Malware redirects webpage & Dcom processor terminated

[hoidris]

I have run HJT on my PC and attached is the log result

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:30:56 PM, on 2/2/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\WINDOWS\system32\lxeacoms.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe
C:\Program Files\Lexmark S300-S400 Series\ezprint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\REBATE~1\REBATE~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\UfNavi.exe
C:\Program Files\Trend Micro\Internet Security\UfNavi.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://toolbar.inbox.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=%tb_id&%language
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://toolbar.inbox.com/search/ie.aspx?tbid=80228
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://toolbar.inbox.com/help/sa_customize.aspx?tbid=80228
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://toolbar.inbox.com/search/ie.aspx?tbid=80228
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://toolbar.inbox.com/help/sa_customize.aspx?tbid=80228
R3 - URLSearchHook: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {CCB69577-088B-4004-9ED8-FF5BCC83A039} - C:\PROGRA~1\REBATE~1\RebateI.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1308.0\msneshellx.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1308.0\msneshellx.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [lxeamon.exe] "C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark S300-S400 Series\ezprint.exe"
O4 - HKLM\..\Run: [Lexmark S300-S400 Series Fax Server] "C:\Program Files\Lexmark S300-S400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [RebateInformer] C:\PROGRA~1\REBATE~1\REBATE~1.EXE /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-21-1202660629-583907252-682003330-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1202660629-583907252-682003330-1003\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (User '?')
O4 - HKUS\S-1-5-21-1202660629-583907252-682003330-1003\..\Run: [RebateInformer] C:\PROGRA~1\REBATE~1\REBATE~1.EXE /STARTUP (User '?')
O4 - HKUS\S-1-5-21-1202660629-583907252-682003330-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - S-1-5-21-1202660629-583907252-682003330-1003 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User '?')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: rebinfo - {AF808758-C780-404C-A4EE-4526323FD9B6} - C:\PROGRA~1\REBATE~1\RebateI.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: lxea_device -   - C:\WINDOWS\system32\lxeacoms.exe
O23 - Service: Intel® PROSet/Wireless WiFi Service (S24EventMonitor) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 8263 bytes

[Derek]

step1

downlad & run tdss killer from http://support.kaspersky.com/viruses/solutions?qid=208280684

post back with its log and we can go from there

[hoidris]

I ran tdss killer and below is the log

15:02:43:593 3980   TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
15:02:43:593 3980   ================================================================================
15:02:43:593 3980   SystemInfo:

15:02:43:593 3980   OS Version: 5.1.2600 ServicePack: 3.0
15:02:43:593 3980   Product type: Workstation
15:02:43:593 3980   ComputerName: SIGNATUR-289F20
15:02:43:593 3980   UserName: Bashiru Alabi
15:02:43:593 3980   Windows directory: C:\WINDOWS
15:02:43:593 3980   Processor architecture: Intel x86
15:02:43:593 3980   Number of processors: 2
15:02:43:593 3980   Page size: 0x1000
15:02:43:593 3980   Boot type: Normal boot
15:02:43:593 3980   ================================================================================
15:02:43:625 3980   UnloadDriverW: NtUnloadDriver error 2
15:02:43:625 3980   ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
15:02:43:625 3980   MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
15:02:43:671 3980   UtilityInit: KLMD drop and load success
15:02:43:671 3980   KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
15:02:43:671 3980   UtilityInit: KLMD open success
15:02:43:671 3980   UtilityInit: Initialize success
15:02:43:671 3980   
15:02:43:671 3980   Scanning   Services ...
15:02:43:671 3980   CreateRegParser: Registry parser init started
15:02:43:671 3980   DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
15:02:43:671 3980   CreateRegParser: DisableWow64Redirection error
15:02:43:671 3980   wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
15:02:43:671 3980   MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
15:02:43:671 3980   wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:02:43:671 3980   wfopen_ex: Trying to KLMD file open
15:02:43:671 3980   KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
15:02:43:671 3980   wfopen_ex: File opened ok (Flags 2)
15:02:43:671 3980   CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 264938
15:02:43:671 3980   wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
15:02:43:671 3980   MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
15:02:43:671 3980   wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:02:43:671 3980   wfopen_ex: Trying to KLMD file open
15:02:43:671 3980   KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
15:02:43:671 3980   wfopen_ex: File opened ok (Flags 2)
15:02:43:671 3980   CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 2649E0
15:02:43:671 3980   EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
15:02:43:671 3980   CreateRegParser: EnableWow64Redirection error
15:02:43:671 3980   CreateRegParser: RegParser init completed
15:02:44:281 3980   GetAdvancedServicesInfo: Raw services enum returned 322 services
15:02:44:281 3980   fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
15:02:44:281 3980   fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
15:02:44:281 3980   
15:02:44:296 3980   Scanning   Kernel memory ...
15:02:44:296 3980   KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
15:02:44:296 3980   DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 864EF910
15:02:44:296 3980   DetectCureTDL3: KLMD_GetDeviceObjectList returned 2 DevObjects
15:02:44:296 3980   
15:02:44:296 3980   DetectCureTDL3: DEVICE_OBJECT: 8654BC68
15:02:44:296 3980   KLMD_GetLowerDeviceObject: Trying to get lower device object for 8654BC68
15:02:44:296 3980   KLMD_ReadMem: Trying to ReadMemory 0x8654BC68[0x38]
15:02:44:296 3980   DetectCureTDL3: DRIVER_OBJECT: 864EF910
15:02:44:296 3980   KLMD_ReadMem: Trying to ReadMemory 0x864EF910[0xA8]
15:02:44:296 3980   KLMD_ReadMem: Trying to ReadMemory 0xE15145C8[0x18]
15:02:44:296 3980   DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
15:02:44:296 3980   DetectCureTDL3: IrpHandler (0) addr: F7604BB0
15:02:44:296 3980   DetectCureTDL3: IrpHandler (1) addr: 804F4562
15:02:44:296 3980   DetectCureTDL3: IrpHandler (2) addr: F7604BB0
15:02:44:296 3980   DetectCureTDL3: IrpHandler (3) addr: F75FED1F
15:02:44:296 3980   DetectCureTDL3: IrpHandler (4) addr: F75FED1F
15:02:44:296 3980   DetectCureTDL3: IrpHandler (5) addr: 804F4562
15:02:44:296 3980   DetectCureTDL3: IrpHandler (6) addr: 804F4562
15:02:44:296 3980   DetectCureTDL3: IrpHandler (7) addr: 804F4562
15:02:44:296 3980   DetectCureTDL3: IrpHandler ( addr: 804F4562
15:02:44:296 3980   DetectCureTDL3: IrpHandler (9) addr: F75FF2E2
15:02:44:296 3980   DetectCureTDL3: IrpHandler (10) addr: 804F4562
15:02:44:296 3980   DetectCureTDL3: IrpHandler (11) addr: 804F4562
15:02:44:296 3980   DetectCureTDL3: IrpHandler (12) addr: 804F4562
15:02:44:296 3980   DetectCureTDL3: IrpHandler (13) addr: 804F4562
15:02:44:296 3980   DetectCureTDL3: IrpHandler (14) addr: F75FF3BB
15:02:44:296 3980   DetectCureTDL3: IrpHandler (15) addr: F7602F28
15:02:44:296 3980   DetectCureTDL3: IrpHandler (16) addr: F75FF2E2
15:02:44:296 3980   DetectCureTDL3: IrpHandler (17) addr: 804F4562
15:02:44:296 3980   DetectCureTDL3: IrpHandler (18) addr: 804F4562
15:02:44:296 3980   DetectCureTDL3: IrpHandler (19) addr: 804F4562
15:02:44:296 3980   DetectCureTDL3: IrpHandler (20) addr: 804F4562
15:02:44:296 3980   DetectCureTDL3: IrpHandler (21) addr: 804F4562
15:02:44:296 3980   DetectCureTDL3: IrpHandler (22) addr: F7600C82
15:02:44:296 3980   DetectCureTDL3: IrpHandler (23) addr: F760599E
