TrojanClicker, Pop Ups...oh my. Hijakckthis log included.

Unknown · November 2008

I seem to have a bad malware, spyware...something! I use AVG for anti-virus. It has detected a few times the TrojanHorseClicker virus. I moved to vault as power user...but then the pop ups started. I use Firefox exclusively as a browser, pop ups were coming up in IE. I blocked all IE pop ups, it started taking over Firefox. They are mostly ads, from what I can see...I marked a bunch as unsafe so FF doesn't let them through, the but tab is created. I run Ad-Aware and Spy-Bot regularly, Ad-Aware tends to find tracker cookies, Spy-Bot finds spyware/malware (including trojans), I always clean up but they return. I've run all in Safe mode, turned off system restore, run each, shut down, restarted and restored system restore. They keep coming back. Spy-Bot is constantly popping up asking if I want to allow a registry change, I deny change, it continues to happen over and over. I have never had such a problem!! Can anyone please help? The hijackthis logs are another language to me, and by reading through this forum I'm amazed at how knowledgeable and helpful you all are. This is my most recent log: Thanks so much in advance to whomever (hopefully) can help me out...

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:03:25 PM, on 11/8/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\Canon\CAL\CALMAIN.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Search Settings\SearchSettings.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\x7T8yHbX.exe c:\program files\internet explorer\iexplore.exe C:\Documents and Settings\Katie\Desktop\HijackThis.exe O2 - BHO: (no name) - {b268d197-3b53-4a15-9d41-77a998c90253} - C:\WINDOWS\system32\boyimeta.dll O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe O4 - HKLM\..\Run: [CPM1eb32f3f] Rundll32.exe "c:\windows\system32\lobuzosi.dll",a O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1 O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKUS\S-1-5-19\..\Run: [fomadupane] Rundll32.exe "C:\WINDOWS\system32\yuhasifo.dll",s (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [fomadupane] Rundll32.exe "C:\WINDOWS\system32\yuhasifo.dll",s (User 'NETWORK SERVICE') O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Katie\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Katie\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) - O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: C:\WINDOWS\system32\boyimeta.dll c:\windows\system32\gudosaho.dll c:\windows\system32\lobuzosi.dll O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lobuzosi.dll O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lobuzosi.dll -- End of file - 3588 bytes

Katana · November 2008

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

Please Read All Instructions Carefully
If you don't understand something, stop and ask! Don't keep going on.
Please do not run any other tools or scans whilst I am helping you
Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those few things, everything should go smoothly

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe

Download and Run RSIT

Please download Random's System Information Tool by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:
- log.txt will be opened maximized.
- info.txt will be opened minimized.
Please post the contents of both log.txt and info.txt.

2scorpios · November 2008

Hi Katana, thank you for your help. Below are the two logs you requested: (how can I keep this from wrapping around so it's easier for you to read?)

