0

I shut down pretty much everything with the exception of my Logitech SetPoint (I noticed this still running after i started ComboFix, but was too paranoid to shut if off).

ComboFix kind of didn't do all the things you said it would do. After I ran it, it prompted me to download the recovery console. It also didn't make a backup of my registry (I think... I'm not exactly sure if it did this while I looked away for a second or what... either way, I wasn't prompted to save it anywhere). It then rebooted my computer.

While the log report was being prepared (it said not to run any programs until it finished... but my start-up programs ran... don't know if that interfered with it), a rundll window appeared, I guess from when some of the DLL files were deleted with MBAM.

Anyway, it generated a report just fine; dunno if the reboot or the start-up programs interfered. And here it is:

ComboFix 09-04-15.08 - Oxygen 04/15/2009 2:44.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3327.2896 [GMT -4:00]
Running from: c:\documents and settings\Oxygen\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090414-0] *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\evuguzit.ini

.
((((((((((((((((((((((((( Files Created from 2009-03-15 to 2009-04-15 )))))))))))))))))))))))))))))))
.

2009-04-14 22:23 . 2009-04-14 22:23 -------- d-----w c:\documents and settings\Oxygen\Application Data\Malwarebytes
2009-04-14 22:23 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-14 22:22 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-14 22:22 . 2009-04-14 22:22 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-14 08:28 . 2009-04-14 08:28 -------- d-----w C:\VundoFix Backups
2009-04-14 03:38 . 2009-04-14 03:38 21615 ----a-w c:\windows\system32\AAWService_2009_04_13_23_38_18.dmp
2009-04-14 02:54 . 2009-04-14 02:54 24616 ----a-w c:\windows\system32\AAWService_2009_04_13_22_54_42.dmp
2009-04-14 02:35 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-14 02:28 . 2009-04-14 02:28 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-14 02:27 . 2009-04-14 02:35 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-23 01:47 . 2009-03-23 01:47 -------- d-----w c:\documents and settings\All Users\Application Data\Electronic Arts
2009-03-23 01:40 . 2009-03-23 01:46 -------- d-----w c:\windows\NV1026810272.TMP
2009-03-22 07:29 . 2009-03-22 07:29 -------- d-----w c:\documents and settings\Oxygen\Local Settings\Application Data\Criterion Games
2009-03-22 03:25 . 2009-03-22 03:25 4234 ----a-w c:\windows\system32\ealregsnapshot1.reg
2009-03-22 03:18 . 2009-03-22 03:18 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2009-03-22 03:17 . 2008-10-10 08:52 452440 ----a-w c:\windows\system32\d3dx10_40.dll
2009-03-22 03:17 . 2008-10-10 08:52 2036576 ----a-w c:\windows\system32\D3DCompiler_40.dll
2009-03-22 03:17 . 2008-10-10 08:52 4379984 ----a-w c:\windows\system32\D3DX9_40.dll
2009-03-22 03:17 . 2008-10-27 14:04 514384 ----a-w c:\windows\system32\XAudio2_3.dll
2009-03-22 03:17 . 2008-10-27 14:04 70992 ----a-w c:\windows\system32\XAPOFX1_2.dll
2009-03-22 03:17 . 2008-10-27 14:04 235856 ----a-w c:\windows\system32\xactengine3_3.dll
2009-03-22 03:17 . 2008-10-27 14:04 23376 ----a-w c:\windows\system32\X3DAudio1_5.dll
2009-03-16 15:14 . 2009-03-16 15:14 413696 ----a-w c:\windows\system32\wrap_oal.dll
2009-03-16 15:14 . 2009-03-16 15:14 110592 ----a-w c:\windows\system32\OpenAL32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-14 23:08 . 2009-01-14 23:08 70144 --sha-w c:\windows\system32\zobubabe.dll
2009-04-14 23:08 . 2009-01-14 23:08 70144 --sha-w c:\windows\system32\zobubabe.dll
2009-04-14 22:23 . 2009-04-14 22:22 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-14 08:47 . 2009-04-14 08:47 -------- d-----w c:\program files\Trend Micro
2009-04-14 08:44 . 2009-04-14 08:28 136 ----a-w C:\VundoFix.txt
2009-04-14 03:15 . 2009-04-14 03:15 -------- d-----w c:\program files\CCleaner
2009-04-14 02:53 . 2009-04-14 02:20 -------- d-----w c:\program files\Exterminate It!
