Viruses Eating my Newb Face - HijackT Log, A little help?

DareDare SD
edited February 2009 in Spyware & Virus Removal
Howdy. Referred here by a buddy.
Totally clueless as most hardware and software things go.

Been having massive slowdowns recently, my computer is ancient and has been thoroughly abused. I noticed a bunch of not normal svchost.exe's in my task manager (I ritually open that and close anything I can get away with to try and play WoW with a tiny bit less major lag on this beast.)

I went "Woah. Must be a virus."

And then I made it mad. I ctrl+alt+deleted a few, just hoping I was guessing at the right ones and not the ones that would start "Computer will reboot in X amount of time" fail.

Next thing I notice, I open my browser and Google's mainpage has been mostly hijacked, I'm having severe severe lag problems. So I pop out AVG, wondering why it hadn't been running.. It won't run. At all.

I try Ad-aware. Its definition database is gone.

I had Spyware doctor on here as well, and ran it before remembering it asks me to pay after showing me the problems, to fix them.

A friend recommended Avast! So I waded through the lag, downloaded it, and rebooted, running the scan. It found countless viruses. (Perhaps I should have been more careful with that whole porn downloading action of mine. >.>) Numerous of them in the Windows folder, and my Windows XP install CD is about 75 miles away currently.

I gambled, and chose delete all.

My computer, ooooohhh so slowly boots up, svchost strangeness is still continuing on. I open msconfig and notice quite a few messy named programs set up in my startup. Tried to change them, they keep resetting themselves.

But the Avast! run allowed me to boot up AVG... Its definition database is missing as well. And for some reason neither it nor ad-aware is capable of downloading updates now.

So I go to AVG's site and try to download their free trial professional edition, no success. Can't access any of the download sites.

At my wits' end, I start spamming buddies in AIM. One directed me here. I read the "Idiots, this is what you do" forum bit, and have run Trend. Here's my HijackThis log, as I think that about covers it.

Any help would be appreciated, and thanks much in advance. I'm far too broke due to extenuating circumstances of emo failsauce, to buy a straight up anti-virus suite.

I'm getting a new barebones PC kit in the next few days with some stuff to make it a far better gaming rig than this, a friend took pity on my sadsack life and bought me the barebones kit, but I'll still need this old clunker so my fiance can watch toons and whatnot on it, as her eyesight's so effed she can't watch it on the monitors. This will become my new TV machine.

Again, Any help appreciated.

Comments

  • TroganTrogan London, UK
    edited February 2009
    Hi,

    Sorry for the delay. Do you still need help with this? If so, post a new HijackThis log in the forum and not as an attachment.
  • DareDare SD
    edited February 2009
    No worries mate. Hope I'm followin' directions properly. ^_^



    Teh logz:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:59:26 AM, on 2/3/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\folding\Folding@home-Win32-x86.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\folding\FahCore_7c.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {0DC5084A-7FF8-4C87-A271-4DDDD002570A} - (no file)
    O2 - BHO: (no name) - {12938a4a-492f-452d-9180-7f94ff668023} - (no file)
    O2 - BHO: searchersmart search enhancer - {2190E623-8759-0A61-6004-ABEAAD6F9024} - C:\WINDOWS\system32\vdskljsgpynbwjsd.dll
    O2 - BHO: (no name) - {2DA75092-6A3D-7EAE-16A5-99DF4071D937} - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: (no name) - {66469A42-1243-4823-99CB-3ABBCF1EDAF8} - (no file)
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: {1394f475-ca6d-5b99-e3a4-c798e12fa448} - {844af21e-897c-4a3e-99b5-d6ac574f4931} - (no file)
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O2 - BHO: (no name) - {A63E645F-13BD-45ED-B15F-6E8C1BD57279} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKUS\S-1-5-19\..\Run: [pufiroderu] Rundll32.exe "C:\WINDOWS\system32\neresazi.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [pufiroderu] Rundll32.exe "C:\WINDOWS\system32\neresazi.dll",s (User 'NETWORK SERVICE')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0ACACD9C-ED25-4F21-8C9D-41EF5C51F9DB}: NameServer = 85.255.116.91,85.255.112.234
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.91,85.255.112.234
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0ACACD9C-ED25-4F21-8C9D-41EF5C51F9DB}: NameServer = 85.255.116.91,85.255.112.234
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.91,85.255.112.234
    O17 - HKLM\System\CS3\Services\Tcpip\..\{0ACACD9C-ED25-4F21-8C9D-41EF5C51F9DB}: NameServer = 85.255.116.91,85.255.112.234
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.91,85.255.112.234
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\WINDOWS\system32\nokanoza.dll,c:\windows\system32\natulevo.dll,vbcruo.dll,avgrsstx.dll
    O20 - Winlogon Notify: qoMghGyy - qoMghGyy.dll (file missing)
    O20 - Winlogon Notify: yayxvtqr - yayxvtqr.dll (file missing)
    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
    O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Folding@home-CPU-[1] - Unknown owner - C:\folding\Folding@home-Win32-x86.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 5973 bytes
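
One way to triage a pasted HijackThis log like the one in the post above, as an added example that is not part of the thread and not a HijackThis feature: it rejoins entries a paste has wrapped across lines, then groups the entries an analyst would usually look at first. The function names `parse_entries` and `triage` and the four review categories are choices made for this example; they mark entries for review and are not verdicts.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied from the log in the post above; two of
# them are wrapped across lines the way a pasted log often is.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe

O2 - BHO: (no name) - {0DC5084A-7FF8-4C87-A271-4DDDD002570A} - (no file)
O2 - BHO: searchersmart search enhancer - {2190E623-8759-0A61-6004-ABEAAD6F9024} -

C:\WINDOWS\system32\vdskljsgpynbwjsd.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKUS\S-1-5-19\..\Run: [pufiroderu] Rundll32.exe "C:\WINDOWS\system32\neresazi.dll",s (User 'LOCAL SERVICE')
O17 - HKLM\System\CCS\Services\Tcpip\..\{0ACACD9C-ED25-4F21-8C9D-41EF5C51F9DB}: NameServer =

85.255.116.91,85.255.112.234
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.91,85.255.112.234
O20 - AppInit_DLLs: C:\WINDOWS\system32\nokanoza.dll,c:\windows\system32\natulevo.dll,vbcruo.dll,avgrsstx.dll
O20 - Winlogon Notify: qoMghGyy - qoMghGyy.dll (file missing)

--
End of file - 5973 bytes
"""

ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")      # e.g. "O17 - ..."
DNS_RE = re.compile(r"^(.*?): NameServer = (.+)$")
# Run keys of the built-in service accounts (SYSTEM, LOCAL/NETWORK SERVICE).
SERVICE_SID_RE = re.compile(r"^HKUS\\S-1-5-(?:18|19|20)\\", re.IGNORECASE)


def parse_entries(text):
    """Return (code, body) tuples, rejoining entries wrapped across lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "--":            # log footer: nothing after it is an entry
            break
        if not line:
            continue
        match = ENTRY_RE.match(line)
        if match:
            entries.append([match.group(1), match.group(2)])
        elif entries:
            # No "Onn - " prefix after the first entry: tail of a wrapped line.
            entries[-1][1] += " " + line
        # Lines before the first entry (header, process list) are skipped.
    return [tuple(entry) for entry in entries]


def triage(entries):
    """Group entries into review categories (heuristics of this example)."""
    static_dns = defaultdict(list)
    report = {"appinit_dlls": [], "service_account_run": [], "orphaned": []}
    for code, body in entries:
        if code == "O17":
            match = DNS_RE.match(body)
            if match:
                # Same resolver pair written to several Tcpip keys: compare it
                # with what the router or ISP actually hands out.
                static_dns[match.group(2).strip()].append(match.group(1))
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            # These DLLs are loaded into every process that loads user32.dll.
            dlls = body.split(":", 1)[1].split(",")
            report["appinit_dlls"] = [d.strip() for d in dlls if d.strip()]
        elif code == "O4" and SERVICE_SID_RE.match(body):
            report["service_account_run"].append(body)
        if body.endswith(("(no file)", "(file missing)")):
            # Registration whose file is gone: leftover from a removal, or a
            # file the scanner could not see.
            report["orphaned"].append((code, body))
    report["static_dns"] = dict(static_dns)
    return report


if __name__ == "__main__":
    for category, items in triage(parse_entries(SAMPLE_LOG)).items():
        print(category, "->", items)
```
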
  • TroganTrogan London, UK
    edited February 2009
    Hi,

    Almost got it right, except you created a new thread instead of replying to the original one :D. I've merged together now.


    I don't see any Anti-Virus or Firewall on the computer, and the computer has gone a bit messy because of this.

    Please download and install one AntiVirus from the list below - They are Free!

    AntiVir
    AVG Free Edition
    avast! 4 Home Edition

    Then download one Firewall from the list below - They are Free!

    Comodo
    PC Tools
    Zone Alarm
    Outpost Firewall

    Update your chosen AntiVirus and run a full system scan. Let it remove whatever it finds.

    Once completed, create a new HijackThis log and post it in this thread.
  • DareDare SD
    edited February 2009
    Heh.. I labeled myself Noob for an honest and true reason! XD
    ...I r noob. XD

    Yar, When I last f-disked I had no net, had to run to a buddy's to complete the windows authorization with the whole PC. AVG was running the whole time, up until recently, now it refuses to run at all, virus probably activated during one of the times I had it disabled to run WoW, which was the only time I'd turn it off... and wasn't always quick to turn it back on.

    Never did put up a firewall as I hate windows built in stuff. >.< And was too lazy to download a good one.

    AVG still won't run and I still can't get any modern install of it to run, not even in safe mode. Avast was the only anti-virus I managed to get to run on here, and it had been run prior to my last HijackThis! log.

    I'm currently downloading Avira AntiVir, and will give that one a shot, hopefully with more success.

    As to the firewall and antivirus proggies...

    what are the lightest on system resources? This thing is like 8 years old with a blown graphics card. Heh. >.<

    Anyways, will post update later with new HijackThis log, or an update to state that it's another anti-virus proggy I can't get to work right on here, like StopZilla, AdAware, Spyware Doctor, etc.

    Oh, RegScrubXP and CCleaner both worked like always, but they don't fix viruses sadly.

    Sorry to be such a pain. >.< Seems to be my nature. Heh.


    -Edit- A bit later..


    AntiVir did indeed download and install.

    I continually get this when I try to update the virus database though:
    06.02.2009 10:23:19 - Installation Directory: C:\Program Files\Avira\AntiVir PersonalEdition Classic\
    06.02.2009 10:23:19 - Backup Directory: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\BACKUP\
    06.02.2009 10:23:19 - Temp Directory: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_498c63f6\
    06.02.2009 10:23:19 - Using System's global Proxy settings
    06.02.2009 10:23:19 - Launching GUI... display mode: 0
    06.02.2009 10:23:19 - selftest successful: C:\Program Files\Avira\AntiVir PersonalEdition Classic\updlib.dll
    06.02.2009 10:23:19 - selftest successful: C:\Program Files\Avira\AntiVir PersonalEdition Classic\updlibrc.dll
    06.02.2009 10:23:19 - Installation Directory: C:\Program Files\Avira\AntiVir PersonalEdition Classic\
    06.02.2009 10:23:19 - Backup Directory: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\BACKUP\
    06.02.2009 10:23:19 - Temp Directory: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_498c63f6\
    06.02.2009 10:23:19 - Using System's global Proxy settings
    06.02.2009 10:23:19 - Launching GUI... display mode: 0
    06.02.2009 10:23:19 - selftest successful: C:\Program Files\Avira\AntiVir PersonalEdition Classic\updlib.dll
    06.02.2009 10:23:19 - selftest successful: C:\Program Files\Avira\AntiVir PersonalEdition Classic\updlibrc.dll
    06.02.2009 10:23:19 - Avira AntiVir Personal - Free Antivirus
    06.02.2009 10:23:21 - Connection failed while downloading via the system proxy the file http://dl5.avgate.net/upd/idx/master.idx.
    06.02.2009 10:23:21 - Switching to next update server
    06.02.2009 10:23:24 - Connection failed while downloading via the system proxy the file http://dl2.avgate.net/upd/idx/master.idx.
    06.02.2009 10:23:24 - Switching to next update server
    06.02.2009 10:23:26 - Connection failed while downloading via the system proxy the file http://dl9.freeav.net/upd/idx/master.idx.
    06.02.2009 10:23:26 - Switching to next update server
    06.02.2009 10:23:29 - Connection failed while downloading via the system proxy the file http://dl7.avgate.net/upd/idx/master.idx.
    06.02.2009 10:23:29 - Switching to next update server
    06.02.2009 10:23:31 - Connection failed while downloading via the system proxy the file http://dl10.freeav.net/upd/idx/master.idx.
    06.02.2009 10:23:31 - Switching to next update server
    06.02.2009 10:23:35 - Connection failed while downloading via the system proxy the file http://dl4.avgate.net/upd/idx/master.idx.
    06.02.2009 10:23:35 - Switching to next update server
    06.02.2009 10:23:37 - Connection failed while downloading via the system proxy the file http://dl8.freeav.net/upd/idx/master.idx.
    06.02.2009 10:23:37 - Switching to next update server
    06.02.2009 10:23:40 - Connection failed while downloading via the system proxy the file http://dl1.avgate.net/upd/idx/master.idx.
    06.02.2009 10:23:40 - Switching to next update server
    06.02.2009 10:23:42 - Connection failed while downloading via the system proxy the file http://dl6.avgate.net/upd/idx/master.idx.
    06.02.2009 10:23:42 - Switching to next update server
    06.02.2009 10:23:49 - Registry entry created successfully: Software\Avira\AntiVir PersonalEdition Classic |UpdateInProgress
    06.02.2009 10:23:50 - Critical error: Connection failed while downloading via the system proxy the file http://dl3.avgate.net/upd/idx/master.idx.



    And without that update, I keep getting an error message same as I did with AVG during the few safe mode bootups I could get, saying "No database found". Also had a similar problem with ad-aware.

    Bleh. I done cluster****ered myself. XD I'd just F-disk but the install disc is currently very far away, and I have no handy means of backing up files. >.<
    Anyways, Attempting to install Comodo Firewall.

    Okay, Avira is running a scan and finding viruses, so clearly, its database isn't missing as the popup warns. Very odd.

    Will update more later.


    -Edit-
    Ran both AntiVir and the AV program that comes with Comodo Firewall.

    Antivir found 3 viruses, Comodo found nada. Still having strange issues of massiveness, of course. So, the most recent HijackThis log for your perusing pain. XD



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:08:38 PM, on 2/6/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\COMODO\Firewall\cmdagent.exe
    C:\folding\Folding@home-Win32-x86.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\folding\FahCore_78.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\COMODO\Firewall\cfp.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {0DC5084A-7FF8-4C87-A271-4DDDD002570A} - (no file)
    O2 - BHO: (no name) - {12938a4a-492f-452d-9180-7f94ff668023} - (no file)
    O2 - BHO: searchersmart search enhancer - {2190E623-8759-0A61-6004-ABEAAD6F9024} - C:\WINDOWS\system32\vdskljsgpynbwjsd.dll
    O2 - BHO: (no name) - {2DA75092-6A3D-7EAE-16A5-99DF4071D937} - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: (no name) - {66469A42-1243-4823-99CB-3ABBCF1EDAF8} - (no file)
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: {1394f475-ca6d-5b99-e3a4-c798e12fa448} - {844af21e-897c-4a3e-99b5-d6ac574f4931} - (no file)
    O2 - BHO: (no name) - {A63E645F-13BD-45ED-B15F-6E8C1BD57279} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKUS\S-1-5-19\..\Run: [pufiroderu] Rundll32.exe "C:\WINDOWS\system32\neresazi.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [pufiroderu] Rundll32.exe "C:\WINDOWS\system32\neresazi.dll",s (User 'NETWORK SERVICE')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0ACACD9C-ED25-4F21-8C9D-41EF5C51F9DB}: NameServer = 85.255.116.91,85.255.112.234
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.91,85.255.112.234
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0ACACD9C-ED25-4F21-8C9D-41EF5C51F9DB}: NameServer = 85.255.116.91,85.255.112.234
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.91,85.255.112.234
    O17 - HKLM\System\CS3\Services\Tcpip\..\{0ACACD9C-ED25-4F21-8C9D-41EF5C51F9DB}: NameServer = 85.255.116.91,85.255.112.234
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.91,85.255.112.234
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\WINDOWS\system32\nokanoza.dll,c:\windows\system32\natulevo.dll,vbcruo.dll,C:\WINDOWS\system32\guard32.dll
    O20 - Winlogon Notify: qoMghGyy - qoMghGyy.dll (file missing)
    O20 - Winlogon Notify: yayxvtqr - yayxvtqr.dll (file missing)
    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
    O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
    O23 - Service: Folding@home-CPU-[1] - Unknown owner - C:\folding\Folding@home-Win32-x86.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 6521 bytes
  • TroganTrogan London, UK
    edited February 2009
    Hey,

    Please do the following...

    1. Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
    This program is for XP and Windows 2000 only!
    • Double-click ATF Cleaner.exe to open it.
    • Under Main select the following:
      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Java Cache
    *The other boxes are optional*
    Then click the Empty Selected button.

    Click Exit on the Main menu to close the program.

    2. Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

    3. I need to see another log from HijackThis.
    • Run Hijackthis.
    • Click on Open the Misc Tools section.
    • Next click on Open uninstall manager.
    • Press the Save list button.
    • Save the file to your desktop, with the default name of uninstall_list
    • Copy & Paste the entire contents of that file in your next post.

    4. Please post the following...

    Malwarebytes log
    Uninstall list
    New HijackThis log
  • DareDare SD
    edited February 2009
    You got it boss, and seriously, thanks for all the help and effort yer puttin' into all this, it's muchly appreciated.

    Will update with edits as I get each step finished.
    -Edit 1-

    ATF Cleaner -
    Done Cleaning!! ATF Cleaner has freed 43.398 Megabytes.
    > I use CCleaner to clear up temp stuff usually.

    On to stage two.

    Malwarebytes' Anti-Malware
    As with each other Anti-Virus program I've used so far, incapable of receiving an update with it. Running Scan.
    > Woot, So far, only a bit into the scan, it's already found 8 infected files. Better track record than most AV programs already tried!
    > A whoppin' 35 problems found. My poor PC. XD

    MalwareBytes' Logfile
    -New Edit- Recopied and pasted out of notepad. The Copy and paste out of OpenOffice was painful on the eyes. /edit

    Malwarebytes' Anti-Malware 1.33
    Database version: 1654
    Windows 5.1.2600 Service Pack 2

    2/8/2009 6:26:22 AM
    mbam-log-2009-02-08 (06-26-22).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 98576
    Time elapsed: 1 hour(s), 3 minute(s), 49 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 14
    Registry Values Infected: 3
    Registry Data Items Infected: 6
    Folders Infected: 4
    Files Infected: 7

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\Interface\{2e4a04a1-a24d-45ae-aca4-949778400813} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\{ff46f4ab-a85f-487e-b399-3f191ac0fe23} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\testCPV6.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\MSFox (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\homeview (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2190e623-8759-0a61-6004-abeaad6f9024} (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{2190e623-8759-0a61-6004-abeaad6f9024} (Adware.BHO) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.91,85.255.112.234 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0acacd9c-ed25-4f21-8c9d-41ef5c51f9db}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.91,85.255.112.234 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.91,85.255.112.234 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0acacd9c-ed25-4f21-8c9d-41ef5c51f9db}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.91,85.255.112.234 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.91,85.255.112.234 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{0acacd9c-ed25-4f21-8c9d-41ef5c51f9db}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.91,85.255.112.234 -> Quarantined and deleted successfully.

    Folders Infected:
    C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Program Files\Webtools (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\Mjcore (Trojan.BHO) -> Quarantined and deleted successfully.
    C:\Documents and Settings\NetworkService\Application Data\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.

    Files Infected:
    C:\WINDOWS\system32\gaopdxkrwxyqjp.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\autorun.inf (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\gaopdxqppkbnyn.sys (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.
    C:\END (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\vdskljsgpynbwjsd.dll (Adware.BHO) -> Quarantined and deleted successfully.


    HijackThis!

    > Uninstall Logfile


    7-Zip 4.57
    Adobe Bridge 1.0
    Adobe Common File Installer
    Adobe Flash Player ActiveX
    Adobe Help Center 1.0
    Adobe Illustrator CS
    Adobe Photoshop CS2
    Adobe Reader 8.1.3
    Adobe Stock Photos 1.0
    Adobe SVG Viewer 3.0
    AIM 6
    Apple Mobile Device Support
    Apple Software Update
    ATI Control Panel
    ATI Display Driver
    avast! Antivirus
    Avira AntiVir Personal - Free Antivirus
    Azureus Vuze
    BCM V.92 56K Modem
    Belkin 54g USB Network Adapter
    Bonjour
    CCleaner (remove only)
    COMODO Firewall Pro
    Curse Client
    Dell ResourceCD
    Easy MP3 Alarm Clock 1.0
    GOM Player
    GTK+ Runtime 2.12.8 rev a (remove only)
    GuitarFX 3
    HijackThis 2.0.2
    Intel(R) PRO Network Adapters and Drivers
    iTunes
    Java(TM) 6 Update 11
    Java(TM) 6 Update 4
    K-Lite Codec Pack 4.4.2 (Standard)
    Lexmark 3400 Series
    Lexmark Fax Solutions
    Logitech SetPoint
    Malwarebytes' Anti-Malware
    Microsoft Reader
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    mIRC
    Mozilla Firefox (3.0.6)
    MP3 Converter Simple
    Network Stumbler 0.4.0 (remove only)
    Nostromo Array Programming Software
    Oblivion
    Oblivion - The Fighter's Stronghold
    OpenOffice.org 2.4
    Picasa 2
    Pidgin
    PowerISO
    QuickTime
    RegScrubXP 3.25
    RON Tool Offersfortoday
    Search Assistant Searchersmart
    Skype™ 3.8
    Ventrilo Client
    Viewpoint Media Player
    VLC media player 0.9.6
    Wacom Tablet
    WD Diagnostics
    Winamp Toolbar for Internet Explorer
    Windows Media Format Runtime
    WinRAR archiver
    World of Warcraft


    HijackThis! New General Log:
    -New Edit- Also recopied and pasted this. Same problem. Yer helpin' me, least I can do is post a copy that doesn't make you kill your eyes trying to figure out where the dang lines end.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:30:55 AM, on 2/8/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\COMODO\Firewall\cmdagent.exe
    C:\folding\Folding@home-Win32-x86.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\folding\FahCore_78.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\COMODO\Firewall\cfp.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\Program Files\Microsoft Reader\MSReader.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\notepad.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {0DC5084A-7FF8-4C87-A271-4DDDD002570A} - (no file)
    O2 - BHO: (no name) - {12938a4a-492f-452d-9180-7f94ff668023} - (no file)
    O2 - BHO: (no name) - {2DA75092-6A3D-7EAE-16A5-99DF4071D937} - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: (no name) - {66469A42-1243-4823-99CB-3ABBCF1EDAF8} - (no file)
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: {1394f475-ca6d-5b99-e3a4-c798e12fa448} - {844af21e-897c-4a3e-99b5-d6ac574f4931} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKUS\S-1-5-19\..\Run: [pufiroderu] Rundll32.exe "C:\WINDOWS\system32\neresazi.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [pufiroderu] Rundll32.exe "C:\WINDOWS\system32\neresazi.dll",s (User 'NETWORK SERVICE')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\WINDOWS\system32\nokanoza.dll,c:\windows\system32\natulevo.dll,vbcruo.dll,C:\WINDOWS\system32\guard32.dll
    O20 - Winlogon Notify: qoMghGyy - qoMghGyy.dll (file missing)
    O20 - Winlogon Notify: yayxvtqr - yayxvtqr.dll (file missing)
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
    O23 - Service: Folding@home-CPU-[1] - Unknown owner - C:\folding\Folding@home-Win32-x86.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 5902 bytes


    Sorry this is turnin' out to be such a pain for ya, but again, it's much appreciated. Thanks. ^_^

    -Update-

    After the reboot, I'm now able to install updates for AntiVir and Comodo. Will attempt to update Malwarebytes and give it another run through after the update if it works.

    > Nothing new found by Malwarebytes, but AntiVir picked up 2 more viruses last scan, one's name identical to the one embedded in my firefox folder, that I had to restart over.

    Google is still hijacked and I've still got strange things going on. But it is improved. Windows doesn't take 5 minutes to boot up, it only takes like 2 and a half, which is awesome. XD
  • TroganTrogan London, UK
    edited February 2009
    Hey,

    Looking better, but still some work to be done. Please don't run any additional scans or fixes cause that may complicate things.

    Please do the following...

    1. Click Start > Run > type in appwiz.cpl and hit enter. From the list uninstall the following, if present:

    avast! Antivirus <-- since you have AntiVir, uninstall Avast, or keep Avast and uninstall AntiVir. Basically, you should have only one AntiVirus program.
    Java(TM) 6 Update 4
    Search Assistant Searchersmart


    2. Open HijackThis
    - Click the Do a system scan only button
    - Check the following entries (below)

    O2 - BHO: (no name) - {0DC5084A-7FF8-4C87-A271-4DDDD002570A} - (no file)
    O2 - BHO: (no name) - {12938a4a-492f-452d-9180-7f94ff668023} - (no file)
    O2 - BHO: (no name) - {2DA75092-6A3D-7EAE-16A5-99DF4071D937} - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: (no name) - {66469A42-1243-4823-99CB-3ABBCF1EDAF8} - (no file)
    O2 - BHO: {1394f475-ca6d-5b99-e3a4-c798e12fa448} - {844af21e-897c-4a3e-99b5-d6ac574f4931} - (no file)

    O20 - Winlogon Notify: qoMghGyy - qoMghGyy.dll (file missing)
    O20 - Winlogon Notify: yayxvtqr - yayxvtqr.dll (file missing)


    - Close ALL open windows (especially Internet Explorer!)
    - Click Fix Checked
    Close HijackThis

    3. Please download GooredFix from one of the locations below and save it to your Desktop

    Download Mirror #1
    Download Mirror #2
    • Double-click GooredFix.exe to run it.
    • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
    • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
    Note: Do not run Option #2 yet.

    4. Please post the following...

    GooredFix log
    New HijackThis log
  • DareDare SD
    edited February 2009
    Trogan wrote:
    Hey,

    Looking better, but still some work to be done. Please don't run any additional scans or fixes cause that may complicate things.

    Please do the following...

    1. Click Start > Run > type in appwiz.cpl and hit enter. From the list uninstall the following, if present:

    avast! Antivirus <-- since you have AntiVir, uninstall Avast, or keep Avast and uninstall AntiVir. Basically, you should have only one AntiVirus program.
    Java(TM) 6 Update 4
    Search Assistant Searchersmart


    2. Open HijackThis
    - Click the Do a system scan only button
    - Check the following entries (below)

    O2 - BHO: (no name) - {0DC5084A-7FF8-4C87-A271-4DDDD002570A} - (no file)
    O2 - BHO: (no name) - {12938a4a-492f-452d-9180-7f94ff668023} - (no file)
    O2 - BHO: (no name) - {2DA75092-6A3D-7EAE-16A5-99DF4071D937} - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: (no name) - {66469A42-1243-4823-99CB-3ABBCF1EDAF8} - (no file)
    O2 - BHO: {1394f475-ca6d-5b99-e3a4-c798e12fa448} - {844af21e-897c-4a3e-99b5-d6ac574f4931} - (no file)

    O20 - Winlogon Notify: qoMghGyy - qoMghGyy.dll (file missing)
    O20 - Winlogon Notify: yayxvtqr - yayxvtqr.dll (file missing)


    - Close ALL open windows (especially Internet Explorer!)
    - Click Fix Checked
    Close HijackThis

    3. Please download GooredFix from one of the locations below and save it to your Desktop

    Download Mirror #1
    Download Mirror #2
    • Double-click GooredFix.exe to run it.
    • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
    • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
    Note: Do not run Option #2 yet.

    4. Please post the following...

    GooredFix log
    New HijackThis log

    You got it Boss. Workin' on the aforementioned now.
    Should I also uninstall Bonjour and RON Tool Offersfortoday at a later date, as I have no idea what the eff they are or how they ended up in my uninstall list? Anyways.

    Followin' directions, as best as I can. :bigggrin: Seriously can't thank ya enough for all the help.
    As always, will update edits as I get each step done.

    Uninstall:
    The Java removal went fine.

    Problem / Question:
    Attempting to remove the searchsmart crap one, and my firewall is going crazy.
    vdskljsgpynbwjsd.dll-uninst.exe is trying to execute Lu_.exe
    I keep getting those.. My first instinct was to block them. They keep popping up, the executable it's trying to run keeps changing alphabetically, Like Eu_.exe Fu_.exe so on and so forth.

    Should I continue to block them? Or allow one?
  • TroganTrogan London, UK
    edited February 2009
    Yes, uninstall RON Tool Offersfortoday as it is a rogue program. Bonjour is safe and I say leave it.
  • DareDare SD
    edited February 2009
    Trogan wrote:
    Yes, uninstall RON Tool Offersfortoday as it is a rogue program. Bonjour is safe and I say leave it.
    Mate, yer bloody awesome.
    Didja catch the error I'm runnin to on the end of that last post? If not, attempting to uninstall has triggered a flood on my firewall, the filename details are up above. Not sure what to do. I'm at the Uu_.exe's now. >.> Keep getting annoyed at the screen being up and clicking block. >.>
  • TroganTrogan London, UK
    edited February 2009
    What you can do is switch Comodo off temporarily. Right-click -> Exit on Comodo in the system tray. Once the uninstall is complete, turn Comodo back on from Start > All Programs > Comodo. This is what I usually do.
  • DareDare SD
    edited February 2009
    Trogan wrote:
    What you can do is switch Comodo off temporarily. Right-click -> Exit on Comodo in the system tray. Once the uninstall is complete, turn Comodo back on from Start > All Programs > Comodo. This is what I usually do.

    Ah. So I want this to run. Gotcha. Here I was all thinking it had some tricky little thing built in so if it got uninstalled, it'd execute another program to replace itself.

    >.> I'm a little paranoid. XD

    Now I'm a little more paranoid. The VU_.exe tried to access the internet after the uninstall was done. I'd just flipped comodo to "Install mode" but it still caught that. I blocked it. It hasn't reappeared.


    Goored Log:

    GooredFix v1.83 by jpshortstuff
    Log created at 15:25 on 08/02/2009 running Option #1 (Dare)
    Firefox version 3.0.6 (en-US)

    =====Suspect Goored Entries=====

    =====Dumping Registry Values=====

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]
    "Plugins"="C:\Program Files\Mozilla Firefox\plugins"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]
    "Components"="C:\Program Files\Mozilla Firefox\components"






    New HijackThis! Log:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:26:29 PM, on 2/8/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\COMODO\Firewall\cmdagent.exe
    C:\folding\Folding@home-Win32-x86.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\folding\FahCore_78.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\COMODO\Firewall\cfp.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
    O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKUS\S-1-5-19\..\Run: [pufiroderu] Rundll32.exe "C:\WINDOWS\system32\neresazi.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [pufiroderu] Rundll32.exe "C:\WINDOWS\system32\neresazi.dll",s (User 'NETWORK SERVICE')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\WINDOWS\system32\nokanoza.dll,c:\windows\system32\natulevo.dll,vbcruo.dll,C:\WINDOWS\system32\guard32.dll
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
    O23 - Service: Folding@home-CPU-[1] - Unknown owner - C:\folding\Folding@home-Win32-x86.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 5180 bytes
  • TroganTrogan London, UK
    edited February 2009
    >.> I'm a little paranoid. XD
    Lol!

    You can delete GooredFix from your Desktop.

    You still have some malware showing in your HijackThis log, but before we use any powerful tools, I'd like you to update and run Malwarebytes again. Post the log back here.

    I'll check this thread tomorrow now. Going to sleep shortly - gotta be up at 6am.
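As an added illustration (not part of the original posts, and not a feature of HijackThis), the Python sketch below parses a few lines copied from the two HijackThis logs above, flags entries a helper would want to look at, and separates what Fix Checked cleared from what is still present. The flag names and the three heuristics are assumptions made for this example; a flag means "review this entry", not "this is malware".

```python
import re

# Subset of lines copied from the first HijackThis log in this thread.
LOG_BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\svchost.exe
O2 - BHO: (no name) - {0DC5084A-7FF8-4C87-A271-4DDDD002570A} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKUS\S-1-5-19\..\Run: [pufiroderu] Rundll32.exe "C:\WINDOWS\system32\neresazi.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [pufiroderu] Rundll32.exe "C:\WINDOWS\system32\neresazi.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\nokanoza.dll,c:\windows\system32\natulevo.dll,vbcruo.dll,C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: qoMghGyy - qoMghGyy.dll (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""

# The same kinds of entries as they appear in the log posted after "Fix Checked".
LOG_AFTER = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKUS\S-1-5-19\..\Run: [pufiroderu] Rundll32.exe "C:\WINDOWS\system32\neresazi.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [pufiroderu] Rundll32.exe "C:\WINDOWS\system32\neresazi.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\nokanoza.dll,c:\windows\system32\natulevo.dll,vbcruo.dll,C:\WINDOWS\system32\guard32.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")            # "O4 - HKLM\..\Run: ..."
ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)\s*$")  # registered file is absent
RUNDLL_RE = re.compile(r'\]\s*"?rundll32(?:\.exe)?"?\s', re.IGNORECASE)


def parse_entries(log_text):
    """Return (code, body) pairs; header and 'Running processes' lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def flags_for(code, body):
    """Heuristic review flags (assumptions for this example, not verdicts)."""
    flags = []
    if ORPHAN_RE.search(body):
        # Registry entry still points at a file that no longer exists.
        flags.append("orphaned")
    if code == "O4" and RUNDLL_RE.search(body):
        # Autostart that loads a DLL through rundll32; legitimate drivers do
        # this too (LXCYCATS here), so a person has to check the DLL itself.
        flags.append("rundll32-autostart")
    if code == "O20" and body.startswith("AppInit_DLLs:"):
        # Every DLL listed is loaded into each process that loads user32.dll.
        flags.append("appinit")
    return flags


def appinit_dlls(body):
    """Split an 'AppInit_DLLs: a.dll,b.dll' body into the individual DLL names."""
    value = body.split(":", 1)[1]
    return [part.strip() for part in value.split(",") if part.strip()]


def review(log_text):
    """Return (flags, code, body) for every entry that got at least one flag."""
    flagged = []
    for code, body in parse_entries(log_text):
        flags = flags_for(code, body)
        if flags:
            flagged.append((flags, code, body))
    return flagged


def compare(before_text, after_text):
    """Flagged entries that disappeared after the fix, and those still present."""
    remaining = review(after_text)
    still_there = {(code, body) for _, code, body in remaining}
    cleared = [e for e in review(before_text) if (e[1], e[2]) not in still_there]
    return {"cleared": cleared, "remaining": remaining}


if __name__ == "__main__":
    result = compare(LOG_BEFORE, LOG_AFTER)
    for state in ("cleared", "remaining"):
        for flags, code, body in result[state]:
            print(f"{state:9} {code:3} {','.join(flags):18} {body}")
            if "appinit" in flags:
                for dll in appinit_dlls(body):
                    print(" " * 14 + "loads: " + dll)
```

The Lexmark `LXCYCATS` entry is flagged alongside the others, which is why output like this goes to a human helper rather than straight into an automated fix.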
  • DareDare SD
    edited February 2009
    Trogan wrote:
    Lol!

    You can delete GooredFix from your Desktop.

    You still have some malware showing in your HijackThis log, but before we use any powerful tools, I'd like you to update and run Malwarebytes again. Post the log back here.

    I'll check this thread tomorrow now. Going to sleep shortly - gotta be up at 6am.

    You got it. And have a good sleep. Early mornin's do so suck, when you aren't getting up to go fishing or hunting. :bigggrin:

    ...hell, even then sometimes.

    Malwarebytes had another update though I'd updated after that last run when I -could- finally update. Runnin it, will post thing up when done.

    Malwarebytes Log: Sadly, Nothing new.

    Malwarebytes' Anti-Malware 1.33
    Database version: 1738
    Windows 5.1.2600 Service Pack 2

    2/8/2009 5:05:56 PM
    mbam-log-2009-02-08 (17-05-56).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 86400
    Time elapsed: 1 hour(s), 13 minute(s), 27 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
  • TroganTrogan London, UK
    edited February 2009
    Hi,

    Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT!!! Save ComboFix.exe to your Desktop
    • Disable your AntiVirus, AntiSpyware and Firewall applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. See HERE for help.
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    [Image: RcAuto1.gif]

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    [Image: whatnext.png]

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
  • DareDare SD
    edited February 2009
    I finally got a hold of my XP install discs, and have my new PC built as well, so I'll be reformatting the one with massive problems.

    Thank you so much for all your help with this.
  • TroganTrogan London, UK
    edited February 2009
    You're welcome! I will close this thread.

    Follow these simple steps in order to keep your computer clean and secure:

    Online Scanners
    I would recommend a scan at one or more of the following sites at least once a month.

    http://www.pandasecurity.com/activescan
    http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html

    !!! Make sure that all your programs are updated !!!
    Secunia Software Inspector does all the work for you, .... see HERE for details

    AntiSpyware
    • AntiSpyware is not the same thing as Antivirus.
      Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
      You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
      Most of the programs in this list have a free (for Home Users ) and paid versions,
      it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.

    • Spybot - Search & Destroy <<< A must have program
      • It includes host protection and registry protection
      • A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
    • MalwareBytes Anti-malware <<< A new and effective program
    • a-squared Free <<< A good "realtime" or "on demand" scanner
    • SUPERAntiSpyware <<< A good "realtime" or "on demand" scanner

    Prevention
    • These programs don't detect malware, they help stop it getting on your machine in the first place.
      Each does a different job, so you can have more than one

    • Winpatrol
      • An excellent startup manager and then some !!
      • Notifies you if programs are added to startup
      • Allows delayed startup
      • A must have addition

    • SpywareBlaster 4.0
      • SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.

    • SpywareGuard 2.2
      • SpywareGuard provides real-time protection against spyware.
      • Not required if you have other "realtime" antispyware or Winpatrol

    • ZonedOut
      • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.

    • MVPS HOSTS
      • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
      • For information on how to download and install, please read this tutorial by WinHelp2002.
      • Not required if you are using other host file protections

    Windows Updates (a must!)
    It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. You can either click on the link above and bookmark the updates page, or open Internet Explorer, then go to the Tools menu -> Windows Update, and follow the online instructions from there.


    Internet Browsers
    • Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
      Using a different web browser can help stop malware getting on your machine.
      • Make your Internet Explorer more secure - This can be done by following these simple instructions:
        1. From within Internet Explorer click on the Tools menu and then click on Options.
        2. Click once on the Security tab
        3. Click once on the Internet icon so it becomes highlighted.
        4. Click once on the Custom Level button.
          • Change the Download signed ActiveX controls to Prompt
          • Change the Download unsigned ActiveX controls to Disable
          • Change the Initialise and script ActiveX controls not marked as safe to Disable
          • Change the Installation of desktop items to Prompt
          • Change the Launching programs and files in an IFRAME to Prompt
          • Change the Navigate sub-frames across different domains to Prompt
          • When all these settings have been made, click on the OK button.
          • If it prompts you as to whether or not you want to save the settings, press the Yes button.
        5. Next press the Apply button and then the OK to exit the Internet Properties page.

      If you are still using IE6 then either update, or get one of the following.

      • FireFox
        • With many addons available that make customization easy this is a very popular choice
        • NoScript and AdBlockPlus addons are essential

      • Opera
        • Another popular alternative

      • Netscape
        • Another popular alternative
        • Also has Addons available

    Cleaning Temporary Internet Files and Tracking Cookies
    • Temporary Internet Files are mainly the files that are downloaded when you open a web page.
      Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
      It is a good idea to empty the Temporary Internet Files folder on a regular basis.

      Tracking Cookies are files that websites use to monitor which sites you visit and how often.
      A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
      CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

      Both of these can be cleaned manually, but a quicker option is to use a program
    • ATF Cleaner
      • Free and very simple to use

    • CCleaner
      • Free and very flexible, you can choose which cookies to keep

    Also PLEASE read these articles: So How Did I Get Infected In The First Place and Malware Prevention: Prevent Re-infection

    The last and most important thing I can tell you is UPDATE.
    If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
    Malware changes on a day to day basis. You should update every week at the very least.

    If you follow this advice then (with a bit of luck) you will never have to hear from me again :D