Logfile of random's system information tool 1.04 (written by random/random) Run by Katie at 2008-11-09 10:34:03 Microsoft Windows XP Professional Service Pack 3 System drive C: has 9 GB (49%) free of 19 GB Total RAM: 510 MB (18% free)  Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:35:09 AM, on 11/9/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Normal  Running processes: <br>
C:\WINDOWS\System32\smss.exe 
C:\WINDOWS\system32\winlogon.exe 
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe 
C:\WINDOWS\system32\svchost.exe 
C:\WINDOWS\System32\svchost.exe 
C:\Program Files\Ahead\InCD\InCDsrv.exe 
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe 
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe 
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe 
C:\WINDOWS\system32\svchost.exe 
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe 
C:\Program Files\Canon\CAL\CALMAIN.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe 
C:\PROGRA~1\AVG\AVG8\avgemc.exe 
C:\WINDOWS\Explorer.EXE C:\PROGRA~1\AVG\AVG8\avgtray.exe 
C:\Program Files\iTunes\iTunesHelper.exe 
C:\Program Files\Search Settings\SearchSettings.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\iPod\bin\iPodService.exe C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE C:\WINDOWS\system32\x7T8yHbX.exe c:\program files\internet explorer\iexplore.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Katie\Desktop\RSIT.exe C:\Documents and Settings\Katie\Desktop\Katie.exe  O2 - BHO: (no name) - {b268d197-3b53-4a15-9d41-77a998c90253} - C:\WINDOWS\system32\boyimeta.dll O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe O4 - HKLM\..\Run: [CPM1eb32f3f] Rundll32.exe "c:\windows\system32\warewabe.dll",a O4 - HKLM\..\Run: [fomadupane] Rundll32.exe "C:\WINDOWS\system32\yuhasifo.dll",s O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1 O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKUS\S-1-5-19\..\Run: [fomadupane] Rundll32.exe "C:\WINDOWS\system32\yuhasifo.dll",s (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [fomadupane] Rundll32.exe "C:\WINDOWS\system32\yuhasifo.dll",s (User 'NETWORK SERVICE') O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Katie\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Katie\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -  O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: C:\WINDOWS\system32\boyimeta.dll c:\windows\system32\gudosaho.dll c:\windows\system32\warewabe.dll O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\warewabe.dll O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\warewabe.dll  -- End of file - 3772 bytes  ======Scheduled tasks folder======  C:\WINDOWS\tasks\AppleSoftwareUpdate.job C:\WINDOWS\tasks\At1.job C:\WINDOWS\tasks\At2.job C:\WINDOWS\tasks\At3.job C:\WINDOWS\tasks\At4.job C:\WINDOWS\tasks\At5.job C:\WINDOWS\tasks\At6.job C:\WINDOWS\tasks\At7.job C:\WINDOWS\tasks\At8.job C:\WINDOWS\tasks\At9.job C:\WINDOWS\tasks\At10.job C:\WINDOWS\tasks\At11.job C:\WINDOWS\tasks\At12.job C:\WINDOWS\tasks\At13.job C:\WINDOWS\tasks\At14.job C:\WINDOWS\tasks\At15.job C:\WINDOWS\tasks\At16.job C:\WINDOWS\tasks\At17.job C:\WINDOWS\tasks\At18.job C:\WINDOWS\tasks\At19.job C:\WINDOWS\tasks\At20.job C:\WINDOWS\tasks\At21.job C:\WINDOWS\tasks\At22.job C:\WINDOWS\tasks\At23.job C:\WINDOWS\tasks\At24.job C:\WINDOWS\tasks\At25.job C:\WINDOWS\tasks\At26.job C:\WINDOWS\tasks\At27.job C:\WINDOWS\tasks\At28.job C:\WINDOWS\tasks\At29.job C:\WINDOWS\tasks\At30.job C:\WINDOWS\tasks\At31.job C:\WINDOWS\tasks\At32.job C:\WINDOWS\tasks\At33.job C:\WINDOWS\tasks\At34.job C:\WINDOWS\tasks\At35.job C:\WINDOWS\tasks\At36.job C:\WINDOWS\tasks\At37.job C:\WINDOWS\tasks\At38.job C:\WINDOWS\tasks\At39.job C:\WINDOWS\tasks\At40.job C:\WINDOWS\tasks\At41.job C:\WINDOWS\tasks\At42.job C:\WINDOWS\tasks\At43.job C:\WINDOWS\tasks\At44.job C:\WINDOWS\tasks\At45.job C:\WINDOWS\tasks\At46.job C:\WINDOWS\tasks\At47.job C:\WINDOWS\tasks\At48.job  ======Registry dump======  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b268d197-3b53-4a15-9d41-77a998c90253}] C:\WINDOWS\system32\boyimeta.dll [2008-08-07 60928]  [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648] ""= [] "AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-09-29 1234712] "NWEReboot"= [] "AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2008-07-22 116040] "QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-05-27 413696] "iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-07-30 289064] "SearchSettings"=C:\Program Files\Search Settings\SearchSettings.exe [2008-06-12 991584] "CPM1eb32f3f"=C:\WINDOWS\system32\gudosaho.dll []  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "updateMgr"=C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2006-03-30 313472] "NBJ"=C:\Program Files\Ahead\Nero BackItUp\NBJ.exe [2004-12-07 1884160] "PhotoShow Deluxe Media Manager"=C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe [] "SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLS"="C:\WINDOWS\system32\boyimeta.dll c:\windows\system32\gudosaho.dll c:\windows\system32\warewabe.dll"  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui] C:\WINDOWS\system32\igfxsrvc.dll [2004-02-10 339968]  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon] C:\WINDOWS\system32\WgaLogon.dll [2007-04-10 236928]  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler] STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\warewabe.dll [2008-11-09 92212]  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] "notification packages"=scecli C:\WINDOWS\system32\boyimeta.dll  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]  [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] "dontdisplaylastusername"=0 "legalnoticecaption"= "legalnoticetext"= "shutdownwithoutlogon"=1 "undockwithoutlogon"=1  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer] "NoDriveTypeAutoRun"=145  [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE"="C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE:*:Enabled:Yahoo! Messenger" "C:\PROGRA~1\YAHOO!\MESSEN~1\yserver.exe"="C:\PROGRA~1\YAHOO!\MESSEN~1\yserver.exe:*:Enabled:Yahoo! FT Server" "C:\PVSW\Bin\W3DBSMGR.EXE"="C:\PVSW\Bin\W3DBSMGR.EXE:*:Disabled:Database Service Manager" "C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe"="C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe:*:Disabled:Dreamweaver MX" "C:\Program Files\Symantec\pcAnywhere\awhost32.exe"="C:\Program Files\Symantec\pcAnywhere\awhost32.exe:*:Disabled:pcAnywhere Host Service" "C:\Program Files\Symantec\pcAnywhere\WINAW32.EXE"="C:\Program Files\Symantec\pcAnywhere\WINAW32.EXE:*:Disabled:pcAnywhere Main Program" "C:\Program Files\Symantec\pcAnywhere\awrem32.exe"="C:\Program Files\Symantec\pcAnywhere\awrem32.exe:*:Disabled:pcAnywhere Remote Service" "C:\Program Files\Real\RealPlayer\realplay.exe"="C:\Program Files\Real\RealPlayer\realplay.exe:*:Disabled:RealOne Player" "C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019" "C:\Program Files\Internet Explorer\IEXPLORE.EXE"="C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer" "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\Program Files\Grisoft\AVG7\avginet.exe"="C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe" "C:\Program Files\Grisoft\AVG7\avgamsvr.exe"="C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe" "C:\Program Files\Grisoft\AVG7\avgcc.exe"="C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe" "C:\Program Files\Retrospect\Retrospect 7.5\Retrospect.exe"="C:\Program Files\Retrospect\Retrospect 7.5\Retrospect.exe:*:Enabled:Retrospect" "C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe" "C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe" "C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes" "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" "C:\WINDOWS\Explorer.EXE"="C:\WINDOWS\Explorer.EXE:*:Enabled:Explorer" "C:\Program Files\AVG\AVG8\avgtray.exe"="C:\Program Files\AVG\AVG8\avgtray.exe:*:Enabled:avgtray" "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe:*:Enabled:SpybotSD" "C:\WINDOWS\System32\winlogon.exe"="C:\WINDOWS\System32\winlogon.exe:*:Enabled:winlogon"  [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"  [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F] shell\AutoRun\command - F:\LaunchU3.exe -a   ======File associations======  .js - open -   ======List of files/folders created in the last 1 months======  2008-11-09 10:34:03 ----D---- C:\rsit 2008-11-09 08:02:16 ----SH---- C:\WINDOWS\system32\akogisuf.ini 2008-11-08 16:07:08 ----SH---- C:\WINDOWS\system32\edajafis.ini 2008-11-07 12:25:12 ----SH---- C:\WINDOWS\system32\anuwibon.ini 2008-11-05 16:34:51 ----A---- C:\WINDOWS\ntbtlog.txt 2008-11-04 17:07:09 ----D---- C:\Program Files\Spybot - Search & Destroy 2008-11-04 17:07:09 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-11-04 10:20:06 ----A---- C:\WINDOWS\system32\x7T8yHbX.exe_ 2008-11-04 10:20:06 ----A---- C:\WINDOWS\system32\x7T8yHbX.exe.a_a 2008-11-04 10:20:06 ----A---- C:\WINDOWS\system32\x7T8yHbX.exe 2008-11-03 08:58:50 ----SHD---- C:\Config.Msi 2008-11-02 11:03:06 ----D---- C:\Program Files\Lavasoft 2008-11-02 11:03:05 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft 2008-11-02 11:02:29 ----D---- C:\Program Files\Common Files\Wise Installation Wizard 2008-11-01 15:49:47 ----A---- C:\WINDOWS\system32\1JD22Hwo.exe.a_a 2008-11-01 15:49:40 ----A---- C:\WINDOWS\system32\1JD22Hwo.exe 2008-10-26 14:14:38 ----D---- C:\WINDOWS\Prefetch 2008-10-26 13:36:36 ----A---- C:\WINDOWS\setuplog.txt 2008-10-26 13:34:37 ----D---- C:\WINDOWS\system32\en-us 2008-10-26 13:34:36 ----D---- C:\WINDOWS\system32\scripting 2008-10-26 13:34:34 ----D---- C:\WINDOWS\l2schemas 2008-10-26 13:34:33 ----D---- C:\Program Files\msn 2008-10-26 13:34:32 ----D---- C:\WINDOWS\system32\en 2008-10-26 13:34:32 ----D---- C:\WINDOWS\system32\bits 2008-10-26 13:26:19 ----D---- C:\WINDOWS\network diagnostic  ======List of files/folders modified in the last 1 months======  2008-11-09 08:02:06 ----ASH---- C:\WINDOWS\system32\fusigoka.dll 2008-11-09 08:02:00 ----ASH---- C:\WINDOWS\system32\warewabe.dll 2008-11-08 20:39:12 ----A---- C:\WINDOWS\SchedLog.Txt 2008-11-08 16:07:02 ----ASH---- C:\WINDOWS\system32\sifajade.dll 2008-11-08 16:07:00 ----ASH---- C:\WINDOWS\system32\lobuzosi.dll 2008-11-07 16:40:02 ----A---- C:\WINDOWS\WinInit.ini 2008-11-07 12:25:10 ----ASH---- C:\WINDOWS\system32\nobiwuna.dll 2008-11-07 12:25:08 ----N---- C:\WINDOWS\system32\gudosaho.dll_old 2008-11-02 17:11:00 ----A---- C:\WINDOWS\NeroDigital.ini 2008-10-26 14:19:12 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI 2008-10-26 14:16:00 ----A---- C:\WINDOWS\OEWABLog.txt 2008-10-26 14:15:56 ----A---- C:\WINDOWS\Reg Save Log.txt 2008-10-26 13:45:22 ----A---- C:\WINDOWS\imsins.BAK 2008-10-15 09:34:24 ----A---- C:\WINDOWS\system32\netapi32.dll  ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======  R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-08-29 97928] R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2008-08-04 26824] R1 InCDPass;InCDPass; C:\WINDOWS\System32\DRIVERS\InCDPass.sys [2004-11-26 28928] R1 incdrm;InCD Reader; C:\WINDOWS\system32\drivers\incdrm.sys [2004-11-26 27648] R2 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2008-08-04 76040] R2 MCSTRM;MCSTRM; C:\WINDOWS\system32\drivers\MCSTRM.sys [2005-07-02 8413] R2 symlcbrd;symlcbrd; \??