2009-04-14 02:27 . 2007-09-27 17:14 -------- d-----w c:\program files\Lavasoft
2009-04-14 02:23 . 2007-09-27 17:13 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-14 01:09 . 2009-01-14 01:09 63488 --sha-w c:\windows\system32\fehamito.exe
2009-04-14 01:09 . 2009-01-14 01:09 63488 --sha-w c:\windows\system32\fehamito.exe
2009-04-11 08:51 . 2008-05-15 14:47 -------- d-----w c:\program files\Digsby
2009-04-08 04:48 . 2007-10-15 21:50 -------- d-----w c:\documents and settings\Oxygen\Application Data\Move Networks
2009-04-05 22:40 . 2007-10-02 05:33 -------- d-----w c:\documents and settings\Oxygen\Application Data\uTorrent
2009-03-25 17:45 . 2009-03-25 17:45 -------- d-----w c:\program files\Microsoft Xbox 360 Accessories
2009-03-23 01:40 . 2007-11-06 20:31 -------- d-----w c:\program files\AGEIA Technologies
2009-03-22 03:26 . 2007-09-27 00:22 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-22 03:26 . 2009-03-22 03:26 -------- d-----w c:\program files\Electronic Arts
2009-03-16 15:14 . 2009-03-16 15:14 -------- d-----w c:\program files\OpenAL
2009-03-15 21:55 . 2007-10-05 20:13 -------- d-----w c:\documents and settings\Oxygen\Application Data\IGN_DLM
2009-03-05 15:33 . 2009-03-05 15:33 -------- d-----w c:\program files\GPLGS
2009-03-05 15:32 . 2009-03-05 15:32 -------- d-----w c:\program files\Acro Software
2009-02-24 16:15 . 2008-06-27 14:06 -------- d-----w c:\program files\Waves
2009-02-23 13:20 . 2009-02-23 12:39 -------- d-----w c:\program files\InterActual
2009-02-22 19:48 . 2009-02-22 19:48 -------- d-----w c:\program files\DisplayFusion
2009-02-22 15:55 . 2009-02-22 15:54 594 ----a-w C:\updatedatfix.log
2009-02-22 15:55 . 2007-09-29 00:01 -------- d-----w c:\program files\HP
2009-02-22 15:54 . 2009-02-22 15:54 -------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-02-21 22:15 . 2007-09-29 04:29 -------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-15 10:26 . 2009-02-15 10:26 -------- d-----w c:\program files\ASRock Utility
2009-02-09 10:19 . 2002-08-29 02:14 1846272 ----a-w c:\windows\system32\win32k.sys
2009-01-29 10:47 . 2007-09-27 16:50 72224 -c--a-w c:\documents and settings\Oxygen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-01-28 09:46 . 2009-01-28 09:46 194936 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-01-27 10:10 . 2009-01-27 10:10 152793 ----a-w C:\GoogleChromeLogo.png
2009-01-24 23:47 . 2007-10-07 05:52 107888 ----a-w c:\windows\system32\CmdLineExt.dll
2009-01-16 22:24 . 2009-01-16 22:24 70936 ----a-w c:\windows\system32\PhysXLoader.dll
2009-01-15 13:19 . 2007-11-09 09:05 453152 -c--a-w c:\windows\system32\nvudisp.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4078dbfa-ec75-47de-87a4-bd59bf539d9b}]
2009-01-14 23:09 70144 --sha-w c:\windows\system32\mikomuyo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-04-21 94208]
"DAEMON Tools"="e:\program files\DAEMON Tools\daemon.exe" [2007-09-18 171464]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"igndlm.exe"="e:\program files\Download Manager\DLM.exe" [2008-08-01 1103216]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"DisplayFusion"="c:\program files\DisplayFusion\DisplayFusion.exe" [2009-02-22 569008]
"Google Update"="c:\documents and settings\Oxygen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-24 133104]
"Steam"="v:\steam\steam.exe" [2008-10-08 1410296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"GrooveMonitor"="e:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"Sony Ericsson PC Suite"="e:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2006-11-14 61440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"D-Link Wireless G WDA-1320"="c:\program files\D-Link\Wireless G WDA-1320\AirGCFG.exe" [2007-08-29 1662976]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"M-Audio Taskbar Icon"="c:\windows\System32\M-AudioTaskBarIcon.exe" [2008-05-15 356864]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-01-11 577536]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]

