
Hi all!!

This is my first post here (but I've been on other forums for many a year now), so please feel free to correct any discrepancies I may put up here.

Anyway, I've got a 'problem' - of sorts - that I'm hoping someone here can help me with. My own research into fixing my issue brought me to this website - and my post.

My laptop recently got what I believe to be a rather nasty virus/hijack this past week. I'm sure this was partly because my wife had disabled my virus protection programs (her way of trying to make my computer run faster - but I digress).

While I'm reasonably certain that running my virus/spyware removal after the fact got rid of the foreign invader, I'm sure that it left a little 'parting gift' somewhere in my system. Here's a rundown of the symptoms:

  • Cannot change the background (except by actually bringing up a picture in Windows Picture Viewer, right-clicking the pic, and setting it as the background)
  • Cannot get online (either by direct connection to my Clearwire modem or wirelessly through my Linksys router)
  • No USB drives are being recognized (I've got two 2gb thumb drives and a couple of Iomega external drives)

In reading what I thought was a related thread from someone with similar symptoms:

http://www.daniweb.com/forums/thread36931.html

...I've attempted the following:

  • Tried to d/l the smitfraud.reg file, but got a 404 (page cannot be found) error
  • Ran the HijackThis utility (thankfully, I'd previously downloaded this, so it was already in place), had it "scan only", and saved a log in my Documents folder. Since I had no way of getting online to post it, I'm currently in the process of manually typing it out to post it from my desktop (whew!!)
  • Also (thankfully) had the following pre-downloaded to my HD: ATF Cleaner, Spybot S&D, Glary Utilities, and Registry Mechanic (of which, only the first two were installed prior to this issue)
  • Per another post I read, ran ATF Cleaner
  • Tried to run Spybot S&D, but it will not run until I connect to the internet to get any recent updates it may have (and since I have no internet access, that becomes an epic FAIL)
  • Also ran MalwareBytes Anti-Malware and AVG Anti-Virus again, but since I've had no internet access, it won't let me get too far until it gets an update, also.
  • Removed all previous system restore points (probably not the best move at this point, but still another troubleshooting step I read about in another post)

At this point, I'm kinda at an impasse. I've got full functionality of all of the programs on the computer, but this issue is a great inconvenience, as I use my laptop for music engineering projects.

I've read the "Read me before posting a request for assistance" sticky, and am in the process of trying some of the other suggestions listed therein - although, since I don't have any internet, some of the suggestions (i.e., Kaspersky Online Scanner, Panda Active Scan, etc..) won't work.

I initially considered an erase & install of the HD, but 1) I no longer (through moving, mostly) have the original disks that came with the computer, and 2) I also no longer have some of the more 'esoteric' - and expensive - programs I've got on the computer.

In any case, I just thought I'd post this to see if anyone has any suggestions as to what I should (or should NOT) do next. I'll post my HJT log as soon as I finish typing it up. And thanks in advance for your patience with this "NoOb".

Last Post by jholland1964

The thread you have noted is well over 4 years old so very possible the infection and things done wouldn't be the same. To Update MBA-M you can go to http://www.gt500.org/malwarebytes/database.jsp download an update. Save it to a disk or flash drive and then when you hit update MBA-M just choose to update FROM that location. It won't be the most recent update but current enough to do the job, rather than running a program without updates. Do a Full Scan and choose to Remove every thing that is found.
Reboot the computer and run another HJT scan. Since you HAVE the log do as below.
Open your HJT log, go up to Edit, Select All, Copy
Then come back here and hit reply. Paste the log. We prefer them to be copy/pasted anyway.
Judy


Hello again,

Thanks for the reply, jholland. However, since my laptop - for some unknown reason thus far - was not able to recognize any of my flash drives or external hard drives, I could not use those as an option to download any update.

However, taking another part of your advice, I tried the same theory using my disk drive. Initially, I didn't consider this because I didn't have any 'burnable' media (broke and under-employed will do that to a fella). But the computer gods decided to smile upon me in the form of a neighbor that was nice enough to 'loan' me a CD-RW.

So, I did what you said and downloaded the database update for MBA-M to the disk, took that to my laptop, and hit 'update'. However, based on what you were saying in your post, I was ASSuming that MBA-M would display some option as to where I wanted to pull the update from. But nothing came up except the following 'fail' alert:

"Update failed. Make sure you are connected to the Internet and your firewall is set to allow Malwarebytes' Anti-Malware to access the internet."

Now, my thought at this point was that maybe I'm running an older version (mine, at that point, was 1.19, with the database on 1930-something).

At this point, I should note which versions of what software I have currently loaded up on the laptop:

So, now that I know I have some way to get stuff IN and OUT of the computer, I went ahead and uploaded version 1.36 of MBA-M, as well as the newer database (2110, IIRC). I also saved a copy of my HJT log, which is copied and pasted at the end of this post.

I haven't run anything else at this point, because I didn't want to do anything that would impede any assistance I'd get. So, let me know - if possible - if the log looks suspect, and what steps I should take from this point forward to clear things up.

Thanks again, in advance.
----------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:18:31 PM, on 5/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Kodak\Printer\Center\EKDiscovery.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Reimage\rei_agent.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\G. Rick\Application Data\DigiFast\digifast.exe
C:\Documents and Settings\G. Rick\Application Data\Microsoft\Windows\khoiondj.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\G. Rick\My Documents\PcSetup\Maintenance\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: (no name) - {ca2a2062-0499-455a-b723-5ee3ccc8d522} - C:\WINDOWS\system32\dufujuto.dll
O2 - BHO: HelloWorldBHO - {D88E1558-7C2D-407A-953A-C044F5607CEA} - C:\Program Files\Jcore\Jcore2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ReimageAgent] C:\Program Files\Reimage\rei_agent.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [tapebomudu] Rundll32.exe "C:\WINDOWS\system32\gehosenu.dll",s
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DigiFast] C:\Documents and Settings\G. Rick\Application Data\DigiFast\digifast.exe
O4 - HKCU\..\Run: [sSgURl] C:\Documents and Settings\G. Rick\Application Data\Microsoft\Windows\khoiondj.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Transfer by Image Converter 2 Plus - C:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O10 - Broken Internet access because of LSP provider 'c:\windows\temp\ntdll64.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {10ECCE17-29B5-4880-A8F5-EAD298611484} (ReiEngine Class) - http://cdnrep.reimage.com/reix1225.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F24F002-6749-4FCB-A2ED-5D9E92394F3F}: NameServer = 85.255.113.108,85.255.112.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B825E89-8A7C-4CFB-9EC4-D426B3C4B2FE}: NameServer = 85.255.113.108,85.255.112.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D6E0B44-0A5E-46FA-B97E-39E178DC1162}: NameServer = 85.255.113.108,85.255.112.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB849ABE-BFA6-48E7-8774-E5F33814D205}: NameServer = 85.255.113.108,85.255.112.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{C789CAB5-0C63-4AF6-B84A-FD3226B1C407}: NameServer = 85.255.113.108,85.255.112.10
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer =
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\fafereza.dll c:\windows\system32\tejekuru.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: VESWinlogon - C:\WINDOWS\SYSTEM32\VESWinlogon.dll
O20 - Winlogon Notify: vtuvtus - vtuvtus.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: bdmanager - {E25FB3D6-AFAD-4875-8ACB-D893E1570EBB} - (no file)
O21 - SSODL: admgcx - {8F2142E2-B754-46AF-9A53-FD96BF8D8D78} - (no file)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: GEARSecurity_BackUp - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - C:\Program Files\Kodak\Printer\Center\EKDiscovery.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

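As an added example (the editor's code, not something from the original post and not a feature of HijackThis), here is a small Python triage pass over the sections of the log above that carry the real findings: the O17 NameServer entries pointing every interface at the same two external resolvers, the O20 AppInit_DLLs entry, the O10 line reporting a missing LSP provider, the unnamed O2 BHO, and the O4 autostart entries whose value names and file names look generated. The sample lines are an excerpt copied from the posted log. Two things are assumptions rather than facts from the page: the 85.255.112.0/20 range in `KNOWN_BAD_DNS` (chosen because it contains the resolvers in the log, which MBA-M labels Trojan.DNSChanger later in the thread) and the `looks_random` name heuristic, which is a lead generator, not a verdict.

```python
"""Triage of HijackThis-format lines for the markers in the log above:
rogue O17 resolvers, AppInit_DLLs injection, a broken Winsock LSP chain,
unnamed BHOs and autostart entries with generated names.
Added example; not part of the original post and not a HijackThis feature."""
import ipaddress
import ntpath
import re
from collections import Counter

# Assumption: 85.255.112.0/20 holds the resolvers the O17 lines above point
# at (MBA-M labels them Trojan.DNSChanger later in the thread). Extend with
# your own list; any other non-private resolver is only marked "public".
KNOWN_BAD_DNS = [ipaddress.ip_network("85.255.112.0/20")]

# Constructed excerpt: a handful of lines copied from the posted log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {ca2a2062-0499-455a-b723-5ee3ccc8d522} - C:\WINDOWS\system32\dufujuto.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [tapebomudu] Rundll32.exe "C:\WINDOWS\system32\gehosenu.dll",s
O4 - HKCU\..\Run: [sSgURl] C:\Documents and Settings\G. Rick\Application Data\Microsoft\Windows\khoiondj.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\temp\ntdll64.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F24F002-6749-4FCB-A2ED-5D9E92394F3F}: NameServer = 85.255.113.108,85.255.112.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B825E89-8A7C-4CFB-9EC4-D426B3C4B2FE}: NameServer = 85.255.113.108,85.255.112.10
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer =
O20 - AppInit_DLLs: C:\WINDOWS\system32\fafereza.dll c:\windows\system32\tejekuru.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

O2_RE = re.compile(r"^O2 - BHO: \(no name\) - \{[^}]*\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - .*?\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
O10_RE = re.compile(r"^O10 - Broken Internet access because of LSP provider '(?P<path>[^']+)'")
O17_RE = re.compile(r"^O17 - .*NameServer =\s*(?P<servers>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<dlls>.+)$")
# First drive-letter path ending in .exe/.dll inside an O4 command line.
WIN_PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:exe|dll)', re.I)


def classify_nameserver(ip_text):
    """'known-bad', 'local' (RFC1918/loopback: router or DHCP-set), 'public' or 'unparsed'."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unparsed"
    if any(ip in net for net in KNOWN_BAD_DNS):
        return "known-bad"
    if ip.is_private or ip.is_loopback:
        return "local"
    return "public"


def looks_random(name):
    """Crude heuristic for generated names like 'gehosenu' or 'khoiondj':
    seven or more lowercase letters and nothing else. Vendor names usually
    carry digits or mixed case or are shorter; treat hits as leads, not proof."""
    return re.fullmatch(r"[a-z]{7,}", name) is not None


def stem_of(path):
    """File name without directory or extension; ntpath handles backslashes anywhere."""
    return ntpath.splitext(ntpath.basename(path))[0]


def suspicious_location(path):
    """Autostart targets under a user profile's Application Data or a Temp dir."""
    p = path.lower()
    return "\\application data\\" in p or "\\temp\\" in p


def triage(log_text):
    """Return a list of (severity, section, detail) findings for one log."""
    findings = []
    static_resolvers = Counter()  # resolver tuple -> number of interface keys using it
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := O17_RE.match(line)):
            servers = tuple(s.strip() for s in m.group("servers").split(",") if s.strip())
            if not servers:
                continue  # empty NameServer means DHCP-assigned: normal
            static_resolvers[servers] += 1
            for s in servers:
                kind = classify_nameserver(s)
                if kind == "known-bad":
                    findings.append(("bad", "O17", f"resolver {s} is in a known rogue range"))
                elif kind != "local":
                    findings.append(("review", "O17", f"static {kind} resolver {s}"))
        elif (m := O20_RE.match(line)):
            for dll in m.group("dlls").split():  # HJT prints the value space-separated
                sev = "bad" if looks_random(stem_of(dll)) else "review"
                findings.append((sev, "O20", f"AppInit_DLLs loads {dll} into every user32 process"))
        elif (m := O10_RE.match(line)):
            findings.append(("bad", "O10", f"missing LSP provider {m.group('path')} breaks all Winsock traffic"))
        elif (m := O2_RE.match(line)):
            sev = "bad" if looks_random(stem_of(m.group("path"))) else "review"
            findings.append((sev, "O2", f"unnamed BHO {m.group('path')}"))
        elif (m := O4_RE.match(line)):
            pm = WIN_PATH_RE.search(m.group("cmd"))
            path = pm.group(0) if pm else m.group("cmd")
            if looks_random(m.group("name")) or looks_random(stem_of(path)) or suspicious_location(path):
                findings.append(("bad", "O4", f"autostart [{m.group('name')}] -> {path}"))
    for servers, n in static_resolvers.items():
        if n > 1:  # DNSChanger-style: every interface rewritten to the same pair
            findings.append(("review", "O17", f"same static resolvers {','.join(servers)} on {n} interface keys"))
    return findings


def summarize(findings):
    """Count findings per HJT section, e.g. {'O17': 5, 'O20': 2}."""
    return dict(Counter(section for _, section, _ in findings))


if __name__ == "__main__":
    for sev, sec, detail in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {sec:4} {detail}")
```

Two caveats worth keeping in mind when reading its output. A static public resolver is only "review" because ISP resolvers are legitimately configured that way on some machines; what makes the O17 lines above damning is the combination of an external pair, the same pair on every interface key, and (later in the thread) MBA-M's DNSChanger verdict. And the O10 line matters as much as O17 for the "cannot get online" symptom: a missing LSP provider fails every Winsock call before DNS is ever consulted, so replacing the resolvers alone would not restore connectivity.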

With the exception of Spybot everything else you list there is way, way out of date.
One thing you must do first is Disable the Spybot TeaTimer. It will interfere with fixes which need to be done.

* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu and select Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck Resident TeaTimer and OK any prompts.
* Restart your computer

Current version of HiJackThis is 2.0.2

AVG 7.5 is of course no longer current, and your version of MBA-M is, as you stated, also way out of date; the current version is 1.36 and the database version is 2162. This would likely be the reason you got the message you did.

Uninstall BOTH HiJackThis and MBA-M. So if you can prevail on your neighbor once more, this is what I would do. Download both of the new versions to that disk and install them on the infected computer. HJT wouldn't need an update, but MBA-M will certainly be more current than the one you now have, and even if it cannot be updated for the moment you certainly will get a more up to date version and should be able to run a Full Scan with it and remove problems.

Frankly I would also suggest you remove that AVG program; it is doing no good really. You can also download a new Anti-virus program. I would recommend Avira; this can't be updated either, but you would definitely have a more up to date AV than you do now.
Even with this log from the older version of HJT it is evident that you have the rogue Anti-Spyware Program Antispyware2008 on your system. The tool of choice for removal is MBA-M. So this should be your first step. Even with the inability to update it, if you install this on your computer this would definitely remove most of it.

Run even the non-updated versions of Avira and especially MBA-M and BE CERTAIN to have both programs REMOVE ALL ITEMS FOUND, then REBOOT. Run the new HJT save the logs of all and post those back here.


DISCLAIMER This post is about to become verrrry long, so bear with me. Thanks.

Hey all,

And thanks to your suggestions, jholland1964!! I finally got my desktop back!! And sorry I didn't post sooner - we're in the process of having a garage sale, and just about everything we're selling was sitting in front of my desktop. Ergo, no internet access through attrition. :P

So, here's where I stand:

So, I shut off TeaTimer and rebooted the computer to start (not too keen on that aspect of S&D anyway, so it'll probably stay off). Then I went to work.

First thing I did was delete HJT and MBA-M. I also went ahead and - per your recommendation - deleted AVG. I've relied heavily on that one for a while now, but I wasn't married to it. Then I went ahead and got Avira.

As a side note, I'm totally liking that Avira so far. Once I'm totally virus-free, we'll see how much I REALLY like it.

I also got the new version of HJT that you mentioned. But in looking for MBA-M, I ran into a bit of a snag. Although I easily found version 1.36, I could not for the life of me find the database version you mentioned. If you've got a link to that, let me know and I'll update accordingly. The nearest I found was version 2110. I even poked around a bit on MWB forums to see if I missed it somehow.

In any case, I got everything installed ok - even without the updates it was attempting to look for. First, I ran a scan with MBA-M. Here's the log for that:

Malwarebytes' Anti-Malware 1.36
Database version: 2110
Windows 5.1.2600 Service Pack 3

5/21/2009 5:22:19 PM
mbam-log-2009-05-21 (17-22-13).txt

Scan type: Full Scan (C:\|)
Objects scanned: 214177
Time elapsed: 29 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 28
Registry Values Infected: 3
Registry Data Items Infected: 31
Folders Infected: 6
Files Infected: 29

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\dufujuto.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\fafereza.dll (Trojan.Vundo.H) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ca2a2062-0499-455a-b723-5ee3ccc8d522} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{ca2a2062-0499-455a-b723-5ee3ccc8d522} (Trojan.Vundo.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ca2a2062-0499-455a-b723-5ee3ccc8d522} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{e0f01490-dcf3-4357-95aa-169a8c2b2190} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{17e44256-51e0-4d46-a0c8-44e80ab4ba5b} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore.1 (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\AppID\{80ef304a-b1c4-425c-8535-95ab6f1eefb8} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\AppID\{26a98aa8-07fe-46e6-b6df-26704f3b895f} (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2ff811e6-8925-4084-a649-c159955e67e8} (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7370f91f-6994-4595-9949-601fa2261c8d} (Adware.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e1e1d3a0-66ea-46d2-bbcf-43730668e1eb} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{81f4697d-617d-40b4-85ba-c7684d9bc543} (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b2f479ad-17de-4f73-b844-7cf69003b916} (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{098716a9-0310-4cbe-bd64-b790a9761158} (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\digifast (Trojan.Dropper) -> No action taken.
HKEY_CLASSES_ROOT\AppID\BHO_MyJavaCore.DLL (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\rhcresj0enav (Rogue.AntivirusXP2008) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\{NSINAME} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\AppID\BHO_CPV.DLL (Trojan.BHO) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tapebomudu (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DigiFast (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\fafereza.dll -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\fafereza.dll  -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2f24f002-6749-4fcb-a2ed-5d9e92394f3f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.108,85.255.112.10 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4b825e89-8a7c-4cfb-9ec4-d426b3c4b2fe}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.108,85.255.112.10 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4b825e89-8a7c-4cfb-9ec4-d426b3c4b2fe}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.108,85.255.112.10 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6d6e0b44-0a5e-46fa-b97e-39e178dc1162}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.108,85.255.112.10 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ab849abe-bfa6-48e7-8774-e5f33814d205}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.108,85.255.112.10 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c789cab5-0c63-4af6-b84a-fd3226b1c407}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.108,85.255.112.10 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c789cab5-0c63-4af6-b84a-fd3226b1c407}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.108,85.255.112.10 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{dfdbbcf4-b149-4dcd-984c-4b1f6d85f8b3}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.108,85.255.112.10 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{2f24f002-6749-4fcb-a2ed-5d9e92394f3f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.108,85.255.112.10 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{4b825e89-8a7c-4cfb-9ec4-d426b3c4b2fe}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.108,85.255.112.10 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{4b825e89-8a7c-4cfb-9ec4-d426b3c4b2fe}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.108,85.255.112.10 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{6d6e0b44-0a5e-46fa-b97e-39e178dc1162}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.108,85.255.112.10 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{ab849abe-bfa6-48e7-8774-e5f33814d205}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.108,85.255.112.10 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{c789cab5-0c63-4af6-b84a-fd3226b1c407}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.108,85.255.112.10 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{c789cab5-0c63-4af6-b84a-fd3226b1c407}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.108,85.255.112.10 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{dfdbbcf4-b149-4dcd-984c-4b1f6d85f8b3}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.108,85.255.112.10 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{2f24f002-6749-4fcb-a2ed-5d9e92394f3f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.108,85.255.112.10 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{4b825e89-8a7c-4cfb-9ec4-d426b3c4b2fe}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.108,85.255.112.10 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{4b825e89-8a7c-4cfb-9ec4-d426b3c4b2fe}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.108,85.255.112.10 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{6d6e0b44-0a5e-46fa-b97e-39e178dc1162}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.108,85.255.112.10 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{ab849abe-bfa6-48e7-8774-e5f33814d205}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.108,85.255.112.10 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{c789cab5-0c63-4af6-b84a-fd3226b1c407}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.108,85.255.112.10 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{c789cab5-0c63-4af6-b84a-fd3226b1c407}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.108,85.255.112.10 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{dfdbbcf4-b149-4dcd-984c-4b1f6d85f8b3}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.108,85.255.112.10 -> No action taken.

Folders Infected:
C:\Documents and Settings\G. Rick\Application Data\ptidle (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\G. Rick\Application Data\digifast (Trojan.Agent) -> No action taken.
C:\Program Files\Setup Wizard (Trojan.Agent) -> No action taken.
C:\Documents and Settings\G. Rick\Application Data\rhcresj0enav (Rogue.Multiple) -> No action taken.
C:\Program Files\Jcore (Trojan.BHO) -> No action taken.
C:\Documents and Settings\G. Rick\Application Data\Twain (Trojan.Matcash) -> No action taken.

Files Infected:
C:\WINDOWS\system32\dufujuto.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\fafereza.dll (Trojan.Vundo.H) -> No action taken.
C:\Program Files\Jcore\Jcore2.dll (Trojan.BHO) -> No action taken.
C:\REIPostRebootExecuter.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20090521-092814-9BCFF2F5\ARKB.tmp (Trojan.Vundo.H) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20090521-092814-9BCFF2F5\ARKC.tmp (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\G. Rick\Application Data\digifast\DFUninstall.exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\G. Rick\Application Data\ptidle\ptidle.exe (Trojan.Downloader) -> No action taken.
C:\REI\PostRebootExecuter.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\net.net (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\G. Rick\Application Data\digifast\config.cfg (Trojan.Agent) -> No action taken.
C:\Program Files\Setup Wizard\nmsetup.exe (Trojan.Agent) -> No action taken.
C:\Program Files\Setup Wizard\Patch - Firas911.exe (Trojan.Agent) -> No action taken.
C:\Program Files\Setup Wizard\pure-network-magic.exe (Trojan.Agent) -> No action taken.
C:\Program Files\Setup Wizard\settings.ini (Trojan.Agent) -> No action taken.
C:\Program Files\Setup Wizard\SetupWizard.exe (Trojan.Agent) -> No action taken.
C:\Program Files\Setup Wizard\unins000.dat (Trojan.Agent) -> No action taken.
C:\Program Files\Setup Wizard\unins000.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\G. Rick\Application Data\Twain\Twain.exe (Trojan.Matcash) -> No action taken.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\ntdll64.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\BMff9885dd.xml (Trojan.Vundo) -> No action taken.
C:\WINDOWS\BMff9885dd.txt (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\warning.gif (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\ahtn.htm (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\win32hlp.cnf (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\loader49.exe (Trojan.Downloader) -> No action taken.
--------------------------------------------------------------

I was sure I told the program to remove everything it found (even though the last part of that log suggests no action was taken). I'll run another scan to verify.

Next came Avira. Here's its log:

Avira AntiVir Personal
Report file date: Thursday, May 21, 2009  17:26

Scanning for 1284893 virus strains and unwanted programs.

Licensee        : Avira AntiVir Personal - FREE Antivirus
Serial number   : 0000149996-ADJIE-0000001
Platform        : Windows XP
Windows version : (Service Pack 3)  [5.1.2600]
Boot mode       : Normally booted
Username        : SYSTEM
Computer name   : RICK

Version information:
BUILD.DAT       : 9.0.0.394     17962 Bytes   4/17/2009 11:20:00
AVSCAN.EXE      : 9.0.3.5      466689 Bytes   4/17/2009 16:57:30
AVSCAN.DLL      : 9.0.3.0       40705 Bytes   2/27/2009 18:58:24
LUKE.DLL        : 9.0.3.2      209665 Bytes   2/20/2009 19:35:49
LUKERES.DLL     : 9.0.2.0       12033 Bytes   2/27/2009 18:58:52
ANTIVIR0.VDF    : 7.1.0.0    15603712 Bytes  10/27/2008 20:30:36
ANTIVIR1.VDF    : 7.1.2.12    3336192 Bytes   2/11/2009 04:33:26
ANTIVIR2.VDF    : 7.1.2.105    513536 Bytes    3/3/2009 15:41:14
ANTIVIR3.VDF    : 7.1.2.127    110592 Bytes    3/5/2009 22:58:20
Engineversion   : 8.2.0.100
AEVDF.DLL       : 8.1.1.0      106868 Bytes   1/28/2009 01:36:42
AESCRIPT.DLL    : 8.1.1.56     352634 Bytes   2/27/2009 04:01:56
AESCN.DLL       : 8.1.1.7      127347 Bytes   2/12/2009 19:44:25
AERDL.DLL       : 8.1.1.3      438645 Bytes  10/30/2008 02:24:41
AEPACK.DLL      : 8.1.3.10     397686 Bytes    3/4/2009 21:06:10
AEOFFICE.DLL    : 8.1.0.36     196987 Bytes   2/27/2009 04:01:56
AEHEUR.DLL      : 8.1.0.100   1618295 Bytes   2/25/2009 23:49:16
AEHELP.DLL      : 8.1.2.2      119158 Bytes   2/27/2009 04:01:56
AEGEN.DLL       : 8.1.1.24     336244 Bytes    3/4/2009 21:06:10
AEEMU.DLL       : 8.1.0.9      393588 Bytes   10/9/2008 22:32:40
AECORE.DLL      : 8.1.6.6      176501 Bytes   2/17/2009 22:22:44
AEBB.DLL        : 8.1.0.3       53618 Bytes   10/9/2008 22:32:40
AVWINLL.DLL     : 9.0.0.3       18177 Bytes  12/12/2008 16:47:59
AVPREF.DLL      : 9.0.0.1       43777 Bytes   12/5/2008 18:32:15
AVREP.DLL       : 8.0.0.3      155905 Bytes   1/20/2009 22:34:28
AVREG.DLL       : 9.0.0.0       36609 Bytes   12/5/2008 18:32:09
AVARKT.DLL      : 9.0.0.3      292609 Bytes   3/24/2009 23:05:41
AVEVTLOG.DLL    : 9.0.0.7      167169 Bytes   1/30/2009 18:37:08
SQLITE3.DLL     : 3.6.1.0      326401 Bytes   1/28/2009 23:03:49
SMTPLIB.DLL     : 9.2.0.25      28417 Bytes    2/2/2009 16:21:33
NETNT.DLL       : 9.0.0.0       11521 Bytes   12/5/2008 18:32:10
RCIMAGE.DLL     : 9.0.0.21    2438401 Bytes    2/9/2009 19:45:45
RCTEXT.DLL      : 9.0.37.0      86785 Bytes   4/17/2009 18:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, 
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Thursday, May 21, 2009  17:26

Starting search for hidden objects.
c:\windows\system32\ovfstheqhggnuhujrmidcopqedcyyaqppuvjdx.dat
    [INFO]      The file is not visible.
    [NOTE]      A backup was created as '4a7bf211.qua'  ( QUARANTINE )
c:\windows\system32\ovfsthjmhtkuvsiilvrliyyylbtessdtoqndlr.dll
    [INFO]      The file is not visible.
    [DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
    [INFO]      No SpecVir entry was found!
    [NOTE]      A backup was created as '4b0d0572.qua'  ( QUARANTINE )
c:\windows\system32\ovfsthmkjhuiofupyurunhnmnbnvavufdjlrmk.dat
    [INFO]      The file is not visible.
    [NOTE]      A backup was created as '4b02ed52.qua'  ( QUARANTINE )
c:\windows\system32\ovfsthwninqbykdgdmiduhybklibmvilwcwaea.dll
    [INFO]      The file is not visible.
    [DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
    [INFO]      No SpecVir entry was found!
    [NOTE]      A backup was created as '4a7bf212.qua'  ( QUARANTINE )
c:\windows\system32\ovfsthxbjlgjojtnsojqbeplnokstmeepnapty.dll
    [INFO]      The file is not visible.
    [DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
    [INFO]      No SpecVir entry was found!
    [NOTE]      A backup was created as '4b069d13.qua'  ( QUARANTINE )
c:\windows\system32\drivers\ovfsthdhboodplfdsbepiqghdjjvdoxheefyho.sys
    [INFO]      The file is not visible.
    [NOTE]      A backup was created as '4b0464f3.qua'  ( QUARANTINE )
c:\documents and settings\g. rick\local settings\temp\ovfsthnnfvoqyexn.tmp
    [INFO]      The file is not visible.
    [NOTE]      A backup was created as '4bfa4cd3.qua'  ( QUARANTINE )
c:\documents and settings\g. rick\local settings\temp\ovfsthpecvbdmdbx.tmp
    [INFO]      The file is not visible.
    [NOTE]      A backup was created as '496585a3.qua'  ( QUARANTINE )
c:\documents and settings\g. rick\local settings\temp\ovfsthvpoyfejwav.tmp
    [INFO]      The file is not visible.
    [NOTE]      A backup was created as '495b6d83.qua'  ( QUARANTINE )
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ovfsthwlpvaopauamqcqkwvaotspvbvecoboxo\main
    [INFO]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ovfsthwlpvaopauamqcqkwvaotspvbvecoboxo\modules
    [INFO]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ovfsthwlpvaopauamqcqkwvaotspvbvecoboxo\start
    [INFO]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ovfsthwlpvaopauamqcqkwvaotspvbvecoboxo\type
    [INFO]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ovfsthwlpvaopauamqcqkwvaotspvbvecoboxo\group
    [INFO]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ovfsthwlpvaopauamqcqkwvaotspvbvecoboxo\imagepath
    [INFO]      The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ovfsthwlpvaopauamqcqkwvaotspvbvecoboxo\inst
    [INFO]      The registry entry is invisible.
'71520' objects were checked, '16' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20090521-172614-224F7697\AVSCAN-0000000B.exe
    [DETECTION] Is the TR/Downloader.Gen Trojan
Scan process 'khoiondj.exe' - '1' Module(s) have been scanned
  Module is infected -> 'C:\Documents and Settings\G. Rick\Application Data\Microsoft\Windows\khoiondj.exe'
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'robotaskbaricon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'rei_agent.exe' - '1' Module(s) have been scanned
Scan process 'AAWTray.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'unsecapp.exe' - '1' Module(s) have been scanned
Scan process 'VzFw.exe' - '1' Module(s) have been scanned
Scan process 'EKDiscovery.exe' - '1' Module(s) have been scanned
Scan process 'WasherSvc.exe' - '1' Module(s) have been scanned
Scan process 'VzCdbSvc.exe' - '1' Module(s) have been scanned
Scan process 'VCSW.exe' - '1' Module(s) have been scanned
Scan process 'VESMgr.exe' - '1' Module(s) have been scanned
Scan process 'TUProgSt.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'stacsv.exe' - '1' Module(s) have been scanned
Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned
Scan process 'PDAgent.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'sqlservr.exe' - '1' Module(s) have been scanned
Scan process 'KodakSvc.exe' - '1' Module(s) have been scanned
Scan process 'IAANTmon.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'gearsec.exe' - '1' Module(s) have been scanned
Scan process 'gearsec.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'AAWService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned
Scan process 'EvtEng.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
Process 'khoiondj.exe' has been terminated
C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20090521-172614-224F7697\AVSCAN-0000000C.exe
    [DETECTION] Is the TR/Downloader.Gen Trojan
C:\Documents and Settings\G. Rick\Application Data\Microsoft\Windows\khoiondj.exe
    [DETECTION] Is the TR/Downloader.Gen Trojan
    [WARNING]   The file could not be opened!
    [NOTE]      The file was deleted!

50 processes with 49 modules were scanned

Starting master boot sector scan:

Start scanning boot sectors:
Boot sector 'C:\'
    [INFO]      No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '61' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
    [WARNING]   The file could not be opened!
    [NOTE]      This file is a Windows system file.
    [NOTE]      This file cannot be opened for scanning.
C:\pagefile.sys
    [WARNING]   The file could not be opened!
    [NOTE]      This file is a Windows system file.
    [NOTE]      This file cannot be opened for scanning.
C:\Documents and Settings\G. Rick\My Documents\Incomplete\T-4320425-hata sickle [256k quality].mp3
    [DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
C:\Documents and Settings\G. Rick\My Documents\PcSetup\Maintenance\ccsetup205.exe
  [0] Archive type: NSIS
    --> ProgramFilesDir/[PluginsDir]/LangDLL.dll
      [WARNING]   No further files can be extracted from this archive. The archive will be closed
    [WARNING]   No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\G. Rick\My Documents\Zipped Files\WGAValidator.zip
  [0] Archive type: ZIP
    --> WGAValidator/keyfinder.exe
    --> WGAValidator/keyfinder.exe
      [1] Archive type: RAR SFX (self extracting)
      --> findkey.exe
        [DETECTION] Is the TR/Agent.542720.C Trojan
C:\WINDOWS\system32\userinit.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O1UN41IR\lsp[1].exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\WINDOWS\system32\dllcache\userinit.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

Beginning disinfection:
C:\Documents and Settings\G. Rick\My Documents\Incomplete\T-4320425-hata sickle [256k quality].mp3
    [DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
    [NOTE]      The file was moved to '4a4a3c76.qua'!
C:\Documents and Settings\G. Rick\My Documents\Zipped Files\WGAValidator.zip
    [NOTE]      The file was moved to '4a573c90.qua'!
C:\WINDOWS\system32\userinit.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '4a7b3cbc.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O1UN41IR\lsp[1].exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '4a863cbc.qua'!
C:\WINDOWS\system32\dllcache\userinit.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '495cfadd.qua'!


End of the scan: Thursday, May 21, 2009  22:46
Used time: 51:06 Minute(s)

The scan has been done completely.

  12200 Scanned directories
 471083 Files were scanned
     10 Viruses and/or unwanted programs were found
      0 Files were classified as suspicious
      1 files were deleted
      0 Viruses and unwanted programs were repaired
     14 Files were moved to quarantine
      0 Files were renamed
      3 Files cannot be scanned
 471070 Files not concerned
  10443 Archives were scanned
      5 Warnings
     17 Notes
  71520 Objects were scanned with rootkit scan
     16 Hidden objects were found

--------------------------------------------------------------------

Once again, I asked the program to remove all items found. But since this was my first time using that program, I wasn't yet certain it complied with my request.

Then, after a reboot, I noted that I was able to change my desktop now. Progress!! I still can't get on the internet yet, and it still won't recognize any USB-based drives.

Finally, I ran HJT and saved the following log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:12 PM, on 5/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Kodak\Printer\Center\EKDiscovery.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Reimage\rei_agent.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ReimageAgent] C:\Program Files\Reimage\rei_agent.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [sSgURl] C:\Documents and Settings\G. Rick\Application Data\Microsoft\Windows\khoiondj.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Transfer by Image Converter 2 Plus - C:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\temp\ntdll64.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {10ECCE17-29B5-4880-A8F5-EAD298611484} (ReiEngine Class) - http://cdnrep.reimage.com/reix1225.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer =  
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs:  c:\windows\system32\tejekuru.dll
O20 - Winlogon Notify: vtuvtus - vtuvtus.dll (file missing)
O21 - SSODL: bdmanager - {E25FB3D6-AFAD-4875-8ACB-D893E1570EBB} - (no file)
O21 - SSODL: admgcx - {8F2142E2-B754-46AF-9A53-FD96BF8D8D78} - (no file)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: GEARSecurity_BackUp - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - C:\Program Files\Kodak\Printer\Center\EKDiscovery.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 13397 bytes
-------------------------------------------------------------------

So, in my mind, it appears we've made progress (of which I'm grateful). So, tell me what my logs say in regards to taking care of my USB issues. And where do I go from here, in regards to internet access?

Once again, thanks and I'll wait for your reply.

Edited by Reverend Jim: Fixed formatting

0

Yes, progress is being made BUT as you said your MBA-M log shows NO ACTION TAKEN on all objects found.
You will need to run it again to be certain.
The database version you had on there was pretty close. Since you are using the Offline Update option, that one is somewhat behind the online updates. Once you are able to actually get this computer online you will be able to update via the program itself accessing the update files and then you would be up to date.
Go HERE and get another offline update, take it to the computer and update your MBA-M program and then run a FULL Scan again. This time once the scan is complete be sure there are check marks in all items found and then click the Remove Selected button.
Then REBOOT the COMPUTER...this is an absolute MUST. Some items cannot be completely removed unless the computer is rebooted because they will be removed during the early boot process before these infected files can be turned on.
There ARE still signs of infection showing in the HJT log and there is another step we can try but let's go on with this first to see what can be removed using MBA-M. I also would recommend you UNINSTALL AdAware, this newer version isn't what the old one was and it too adds some unneeded options which can interfere with fixes.
I also note you say you Deleted the HJT and AVG...hope you mean Uninstalled. Just deleting doesn't remove the program, just the entries in various places, and that makes it really difficult to actually uninstall.
Update and run MBA-M again, run your Avira again to see what it shows, won't need the full log from Avira, just infections found and locations if there are any. Do need the full MBA-M log and then of course reboot and run a new HJT scan and save the log.
Then we'll decide the next course of action.
Judy

0

Thanks again, Judy, for assisting me - and for the pointers. And I'm sorry for the misunderstanding about the delete vs. uninstall thing. Usually, I'm sooo eloquent.

To clarify things I actually uninstalled both HJT and AVG. I actually use a program called Revo Uninstaller for that task - which has proven VERY effective in removing just about anything I throw at it. But since some of the terminology in the program mentions 'delete', I think that's why I said it. Sorry.

In any case, here's my update on what I've done:

First, before I got a chance to read your reply, I went ahead on my own and poked around in MBA-M and found 66 files that were quarantined in the program. So, I guess I really DIDN'T remove those pesky things after all, huh? So I went ahead and removed them via the remove selected button.

That's when I finally got to your reply and said, 'dang, I probably should've waited'. In any case, it gave me a chance to download that update you linked to. So, currently, MBA-M is up to definition version 2162! :cool:

After that, I ran another scan on MBA-M, which came up with an additional 6 items. I removed those items and saved the following log:

Malwarebytes' Anti-Malware 1.36
Database version: 2162
Windows 5.1.2600 Service Pack 3

5/24/2009 6:31:55 PM
mbam-log-2009-05-24 (18-31-55).txt

Scan type: Full Scan (C:\|)
Objects scanned: 216520
Time elapsed: 28 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Setup Wizard (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Setup Wizard\pure-network-magic.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Setup Wizard\settings.ini (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Setup Wizard\SetupWizard.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Setup Wizard\unins000.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Setup Wizard\unins000.exe (Trojan.Agent) -> Quarantined and deleted successfully.
============================================

After that, I went ahead and deleted AdAware (which, like you said, really didn't stack up to the previous versions) using my Revo Uninstaller program.

Then, I rebooted the computer, ran Avira (twice, by accident), found and removed/deleted 18 files, and saved the following log:

Avira AntiVir Personal
Report file date: Sunday, May 24, 2009 19:09

Scanning for 1284893 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : RICK

Version information:
BUILD.DAT : 9.0.0.394 17962 Bytes 4/17/2009 11:20:00
AVSCAN.EXE : 9.0.3.5 466689 Bytes 4/17/2009 16:57:30
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 18:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 19:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 18:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 20:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 04:33:26
ANTIVIR2.VDF : 7.1.2.105 513536 Bytes 3/3/2009 15:41:14
ANTIVIR3.VDF : 7.1.2.127 110592 Bytes 3/5/2009 22:58:20
Engineversion : 8.2.0.100
AEVDF.DLL : 8.1.1.0 106868 Bytes 1/28/2009 01:36:42
AESCRIPT.DLL : 8.1.1.56 352634 Bytes 2/27/2009 04:01:56
AESCN.DLL : 8.1.1.7 127347 Bytes 2/12/2009 19:44:25
AERDL.DLL : 8.1.1.3 438645 Bytes 10/30/2008 02:24:41
AEPACK.DLL : 8.1.3.10 397686 Bytes 3/4/2009 21:06:10
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/27/2009 04:01:56
AEHEUR.DLL : 8.1.0.100 1618295 Bytes 2/25/2009 23:49:16
AEHELP.DLL : 8.1.2.2 119158 Bytes 2/27/2009 04:01:56
AEGEN.DLL : 8.1.1.24 336244 Bytes 3/4/2009 21:06:10
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 22:32:40
AECORE.DLL : 8.1.6.6 176501 Bytes 2/17/2009 22:22:44
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 22:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 16:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 18:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 22:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 18:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 23:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 18:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 23:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 16:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 18:32:10
RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2/9/2009 19:45:45
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 18:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Sunday, May 24, 2009 19:09

Starting search for hidden objects.
c:\windows\system32\ovfstheqhggnuhujrmidcopqedcyyaqppuvjdx.dat
[INFO] The file is not visible.
[NOTE] A backup was created as '4a7ffebf.qua' ( QUARANTINE )
c:\windows\system32\ovfsthjmhtkuvsiilvrliyyylbtessdtoqndlr.dll
[INFO] The file is not visible.
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[INFO] No SpecVir entry was found!
[NOTE] A backup was created as '4bf334b0.qua' ( QUARANTINE )
c:\windows\system32\ovfsthmkjhuiofupyurunhnmnbnvavufdjlrmk.dat
[INFO] The file is not visible.
[NOTE] A backup was created as '4bf10c90.qua' ( QUARANTINE )
c:\windows\system32\ovfsthwninqbykdgdmiduhybklibmvilwcwaea.dll
[INFO] The file is not visible.
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[INFO] No SpecVir entry was found!
[NOTE] A backup was created as '4beee4f0.qua' ( QUARANTINE )
c:\windows\system32\ovfsthxbjlgjojtnsojqbeplnokstmeepnapty.dll
[INFO] The file is not visible.
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[INFO] No SpecVir entry was found!
[NOTE] A backup was created as '4becbcd0.qua' ( QUARANTINE )
c:\windows\system32\drivers\ovfsthdhboodplfdsbepiqghdjjvdoxheefyho.sys
[INFO] The file is not visible.
[NOTE] A backup was created as '4bea9730.qua' ( QUARANTINE )
c:\documents and settings\g. rick\local settings\temp\ovfsthnnfvoqyexn.tmp
[INFO] The file is not visible.
[NOTE] A backup was created as '4be86f10.qua' ( QUARANTINE )
c:\documents and settings\g. rick\local settings\temp\ovfsthpecvbdmdbx.tmp
[INFO] The file is not visible.
[NOTE] A backup was created as '4be64770.qua' ( QUARANTINE )
c:\documents and settings\g. rick\local settings\temp\ovfsthvpoyfejwav.tmp
[INFO] The file is not visible.
[NOTE] A backup was created as '4949d448.qua' ( QUARANTINE )
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ovfsthwlpvaopauamqcqkwvaotspvbvecoboxo\main
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ovfsthwlpvaopauamqcqkwvaotspvbvecoboxo\modules
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ovfsthwlpvaopauamqcqkwvaotspvbvecoboxo\start
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ovfsthwlpvaopauamqcqkwvaotspvbvecoboxo\type
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ovfsthwlpvaopauamqcqkwvaotspvbvecoboxo\group
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ovfsthwlpvaopauamqcqkwvaotspvbvecoboxo\imagepath
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ovfsthwlpvaopauamqcqkwvaotspvbvecoboxo\inst
[INFO] The registry entry is invisible.
'71442' objects were checked, '16' hidden objects were found.

The scan of running processes will be started
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'iTunes.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'msiexec.exe' - '1' Module(s) have been scanned
Scan process 'revouninstaller.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'robotaskbaricon.exe' - '1' Module(s) have been scanned
Scan process 'nmapp.exe' - '1' Module(s) have been scanned
Scan process 'nmctxth.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'VzFw.exe' - '1' Module(s) have been scanned
Scan process 'nmsrvc.exe' - '1' Module(s) have been scanned
Scan process 'EKDiscovery.exe' - '1' Module(s) have been scanned
Scan process 'WasherSvc.exe' - '1' Module(s) have been scanned
Scan process 'VzCdbSvc.exe' - '1' Module(s) have been scanned
Scan process 'VCSW.exe' - '1' Module(s) have been scanned
Scan process 'VESMgr.exe' - '1' Module(s) have been scanned
Scan process 'TUProgSt.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'stacsv.exe' - '1' Module(s) have been scanned
Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned
Scan process 'PDAgent.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'sqlservr.exe' - '1' Module(s) have been scanned
Scan process 'KodakSvc.exe' - '1' Module(s) have been scanned
Scan process 'IAANTmon.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'gearsec.exe' - '1' Module(s) have been scanned
Scan process 'gearsec.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned
Scan process 'EvtEng.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned

50 processes with 50 modules were scanned

Starting master boot sector scan:

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '59' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\G. Rick\My Documents\PcSetup\Maintenance\ccsetup205.exe
[0] Archive type: NSIS
--> ProgramFilesDir/[PluginsDir]/LangDLL.dll
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed


End of the scan: Sunday, May 24, 2009 19:59
Used time: 49:58 Minute(s)

The scan has been done completely.

12034 Scanned directories
451266 Files were scanned
3 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
9 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
451261 Files not concerned
10431 Archives were scanned
4 Warnings
11 Notes
71442 Objects were scanned with rootkit scan
16 Hidden objects were found

============================================

Then, I rebooted the computer once again, ran HJT, and saved the following log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:49 PM, on 5/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Kodak\Printer\Center\EKDiscovery.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [sSgURl] C:\Documents and Settings\G. Rick\Application Data\Microsoft\Windows\khoiondj.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Transfer by Image Converter 2 Plus - C:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\temp\ntdll64.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {10ECCE17-29B5-4880-A8F5-EAD298611484} (ReiEngine Class) - http://cdnrep.reimage.com/reix1225.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer =
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: c:\windows\system32\tejekuru.dll
O20 - Winlogon Notify: vtuvtus - vtuvtus.dll (file missing)
O21 - SSODL: bdmanager - {E25FB3D6-AFAD-4875-8ACB-D893E1570EBB} - (no file)
O21 - SSODL: admgcx - {8F2142E2-B754-46AF-9A53-FD96BF8D8D78} - (no file)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: GEARSecurity_BackUp - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - C:\Program Files\Kodak\Printer\Center\EKDiscovery.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 13563 bytes
============================================

Now, while poring over the HJT log, I noticed this:

O10 - Broken Internet access because of LSP provider 'c:\windows\temp\ntdll64.dll' missing

And I'm sorry if I'm kinda 'jumping the gun', but would this be why I can't get on the internet? And if so, how do we go about looking into that?

Oh, and also, it's worth noting that I still am not able to get the laptop to recognize ANY USB drive. Now, keep in mind that I can plug in a wired mouse into any of the ports, and it works fine. However, in my analysis, I noted that when I do plug in any of my USB drives, they never seem to get a drive letter assigned to them. However, I can hear the 'tone' which lets me know that they were connected. And I can use the Safely Remove Hardware icon on the taskbar to 'un-mount' it.

Anyway, thanks for looking into this.

0

And I'm sorry if I'm kinda 'jumping the gun', but would this be why I can't get on the internet? And if so, how do we go about looking into that?
O10 - Broken Internet access because of LSP provider 'c:\windows\temp\ntdll64.dll' missing

You are not jumping the gun at all, very observant. I saw that one myself in your last log. It likely IS the reason you cannot get online. That entry indicates the rogue Anti-Spyware Program Antispyware2008 was on the system for sure and possibly some of it still remains.
Try running LSPFix, using the directions given on the link to repair.

There are still infected files showing in the log. But first I would like you to Uninstall the following programs:
Pure Networks - several of the infected files removed were from this program. Best to Uninstall ALL of it.
Also remove Webroot Window Washer. As you say, you have installed ATF-Cleaner, so the Webroot program isn't needed and certainly shouldn't be running all the time. Same goes for PerfectDisk10. While neither of these programs is bad, there is no reason for them to run constantly.
RoboForms also runs all the time and can easily be run manually when needed.
Empty the Quarantine of Avira. Run the LSPFix program and do all of the above.
Then run HJT again and place check marks next to the following entries if they remain:
O10 - Broken Internet access because of LSP provider 'c:\windows\temp\ntdll64.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer =
O20 - Winlogon Notify: vtuvtus - vtuvtus.dll (file missing)
O21 - SSODL: bdmanager - {E25FB3D6-AFAD-4875-8ACB-D893E1570EBB} - (no file)
O21 - SSODL: admgcx - {8F2142E2-B754-46AF-9A53-FD96BF8D8D78} - (no file)
Once you have placed the check marks then click the Fix Checked button.
Exit HJT.
Reboot the computer
Update both Avira and MBA-M and run Full Scans with both. Fix anything found and save the logs.
Reboot the computer and run a new HJT scan and save the log.
There will be at least one more fix, but I will need to see the logs first.
Judy

0

Hey Judy,

So, after reading your thread, a couple of 'interesting' things happened to my laptop. So, here's what I did:

Went to empty my Avira quarantine, but there was nothing there. I'm ASSuming that I deleted that stuff the last time I ran Avira. Which - IMHO - is a good thing, I'm thinking.

Anyway, I went ahead and downloaded the LSPFix to my CD-RW (neighbor let me have the disk to keep out of 'pity' - LOL ), loaded it up to my laptop and ran it per its instructions. Lo and behold, I had internet!! WhooHoo!!! However, it wasn't 'internet' in the true sense of the word. To summarize, once the program finished running and I rebooted the computer, my Windows Update kicked in. So, per the instructions again, I checked to see if I could get to Google's website. Now, while none of my desktop links nor my favorites links would take me there, I could type in the address manually to get there. And in using any of my desktop links to websites or my Favorites links, the pages would be in a 'loading...' status for what seemed like forever. So, I'll follow some of the other instructions in the 'readme' for that program in a bit to see if I can make any headway.

Next thing on my agenda was to uninstall/delete Windows Washer. Now, while I wasn't necessarily married to that program, I've had some version or another of that for a few years now, and have run it every month for quite some time. So it was sad to see it go, but if it helps me to get full functionality of my computer again, I'll live with it.

Then I went and uninstalled/deleted Pure Networks. However, since it was the parent name of Network Magic, I immediately lost communication with my router AND my home network. Now, since I haven't had communication with my home network for a few weeks now (a whole different subject involving rebuilding my desktop that I won't bore you with), communication with the router WAS a big issue for me. So, in that regard, I had to re-install an old version of Network Magic from the install disk that came with my router. Not as functional as the newer version they have out, but it at least got me communicating with the router - and the internet - again. However, if you think that it will invariably cause issues with what we're doing, I guess I can go ahead and manually configure my wireless home network (a true PITA, but nothing I'm unfamiliar with).

I also uninstalled/deleted Perfect Disk 10 (it was something I was trying at some point in order to fix this issue, so I definitely wasn't attached to that one).

And I reconfigured RoboForms so that I will now have to manually run it, if needed.

Then, I ran HJT as directed. Now, while I didn't see the "O10" entry we talked about, I did see the other entries, checked them off, and clicked Fix Checked.

I then rebooted the computer, updated both Avira (now on 9.0.0.394) and MBA-M (definitions are now at 2181), ran full scans of both programs, fixed all the entries found, and saved the logs. Here's the one for Avira first:

Avira AntiVir Personal
Report file date: Tuesday, May 26, 2009 06:20

Scanning for 1423150 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : RICK

Version information:
BUILD.DAT : 9.0.0.394 17962 Bytes 4/17/2009 11:20:00
AVSCAN.EXE : 9.0.3.5 466689 Bytes 4/17/2009 16:57:30
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 18:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 19:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 18:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 20:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 04:33:26
ANTIVIR2.VDF : 7.1.4.0 2336768 Bytes 5/20/2009 12:50:23
ANTIVIR3.VDF : 7.1.4.18 150528 Bytes 5/26/2009 12:50:25
Engineversion : 8.2.0.168
AEVDF.DLL : 8.1.1.1 106868 Bytes 5/26/2009 12:50:38
AESCRIPT.DLL : 8.1.2.0 389497 Bytes 5/26/2009 12:50:37
AESCN.DLL : 8.1.2.3 127347 Bytes 5/26/2009 12:50:36
AERDL.DLL : 8.1.1.3 438645 Bytes 10/30/2008 02:24:41
AEPACK.DLL : 8.1.3.16 397686 Bytes 5/26/2009 12:50:35
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/27/2009 04:01:56
AEHEUR.DLL : 8.1.0.129 1761655 Bytes 5/26/2009 12:50:33
AEHELP.DLL : 8.1.2.2 119158 Bytes 2/27/2009 04:01:56
AEGEN.DLL : 8.1.1.44 348532 Bytes 5/26/2009 12:50:27
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 22:32:40
AECORE.DLL : 8.1.6.9 176500 Bytes 5/26/2009 12:50:26
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 22:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 16:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 18:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 22:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 18:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 23:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 18:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 23:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 16:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 18:32:10
RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2/9/2009 19:45:45
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 18:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Tuesday, May 26, 2009 06:20

Starting search for hidden objects.
The repair notes were written to the file 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\PROFILES\AVSCAN-20090526-062355-48194F8C.avp'.
c:\windows\system32\drivers\ovfsthdhboodplfdsbepiqghdjjvdoxheefyho.sys
[INFO] The file is not visible.
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4a81ede1.qua'!
c:\windows\system32\ovfstheqhggnuhujrmidcopqedcyyaqppuvjdx.dat
[INFO] The file is not visible.
c:\windows\system32\ovfsthjmhtkuvsiilvrliyyylbtessdtoqndlr.dll
[INFO] The file is not visible.
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[INFO] No SpecVir entry was found!
c:\windows\system32\ovfsthmkjhuiofupyurunhnmnbnvavufdjlrmk.dat
[INFO] The file is not visible.
c:\windows\system32\ovfsthwninqbykdgdmiduhybklibmvilwcwaea.dll
[INFO] The file is not visible.
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[INFO] No SpecVir entry was found!
c:\windows\system32\ovfsthxbjlgjojtnsojqbeplnokstmeepnapty.dll
[INFO] The file is not visible.
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[INFO] No SpecVir entry was found!
c:\documents and settings\g. rick\local settings\temp\ovfsthnnfvoqyexn.tmp
[INFO] The file is not visible.
[DETECTION] Is the TR/TDss.ycp Trojan
[INFO] No SpecVir entry was found!
c:\documents and settings\g. rick\local settings\temp\ovfsthpecvbdmdbx.tmp
[INFO] The file is not visible.
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Neakse.JF back-door program
[INFO] No SpecVir entry was found!
c:\documents and settings\g. rick\local settings\temp\ovfsthvpoyfejwav.tmp
[INFO] The file is not visible.
[DETECTION] Is the TR/Patched.GE Trojan
[INFO] No SpecVir entry was found!


End of the scan: Tuesday, May 26, 2009 06:24
Used time: 03:48 Minute(s)

The scan has been done completely.

0 Scanned directories
9 Files were scanned
7 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
1 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
2 Files not concerned
0 Archives were scanned
0 Warnings
1 Notes
71433 Objects were scanned with rootkit scan
16 Hidden objects were found
============================================

Next, is the log for MBA-M:

Malwarebytes' Anti-Malware 1.36
Database version: 2181
Windows 5.1.2600 Service Pack 3

5/26/2009 7:00:24 AM
mbam-log-2009-05-26 (07-00-24).txt

Scan type: Full Scan (C:\|)
Objects scanned: 198090
Time elapsed: 31 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\__c00E77B9.dat (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00e77b9 (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f1bee35.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\glsetup.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c00E77B9.dat (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\Temp\_A00F1BEE35.exe (Trojan.Agent) -> Quarantined and deleted successfully.
=============================================

Then, I rebooted the computer again, ran HJT, and saved the log ONLY. Here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:16:55 AM, on 5/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kodak\Printer\Center\EKDiscovery.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\GBA0F~1.RIC\LOCALS~1\Temp\3243440976.exe
C:\WINDOWS\System32\avast!Antivirus.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: C:\WINDOWS\system32\had73sfdfd.dll - {C6C7B2A1-00F3-42BD-F434-00AABA2C8953} - C:\WINDOWS\system32\had73sfdfd.dll
O2 - BHO: Microsoft copyright - {F30B5E7E-CFBB-44fb-A947-226E5A7A4290} - jhxm32.dll (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [sSgURl] C:\Documents and Settings\G. Rick\Application Data\Microsoft\Windows\khoiondj.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\GBA0F~1.RIC\LOCALS~1\Temp\3243440976.exe
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\dax6fq.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [nzdflkioezncfiunfindiuchiuenfcdc] C:\WINDOWS\TEMP\dax6fq.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\3367347226.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\dax6fq.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Transfer by Image Converter 2 Plus - C:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {10ECCE17-29B5-4880-A8F5-EAD298611484} (ReiEngine Class) - http://cdnrep.reimage.com/reix1225.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: c:\windows\system32\tejekuru.dll
O22 - SharedTaskScheduler: gsf87hfunf98398jd - {C6C7B2A1-00F3-42BD-F434-00AABA2C8953} - C:\WINDOWS\system32\had73sfdfd.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast!Antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: GEARSecurity_BackUp - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - C:\Program Files\Kodak\Printer\Center\EKDiscovery.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

--
End of file - 12746 bytes
===========================================

Now, here's the 'interesting' part I talked about at the beginning of this post. As soon as I finished running HJT, but before saving the log to the disk, the following message popped up on my screen:

Your computer remains infected by threats! They can cause data loss and file damages and need to be cured as soon as possible. Return to Persona Antivirus and download it secure to your PC.

Now, since I currently am in training as an Apple tech support rep (guess I should've mentioned this at the beginning, huh?? ), one of the first things we talked about in class was about 'scare-ware' tactics - which I'm ASSuming this is. So, taking that into consideration, I turned off my network card on my laptop and shut the computer down. I was gonna run Avira at this point, but I figured I'd check in with you, with this new batch of info, to see what the next course of action would be.

Oh, and I probably should also mention that I still have no access to any USB devices that I plug in - except my wired mouse. But I can update my programs, which means that I at least have SOME internet access.

0

You ARE making progress, that is for sure. Let me explain WHY I had you remove Pure Networks, because some of the infected files were Pure Networks files.
Note these from previous log:
C:\Program Files\Setup Wizard\pure-network-magic.exe
I was hesitant earlier to note something, but I will now.
It seems that MOST of the infected files were/are located in this folder:
C:\Program Files\Setup Wizard\
I knew the pure network magic had to do with your ability to go through your router and if the "new"/old files work then there obviously was infection in the "new" ones you removed. Did you download these directly from THEIR website or someplace else?

Now this pop-up warning you received:

Your computer remains infected by threats! They can cause data loss and file damages and need to be cured as soon as possible. Return to Persona Antivirus and download it secure to your PC.

is an indication there is STILL infection on there, obviously by a rogue anti-spy/anti-virus. You did ABSOLUTELY the right thing by going off line immediately and shutting down.


Your MBA-M database IS the most current available so I am going to recommend once more that you do another scan with it....BUT stay OFFLINE, in fact disconnect the internet line completely to the computer and go to the Task Scheduler.

This entry in the HJT log concerns me also:
O22 - SharedTaskScheduler: gsf87hfunf98398jd - {C6C7B2A1-00F3-42BD-F434-00AABA2C8953} - C:\WINDOWS\system32\had73sfdfd.dll
As I am sure you will agree...this is a very strange listing. Check in Scheduled Tasks, if you see this, REMOVE it. Then follow these next instructions.
Staying OFFLINE, run another MBA-M Full System Scan and REMOVE everything it finds.

Reboot, but this time into SAFE MODE.
Run a Full Scan with your Avira and again remove everything found.

Shut down the computer, reconnect the internet and then reboot back to normal mode and go to the ESET Online Scanner
# You will need to use Internet Explorer to complete this scan.
# You will need to temporarily Disable your current Anti-virus program.

# Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
# When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us along with the MBA-M log, unless it showed nothing and the Avira log, unless it showed nothing.
I may want you to run another program shortly but I want to see what these additional scans will show. You are doing great and you ARE making progress!
Judy

0

Hey,

Just thought I'd chime in while I'm going forward with your advice. In addition to the entry you mentioned in the HJT log, one of the entries I took note of was the following:

O23 - Service: avast!Antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe

Now, to my knowledge, I've never downloaded or used Avast. And the whole 'unknown owner' thing caused me to raise an eyebrow. Is this something that I should also be concerned with, or should I just 'let it ride', so to speak??

0

Hey,

Just thought I'd chime in while I'm going forward with your advice. In addition to the entry you mentioned in the HJT log, one of the entries I took note of was the following:

Now, to my knowledge, I've never downloaded or used Avast. And the whole 'unknown owner' thing caused me to raise an eyebrow. Is this something that I should also be concerned with, or should I just 'let it ride', so to speak??

You have a VERY KEEN EYE. That is a BRAND NEW entry in the log, it also shows as a running process. This obviously is NOT AVAST.

Go to http://virusscan.jotti.org/en
and upload this file:
C:\WINDOWS\System32\avast!Antivirus.exe
It will be scanned by multiple scanners and give you a reading on what this file is exactly.
Post back here with the full information.
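A defender-side way to pre-screen an HJT log for the kinds of entries flagged in this thread (autostarts pointing at missing files, autoruns launched from Temp folders, a service with no identifiable owner, the disabled Registry Editor policy, and rarely-legitimate load points such as O10/O20/O21/O22). This is an added example, not HijackThis's own code or anything from the posts; the sample lines are constructed after entries quoted above.

```python
"""Heuristic pre-screen of HijackThis (HJT) log lines.

Added example for this thread: it encodes the reading rules applied by the
helper above so a log can be flagged before a human walks through it. It is
not part of HijackThis; the sample lines are constructed after entries quoted
in the thread.
"""
import re
from dataclasses import dataclass, field

# Load points that are almost never populated on a clean system of this era;
# anything listed under them deserves a manual look even when the file exists.
REVIEW_ALWAYS = {"O10", "O20", "O21", "O22"}

# "(file missing)", "(no file)" and the O10 "... missing" wording all mean the
# autostart entry points at a file that is no longer on disk: typically the
# remains of a partially removed infection (for O10, a broken Winsock LSP chain).
ORPHAN_RE = re.compile(r"\(file missing\)|\(no file\)|' missing$", re.IGNORECASE)

# Installed software does not live in Temp folders, so an autorun (O4) whose
# target sits under one is a strong indicator.
TEMP_PATH_RE = re.compile(r"\\temp\\", re.IGNORECASE)

# Every HJT line starts with its section code, e.g. "O4 - HKLM\..\Run: ..."
SECTION_RE = re.compile(r"^(O\d+|R[0-3]|F[0-3]|N[1-4])\s+-\s+")


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)


def classify(line: str) -> list:
    """Return the reasons (possibly none) why one HJT line deserves attention."""
    m = SECTION_RE.match(line)
    if not m:
        return []
    section = m.group(1)
    reasons = []
    if ORPHAN_RE.search(line):
        reasons.append("autostart points at a file that is no longer on disk")
    if section == "O4" and TEMP_PATH_RE.search(line):
        reasons.append("autorun launches an executable from a Temp folder")
    if section == "O23" and "- Unknown owner -" in line:
        reasons.append("service has no identifiable publisher")
    if section == "O7" and "DisableRegedit=1" in line:
        reasons.append("policy disables the Registry Editor")
    if section in REVIEW_ALWAYS:
        reasons.append(f"{section} load point is rarely legitimate; review manually")
    return reasons


def triage(log_text: str) -> list:
    """Walk a whole HJT log and collect every line with at least one reason."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = classify(line)
        if reasons:
            findings.append(Finding(SECTION_RE.match(line).group(1), line, reasons))
    return findings


# Constructed sample modelled on entries quoted in this thread (not a full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\GBA0F~1.RIC\LOCALS~1\Temp\3243440976.exe
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\dax6fq.exe (User 'SYSTEM')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Broken Internet access because of LSP provider 'c:\windows\temp\ntdll64.dll' missing
O20 - Winlogon Notify: vtuvtus - vtuvtus.dll (file missing)
O21 - SSODL: bdmanager - {E25FB3D6-AFAD-4875-8ACB-D893E1570EBB} - (no file)
O22 - SharedTaskScheduler: gsf87hfunf98398jd - {C6C7B2A1-00F3-42BD-F434-00AABA2C8953} - C:\WINDOWS\system32\had73sfdfd.dll
O23 - Service: avast!Antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

if __name__ == "__main__":
    # Eight of the ten sample lines are flagged; the two Avira entries are not.
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.line}")
        for r in f.reasons:
            print(f"    -> {r}")
```

The heuristics are deliberately conservative: a flagged line is a prompt for the kind of manual check the thread shows (look up the file, check the publisher, confirm whether it exists), not a verdict.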

0

Hey again,

I would've posted sooner, but one of my kids 'moved' the CD-RW that had my logs on it - so I didn't have anything to show. In any case, I finally tracked it down. So, here's a rundown - albeit 3 days late - of where I'm at thus far:

Thanks for explaining to me the reasoning behind you wanting me to delete my Pure Networks. Now, something I noted - but failed to mention because I wasn't sure it was relevant until now - was that in my research, I found that the "C:\Program Files\Setup Wizard\pure-network-magic.exe" file was not in the "Network Magic" folder. In fact, one of the things I found peculiar was that Network Magic had its own setup wizard - which I found to be a different color from the suspect file (blue - which was consistent with all the other files in that folder - as opposed to orange). As I said, I wasn't sure it was important at the time, so I didn't mention it. Which begged the question as to WHERE did I get it? I thought I got it from the actual company's website, but at this point, I'm not sure.

So, I started off working on my lspfix issue I mentioned, as I was still having the same internet access issues. First thing I did was to reboot the computer. Then, as I opened up an explorer window, I noted that everything was moving a LOT slower than normal. Task Manager showed me that CPU usage was at a consistent 50% to 60% - far above my 'normal' 3% to 5%. At this point, I also noticed something new on my tool bar - something called "live info search", or some such. I was able to find - and remove - it using my Revo Uninstaller, which brought my CPU usage back to normal.

Then, I turned off my wireless card on my laptop, ran a quick MBA-M, and rebooted the computer (Windows installed 2 updates on reboot, BTW). Nothing showed up, unbelievably. Then, I tried to track down the following entries in my last HJT log that we mentioned:

O22 - SharedTaskScheduler: gsf87hfunf98398jd - {C6C7B2A1-00F3-42BD-F434-00AABA2C8953} - C:\WINDOWS\system32\had73sfdfd.dll

and

O23 - Service: avast!Antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe

Unfortunately, I couldn't find a trace of either of them - either by looking directly in the locations they showed, checking 'Scheduled Tasks', or by using the "search" function. So, going forward, I went ahead and ran a full scan with MBA-M. I believe I found and removed 22 files. Here's the log from that:

Malwarebytes' Anti-Malware 1.36
Database version: 2181
Windows 5.1.2600 Service Pack 3

5/27/2009 7:52:46 AM
mbam-log-2009-05-27 (07-52-46).txt

Scan type: Full Scan (C:\|)
Objects scanned: 198939
Time elapsed: 29 minute(s), 42 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 2
Registry Keys Infected: 5
Registry Values Infected: 8
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 22

Memory Processes Infected:
C:\Documents and Settings\G. Rick\Local Settings\Temp\3243440976.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\autochk.dll (Spyware.Agent) -> Delete on reboot.
C:\WINDOWS\system32\had73sfdfd.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c6c7b2a1-00f3-42bd-f434-00aaba2c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c6c7b2a1-00f3-42bd-f434-00aaba2c8953} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c6c7b2a1-00f3-42bd-f434-00aaba2c8953} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f30b5e7e-cfbb-44fb-a947-226e5a7a4290} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f30b5e7e-cfbb-44fb-a947-226e5a7a4290} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c6c7b2a1-00f3-42bd-f434-00aaba2c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Spyware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Spyware.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ (Trojan.Winwebsec) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nzdflkioezncfiunfindiuchiuenfcdc (Trojan.Winwebsec) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diagnostic manager (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Spyware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diagnostic manager (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\had73sfdfd.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\system32\autochk.dll (Spyware.Agent) -> Delete on reboot.
C:\Documents and Settings\G. Rick\Local Settings\Temp\3243440976.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\G. Rick\protect.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\dax6fq.exe (Trojan.Winwebsec) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\3367347226.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\protect.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\G. Rick\Start Menu\Programs\Startup\ChkDisk.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\protect.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ak1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\protect.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\3140628476.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\3158440976.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\msb.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\sfdef9834j.exe (Trojan.Winwebsec) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\p2hhr.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sft.res (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\G. Rick\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\G. Rick\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\service-466.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
==========================================

Next, I rebooted the computer, started up in SAFE MODE, then ran a full scan with Avira. Here are the results of that scan:

Avira AntiVir Personal
Report file date: Wednesday, May 27, 2009 07:56

Scanning for 1423150 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Save mode
Username : Administrator
Computer name : RICK

Version information:
BUILD.DAT : 9.0.0.394 17962 Bytes 4/17/2009 11:20:00
AVSCAN.EXE : 9.0.3.5 466689 Bytes 4/17/2009 16:57:30
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 18:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 19:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 18:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 20:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 04:33:26
ANTIVIR2.VDF : 7.1.4.0 2336768 Bytes 5/20/2009 12:50:23
ANTIVIR3.VDF : 7.1.4.18 150528 Bytes 5/26/2009 12:50:25
Engineversion : 8.2.0.168
AEVDF.DLL : 8.1.1.1 106868 Bytes 5/26/2009 12:50:38
AESCRIPT.DLL : 8.1.2.0 389497 Bytes 5/26/2009 12:50:37
AESCN.DLL : 8.1.2.3 127347 Bytes 5/26/2009 12:50:36
AERDL.DLL : 8.1.1.3 438645 Bytes 10/30/2008 02:24:41
AEPACK.DLL : 8.1.3.16 397686 Bytes 5/26/2009 12:50:35
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/27/2009 04:01:56
AEHEUR.DLL : 8.1.0.129 1761655 Bytes 5/26/2009 12:50:33
AEHELP.DLL : 8.1.2.2 119158 Bytes 2/27/2009 04:01:56
AEGEN.DLL : 8.1.1.44 348532 Bytes 5/26/2009 12:50:27
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 22:32:40
AECORE.DLL : 8.1.6.9 176500 Bytes 5/26/2009 12:50:26
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 22:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 16:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 18:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 22:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 18:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 23:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 18:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 23:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 16:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 18:32:10
RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2/9/2009 19:45:45
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 18:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Wednesday, May 27, 2009 07:56

Starting search for hidden objects.
The driver could not be initialized.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
11 processes with 11 modules were scanned

Starting master boot sector scan:

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '60' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Avenger\autochk.dll
[DETECTION] Is the TR/Spy.Agent.argt Trojan
C:\Avenger\ChkDisk.dll
[WARNING] The file could not be opened!
C:\Avenger\had73sfdfd.dll
[DETECTION] Is the TR/Dldr.Suurch.SO Trojan
C:\Avenger\protect.dll
[DETECTION] Is the TR/Spy.Agent.argt Trojan
C:\cfe52b25010904d3e7000f958860fe46\admparse.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\advpack.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\browseui.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\corpol.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\custsat.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\dxtmsft.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\dxtrans.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\extmgr.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\hmmapi.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\icardie.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\ie4uinit.exe
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\ieakeng.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\ieaksie.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\ieakui.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\ieapfltr.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\iedkcs32.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\iedw.exe
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\ieencode.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\ieframe.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\iepeers.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\ieproxy.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\iernonce.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\iertutil.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\iesetup.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\ieudinit.exe
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\ieui.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\iexplore.exe
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\imgutil.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\inseng.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\jscript.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\jsproxy.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\licmgr10.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\msfeeds.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\msfeedsbs.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\msfeedssync.exe
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\mshta.exe
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\mshtml.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\mshtmled.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\mshtmler.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\msls31.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\msrating.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\mstime.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\occache.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\pngfilt.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\shdocvw.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\shlwapi.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\spmsg.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\spuninst.exe
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\spupdsvc.exe
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\url.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\urlmon.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\vbscript.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\vgx.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\webcheck.dll
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\winfxdocobj.exe
[WARNING] The file could not be opened!
C:\cfe52b25010904d3e7000f958860fe46\wininet.dll
[WARNING] The file could not be opened!
C:\Documents and Settings\G. Rick\My Documents\PcSetup\Maintenance\ccsetup205.exe
[0] Archive type: NSIS
--> ProgramFilesDir/[PluginsDir]/LangDLL.dll
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\G. Rick\My Documents\PcSetup\Maintenance\Patch.exe
[DETECTION] Is the TR/Crypt.NSPM.Gen Trojan
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\92Z6DRZS\f466[1].exe
[DETECTION] Is the TR/Spy.Ambler.D.27 Trojan
C:\Program Files\Folder Guard Pro\Patch.exe
[DETECTION] Is the TR/Crypt.NSPM.Gen Trojan
C:\Program Files\Google\GoogleToolbarNotifier\swg-5.1.1309.3572\SearchWithGoogleUpdate.exe
[WARNING] The file could not be opened!
C:\Program Files\Red Chair Software\Riorad Explorer\riomgr.exe
[WARNING] The file could not be opened!
C:\Program Files\Red Chair Software\Riorad Explorer\riorad.dll
[WARNING] The file could not be opened!
C:\Program Files\Red Chair Software\Riorad Explorer\rioradrt.dll
[WARNING] The file could not be opened!
C:\Program Files\Red Chair Software\Riorad Explorer\riormgr.exe
[WARNING] The file could not be opened!
C:\Program Files\Red Chair Software\Riorad Explorer\sendto.exe
[WARNING] The file could not be opened!
C:\Program Files\Red Chair Software\Riorad Explorer\sendtort.exe
[WARNING] The file could not be opened!
C:\Program Files\Red Chair Software\Shared\SmallParser.dll
[WARNING] The file could not be opened!
C:\WINDOWS\system32\jhxm32.dll
--> Object
[DETECTION] Is the TR/Agent.cane.2 Trojan
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IP986VCV\cd[1].htm
[DETECTION] The file contains an executable program that is disguised by a harmless file extension (HIDDENEXT/Crypted)
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O1UN41IR\cd[1].htm
[DETECTION] The file contains an executable program that is disguised by a harmless file extension (HIDDENEXT/Crypted)
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W16N09IB\cd[1].htm
[DETECTION] The file contains an executable program that is disguised by a harmless file extension (HIDDENEXT/Crypted)

Beginning disinfection:
C:\Avenger\autochk.dll
[DETECTION] Is the TR/Spy.Agent.argt Trojan
[NOTE] The file was moved to '4a916165.qua'!
C:\Avenger\had73sfdfd.dll
[DETECTION] Is the TR/Dldr.Suurch.SO Trojan
[NOTE] The file was moved to '4a816151.qua'!
C:\Avenger\protect.dll
[DETECTION] Is the TR/Spy.Agent.argt Trojan
[NOTE] The file was moved to '4a8c6162.qua'!
C:\Documents and Settings\G. Rick\My Documents\PcSetup\Maintenance\Patch.exe
[DETECTION] Is the TR/Crypt.NSPM.Gen Trojan
[NOTE] The file was moved to '4a916151.qua'!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\92Z6DRZS\f466[1].exe
[DETECTION] Is the TR/Spy.Ambler.D.27 Trojan
[NOTE] The file was moved to '4a536124.qua'!
C:\Program Files\Folder Guard Pro\Patch.exe
[DETECTION] Is the TR/Crypt.NSPM.Gen Trojan
[NOTE] The file was moved to '49d23122.qua'!
C:\WINDOWS\system32\jhxm32.dll
[NOTE] The file was moved to '4a956158.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IP986VCV\cd[1].htm
[DETECTION] The file contains an executable program that is disguised by a harmless file extension (HIDDENEXT/Crypted)
[NOTE] The file was moved to '4a786154.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O1UN41IR\cd[1].htm
[DETECTION] The file contains an executable program that is disguised by a harmless file extension (HIDDENEXT/Crypted)
[NOTE] The file was moved to '4923dc65.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W16N09IB\cd[1].htm
[DETECTION] The file contains an executable program that is disguised by a harmless file extension (HIDDENEXT/Crypted)
[NOTE] The file was moved to '490dad9d.qua'!


End of the scan: Wednesday, May 27, 2009 08:49
Used time: 44:26 Minute(s)

The scan has been done completely.

10718 Scanned directories
445455 Files were scanned
10 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
10 Files were moved to quarantine
0 Files were renamed
66 Files cannot be scanned
445379 Files not concerned
10318 Archives were scanned
68 Warnings
11 Notes

==========================================

So, after rebooting the computer to normal, and with the wireless card turned back on, Avira started up on its own where it did a 'hidden object search'. Not exactly sure what that entailed, but it found - and deleted - at least 1 error. I say "at least 1", because (since you probably know more about this program than I do, I'm sure you'll understand the following) I heard Avira "chime" at least 6-7 times.

One interesting thing I did notice, though, was that on reboot, my screen resolution had changed from its normal 1920x1200 down to 1024x768. No biggie, as I was able to change it back to normal with no issues.

Next, I went to the ESET Online Scanner and ran that using the parameters you said. Here's its scan log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=37125
esets_scanner_update returned -1 esets_gle=41217
# version=6
# iexplore.exe=7.00.6000.16827 (vista_gdr.090226-1506)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=072e101a4e8537489ac1e9323c23971a
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-05-27 06:03:04
# local_time=2009-05-27 11:03:04 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1797 21 100 100 1051459218750
# scanned=97900
# found=5
# cleaned=5
# scan_time=4297
C:\Documents and Settings\G. Rick\My Documents\PcSetup\FL Studio 8.0.0 XXL Producer RC3 (NEW)\FL Studio 8.0.0 XXL Producer RC3 (NEW).rar probably a variant of Win32/Delf trojan (deleted - quarantined) 00000000000000000000000000000000
C:\Program Files\Image-Line\FL Studio 8\Plugins\Fruity\Generators\Toxic Biohazard\Toxic Biohazard.dll probably a variant of Win32/Delf trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000
C:\WINDOWS\system32\ututv.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000
C:\WINDOWS\system32\ututv.ini2 Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GP6R41YV\warning[1].gif Win32/TrojanDownloader.FakeAlert.ACR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000
=============================================

So, here's where I am - for the most part. I'll check back with you and see what info you've got for me. Thanks again.
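The helper in this thread reads HJT logs by eye for a handful of patterns: autostarts from Temp, random-looking file names, services with an unknown owner, rundll32 run-key entries that call a decorated export, extra UserInit executables, a populated AppInit_DLLs and Winlogon Notify handlers that are not DLLs. The script below is an added example (not HijackThis code and not part of this thread) that applies those checks to HJT-style lines; the sample lines are constructed from entries quoted in the thread, and every rule is an assumed heuristic of this example, so a hit means "look closer", not "infected".

```python
"""Triage of HijackThis-style log lines.

Added example for this thread; it is not HijackThis code and not the
thread's own procedure.  Every rule below is a heuristic assumed for
illustration: a hit is a prompt to look closer, not a verdict.
"""
import re
from typing import Dict, List

# Sample input, constructed from entries quoted in this thread.
SAMPLE_LOG = r"""
O22 - SharedTaskScheduler: gsf87hfunf98398jd - {C6C7B2A1-00F3-42BD-F434-00AABA2C8953} - C:\WINDOWS\system32\had73sfdfd.dll
O23 - Service: avast!Antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\GBA0F~1.RIC\LOCALS~1\Temp\536431756.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
O20 - AppInit_DLLs: c:\windows\system32\tejekuru.dll,c:\progra~1\ThunMail\testabd.dll
O20 - Winlogon Notify: __c00742F4 - C:\WINDOWS\system32\__c00742F4.dat
"""

# A Windows path ending in an executable-type extension; directory segments
# may contain spaces (e.g. "Program Files"), the file name may not contain a
# comma so that "a.dll,b.dll" style lists split into separate paths.
PATH_RE = re.compile(
    r'[a-z]:\\(?:[^\\:*?"<>|\r\n]+\\)*[^\\:*?"<>|\r\n,]+?\.(?:exe|dll|dat|sys|bat|com|scr)\b',
    re.I,
)
TEMP_RE = re.compile(r"\\temp\\", re.I)
# rundll32 loading a DLL through a stdcall-decorated export such as _IWMPEvents@16.
DECORATED_EXPORT_RE = re.compile(r"rundll32(?:\.exe)?\s+\S+\.dll,_\w+@\d+", re.I)


def looks_random(stem: str) -> bool:
    """Crude proxy for a generated file name: letters mixed with digits,
    or a long name that is nearly vowel-free.  Expect some false positives
    on legitimate names that mix digits and letters."""
    s = stem.lower().strip("_")
    if not s:
        return False
    has_digit = any(c.isdigit() for c in s)
    has_alpha = any(c.isalpha() for c in s)
    if has_digit and has_alpha and len(s) >= 6:
        return True
    vowels = sum(c in "aeiou" for c in s)
    return len(s) >= 8 and vowels / len(s) < 0.2


def triage_line(line: str) -> List[str]:
    """Return the list of reasons this HJT line deserves a second look."""
    reasons: List[str] = []
    kind = line.split(" - ", 1)[0].strip()  # "O4", "O23", "F2", ...
    paths = PATH_RE.findall(line)
    for p in paths:
        stem = p.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if TEMP_RE.search(p):
            reasons.append(f"autostart from Temp: {p}")
        if looks_random(stem):
            reasons.append(f"random-looking file name: {p}")
    if kind == "O23" and "Unknown owner" in line:
        reasons.append("service with unknown owner")
    if kind == "O4" and DECORATED_EXPORT_RE.search(line):
        reasons.append("rundll32 autostart via decorated export")
    if kind == "F2" and "UserInit=" in line and len(paths) > 1:
        reasons.append("extra UserInit executable")
    if kind == "O20" and "AppInit_DLLs:" in line and paths:
        reasons.append("AppInit_DLLs populated")
    if kind == "O20" and "Winlogon Notify" in line and not line.lower().endswith(".dll"):
        reasons.append("Winlogon Notify handler is not a .dll")
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each flagged line to its reasons; clean lines are omitted."""
    hits: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = triage_line(line)
        if reasons:
            hits[line] = reasons
    return hits


def main() -> None:
    for line, reasons in triage_log(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("    ->", r)


if __name__ == "__main__":
    main()
```

On the sample above, the two Avira lines pass clean and the other seven are flagged; the flagged entries match the ones Malwarebytes and Avira later removed in this thread.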

0

What you have done is fine, though not what I requested that you do in my last post to you, which was to upload that file to http://virusscan.jotti.org/en
I realize you say you searched for this file and couldn't find it, but you did other things prior to the search. So I don't know if it is still there now, but now using a different name.

NOT doing that when I requested it does NOT mean that the file is gone, though your scans have removed a lot of infection. If you had done that immediately BEFORE the other steps, then we would have known if whatever infection that was/is that had NAMED ITSELF avast was finally removed by all your scans. But we don't know that.
The main rule here is to follow instructions as given - not other steps, the ones given. You are obviously very computer savvy, which is a great benefit when working on these problems, but you have to keep us up to date. The other rule is: ANY TIME scans are done after notations of infections in an HJT log, then AFTER those scans are done and infections are removed, immediately after rebooting the computer again, a NEW HJT scan must be run and posted along with all those scan logs.
Hopefully the computer has been cleaned, but there is no way to know unless I see another HJT log.
You state you worked on the Internet Connection problems... but you don't say if they were solved.
I really can't help any more unless I get full info, and at this point I don't have it.
Judy

0

Hi again,

First, I want to apologize. In my zeal to get this bit of nastiness taken care of, I feel as though I've put myself back to 'square one' by doing some extra steps - which wasn't my intended purpose. For this, I'm sorry.

Since I'm on my way out the door to work right now, I won't be able to post what I did in regards to the internet connection issue, except to say that the same problem I've had before in regards to only being able to get to some websites (and only after having to type in the addresses manually) still exists. I'll delve into that with you once I get back home.

In the meantime, I went ahead and did an HJT scan to start things back off again. Here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:24:55 AM, on 6/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Kodak\Printer\Center\EKDiscovery.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\WINDOWS\system32\rundll32.exe
C:\windows\ld08.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\GBA0F~1.RIC\LOCALS~1\Temp\536431756.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avira\AntiVir Desktop\avscan.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
O2 - BHO: C:\WINDOWS\system32\had73sfdfd.dll - {C6C7B2A1-00F3-42BD-F434-00AABA2C8953} - C:\WINDOWS\system32\had73sfdfd.dll
O2 - BHO: 504139 helper - {D2CADE3F-B3E0-4B74-B338-71D70910BBCA} - C:\WINDOWS\system32\sysloc\sysloc.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld08.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [sSgURl] C:\Documents and Settings\G. Rick\Application Data\Microsoft\Windows\khoiondj.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\GBA0F~1.RIC\LOCALS~1\Temp\536431756.exe
O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\GBA0F~1.RIC\protect.dll,_IWMPEvents@16
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [svc] c:\program Files\ThunMail\testabd.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\yzs0xjt.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [nzdflkioezncfiunfindiuchiuenfcdc] C:\WINDOWS\TEMP\yzs0xjt.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows System Recover!] C:\WINDOWS\TEMP\2397986964.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: ChkDisk.dll
O4 - Startup: ChkDisk.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Transfer by Image Converter 2 Plus - C:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {10ECCE17-29B5-4880-A8F5-EAD298611484} (ReiEngine Class) - http://cdnrep.reimage.com/reix1225.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: c:\windows\system32\tejekuru.dll,c:\progra~1\ThunMail\testabd.dll
O20 - Winlogon Notify: __c00742F4 - C:\WINDOWS\system32\__c00742F4.dat
O22 - SharedTaskScheduler: gsf87hfunf98398jd - {C6C7B2A1-00F3-42BD-F434-00AABA2C8953} - C:\WINDOWS\system32\had73sfdfd.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: GEARSecurity_BackUp - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - C:\Program Files\Kodak\Printer\Center\EKDiscovery.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

--
End of file - 14026 bytes

===========================================

Once again, I'm sorry for jumping ahead of things. And rest assured, that won't happen again. I'll be looking forward to your assessment of my log, and I'll post this evening more about the internet connectivity thing. Thanks in advance.


Well, I hate to break it to you, but I really feel your system is much more infected NOW than it was before. There are MULTIPLE trojans showing, new ones, which were not in the log before. One is especially worrisome, indicated by this NEW entry in the HJT log which was not there before:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
This one is a strong indication of Infostealer.Banker.C Trojan, which is exactly as it sounds...an information stealer, including passwords, banking information, etc. There are now also multiple other ones which weren't there before you began your own steps.
Troj/Agent-IUK, W32/Koobfa-Gen malware, Trojan-Downloader.Win32.Agent (this one is part of a family of malware that consists of the executable dropper and its dropped files. It attempts to connect to certain websites and possibly download other malware. It also disables System Restore.)
There are other new ones also. The majority were NOT present in the other logs.
I realize the way you are having to connect to websites is an irritant but that can be fixed ONCE the multiple infections are removed. I asked you to upload that file immediately to the scan site, which you didn't do but instead followed other steps on your own without telling me. This gave the infections time to change their names, so no wonder you couldn't find that one.
Now THIS is the step I wanted you to run AFTER you had done that upload of the file, but since we can no longer do that I want you to continue with this one...ONLY THIS ONE, NOTHING ELSE except a new HJT scan AFTER this tool is run. Follow these instructions TO THE LETTER...NOTHING MORE until directed to do so.

Download ComboFix. Click on the Save button, and when it asks you where to save it, make sure you save it directly to your Windows Desktop. DO NOT RUN IT YET.
At this point you should do the following:

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note that once you start ComboFix you should not click anywhere on the ComboFix window, as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.
You may receive a security warning as ComboFix prepares to run; Windows issues this prompt because ComboFix does not have a digital signature. This is perfectly normal and safe, and you can click on the Run button to continue.
ComboFix is now preparing to run, and when it has finished you will see a screen showing the authorized locations to download ComboFix. When you see this screen, press the OK button and you will now see the Disclaimer screen; press the Yes button to continue.
ComboFix will now disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.

ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan.
When ComboFix has finished running, you will see a screen stating that it is preparing the log report. This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the program's log file, or report, will be located at C:\ComboFix.txt.
When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file.
Please Copy/Paste this log back here along with a new HJT scan.
Judy

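The entries Judy singles out above (the F2 UserInit chain with a second executable, the O20 AppInit_DLLs and Winlogon Notify lines, and the O22 SharedTaskScheduler with a random-looking name) are exactly the kind of persistence a small triage script can pull out of a HijackThis log before a human reads the rest. The script below is an added example, not part of the original thread and not code from HijackThis or ComboFix; its sample log is constructed from the entries quoted in this thread, and the "random-looking name" heuristic and the rules in each check are assumptions of this example, so its output is a list of entries to review, not a verdict.

```python
"""Triage a HijackThis log for high-risk autostart entries (added example, heuristic only)."""
import re
from typing import Callable, Dict, List, Optional

# Constructed sample log, modelled on entries quoted in the thread above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O20 - AppInit_DLLs: c:\windows\system32\tejekuru.dll,c:\progra~1\ThunMail\testabd.dll
O20 - Winlogon Notify: __c00742F4 - C:\WINDOWS\system32\__c00742F4.dat
O22 - SharedTaskScheduler: gsf87hfunf98398jd - {C6C7B2A1-00F3-42BD-F434-00AABA2C8953} - C:\WINDOWS\system32\had73sfdfd.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HJT line starts with a section tag (O1..O24, F0..F3, R0..R3, N1..N4), " - ", then the body.
ENTRY_RE = re.compile(r"^([OFRN]\d+) - (.*)$")
# Heuristic (assumption of this example): letters and digits mixed in one token with no
# spaces, e.g. 'gsf87hfunf98398jd' or '__c00742F4'. It will also hit a few legitimate names
# that contain digits, so flagged entries still need a human look.
RANDOM_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9_]+$", re.IGNORECASE)


def looks_random(name: str) -> bool:
    return bool(RANDOM_NAME_RE.match(name.strip()))


def basename(path: str) -> str:
    return path.strip().rsplit("\\", 1)[-1]


def check_userinit(body: str) -> Optional[str]:
    """F2: anything chained after userinit.exe runs at every interactive logon."""
    m = re.match(r"REG:system\.ini: UserInit=(.*)$", body)
    if not m:
        return None
    values = [v.strip() for v in m.group(1).split(",") if v.strip()]
    extra = [v for v in values if basename(v).lower() != "userinit.exe"]
    return "UserInit chains extra executable(s): " + ", ".join(extra) if extra else None


def check_appinit(body: str) -> Optional[str]:
    """O20: AppInit_DLLs is injected into every process that loads user32.dll."""
    m = re.match(r"AppInit_DLLs:\s*(.*)$", body)
    if not m:
        return None
    dlls = [d for d in re.split(r"[,\s]+", m.group(1)) if d]
    return "AppInit_DLLs injects into every user32 process: " + ", ".join(dlls) if dlls else None


def check_winlogon_notify(body: str) -> Optional[str]:
    """O20: Winlogon notification packages load into winlogon.exe itself."""
    m = re.match(r"Winlogon Notify: (.+?) - (.+)$", body)
    if not m:
        return None
    name, path = m.groups()
    reasons = []
    if not path.lower().endswith(".dll"):
        reasons.append("notify package is not a .dll")
    if looks_random(name):
        reasons.append("random-looking package name")
    return f"Winlogon Notify '{name}': " + "; ".join(reasons) if reasons else None


def check_shared_task(body: str) -> Optional[str]:
    """O22: SharedTaskScheduler DLLs are loaded by Explorer at startup."""
    m = re.match(r"SharedTaskScheduler: (.+?) - \{[0-9A-Fa-f-]+\} - (.+)$", body)
    if not m:
        return None
    name, path = m.groups()
    stem = basename(path).rsplit(".", 1)[0]
    if looks_random(name) or looks_random(stem):
        return f"SharedTaskScheduler '{name}' -> {path}: random-looking name"
    return None


CHECKS: Dict[str, List[Callable[[str], Optional[str]]]] = {
    "F2": [check_userinit],
    "O20": [check_appinit, check_winlogon_notify],
    "O22": [check_shared_task],
}


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per matched check, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        for check in CHECKS.get(section, []):
            reason = check(body)
            if reason:
                findings.append({"section": section, "reason": reason, "line": raw.strip()})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}")
```

Run it against a saved hijackthis.log by reading the file into `triage()`; the O9 and O23 lines in the sample are deliberately left unflagged to show that the script only reports the persistence sections it has rules for, so a clean run is not proof of a clean machine.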

Hey again,

So, after reading your post, here's what I went to do:

First thing I did was to go ahead with the download of ComboFix. Based on how you wrote in your post, I can only ASSume that you wanted me to d/l it from the laptop. Now, since I haven't touched the laptop in the past couple of days, my wife - being the kindly soul she is - went ahead and closed the screen of the laptop up (to conserve energy, she said), promptly shutting it down.

Now, at this point, I'm not sure if it's as a result of the laptop being shut down, or the malware, or both. But, as of now, I could not get back on the internet in ANY capacity.

That being the case, I resorted to downloading the program to my CD-RW from my desktop computer. I don't know if this was what you intended by having to get the file, but it was the only way at this point.

So, I got the file, took it over to the laptop, and saved it to my laptop's desktop screen.

After that, I went ahead and disabled my firewall and disabled Avira. No problems there.

Then, I went ahead and double-clicked the ComboFix icon, which started the program up. No hitches, except to report that the program wanted to connect to the Internet in order to download some update or another. However, since I have no internet access on the laptop, it didn't complete that part.

Except for that 'hiccup', the program went and ran. Or at least I thought it did, because most of the stuff you mentioned as far as the screens I would see and how the program would run was there. However, I didn't notice any 'scan' taking place. And if it ran, then it looked like this process took probably anywhere from 5-7 min. This was followed by a screen that had me write down what appeared to be a set of file locations. The body of the message said something to the effect that I'd need these locations later.

Afterwards, I clicked "OK", and the computer rebooted on its own. Now, once the computer came back up, all that came up was a 'My Documents' box displaying my folders and other downloads (sorta like what you would see once you open up Control Panel from the 'Start' button), as well as an empty desktop with nothing on it. And when I say 'nothing', I mean 'NOTHING' - no folders, no apps, and no taskbar.

Now, as of this writing, the program was left to run, per your request. But it really doesn't appear to be doing anything - no HDD movement, no noise. So, I'm not too sure what you want me to do, so I'll leave things as-is, and await what you have to say. Peace...


Is the computer booted to Normal Mode? Frankly, I have never seen anything like this happen before. But I also honestly don't know what all has occurred with all the other programs you ran either. IF there is a way you can get to the "C" drive, this would be where the ComboFix log would be: C:\ComboFix.txt
I have to say I am not certain now what should be done. The lack of internet service you have now has to be related to either the computer being turned off or the fixes you attempted to correct the problems. It sounds to me like there is a rootkit at work on the machine; otherwise these other entries wouldn't have appeared in that latest HJT log. I always hate to ask this... do you have the install disks for the OS? It truly may be that the easiest thing to do is reformat and reload.