\C:\WINDOWS\system32\drivers\symlcbrd.sys [] R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-08-22 98752] R3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2002-02-25 139776] R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-01-29 16168] R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2004-02-10 681469] R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2002-08-23 549672] R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208] R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520] R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104] R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368] R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608] R4 InCDfs;InCD File System; C:\WINDOWS\system32\drivers\InCDfs.sys [2004-11-26 98176] S3 lmimirr;lmimirr; C:\WINDOWS\system32\DRIVERS\lmimirr.sys [] S3 PCANDIS5;PCANDIS5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\PCANDIS5.SYS [] S3 RIOXDRV;SONICblue Rio generic driver XP+; C:\WINDOWS\System32\Drivers\RIOXDRV.sys [2003-02-06 18304] S3 SymEvent;SymEvent; \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [] S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]  ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======  R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-11-02 611664] R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-07-22 116040] R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-29 875288] R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-29 231704] R2 CCALib8;Canon Camera Access Library 8; C:\Program Files\Canon\CAL\CALMAIN.exe [2005-09-30 96341] R2 InCDsrvR;InCD Helper (read only); C:\Program Files\Ahead\InCD\InCDsrv.exe [2004-11-26 812032] R2 SoundMAX Agent Service (default);SoundMAX Agent Service; C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe [2002-07-15 45056] R2 Symantec Core LC;Symantec Core LC; C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [2007-01-27 1174152] R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912] R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-07-30 532264] S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-07 136120] S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]  -----------------EOF----------------- 
 info.txt logfile of random's system information tool 1.04 2008-11-09 10:35:15  ======Uninstall list======  -->"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /UNINSTALL /PROMPT -->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL -->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0 -->C:\WINDOWS\UNAheadManual.exe /UNINSTALL -->C:\WINDOWS\unmrw.exe /UNINSTALL -->C:\WINDOWS\UNNeroVision.exe /UNINSTALL -->C:\WINDOWS\UNNMP.exe /UNINSTALL -->C:\WINDOWS\UNNVEContent.exe /UNINSTALL -->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf Absolute Poker-->C:\Program Files\_uninstallation_info\Absolute Poker\CasinoUninstall.exe Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF} Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe Adobe Photoshop 6.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 6.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 6.0\Uninst.dll" Adobe Reader 7.0.8-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70700000002} Adobe SVG Viewer 3.0-->C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log Apple Mobile Device Support-->MsiExec.exe /I{49C88E44-1B38-4FC6-824E-2BDA3063B0E3} Apple Software Update-->MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F} AVG Free 8.0-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL BookSmartâ„¢ 1.9.5 1.9.5-->C:\Program Files\BookSmart\uninstall.exe Canon Camera Access Library-->"C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CAL\Uninst.ini" Canon Camera Support Core Library-->"C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CSCLIB\Uninst.ini" Canon Camera Window DC_DV 5 for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC\Uninst.ini" Canon Camera Window DC_DV 6 for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini" Canon Camera Window MC 6 for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowMC\Uninst.ini" Canon CanoScan Toolbox 4.9-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CA9BCD4D-B782-4637-8F1F-F9A328D3C244}\setup.exe" -l0x9 anything Canon G.726 WMP-Decoder-->"C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\G726Decoder\G726DecUnInstall.ini" Canon i560-->C:\WINDOWS\system32\CNMCP58.exe "-PRINTERNAMECanon i560" "-HELPERDLLC:\BJPrinter\CNMWINDOWS\Canon i560 Installer\Inst2\cnmis.dll" "-RCDLLC:\BJPrinter\CNMWINDOWS\Canon i560 Installer\Inst2\cnmi0409.dll" Canon RAW Image Task for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\RAW Image Task\Uninst.ini" Canon RemoteCapture Task for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini" Canon ScanGear Starter-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{18A5DFF2-8A95-49F3-873F-743CB5549F3D}\SETUP.EXE" -l0x9 anything Canon Utilities Easy-PhotoPrint-->C:\WINDOWS\ISUNINST.EXE  -f"C:\Program Files\Canon\Easy-PhotoPrint\Uninst.isu" -c"C:\Program Files\Canon\Easy-PhotoPrint\EZUNINST.DLL" Canon Utilities EOS Utility-->"C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\EOS Utility\Uninst.ini" Canon Utilities ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\Program\Uninst.ini" Easy-WebPrint-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu" Family Tree Legends-->MsiExec.exe /I{1ED6CA46-633C-46CD-9D0F-2A8AE225E8A6} Free Mp3 Wma Converter V 1.7.3-->"C:\Program Files\Free Audio Pack\unins000.exe" HijackThis 2.0.2-->"C:\Documents and Settings\Katie\Desktop\HijackThis.exe" /uninstall Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe" HP Memories Disc-->MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70} Intel(R) Extreme Graphics Driver-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562 Intel(R) PRO Ethernet Adapter and Software-->Prounstl.exe iTunes-->MsiExec.exe /I{3DE0053C-FD9A-483E-B7C9-B06E4392206E} Java 2 Runtime Environment, SE v1.4.2-->MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142000} Macromedia Extension Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\ENGINE\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A5BA14E0-7384-11D4-BAE7-00409631A2C8}\setup.exe" -l0x9 mmUninstall Macromedia Flash Player 8-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\swflash.inf,DefaultUninstall,5 Microsoft Data Access Components KB870669-->C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf Microsoft Office 2000 SR-1 Disc 2-->MsiExec.exe /I{00040409-78E1-11D2-B60F-006097C998E7} Microsoft Office 2000 SR-1 Professional-->MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7} Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d} Microsoft XML Parser and SDK-->MsiExec.exe /I{3E908702-AF35-4611-9518-955DA24B7E07} Mozilla Firefox (3.0.3)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F} MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF} Nero Suite-->C:\Program Files\Common Files\Ahead\Uninstall\Setupx.exe /uninstall ExtraUninstallID="" Pervasive.SQL 2000i Workstation-->C:\WINDOWS\IsUninst.exe -fC:\PVSW\DeIsL1.isu -c"C:\PVSW\W32PTKUN.DLL" -mpsql.mif Picasa 3-->"C:\Program Files\Google\Picasa3\Uninstall.exe" Quicken 2006-->MsiExec.exe /X{2818095F-FB6C-42C8-827E-0A406CC9AFF5} QuickTime-->MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175} RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0 Search Settings 1.2-->MsiExec.exe /X{D0C73318-7B4A-4D16-A0C4-3B83F075EA88} Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe" Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe" Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe" Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe" Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe" Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe" Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe" Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe" Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe" Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe" Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe" Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe" Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe" Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe" Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe" Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe" Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe" Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe" Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe" Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe" Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe" Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe" Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe" Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe" Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe" SONICblue Real Service Providers-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B34A02CB-6E66-4B23-BBBC-139C2EF8E850}\setup.exe"  SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"  Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe" Symantec KB-DocID:2003093015493306-->MsiExec.exe /I{08C5815C-2C6E-44f8-8748-0E61BC9AFB68} Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe" Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe" Windows Genuine Advantage v1.3.0254.0-->MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91} Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe" WinZip-->"C:\PROGRAM FILES\WINZIP\WINZIP32.EXE" /uninstall  =====HijackThis Backups=====  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/ R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0 R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file) O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll (file missing) O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\system32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\system32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'Default user') O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200 O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab O20 - AppInit_DLLs: avgrsstx.dll O20 - Winlogon Notify: Leondll - Leondll.dll (file missing) O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} -  O2 - BHO: (no name) - {b268d197-3b53-4a15-9d41-77a998c90253} - C:\WINDOWS\system32\boyimeta.dll O4 - HKLM\..\Run: [CPM1eb32f3f] Rundll32.exe "C:\WINDOWS\system32\gudosaho.dll",a O4 - HKLM\..\Run: [fomadupane] Rundll32.exe "C:\WINDOWS\system32\yuhasifo.dll",s O4 - HKLM\..\Run: [CPM1eb32f3f] Rundll32.exe "C:\WINDOWS\system32\gudosaho.dll",a O2 - BHO: (no name) - {b268d197-3b53-4a15-9d41-77a998c90253} - C:\WINDOWS\system32\boyimeta.dll O4 - HKLM\..\Run: [fomadupane] Rundll32.exe "C:\WINDOWS\system32\yuhasifo.dll",s O4 - HKUS\S-1-5-20\..\Run: [fomadupane] Rundll32.exe "C:\WINDOWS\system32\yuhasifo.dll",s (User 'NETWORK SERVICE') O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gudosaho.dll O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gudosaho.dll  ======Hosts File======  127.0.0.1    www.007guard.com 127.0.0.1    007guard.com 127.0.0.1    008i.com 127.0.0.1    www.008k.com 127.0.0.1    008k.com 127.0.0.1    www.00hq.com 127.0.0.1    00hq.com 127.0.0.1    010402.com 127.0.0.1    www.032439.com 127.0.0.1    032439.com  ======Security center information======  AV: AVG Anti-Virus Free FW: Norton Internet Worm Protection (disabled)  ======Environment variables======  "ComSpec"=%SystemRoot%\system32\cmd.exe "Path"=C:\PVSW\BIN;%SYSTEMROOT%\system32;%SYSTEMROOT%;%SYSTEMROOT%\system32\WBEM;C:\Program Files\QuickTime\QTSystem\ "windir"=C:\WINDOWS "FP_NO_HOST_CHECK"=NO "OS"=Windows_NT "PROCESSOR_ARCHITECTURE"=x86 "PROCESSOR_LEVEL"=15 "PROCESSOR_IDENTIFIER"=x86 Family 15 Model 1 Stepping 3, GenuineIntel "PROCESSOR_REVISION"=0103 "NUMBER_OF_PROCESSORS"=1 "PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH "TEMP"=C:\windows\TEMP "TMP"=c:\windows\TEMP "PROMPT"=$p$g "winbootdir"=C:\WINDOWS "VSL"=C:\PVSW\BIN "CLASSPATH"=.;C:\PVSW\BIN\PVJDBC2X.JAR;C:\PVSW\BIN\PVJDBC2.JAR;C:\Program Files\Java\j2re1.4.2\lib\ext\QTJava.zip "QTJAVA"=C:\Program Files\Java\j2re1.4.2\lib\ext\QTJava.zip  -----------------EOF-----------------