c:\documents and settings\Oxygen\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - e:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
Stardock ObjectDock.lnk - e:\program files\Stardock\ObjectDock\ObjectDock.exe [2007-11-2 3446512]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-6-26 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 06:42 72208 ----a-w c:\program files\common files\logitech\bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\vidomovo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"Midi1"= usbkt1x1.dll
"Midi2"= ma_cmidn.dll
"midi4"= ma_cmidn.dll
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\windows\system32\vidomovo.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\Steam\\steamapps\\reiayanami676\\team fortress 2\\hl2.exe"=
"e:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"e:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"e:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"e:\\Program Files\\Stardock\\TotalGaming\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"e:\\Program Files\\Steam\\steam.exe"=
"e:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"e:\\Program Files\\Steam\\steamapps\\reiayanami676\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Digsby\\digsby.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"e:\\Program Files\\Electronic Arts\\Red Alert 3\\Data\\ra3_1.6.game"=
"c:\\Program Files\\Digsby\\lib\\digsby-app.exe"=
"v:\\Steam\\steamapps\\common\\rainbow six vegas\\Binaries\\runme.exe"=
"v:\\Steam\\steamapps\\common\\uplink\\Uplink.exe"=
"v:\\Steam\\steamapps\\common\\bioshock\\Builds\\Release\\Bioshock.exe"=
"v:\\Steam\\steamapps\\reiayanami676\\team fortress 2\\hl2.exe"=
"v:\\Steam\\Steam.exe"=
"v:\\Steam\\steamapps\\common\\unreal tournament 3\\Binaries\\UT3.exe"=
"e:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"v:\\Steam\\steamapps\\common\\burnout(tm) paradise the ultimate box\\BurnoutParadise.exe"=
"v:\\Steam\\steamapps\\common\\burnout(tm) paradise the ultimate box\\BurnoutConfigTool.exe"=
"v:\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"v:\\Steam\\steamapps\\common\\company of heroes\\RelicDownloader\\RelicDownloader.exe"=
"v:\\Steam\\steamapps\\common\\company of heroes\\help.htm"=
"v:\\Steam\\steamapps\\common\\company of heroes\\RelicCOH.exe"=
"c:\\WINDOWS\\system32\\lsass.exe"=

R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\D-Link\Wireless G WDA-1320\JSWUtil\jswpsapi.exe [2007-08-02 352338]
R3 MAUSB;Service for M-Audio Fast Track Pro Driver (WDM);c:\windows\system32\DRIVERS\mausb.sys [2008-03-11 143624]
R3 MAUSBFTP;Service for M-Audio Fast Track Pro (WDM);c:\windows\system32\DRIVERS\mausb.sys [2008-03-11 143624]
R3 UKS11LDR;M-Audio USB Keystation Loader;c:\windows\system32\drivers\uks11ldr.sys [2007-09-28 13504]
R3 USBKT1X1;M-Audio USB Keystation;c:\windows\system32\drivers\usbkt1x1.sys [2007-09-28 22304]
S0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2006-11-14 16384]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\DRIVERS\A3AB.sys [2007-05-24 547744]
S3 JSWSCIMD;jswscimd Service;c:\windows\system32\DRIVERS\jswscimd.sys [2007-07-06 57376]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{13475ee8-e95e-11dd-adae-0019668af8d4}]
\Shell\AutoRun\command - J:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c9766ce-6c66-11dc-b019-806d6172696f}]
\Shell\AutoRun\command - G:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be0f9246-e931-11dd-ada8-806d6172696f}]
\Shell\AutoRun\command - G:\install.EXE id= ver=1.0.0.0
.
Contents of the 'Scheduled Tasks' folder

2009-04-14 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

2009-04-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-963894560-725345543-1003.job
- c:\documents and settings\Oxygen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-24 09:33]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-WinampAgent - e:\program files\Winamp\winampa.exe
HKLM-Run-mafosulevu - c:\windows\system32\wuvajepe.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.daemonsearch.com/
uInternet Settings,ProxyOverride = *.local
IE: Copy to Semagic - e:\program files\Semagic\copy.htm
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Semagic - e:\program files\Semagic\link.htm
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Oxygen\Application Data\Mozilla\Firefox\Profiles\8ula11ra.default\
FF - plugin: c:\documents and settings\Oxygen\Application Data\Mozilla\Firefox\Profiles\8ula11ra.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\Oxygen\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: e:\program files\Download Manager\npfpdlm.dll
FF - plugin: e:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: e:\program files\Real Alternative\browser\plugins\nppl3260.dll
FF - plugin: e:\program files\Real Alternative\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-15 02:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1957994488-963894560-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:d7,36,67,6c,13,f1,6a,d0,b3,7b,d0,54,3a,b6,0c,fd,a7,9c,f6,94,5d,85,63,
8a,bb,a7,80,d9,d7,dd,5e,97,89,fc,26,7d,86,cb,fe,5a,ad,79,30,3c,5b,f9,6d,88,\
"??"=hex:f1,42,49,73,a4,b4,8b,22,77,dd,69,bc,52,95,ad,ee