Katana · November 2008

2scorpios wrote:

(how can I keep this from wrapping around so it's easier for you to read?)

I'm not sure why it is doing that ?

Step 1

Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
- Update Malwarebytes' Anti-Malware
- and Launch Malwarebytes' Anti-Malware
then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply
- If you accidently close it, the log file is saved here and will be named like this:
- C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Step 2

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See HERE for help
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Step 3

Installed Programs

Please could you give me a list of the programs that are installed.

Start HijackThis
Click on the Misc Tools button
Click on the Open Uninstall Manager button.

You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.

Step 4

Logs/Information to Post in Reply
Please post the following logs/Information in your reply

MalwareBytes Log
ComboFix Log
Installed Programs List
How are things running now ?

2scorpios · November 2008

Below are the logs you requested - you seem to have fixed it! No pop ups at all in the last two hours and the CPU usage is back to normal (no longer 99%). THANK YOU!!

Malwarebytes' Anti-Malware 1.30
Database version: 1377
Windows 5.1.2600 Service Pack 3

11/9/2008 12:42:19 PM
mbam-log-2008-11-09 (12-42-19).txt

Scan type: Full Scan (C:\|)
Objects scanned: 87890
Time elapsed: 33 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 14
Registry Values Infected: 4
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:

ComboFix 08-11-09.01 - Katie 2008-11-09 13:11:55.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.171 [GMT -8:00]
Running from: c:\documents and settings\Katie\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\bold.log
c:\windows\start.exe
c:\windows\system32\mdm.exe
c:\windows\system32\ps.exe
c:\windows\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2008-10-09 to 2008-11-09 )))))))))))))))))))))))))))))))
.

2008-11-09 12:02 . 2008-11-09 12:02 <DIR> d

c:\documents and settings\Katie\Application Data\Malwarebytes
2008-11-09 12:02 . 2008-10-22 16:10 38,496 --a

c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-11-09 12:02 . 2008-10-22 16:10 15,504 --a

c:\windows\SYSTEM32\DRIVERS\mbam.sys
2008-11-09 12:01 . 2008-11-09 12:02 <DIR> d

c:\program files\Malwarebytes' Anti-Malware
2008-11-09 12:01 . 2008-11-09 12:02 <DIR> d

c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-09 10:34 . 2008-11-09 10:34 <DIR> d

C:\rsit
2008-11-05 08:00 . 2008-11-05 08:00 <DIR> d

c:\windows\SYSTEM32\config\systemprofile\Application Data\Search Settings
2008-11-04 17:07 . 2008-11-04 17:07 <DIR> d

c:\program files\Spybot - Search & Destroy
2008-11-04 17:07 . 2008-11-04 17:07 <DIR> d

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-04 10:20 . 2008-11-09 11:25 41,986 --a

c:\windows\SYSTEM32\x7T8yHbX.exe
2008-11-02 11:03 . 2008-11-02 11:03 <DIR> d

c:\program files\Lavasoft
2008-11-02 11:03 . 2008-11-02 11:03 <DIR> d

c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-02 11:02 . 2008-11-02 11:02 <DIR> d

c:\program files\Common Files\Wise Installation Wizard
2008-11-01 15:49 . 2008-11-01 15:48 31,744 --a

c:\windows\SYSTEM32\1JD22Hwo.exe
2008-10-26 13:34 . 2008-10-26 13:34 <DIR> d

c:\windows\SYSTEM32\scripting
2008-10-26 13:34 . 2008-10-26 13:34 <DIR> d

c:\windows\SYSTEM32\en
2008-10-26 13:34 . 2008-10-26 13:34 <DIR> d

c:\windows\SYSTEM32\bits
2008-10-26 13:34 . 2008-10-26 13:34 <DIR> d

c:\windows\l2schemas
2008-10-23 17:39 . 2008-10-15 09:34 337,408

c:\windows\SYSTEM32\dllcache\netapi32.dll
2008-10-23 17:18 . 2008-10-23 17:18 2,302,017 --a

c:\windows\SYSTEM32\GPhotos.scr
2008-10-15 20:01 . 2008-08-14 03:11 2,189,184

c:\windows\SYSTEM32\dllcache\ntoskrnl.exe
2008-10-15 20:01 . 2008-08-14 03:09 2,145,280

c:\windows\SYSTEM32\dllcache\ntkrnlmp.exe
2008-10-15 20:01 . 2008-08-14 02:33 2,023,936

c:\windows\SYSTEM32\dllcache\ntkrpamp.exe
2008-10-15 20:01 . 2008-09-15 05:12 1,846,400

c:\windows\SYSTEM32\dllcache\win32k.sys
2008-10-15 20:01 . 2008-09-08 03:41 333,824

c:\windows\SYSTEM32\dllcache\srv.sys
2008-10-15 20:00 . 2008-08-14 02:33 2,066,048

c:\windows\SYSTEM32\dllcache\ntkrnlpa.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-09 00:07 92,212 --sha-w c:\windows\SYSTEM32\lobuzosi.dll
2008-09-15 13:12 1,846,400 ----a-w c:\windows\SYSTEM32\win32k.sys
2008-09-14 03:57

d

w c:\documents and settings\Katie\Application Data\Search Settings
2008-09-14 00:43

d

w c:\program files\Search Settings
2008-09-14 00:42

d

w c:\program files\Free Audio Pack
2008-09-14 00:42

d

w c:\program files\Dealio
2008-08-20 06:30 666,112 ----a-w c:\windows\SYSTEM32\wininet.dll
2008-08-20 06:30 666,112

w c:\windows\SYSTEM32\dllcache\wininet.dll
2008-08-20 06:30 619,520

w c:\windows\SYSTEM32\dllcache\urlmon.dll
2008-08-20 06:30 3,067,904

w c:\windows\SYSTEM32\dllcache\mshtml.dll
2008-08-20 06:30 1,499,136

w c:\windows\SYSTEM32\dllcache\shdocvw.dll
2008-08-14 11:11 2,189,184 ----a-w c:\windows\SYSTEM32\ntoskrnl.exe
2008-08-14 11:04 138,496

w c:\windows\SYSTEM32\dllcache\afd.sys
2008-08-14 10:33 2,066,048 ----a-w c:\windows\SYSTEM32\ntkrnlpa.exe
2005-06-03 19:04 161 ---ha-w c:\documents and settings\Katie\hpothb07.dat
2005-05-24 22:16 28 ----a-w c:\documents and settings\Katie\deltemp.bat
2002-11-01 05:13 266 --sh--w c:\program files\desktop.ini
2002-11-01 05:13 11,079 ---h--w c:\program files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2008-04-13 17:12 8461312 --a

c:\windows\SYSTEM32\SHELL32.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2004-12-07 1884160]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-09-29 1234712]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"SearchSettings"="c:\program files\Search Settings\SearchSettings.exe" [2008-06-12 991584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"QuickTime Task"="c:\windows\SYSTEM32\qttask.exe" -atboottime
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgtray.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"=
"c:\\WINDOWS\\System32\\winlogon.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-08-29 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-08-29 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-29 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-08-04 76040]
S3 RIOXDRV;SONICblue Rio generic driver XP+;c:\windows\system32\Drivers\RIOXDRV.sys [2003-02-06 18304]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>IEPerUser]
RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"c:\progra~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"c:\progra~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
"c:\progra~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"c:\progra~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"c:\progra~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
"c:\progra~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
c:\windows\SYSTEM32\updcrl.exe -e -u c:\windows\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder

2008-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-11-01 c:\windows\Tasks\At1.job
- c:\windows\system32\1JD22Hwo.exe [2008-11-01 15:48]

2008-11-01 c:\windows\Tasks\At2.job
- c:\windows\system32\1JD22Hwo.exe [2008-11-01 15:48]

2008-11-01 c:\windows\Tasks\At3.job
- c:\windows\system32\1JD22Hwo.exe [2008-11-01 15:48]

2008-11-01 c:\windows\Tasks\At4.job
- c:\windows\system32\1JD22Hwo.exe [2008-11-01 15:48]

2008-11-01 c:\windows\Tasks\At5.job
- c:\windows\system32\1JD22Hwo.exe [2008-11-01 15:48]

2008-11-01 c:\windows\Tasks\At6.job
- c:\windows\system32\1JD22Hwo.exe [2008-11-01 15:48]

2008-11-01 c:\windows\Tasks\At7.job
- c:\windows\system32\1JD22Hwo.exe [2008-11-01 15:48]

2008-11-01 c:\windows\Tasks\At8.job
- c:\windows\system32\1JD22Hwo.exe [2008-11-01 15:48]

2008-11-05 c:\windows\Tasks\At9.job
- c:\windows\system32\1JD22Hwo.exe [2008-11-01 15:48]

2008-11-09 c:\windows\Tasks\At10.job
- c:\windows\system32\1JD22Hwo.exe [2008-11-01 15:48]

2008-11-09 c:\windows\Tasks\At11.job
- c:\windows\system32\1JD22Hwo.exe [2008-11-01 15:48]

2008-11-09 c:\windows\Tasks\At12.job
- c:\windows\system32\1JD22Hwo.exe [2008-11-01 15:48]

2008-11-09 c:\windows\Tasks\At13.job
- c:\windows\system32\1JD22Hwo.exe [2008-11-01 15:48]

2008-11-09 c:\windows\Tasks\At14.job
- c:\windows\system32\1JD22Hwo.exe [2008-11-01 15:48]

2008-11-07 c:\windows\Tasks\At15.job
- c:\windows\system32\1JD22Hwo.exe [2008-11-01 15:48]

2008-11-07 c:\windows\Tasks\At16.job
- c:\windows\system32\1JD22Hwo.exe [2008-11-01 15:48]

2008-11-08 c:\windows\Tasks\At17.job
- c:\windows\system32\1JD22Hwo.exe [2008-11-01 15:48]

2008-11-09 c:\windows\Tasks\At18.job
- c:\windows\system32\1JD22Hwo.exe [2008-11-01 15:48]

2008-11-09 c:\windows\Tasks\At19.job
- c:\windows\system32\1JD22Hwo.exe [2008-11-01 15:48]

2008-11-09 c:\windows\Tasks\At20.job
- c:\windows\system32\1JD22Hwo.exe [2008-11-01 15:48]

2008-11-09 c:\windows\Tasks\At21.job
- c:\windows\system32\1JD22Hwo.exe [2008-11-01 15:48]

2008-11-04 c:\windows\Tasks\At22.job
- c:\windows\system32\1JD22Hwo.exe [2008-11-01 15:48]

2008-11-04 c:\windows\Tasks\At23.job
- c:\windows\system32\1JD22Hwo.exe [2008-11-01 15:48]

2008-11-01 c:\windows\Tasks\At24.job
- c:\windows\system32\1JD22Hwo.exe [2008-11-01 15:48]

2008-11-02 c:\windows\Tasks\At25.job
- c:\windows\system32\x7T8yHbX.exe [2008-11-09 11:25]

2008-11-02 c:\windows\Tasks\At26.job
- c:\windows\system32\x7T8yHbX.exe [2008-11-09 11:25]

2008-11-02 c:\windows\Tasks\At27.job
- c:\windows\system32\x7T8yHbX.exe [2008-11-09 11:25]

2008-11-02 c:\windows\Tasks\At28.job
- c:\windows\system32\x7T8yHbX.exe [2008-11-09 11:25]

2008-11-02 c:\windows\Tasks\At29.job
- c:\windows\system32\x7T8yHbX.exe [2008-11-09 11:25]

2008-11-02 c:\windows\Tasks\At30.job
- c:\windows\system32\x7T8yHbX.exe [2008-11-09 11:25]

2008-11-02 c:\windows\Tasks\At31.job
- c:\windows\system32\x7T8yHbX.exe [2008-11-09 11:25]

2008-11-02 c:\windows\Tasks\At32.job
- c:\windows\system32\x7T8yHbX.exe [2008-11-09 11:25]

2008-11-05 c:\windows\Tasks\At33.job
- c:\windows\system32\x7T8yHbX.exe [2008-11-09 11:25]

2008-11-09 c:\windows\Tasks\At34.job
- c:\windows\system32\x7T8yHbX.exe [2008-11-09 11:25]

2008-11-09 c:\windows\Tasks\At35.job
- c:\windows\system32\x7T8yHbX.exe [2008-11-09 11:25]

2008-11-09 c:\windows\Tasks\At36.job
- c:\windows\system32\x7T8yHbX.exe [2008-11-09 11:25]

2008-11-09 c:\windows\Tasks\At37.job
- c:\windows\system32\x7T8yHbX.exe [2008-11-09 11:25]

2008-11-09 c:\windows\Tasks\At38.job
- c:\windows\system32\x7T8yHbX.exe [2008-11-09 11:25]

2008-11-07 c:\windows\Tasks\At39.job
- c:\windows\system32\x7T8yHbX.exe [2008-11-09 11:25]

2008-11-07 c:\windows\Tasks\At40.job
- c:\windows\system32\x7T8yHbX.exe [2008-11-09 11:25]

2008-11-08 c:\windows\Tasks\At41.job
- c:\windows\system32\x7T8yHbX.exe [2008-11-09 11:25]

2008-11-09 c:\windows\Tasks\At42.job
- c:\windows\system32\x7T8yHbX.exe [2008-11-09 11:25]

2008-11-09 c:\windows\Tasks\At43.job
- c:\windows\system32\x7T8yHbX.exe [2008-11-09 11:25]

2008-11-09 c:\windows\Tasks\At44.job
- c:\windows\system32\x7T8yHbX.exe [2008-11-09 11:25]

2008-11-09 c:\windows\Tasks\At45.job
- c:\windows\system32\x7T8yHbX.exe [2008-11-09 11:25]

2008-11-04 c:\windows\Tasks\At46.job
- c:\windows\system32\x7T8yHbX.exe [2008-11-09 11:25]

2008-11-04 c:\windows\Tasks\At47.job
- c:\windows\system32\x7T8yHbX.exe [2008-11-09 11:25]

2008-11-02 c:\windows\Tasks\At48.job
- c:\windows\system32\x7T8yHbX.exe [2008-11-09 11:25]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-PhotoShow Deluxe Media Manager - c:\progra~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
HKLM-Run-CPM1eb32f3f - c:\windows\system32\gudosaho.dll
HKLM-Run-NWEReboot - (no file)
HKLM-Run-<NO NAME> - (no file)

.