[HKEY_USERS\S-1-5-21-1957994488-963894560-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:50,a8,2f,5f,9d,0b,f8,92,0a,ae,fe,20,17,3d,1b,a1,a1,06,dc,36,56,
35,2f,fd,d8,80,13,d8,08,03,01,cb,13,db,7f,c2,ed,5f,dd,d1,6e,75,aa,9a,45,84,\
"rkeysecu"=hex:87,45,5b,9e,f2,8b,36,3f,b3,9f,37,cb,a6,3c,38,7d
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1004)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(1060)
c:\windows\system32\vidomovo.dll

- - - - - - - > 'explorer.exe'(2808)
e:\program files\Stardock\ObjectDock\DockShellHook.dll
c:\windows\system32\vidomovo.dll
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\DisplayFusion\DisplayFusionHookx86.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\Teleca Shared\CapabilityManager.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
e:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
.
**************************************************************************
.
Completion time: 2009-04-15 2:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-15 06:52

Pre-Run: 2,464,342,016 bytes free
Post-Run: 2,488,643,584 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn /usepmtimer

283 --- E O F --- 2009-03-23 09:44

Thanks for the, once again, very timely reply.

0

You did wonderfully. Combofix ran exactly as it was supposed to do.
Now you need to do the following:
· Make sure that combofix.exe is on your Desktop but Do not run it!
o If it is not on your Desktop, the below will not work.
· Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

KillAll::

File::

C:\WINDOWS\system32\vidomovo.dll
C:\WINDOWS\system32\wuvajepe.dll
C:\WINDOWS\system32\wuvajepe.dll
c:\windows\system32\zobubabe.dll
c:\windows\system32\zobubabe.dll
c:\windows\system32\mikomuyo.dll
c:\windows\system32\vidomovo.dll
c:\windows\system32\migirega.dll
c:\windows\system32\fehamito.exe
c:\windows\system32\fehamito.exe

· Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
· At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
· You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
· Now use your mouse to drag CFscript.txt on top of ComboFix.exe
· Follow the prompts.
· When it finishes, a log will be produced named c:\combofix.txt

Post back here with that new combofix log.

0

It worked out all right. I'm posting from my laptop, so I continually shut-down the infected PC, if that changes things. Wasn't sure if it did, but I kind of do it instinctively (like, every post I've made so far has also included me shutting down the infected). I usually don't leave it running cuz it makes the room hot as hell. If it doesn't matter, then cool.

Here's the new combofix log:

ComboFix 09-04-15.08 - Oxygen 04/15/2009 11:26.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3327.2860 [GMT -4:00]
Running from: c:\documents and settings\Oxygen\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Oxygen\Desktop\CFscript.txt
AV: avast! antivirus 4.8.1335 [VPS 090414-0] *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\fehamito.exe
c:\windows\system32\migirega.dll
c:\windows\system32\mikomuyo.dll
c:\windows\system32\vidomovo.dll
c:\windows\system32\wuvajepe.dll
c:\windows\system32\zobubabe.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\fehamito.exe
c:\windows\system32\mikomuyo.dll
c:\windows\system32\tiwurufe.dll
c:\windows\system32\uyusanus.ini
c:\windows\system32\vidomovo.dll
c:\windows\system32\zobubabe.dll

.
((((((((((((((((((((((((( Files Created from 2009-03-15 to 2009-04-15 )))))))))))))))))))))))))))))))
.