Supplementary Scan

.
FireFox -: Profile - c:\documents and settings\Katie\Application Data\Mozilla\Firefox\Profiles\pw1w72xq.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Google\Picasa3\npPicasa3.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Java\j2re1.4.2\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\j2re1.4.2\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\j2re1.4.2\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\j2re1.4.2\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\j2re1.4.2\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\j2re1.4.2\bin\NPJPI142.dll
FF -: plugin - c:\program files\Java\j2re1.4.2\bin\NPOJI610.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npsnapfish.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPUploader.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-09 13:18:29
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.

Other Running Processes

.
c:\program files\AHEAD\INCD\INCDSRV.EXE
c:\program files\LAVASOFT\AD-AWARE\AAWSERVICE.EXE
c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
c:\program files\ANALOG DEVICES\SOUNDMAX\SMAGENT.EXE
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-11-09 13:20:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-09 21:20:16

Pre-Run: 9,645,604,864 bytes free
Post-Run: 9,604,923,392 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout = 30
default = multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS = "Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

286 --- E O F --- 2008-10-29 03:29:02

Absolute Poker
Ad-Aware
Adobe Flash Player Plugin
Adobe Photoshop 6.0
Adobe Reader 7.0.8
Adobe SVG Viewer 3.0
Apple Mobile Device Support
Apple Software Update
AVG Free 8.0
BookSmartâ„¢ 1.9.5 1.9.5
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon CanoScan Toolbox 4.9
Canon G.726 WMP-Decoder
Canon i560
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon ScanGear Starter
Canon Utilities Easy-PhotoPrint
Canon Utilities EOS Utility
Canon Utilities ZoomBrowser EX
Easy-WebPrint
Family Tree Legends
Free Mp3 Wma Converter V 1.7.3
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
HP Memories Disc
Intel(R) Extreme Graphics Driver
Intel(R) PRO Ethernet Adapter and Software
iTunes
Java 2 Runtime Environment, SE v1.4.2
Macromedia Extension Manager
Macromedia Flash Player 8
Malwarebytes' Anti-Malware
Microsoft Data Access Components KB870669
Microsoft Office 2000 SR-1 Disc 2
Microsoft Office 2000 SR-1 Professional
Microsoft Visual C++ 2005 Redistributable
Microsoft XML Parser and SDK
Mozilla Firefox (3.0.3)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Nero Suite
Pervasive.SQL 2000i Workstation
Picasa 3
Quicken 2006
QuickTime
RealPlayer
Search Settings 1.2
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB958644)
SONICblue Real Service Providers
SoundMAX
Spybot - Search & Destroy
Symantec KB-DocID:2003093015493306
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Windows Genuine Advantage v1.3.0254.0
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WinZip

Katana · November 2008

It looks like the MalwareBytes log got cut off, please can you post it again
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

2scorpios · November 2008

Here you go - still no pop ups, but Spy-Bot has detected a couple attempted registry changes (which were denied).

Malwarebytes' Anti-Malware 1.30
Database version: 1377
Windows 5.1.2600 Service Pack 3

11/9/2008 12:42:19 PM
mbam-log-2008-11-09 (12-42-19).txt

Scan type: Full Scan (C:\|)
Objects scanned: 87890
Time elapsed: 33 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 14
Registry Values Infected: 4
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\fusigoka.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\SYSTEM32\warewabe.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b268d197-3b53-4a15-9d41-77a998c90253} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b268d197-3b53-4a15-9d41-77a998c90253} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f919fbd3-a96b-4679-af26-f551439bb5fd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6} (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fomadupane (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: c:\windows\system32\warewabe.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: system32\warewabe.dll -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\sifajade.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\edajafis.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\nobiwuna.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\anuwibon.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\fusigoka.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\akogisuf.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\boyimeta.dll (Trojan.BHO.H) -> Delete on reboot.
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
c:\WINDOWS\SYSTEM32\warewabe.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\1JD22Hwo.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\x7T8yHbX.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\yuhasifo.dll (Trojan.Agent) -> Delete on reboot.

Katana · November 2008

Information

Since Teatimer was still active, please rerun MalwareBytes again after you do step 1

Step 1

Disable Teatimer
First step:

Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
If you have Version 1.4, Click on Exit Spybot S&D Resident

Second step, For Either Version :

Open Spybot S&D
Click Mode, choose Advanced Mode
Go To the bottom of the Vertical Panel on the Left, Click Tools
then, also in left panel, click Resident shows a red/white shield.
If your firewall raises a question, say OK
In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.

Step 2

OTMoveIt
Please download OTMoveIt3 by OldTimer and save it to your desktop

Double-click OTMoveIt3.exe to run it.
Copy the lines in the codebox below. ( Make sure you include :Files )

:Reg
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SearchSettings"=-
:Files
c:\windows\SYSTEM32\config\systemprofile\Application Data\Search Settings
c:\windows\SYSTEM32\x7T8yHbX.exe
c:\windows\SYSTEM32\1JD22Hwo.exe
c:\windows\SYSTEM32\lobuzosi.dll
c:\documents and settings\Katie\Application Data\Search Settings
c:\Program Files\Search Settings
c:\windows\Tasks\At*.job
:Commands
[Purity]
[EmptyTemp]

Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.

Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTMoveIt3

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Step 3

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

Double-click on JavaRa.exe to start the program.
From the drop-down menu, choose English and click on Select.
JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
A logfile will pop up. Please save it to a convenient location.

Now download and install Java Runtime Environment (JRE) .

Step 4

Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

**Note**

To optimize scanning time and produce a more sensible report for review:

Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Step 5

Logs/Information to Post in Reply
Please post the following logs/Information in your reply

OTMI Log
Kaspersky Log

Additional Notes

Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Adobe Reader is a large program and uses unnecessary space.
If you prefer a smaller program you can get Foxit 2.0 from http://www.foxitsoftware.com/pdf/rd_intro.php << Recommended

There is a newer version of Adobe Acrobat Reader available.

Please go to this link Adobe Acrobat Reader Download Link
Click Download
On the right Untick Adobe Phototshop Album Starter Edition if you do not wish to include this in the installation.
Click the Continue button
Click Run, and click Run again
Next click the Install Now button and follow the on screen prompts

When the installation is complete go to Add/Remove Programs and uninstall all previous versions.

2scorpios · November 2008

OK, have done all of the above, two logs requested below(thanks for all your continued help!):