2009-04-15 15:31 . 2009-04-15 15:31 0 ----a-w c:\windows\system32\uyusanus.tmp
2009-04-15 15:31 . 2009-04-15 15:31 1409203 --sh--w c:\windows\system32\uyusanus.ini
2009-04-14 22:23 . 2009-04-14 22:23 -------- d-----w c:\documents and settings\Oxygen\Application Data\Malwarebytes
2009-04-14 22:23 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-14 22:22 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-14 22:22 . 2009-04-14 22:22 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-14 08:28 . 2009-04-14 08:28 -------- d-----w C:\VundoFix Backups
2009-04-14 03:38 . 2009-04-14 03:38 21615 ----a-w c:\windows\system32\AAWService_2009_04_13_23_38_18.dmp
2009-04-14 02:54 . 2009-04-14 02:54 24616 ----a-w c:\windows\system32\AAWService_2009_04_13_22_54_42.dmp
2009-04-14 02:35 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-14 02:28 . 2009-04-14 02:28 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-14 02:27 . 2009-04-14 02:35 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-23 01:47 . 2009-03-23 01:47 -------- d-----w c:\documents and settings\All Users\Application Data\Electronic Arts
2009-03-23 01:40 . 2009-03-23 01:46 -------- d-----w c:\windows\NV1026810272.TMP
2009-03-22 07:29 . 2009-03-22 07:29 -------- d-----w c:\documents and settings\Oxygen\Local Settings\Application Data\Criterion Games
2009-03-22 03:25 . 2009-03-22 03:25 4234 ----a-w c:\windows\system32\ealregsnapshot1.reg
2009-03-22 03:18 . 2009-03-22 03:18 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2009-03-22 03:17 . 2008-10-10 08:52 452440 ----a-w c:\windows\system32\d3dx10_40.dll
2009-03-22 03:17 . 2008-10-10 08:52 2036576 ----a-w c:\windows\system32\D3DCompiler_40.dll
2009-03-22 03:17 . 2008-10-10 08:52 4379984 ----a-w c:\windows\system32\D3DX9_40.dll
2009-03-22 03:17 . 2008-10-27 14:04 514384 ----a-w c:\windows\system32\XAudio2_3.dll
2009-03-22 03:17 . 2008-10-27 14:04 70992 ----a-w c:\windows\system32\XAPOFX1_2.dll
2009-03-22 03:17 . 2008-10-27 14:04 235856 ----a-w c:\windows\system32\xactengine3_3.dll
2009-03-22 03:17 . 2008-10-27 14:04 23376 ----a-w c:\windows\system32\X3DAudio1_5.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-15 15:18 . 2009-01-15 15:18 99840 --sha-w c:\windows\system32\sunasuyu.dll
2009-04-15 15:18 . 2009-01-15 15:18 99840 --sha-w c:\windows\system32\sunasuyu.dll
2009-04-14 22:23 . 2009-04-14 22:22 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-14 08:47 . 2009-04-14 08:47 -------- d-----w c:\program files\Trend Micro
2009-04-14 08:44 . 2009-04-14 08:28 136 ----a-w C:\VundoFix.txt
2009-04-14 03:15 . 2009-04-14 03:15 -------- d-----w c:\program files\CCleaner
2009-04-14 02:53 . 2009-04-14 02:20 -------- d-----w c:\program files\Exterminate It!
2009-04-14 02:27 . 2007-09-27 17:14 -------- d-----w c:\program files\Lavasoft
2009-04-14 02:23 . 2007-09-27 17:13 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-11 08:51 . 2008-05-15 14:47 -------- d-----w c:\program files\Digsby
2009-04-08 04:48 . 2007-10-15 21:50 -------- d-----w c:\documents and settings\Oxygen\Application Data\Move Networks
2009-04-05 22:40 . 2007-10-02 05:33 -------- d-----w c:\documents and settings\Oxygen\Application Data\uTorrent
2009-03-25 17:45 . 2009-03-25 17:45 -------- d-----w c:\program files\Microsoft Xbox 360 Accessories
2009-03-23 01:40 . 2007-11-06 20:31 -------- d-----w c:\program files\AGEIA Technologies
2009-03-22 03:26 . 2007-09-27 00:22 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-22 03:26 . 2009-03-22 03:26 -------- d-----w c:\program files\Electronic Arts
2009-03-16 15:14 . 2009-03-16 15:14 -------- d-----w c:\program files\OpenAL
2009-03-16 15:14 . 2009-03-16 15:14 413696 ----a-w c:\windows\system32\wrap_oal.dll
2009-03-16 15:14 . 2009-03-16 15:14 110592 ----a-w c:\windows\system32\OpenAL32.dll
2009-03-15 21:55 . 2007-10-05 20:13 -------- d-----w c:\documents and settings\Oxygen\Application Data\IGN_DLM
2009-03-05 15:33 . 2009-03-05 15:33 -------- d-----w c:\program files\GPLGS
2009-03-05 15:32 . 2009-03-05 15:32 -------- d-----w c:\program files\Acro Software
2009-02-24 16:15 . 2008-06-27 14:06 -------- d-----w c:\program files\Waves
2009-02-23 13:20 . 2009-02-23 12:39 -------- d-----w c:\program files\InterActual
2009-02-22 19:48 . 2009-02-22 19:48 -------- d-----w c:\program files\DisplayFusion
2009-02-22 15:55 . 2009-02-22 15:54 594 ----a-w C:\updatedatfix.log
2009-02-22 15:55 . 2007-09-29 00:01 -------- d-----w c:\program files\HP
2009-02-22 15:54 . 2009-02-22 15:54 -------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-02-21 22:15 . 2007-09-29 04:29 -------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-15 10:26 . 2009-02-15 10:26 -------- d-----w c:\program files\ASRock Utility
2009-02-09 10:19 . 2002-08-29 02:14 1846272 ----a-w c:\windows\system32\win32k.sys
2009-01-29 10:47 . 2007-09-27 16:50 72224 -c--a-w c:\documents and settings\Oxygen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-01-28 09:46 . 2009-01-28 09:46 194936 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-01-27 10:10 . 2009-01-27 10:10 152793 ----a-w C:\GoogleChromeLogo.png
2009-01-24 23:47 . 2007-10-07 05:52 107888 ----a-w c:\windows\system32\CmdLineExt.dll
2009-01-16 22:24 . 2009-01-16 22:24 70936 ----a-w c:\windows\system32\PhysXLoader.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-04-15_06.48.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-15 15:29 . 2009-04-15 15:29 16384 c:\windows\Temp\Perflib_Perfdata_1f8.dat
+ 2009-01-15 15:18 . 2009-04-15 15:18 99840 c:\windows\system32\sunasuyu.dll
+ 2001-08-23 14:00 . 2009-04-15 06:52 68608 c:\windows\system32\perfc009.dat
- 2001-08-23 14:00 . 2009-04-15 06:40 68608 c:\windows\system32\perfc009.dat
+ 2001-08-23 14:00 . 2009-04-15 06:52 436090 c:\windows\system32\perfh009.dat
- 2001-08-23 14:00 . 2009-04-15 06:40 436090 c:\windows\system32\perfh009.dat
+ 2009-04-15 15:28 . 2005-10-21 00:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-04-15 06:45 . 2005-10-21 00:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-04-21 94208]
"DAEMON Tools"="e:\program files\DAEMON Tools\daemon.exe" [2007-09-18 171464]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"igndlm.exe"="e:\program files\Download Manager\DLM.exe" [2008-08-01 1103216]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"DisplayFusion"="c:\program files\DisplayFusion\DisplayFusion.exe" [2009-02-22 569008]
"Google Update"="c:\documents and settings\Oxygen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-24 133104]
"Steam"="v:\steam\steam.exe" [2008-10-08 1410296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"GrooveMonitor"="e:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"Sony Ericsson PC Suite"="e:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2006-11-14 61440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"D-Link Wireless G WDA-1320"="c:\program files\D-Link\Wireless G WDA-1320\AirGCFG.exe" [2007-08-29 1662976]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"M-Audio Taskbar Icon"="c:\windows\System32\M-AudioTaskBarIcon.exe" [2008-05-15 356864]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"mafosulevu"="c:\windows\system32\wuvajepe.dll" [BU]
"e4dfef14"="c:\windows\system32\sunasuyu.dll" [2009-04-15 99840]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-01-11 577536]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]