========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SpybotSD TeaTimer deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SearchSettings deleted successfully.
========== FILES ==========
c:\windows\SYSTEM32\config\systemprofile\Application Data\Search Settings\kb127\res moved successfully.
c:\windows\SYSTEM32\config\systemprofile\Application Data\Search Settings\kb127\temp moved successfully.
c:\windows\SYSTEM32\config\systemprofile\Application Data\Search Settings\kb127 moved successfully.
c:\windows\SYSTEM32\config\systemprofile\Application Data\Search Settings moved successfully.
c:\windows\SYSTEM32\x7T8yHbX.exe moved successfully.
c:\windows\SYSTEM32\1JD22Hwo.exe moved successfully.
DllUnregisterServer procedure not found in c:\windows\SYSTEM32\lobuzosi.dll
c:\windows\SYSTEM32\lobuzosi.dll NOT unregistered.
c:\windows\SYSTEM32\lobuzosi.dll moved successfully.
c:\documents and settings\Katie\Application Data\Search Settings\kb127\res moved successfully.
Folder move failed. c:\documents and settings\Katie\Application Data\Search Settings\kb127\temp scheduled to be moved on reboot.
Folder move failed. c:\documents and settings\Katie\Application Data\Search Settings\kb127 scheduled to be moved on reboot.
Folder move failed. c:\documents and settings\Katie\Application Data\Search Settings scheduled to be moved on reboot.
c:\Program Files\Search Settings\kb127\temp moved successfully.
c:\Program Files\Search Settings\kb127\res moved successfully.
c:\Program Files\Search Settings\kb127 moved successfully.
c:\Program Files\Search Settings moved successfully.
c:\windows\Tasks\At1.job moved successfully.
c:\windows\Tasks\At2.job moved successfully.
c:\windows\Tasks\At3.job moved successfully.
c:\windows\Tasks\At4.job moved successfully.
c:\windows\Tasks\At5.job moved successfully.
c:\windows\Tasks\At6.job moved successfully.
c:\windows\Tasks\At7.job moved successfully.
c:\windows\Tasks\At8.job moved successfully.
c:\windows\Tasks\At9.job moved successfully.
c:\windows\Tasks\At10.job moved successfully.
c:\windows\Tasks\At11.job moved successfully.
c:\windows\Tasks\At12.job moved successfully.
c:\windows\Tasks\At13.job moved successfully.
c:\windows\Tasks\At14.job moved successfully.
c:\windows\Tasks\At15.job moved successfully.
c:\windows\Tasks\At16.job moved successfully.
c:\windows\Tasks\At17.job moved successfully.
c:\windows\Tasks\At18.job moved successfully.
c:\windows\Tasks\At19.job moved successfully.
c:\windows\Tasks\At20.job moved successfully.
c:\windows\Tasks\At21.job moved successfully.
c:\windows\Tasks\At22.job moved successfully.
c:\windows\Tasks\At23.job moved successfully.
c:\windows\Tasks\At24.job moved successfully.
c:\windows\Tasks\At25.job moved successfully.
c:\windows\Tasks\At26.job moved successfully.
c:\windows\Tasks\At27.job moved successfully.
c:\windows\Tasks\At28.job moved successfully.
c:\windows\Tasks\At29.job moved successfully.
c:\windows\Tasks\At30.job moved successfully.
c:\windows\Tasks\At31.job moved successfully.
c:\windows\Tasks\At32.job moved successfully.
c:\windows\Tasks\At33.job moved successfully.
c:\windows\Tasks\At34.job moved successfully.
c:\windows\Tasks\At35.job moved successfully.
c:\windows\Tasks\At36.job moved successfully.
c:\windows\Tasks\At37.job moved successfully.
c:\windows\Tasks\At38.job moved successfully.
c:\windows\Tasks\At39.job moved successfully.
c:\windows\Tasks\At40.job moved successfully.
c:\windows\Tasks\At41.job moved successfully.
c:\windows\Tasks\At42.job moved successfully.
c:\windows\Tasks\At43.job moved successfully.
c:\windows\Tasks\At44.job moved successfully.
c:\windows\Tasks\At45.job moved successfully.
c:\windows\Tasks\At46.job moved successfully.
c:\windows\Tasks\At47.job moved successfully.
c:\windows\Tasks\At48.job moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Katie\LOCALS~1\Temp\etilqs_mGnl0Hf7Zp5mQcRZ07jM scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Katie\Local Settings\Application Data\Mozilla\Firefox\Profiles\pw1w72xq.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Katie\Local Settings\Application Data\Mozilla\Firefox\Profiles\pw1w72xq.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Katie\Local Settings\Application Data\Mozilla\Firefox\Profiles\pw1w72xq.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Katie\Local Settings\Application Data\Mozilla\Firefox\Profiles\pw1w72xq.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Katie\Local Settings\Application Data\Mozilla\Firefox\Profiles\pw1w72xq.default\XUL.mfl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Katie\Local Settings\Application Data\Mozilla\Firefox\Profiles\pw1w72xq.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.7.0 log created on 11092008_163011

Files moved on Reboot...
c:\documents and settings\Katie\Application Data\Search Settings\kb127\temp moved successfully.
c:\documents and settings\Katie\Application Data\Search Settings\kb127 moved successfully.
c:\documents and settings\Katie\Application Data\Search Settings moved successfully.
File C:\DOCUME~1\Katie\LOCALS~1\Temp\etilqs_mGnl0Hf7Zp5mQcRZ07jM not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
C:\Documents and Settings\Katie\Local Settings\Application Data\Mozilla\Firefox\Profiles\pw1w72xq.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Katie\Local Settings\Application Data\Mozilla\Firefox\Profiles\pw1w72xq.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Katie\Local Settings\Application Data\Mozilla\Firefox\Profiles\pw1w72xq.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Katie\Local Settings\Application Data\Mozilla\Firefox\Profiles\pw1w72xq.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Katie\Local Settings\Application Data\Mozilla\Firefox\Profiles\pw1w72xq.default\XUL.mfl moved successfully.
C:\Documents and Settings\Katie\Local Settings\Application Data\Mozilla\Firefox\Profiles\pw1w72xq.default\urlclassifier3.sqlite moved successfully.

KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, November 9, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, November 09, 2008 23:45:28
Records in database: 1377382

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 44609
Threat name: 5
Infected objects: 10
Suspicious objects: 0
Duration of the scan: 01:12:36

File name / Threat name / Threats count
C:\WINDOWS\SYSTEM32\x7T8yHbX.exe_ Infected: Trojan-Downloader.Win32.Agent.aogx 1
C:\_OTMoveIt\MovedFiles\11092008_163011\windows\SYSTEM32\x7T8yHbX.exe Infected: Trojan-Downloader.Win32.Agent.aogx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\741F3B32.dll Infected: Trojan-Downloader.Win32.ConHook.aa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\06AE5CC6.tmp Infected: Exploit.Java.ByteVerify 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5FC67DD7.exe Infected: Trojan-Downloader.Win32.ConHook.ab 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6B383A82.dll Infected: Trojan-Downloader.Win32.ConHook.ab 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5B1827D4.def Infected: not-a-virus:AdWare.Win32.180Solutions.ax 1
C:\System Volume Information\_restore{178D073D-AC41-43FB-A1AE-49EAF8F6915D}\RP3\A0001041.exe Infected: Trojan-Downloader.Win32.Agent.aogx 1
C:\System Volume Information\_restore{178D073D-AC41-43FB-A1AE-49EAF8F6915D}\RP3\A0001070.exe Infected: Trojan-Downloader.Win32.Agent.aogx 1
C:\System Volume Information\_restore{178D073D-AC41-43FB-A1AE-49EAF8F6915D}\RP4\A0001173.exe Infected: Trojan-Downloader.Win32.Agent.aogx 1

The selected area was scanned.

Katana · November 2008

OTMoveIt
Please download OTMoveIt3 by OldTimer and save it to your desktop

Double-click OTMoveIt3.exe to run it.
Copy the lines in the codebox below. ( Make sure you include :Files )

:Files
C:\WINDOWS\SYSTEM32\x7T8yHbX.exe_

Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.

Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTMoveIt3

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please re-run RSIT, and post the log it produces.

2scorpios · November 2008

Here you go - MoveIt log is first, then RSIT

========== FILES ==========
C:\WINDOWS\SYSTEM32\x7T8yHbX.exe_ moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.7.0 log created on 11102008_092656

Logfile of random's system information tool 1.04 (written by random/random)
Run by Katie at 2008-11-10 09:27:28
Microsoft Windows XP Professional Service Pack 3
System drive C: has 9 GB (48%) free of 19 GB
Total RAM: 510 MB (47% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:32 AM, on 11/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Katie\Desktop\RSIT.exe
C:\Documents and Settings\Katie\Desktop\Katie.exe

O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CPM1eb32f3f] Rundll32.exe "C:\WINDOWS\system32\gudosaho.dll",a
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKUS\S-1-5-19\..\Run: [fomadupane] Rundll32.exe "C:\WINDOWS\system32\yuhasifo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [fomadupane] Rundll32.exe "C:\WINDOWS\system32\yuhasifo.dll",s (User 'NETWORK SERVICE')
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Katie\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Katie\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: c:\windows\system32\lobuzosi.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lobuzosi.dll (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 3482 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java(tm) Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-11-09 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-11-09 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-11-09 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-09-29 1234712]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2008-07-22 116040]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-05-27 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-07-30 289064]
"CPM1eb32f3f"=C:\WINDOWS\system32\gudosaho.dll []
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-11-09 136600]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"=C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_8 -reboot 1 []
"NBJ"=C:\Program Files\Ahead\Nero BackItUp\NBJ.exe [2004-12-07 1884160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="c:\windows\system32\lobuzosi.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2004-02-10 339968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-04-10 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lobuzosi.dll []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=
"NoDrives"=
"NoDriveAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Real\RealPlayer\realplay.exe"="C:\Program Files\Real\RealPlayer\realplay.exe:*:Disabled:RealOne Player"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\AVG\AVG8\avgtray.exe"="C:\Program Files\AVG\AVG8\avgtray.exe:*:Enabled:avgtray"
"C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe:*:Enabled:SpybotSD"
"C:\WINDOWS\System32\winlogon.exe"="C:\WINDOWS\System32\winlogon.exe:*:Enabled:winlogon"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
shell\AutoRun\command - F:\LaunchU3.exe -a

======File associations======

.js - open -

======List of files/folders created in the last 1 months======

2008-11-09 16:42:44 ----A---- C:\WINDOWS\system32\javaws.exe
2008-11-09 16:42:44 ----A---- C:\WINDOWS\system32\javaw.exe
2008-11-09 16:42:44 ----A---- C:\WINDOWS\system32\java.exe
2008-11-09 16:42:44 ----A---- C:\WINDOWS\system32\deploytk.dll
2008-11-09 16:38:09 ----D---- C:\unzipped
2008-11-09 16:30:11 ----D---- C:\_OTMoveIt
2008-11-09 13:20:29 ----D---- C:\WINDOWS\temp
2008-11-09 13:20:25 ----A---- C:\ComboFix.txt
2008-11-09 13:10:58 ----A---- C:\Boot.bak
2008-11-09 13:10:54 ----RASHD---- C:\cmdcons
2008-11-09 13:08:07 ----A---- C:\WINDOWS\zip.exe
2008-11-09 13:08:07 ----A---- C:\WINDOWS\VFIND.exe
2008-11-09 13:08:07 ----A---- C:\WINDOWS\SWXCACLS.exe
2008-11-09 13:08:07 ----A---- C:\WINDOWS\SWSC.exe
2008-11-09 13:08:07 ----A---- C:\WINDOWS\SWREG.exe
2008-11-09 13:08:07 ----A---- C:\WINDOWS\sed.exe
2008-11-09 13:08:07 ----A---- C:\WINDOWS\NIRCMD.exe
2008-11-09 13:08:07 ----A---- C:\WINDOWS\grep.exe
2008-11-09 13:08:07 ----A---- C:\WINDOWS\fdsv.exe
2008-11-09 13:08:02 ----D---- C:\WINDOWS\ERDNT
2008-11-09 13:08:02 ----D---- C:\Qoobox
2008-11-09 12:02:12 ----D---- C:\Documents and Settings\Katie\Application Data\Malwarebytes
2008-11-09 12:01:58 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-11-09 12:01:58 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-11-09 10:34:03 ----D---- C:\rsit
2008-11-05 16:34:51 ----A---- C:\WINDOWS\ntbtlog.txt
2008-11-04 17:07:09 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-11-04 17:07:09 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-02 11:03:06 ----D---- C:\Program Files\Lavasoft
2008-11-02 11:03:05 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-11-02 11:02:29 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-26 14:14:38 ----D---- C:\WINDOWS\Prefetch
2008-10-26 13:36:36 ----A---- C:\WINDOWS\setuplog.txt
2008-10-26 13:34:37 ----D---- C:\WINDOWS\system32\en-us
2008-10-26 13:34:36 ----D---- C:\WINDOWS\system32\scripting
2008-10-26 13:34:34 ----D---- C:\WINDOWS\l2schemas
2008-10-26 13:34:33 ----D---- C:\Program Files\msn
2008-10-26 13:34:32 ----D---- C:\WINDOWS\system32\en
2008-10-26 13:34:32 ----D---- C:\WINDOWS\system32\bits
2008-10-26 13:26:19 ----D---- C:\WINDOWS\network diagnostic

======List of files/folders modified in the last 1 months======

2008-11-09 21:40:56 ----A---- C:\WINDOWS\SchedLog.Txt
2008-11-09 13:18:26 ----A---- C:\WINDOWS\system.ini
2008-11-09 13:11:00 ----RASH---- C:\boot.ini
2008-11-07 16:40:02 ----A---- C:\WINDOWS\WinInit.ini
2008-11-07 12:25:08 ----N---- C:\WINDOWS\system32\gudosaho.dll_old
2008-11-02 17:11:00 ----A---- C:\WINDOWS\NeroDigital.ini
2008-10-26 14:19:12 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-10-26 14:16:00 ----A---- C:\WINDOWS\OEWABLog.txt
2008-10-26 14:15:56 ----A---- C:\WINDOWS\Reg Save Log.txt
2008-10-26 13:45:22 ----A---- C:\WINDOWS\imsins.BAK
2008-10-15 09:34:24 ----A---- C:\WINDOWS\system32\netapi32.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-08-29 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2008-08-04 26824]
R1 InCDPass;InCDPass; C:\WINDOWS\System32\DRIVERS\InCDPass.sys [2004-11-26 28928]
R1 incdrm;InCD Reader; C:\WINDOWS\system32\drivers\incdrm.sys [2004-11-26 27648]
R2 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2008-08-04 76040]
R2 MCSTRM;MCSTRM; C:\WINDOWS\system32\drivers\MCSTRM.sys [2005-07-02 8413]
R2 symlcbrd;symlcbrd; \??\C:\WINDOWS\system32\drivers\symlcbrd.sys []
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-08-22 98752]
R3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2002-02-25 139776]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-01-29 16168]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2004-02-10 681469]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2002-08-23 549672]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R4 InCDfs;InCD File System; C:\WINDOWS\system32\drivers\InCDfs.sys [2004-11-26 98176]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 lmimirr;lmimirr; C:\WINDOWS\system32\DRIVERS\lmimirr.sys []
S3 PCANDIS5;PCANDIS5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\PCANDIS5.SYS []
S3 RIOXDRV;SONICblue Rio generic driver XP+; C:\WINDOWS\System32\Drivers\RIOXDRV.sys [2003-02-06 18304]
S3 SymEvent;SymEvent; \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS []
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-11-02 611664]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-07-22 116040]
R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-29 875288]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-29 231704]
R2 CCALib8;Canon Camera Access Library 8; C:\Program Files\Canon\CAL\CALMAIN.exe [2005-09-30 96341]
R2 InCDsrvR;InCD Helper (read only); C:\Program Files\Ahead\InCD\InCDsrv.exe [2004-11-26 812032]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-11-09 152984]
R2 SoundMAX Agent Service (default);SoundMAX Agent Service; C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe [2002-07-15 45056]
R2 Symantec Core LC;Symantec Core LC; C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [2007-01-27 1174152]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-07-30 532264]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-07 136120]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]

EOF

Katana · November 2008

Fix With HJT

Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines IF still present

O4 - HKLM\..\Run: [CPM1eb32f3f] Rundll32.exe "C:\WINDOWS\system32\gudosaho.dll",a
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [fomadupane] Rundll32.exe "C:\WINDOWS\system32\yuhasifo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [fomadupane] Rundll32.exe "C:\WINDOWS\system32\yuhasifo.dll",s (User 'NETWORK SERVICE')
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Katie\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Katie\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O20 - AppInit_DLLs: c:\windows\system32\lobuzosi.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lobuzosi.dll (file missing)

- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis

Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
```
File::
C:\WINDOWS\system32\gudosaho.dll_old
```
Save this as CFScript.txt and place it on your desktop.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

2scorpios · November 2008

Here you go - thank you

ComboFix 08-11-09.04 - Katie 2008-11-10 12:59:49.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.210 [GMT -8:00]
Running from: c:\documents and settings\Katie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Katie\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\gudosaho.dll_old
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\bold.log
c:\windows\system32\gudosaho.dll_old

.
((((((((((((((((((((((((( Files Created from 2008-10-10 to 2008-11-10 )))))))))))))))))))))))))))))))
.

2008-11-09 16:42 . 2008-11-09 16:42 410,976 --a

c:\windows\SYSTEM32\deploytk.dll
2008-11-09 16:42 . 2008-11-09 16:42 73,728 --a

c:\windows\SYSTEM32\javacpl.cpl
2008-11-09 16:38 . 2008-11-09 16:38 <DIR> d

C:\unzipped
2008-11-09 16:30 . 2008-11-09 16:30 <DIR> d

C:\_OTMoveIt
2008-11-09 12:02 . 2008-11-09 12:02 <DIR> d