c:\documents and settings\Oxygen\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - e:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
Stardock ObjectDock.lnk - e:\program files\Stardock\ObjectDock\ObjectDock.exe [2007-11-2 3446512]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-6-26 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 06:42 72208 ----a-w c:\program files\common files\logitech\bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"Midi1"= usbkt1x1.dll
"Midi2"= ma_cmidn.dll
"midi4"= ma_cmidn.dll
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\Steam\\steamapps\\reiayanami676\\team fortress 2\\hl2.exe"=
"e:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"e:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"e:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"e:\\Program Files\\Stardock\\TotalGaming\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"e:\\Program Files\\Steam\\steam.exe"=
"e:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"e:\\Program Files\\Steam\\steamapps\\reiayanami676\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Digsby\\digsby.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"e:\\Program Files\\Electronic Arts\\Red Alert 3\\Data\\ra3_1.6.game"=
"c:\\Program Files\\Digsby\\lib\\digsby-app.exe"=
"v:\\Steam\\steamapps\\common\\rainbow six vegas\\Binaries\\runme.exe"=
"v:\\Steam\\steamapps\\common\\uplink\\Uplink.exe"=
"v:\\Steam\\steamapps\\common\\bioshock\\Builds\\Release\\Bioshock.exe"=
"v:\\Steam\\steamapps\\reiayanami676\\team fortress 2\\hl2.exe"=
"v:\\Steam\\Steam.exe"=
"v:\\Steam\\steamapps\\common\\unreal tournament 3\\Binaries\\UT3.exe"=
"e:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"v:\\Steam\\steamapps\\common\\burnout(tm) paradise the ultimate box\\BurnoutParadise.exe"=
"v:\\Steam\\steamapps\\common\\burnout(tm) paradise the ultimate box\\BurnoutConfigTool.exe"=
"v:\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"v:\\Steam\\steamapps\\common\\company of heroes\\RelicDownloader\\RelicDownloader.exe"=
"v:\\Steam\\steamapps\\common\\company of heroes\\help.htm"=
"v:\\Steam\\steamapps\\common\\company of heroes\\RelicCOH.exe"=

R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\D-Link\Wireless G WDA-1320\JSWUtil\jswpsapi.exe [2007-08-02 352338]
R3 MAUSB;Service for M-Audio Fast Track Pro Driver (WDM);c:\windows\system32\DRIVERS\mausb.sys [2008-03-11 143624]
R3 MAUSBFTP;Service for M-Audio Fast Track Pro (WDM);c:\windows\system32\DRIVERS\mausb.sys [2008-03-11 143624]
R3 UKS11LDR;M-Audio USB Keystation Loader;c:\windows\system32\drivers\uks11ldr.sys [2007-09-28 13504]
R3 USBKT1X1;M-Audio USB Keystation;c:\windows\system32\drivers\usbkt1x1.sys [2007-09-28 22304]
S0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2006-11-14 16384]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\DRIVERS\A3AB.sys [2007-05-24 547744]
S3 JSWSCIMD;jswscimd Service;c:\windows\system32\DRIVERS\jswscimd.sys [2007-07-06 57376]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{13475ee8-e95e-11dd-adae-0019668af8d4}]
\Shell\AutoRun\command - J:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c9766ce-6c66-11dc-b019-806d6172696f}]
\Shell\AutoRun\command - G:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be0f9246-e931-11dd-ada8-806d6172696f}]
\Shell\AutoRun\command - G:\install.EXE id= ver=1.0.0.0
.
Contents of the 'Scheduled Tasks' folder

2009-04-14 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

2009-04-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-963894560-725345543-1003.job
- c:\documents and settings\Oxygen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-24 09:33]
.
- - - - ORPHANS REMOVED - - - -

BHO-{4078dbfa-ec75-47de-87a4-bd59bf539d9b} - c:\windows\system32\mikomuyo.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.daemonsearch.com/
uInternet Settings,ProxyOverride = *.local
IE: Copy to Semagic - e:\program files\Semagic\copy.htm
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Semagic - e:\program files\Semagic\link.htm
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Oxygen\Application Data\Mozilla\Firefox\Profiles\8ula11ra.default\
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-15 11:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\uyusanus.ini 1409212 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1957994488-963894560-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:d7,36,67,6c,13,f1,6a,d0,b3,7b,d0,54,3a,b6,0c,fd,a7,9c,f6,94,5d,85,63,
8a,bb,a7,80,d9,d7,dd,5e,97,89,fc,26,7d,86,cb,fe,5a,ad,79,30,3c,5b,f9,6d,88,\
"??"=hex:f1,42,49,73,a4,b4,8b,22,77,dd,69,bc,52,95,ad,ee

[HKEY_USERS\S-1-5-21-1957994488-963894560-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:50,a8,2f,5f,9d,0b,f8,92,0a,ae,fe,20,17,3d,1b,a1,a1,06,dc,36,56,
35,2f,fd,d8,80,13,d8,08,03,01,cb,13,db,7f,c2,ed,5f,dd,d1,6e,75,aa,9a,45,84,\
"rkeysecu"=hex:87,45,5b,9e,f2,8b,36,3f,b3,9f,37,cb,a6,3c,38,7d
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1004)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(4008)
e:\program files\Stardock\ObjectDock\DockShellHook.dll
c:\windows\system32\sunasuyu.dll
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\DisplayFusion\DisplayFusionHookx86.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Common Files\Teleca Shared\CapabilityManager.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
e:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
c:\program files\Java\jre1.6.0_03\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-04-15 11:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-15 15:36

Pre-Run: 2,472,017,920 bytes free
Post-Run: 2,448,461,824 bytes free

287 --- E O F --- 2009-03-23 09:44

0

Oh yeah, real quick, i shut down a lot of my visible systray programs (adaware, steam, shut off the avast On-Access, daemon tools, and a few others... the infected PC is off, now) before running combofix again. Forgot to mention that.

0

Thanks again! Oh, just a BTW, I'm still getting that rundll error message that says something about not find wuvajepe.dll. Dunno if that was supposed to be fixed or not, yet. Just though I'd tell you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:49:48 PM, on 4/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
E:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
E:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DisplayFusion\DisplayFusion.exe
C:\Documents and Settings\Oxygen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
V:\steam\steam.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
E:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
E:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "E:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [D-Link Wireless G WDA-1320] C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [mafosulevu] Rundll32.exe "C:\WINDOWS\system32\wuvajepe.dll",s
O4 - HKLM\..\Run: [e4dfef14] rundll32.exe "C:\WINDOWS\system32\sunasuyu.dll",b
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] E:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DisplayFusion] "C:\Program Files\DisplayFusion\DisplayFusion.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Oxygen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Steam] "v:\steam\steam.exe" -silent
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = E:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Stardock ObjectDock.lnk = E:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Copy to Semagic - E:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Semagic - E:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\D-Link\Wireless G WDA-1320\JSWUtil\jswpsapi.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: M-Audio CMIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 10425 bytes

0

Run HiJackThis again.
This time place check marks next to the following entries if they remain:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/
O4 - HKLM\..\Run: [mafosulevu] Rundll32.exe "C:\WINDOWS\system32\wuvajepe.dll",s
O4 - HKLM\..\Run: [e4dfef14] rundll32.exe "C:\WINDOWS\system32\sunasuyu.dll",b

Click the Fix Checked button.
Exit HJT.
Boot to safe mode.
Click Start.

Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
Now you need to do a File Search for the following files:
C:\WINDOWS\system32\wuvajepe.dll
C:\WINDOWS\system32\sunasuyu.dll

If you find the two above noted in RED Delete them.

Then reboot the computer. Run a new HJT scan and post back here with that new log.

0

Went smoothly, I might say. Also, I just noticed that it says that the sunasuyu.dll entry is still there, but I deleted it the first time I ran HJT.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:51:23 PM, on 4/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
E:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
E:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DisplayFusion\DisplayFusion.exe
C:\Documents and Settings\Oxygen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
V:\steam\steam.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
E:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "E:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [D-Link Wireless G WDA-1320] C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [e4dfef14] rundll32.exe "C:\WINDOWS\system32\sunasuyu.dll",b
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] E:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DisplayFusion] "C:\Program Files\DisplayFusion\DisplayFusion.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Oxygen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Steam] "v:\steam\steam.exe" -silent
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = E:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Stardock ObjectDock.lnk = E:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Copy to Semagic - E:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Semagic - E:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\D-Link\Wireless G WDA-1320\JSWUtil\jswpsapi.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: M-Audio CMIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 10330 bytes

0

I just noticed that it says that the sunasuyu.dll entry is still there, but I deleted it the first time I ran HJT.

Yes, I was afraid of that. There may be more lurking in there. Before I give you other steps do this; Go to http://virusscan.jotti.org/ and upload that file C:\WINDOWS\system32\sunasuyu.dll
It will be scanned by multiple antivirus scanners and then give a read out of what that may be. Post back here with the results and then we can decide what step, or steps, to take next.
Judy

0

Probably should've mentioned also that I got that error message from rundll that said it couldn't find sunasuyu.dll that it was doing with wuvajepe.dll. Also, when I went into safemode, wuvajepe.dll wasn't there in the system32 folder, but sunasuyu was, which was when I deleted these files. I suppose the reason i was getting that rundll error was because wuvajepe wasn't there when the registry called for it. So, I got the error message after deleting sunasuyu and the registry entry was still there.

I re-did the instructions you left above, though. I figure I might've missed deleting something the first time and wanted to make sure I did it all correctly. So, I went back into safemode to find the files and couldn't find them. After rebooting into normal, looked for it again in this mode, in case it had written itself in or something. Once again, though, none of the *.dll files that you had me delete from post #11 were in there.

C:\WINDOWS\system32\wuvajepe.dll
C:\WINDOWS\system32\sunasuyu.dll

I didn't upload anything to virusscan.jotti.org as there was nothing to upload.

Did an HJT, and went ahead and deleted the entry again in case I was stupid and forgot to check it for whatever reason.

After deleting the HJT entry, it's not showing up in there. Did a reboot, just in case. Performed another HJT and came out with a non-weird-*.dll-entry log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:13:22 PM, on 4/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
E:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
E:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DisplayFusion\DisplayFusion.exe
C:\Documents and Settings\Oxygen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
V:\steam\steam.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
E:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
E:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "E:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [D-Link Wireless G WDA-1320] C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] E:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DisplayFusion] "C:\Program Files\DisplayFusion\DisplayFusion.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Oxygen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Steam] "v:\steam\steam.exe" -silent
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = E:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Stardock ObjectDock.lnk = E:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Copy to Semagic - E:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Semagic - E:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\D-Link\Wireless G WDA-1320\JSWUtil\jswpsapi.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: M-Audio CMIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 10124 bytes

0

Looks good this time. Now your Java program is WAY out of date so you should install the newest update. Go HERE and download the Offline install, save it to the Desk top.
After the download then go to Add/Remove and Uninstall ALL previous versions of Java you find there. Once the uninstalls are completed then double click on the new install file you downloaded. After it is installed then go back to the download link and click Verify Now in order to test to be sure the dupgrade was successful
I would also recommend that you uninstall AdAware. It just isn't as good as it used to be.
Install SpywareBlaster. Truly a MUST have program. It is Free and good thing is it Does Not run in the back ground. I wouldn't run my computer without having it installed. Download, install, enable all, including the Restricted Sites portion and then close the program. Manually check for updates weekly and enable all new protection.
Judy

0

Awesome. Thanks for the advice on adaware; i'll switch over to spywareblaster. I truly appreciate your help. I'll go ahead do the java stuff, too, right now.

Again, thanks a bunch!

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.