15:02:44:296 3980   DetectCureTDL3: IrpHandler (24) addr: 804F4562
15:02:44:296 3980   DetectCureTDL3: IrpHandler (25) addr: 804F4562
15:02:44:296 3980   DetectCureTDL3: IrpHandler (26) addr: 804F4562
15:02:44:296 3980   TDL3_FileDetect: Processing driver: Disk
15:02:44:296 3980   TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
15:02:44:296 3980   KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
15:02:44:328 3980   TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
15:02:44:328 3980   
15:02:44:328 3980   DetectCureTDL3: DEVICE_OBJECT: 8650CAB8
15:02:44:328 3980   KLMD_GetLowerDeviceObject: Trying to get lower device object for 8650CAB8
15:02:44:328 3980   DetectCureTDL3: DEVICE_OBJECT: 864F13A0
15:02:44:328 3980   KLMD_GetLowerDeviceObject: Trying to get lower device object for 864F13A0
15:02:44:328 3980   KLMD_ReadMem: Trying to ReadMemory 0x864F13A0[0x38]
15:02:44:328 3980   DetectCureTDL3: DRIVER_OBJECT: 8647C838
15:02:44:328 3980   KLMD_ReadMem: Trying to ReadMemory 0x8647C838[0xA8]
15:02:44:328 3980   KLMD_ReadMem: Trying to ReadMemory 0x864F0030[0x38]
15:02:44:328 3980   KLMD_ReadMem: Trying to ReadMemory 0x865C6E40[0xA8]
15:02:44:328 3980   KLMD_ReadMem: Trying to ReadMemory 0xE1002988[0x1A]
15:02:44:328 3980   DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
15:02:44:328 3980   DetectCureTDL3: IrpHandler (0) addr: 86484856
15:02:44:328 3980   DetectCureTDL3: IrpHandler (1) addr: 86484856
15:02:44:328 3980   DetectCureTDL3: IrpHandler (2) addr: 86484856
15:02:44:328 3980   DetectCureTDL3: IrpHandler (3) addr: 86484856
15:02:44:328 3980   DetectCureTDL3: IrpHandler (4) addr: 86484856
15:02:44:328 3980   DetectCureTDL3: IrpHandler (5) addr: 86484856
15:02:44:328 3980   DetectCureTDL3: IrpHandler (6) addr: 86484856
15:02:44:328 3980   DetectCureTDL3: IrpHandler (7) addr: 86484856
15:02:44:328 3980   DetectCureTDL3: IrpHandler ( addr: 86484856
15:02:44:328 3980   DetectCureTDL3: IrpHandler (9) addr: 86484856
15:02:44:328 3980   DetectCureTDL3: IrpHandler (10) addr: 86484856
15:02:44:328 3980   DetectCureTDL3: IrpHandler (11) addr: 86484856
15:02:44:328 3980   DetectCureTDL3: IrpHandler (12) addr: 86484856
15:02:44:328 3980   DetectCureTDL3: IrpHandler (13) addr: 86484856
15:02:44:328 3980   DetectCureTDL3: IrpHandler (14) addr: 86484856
15:02:44:328 3980   DetectCureTDL3: IrpHandler (15) addr: 86484856
15:02:44:328 3980   DetectCureTDL3: IrpHandler (16) addr: 86484856
15:02:44:328 3980   DetectCureTDL3: IrpHandler (17) addr: 86484856
15:02:44:328 3980   DetectCureTDL3: IrpHandler (18) addr: 86484856
15:02:44:328 3980   DetectCureTDL3: IrpHandler (19) addr: 86484856
15:02:44:328 3980   DetectCureTDL3: IrpHandler (20) addr: 86484856
15:02:44:328 3980   DetectCureTDL3: IrpHandler (21) addr: 86484856
15:02:44:328 3980   DetectCureTDL3: IrpHandler (22) addr: 86484856
15:02:44:328 3980   DetectCureTDL3: IrpHandler (23) addr: 86484856
15:02:44:328 3980   DetectCureTDL3: IrpHandler (24) addr: 86484856
15:02:44:328 3980   DetectCureTDL3: IrpHandler (25) addr: 86484856
15:02:44:328 3980   DetectCureTDL3: IrpHandler (26) addr: 86484856
15:02:44:328 3980   DetectCureTDL3: All IRP handlers pointed to one addr: 86484856
15:02:44:328 3980   KLMD_ReadMem: Trying to ReadMemory 0x86484856[0x400]
15:02:44:328 3980   TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 333, 121, 3, 109
15:02:44:328 3980   Driver "atapi" Irp handler infected by TDSS rootkit ... 15:02:44:328 3980   KLMD_WriteMem: Trying to WriteMemory 0x864848CF[0xD]
15:02:44:328 3980   cured
15:02:44:328 3980   KLMD_ReadMem: Trying to ReadMemory 0x86484701[0x400]
15:02:44:328 3980   TDL3_StartIoHookDetect: CheckParameters: 9, FFDF0308, 1
15:02:44:328 3980   Driver "atapi" StartIo handler infected by TDSS rootkit ... 15:02:44:328 3980   TDL3_StartIoHookCure: Number of patches 1
15:02:44:328 3980   KLMD_WriteMem: Trying to WriteMemory 0x8648480A[0x6]
15:02:44:328 3980   cured
15:02:44:328 3980   TDL3_FileDetect: Processing driver: atapi
15:02:44:328 3980   TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
15:02:44:328 3980   KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
15:02:44:343 3980   TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
15:02:44:343 3980   File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 15:02:44:343 3980   TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
15:02:44:343 3980   ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
15:02:44:359 3980   CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\driver.cab
15:02:44:546 3980   CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp2.cab
15:02:44:593 3980   CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp3.cab
15:02:44:625 3980   CabinetCallback: Backup candidate found: atapi.sys:96512, extracting..
15:02:44:703 3980   CabinetCallback: File extracted successfully: C:\DOCUME~1\BASHIR~1\LOCALS~1\Temp\bck28.tmp
15:02:44:703 3980   ValidateDriverFile: Stage 1 passed
15:02:44:718 3980   ValidateDriverFile: Stage 2 passed
15:02:44:828 3980   DigitalSignVerifyByHandle: Embedded DS result: 800B0100
15:02:45:093 3980   DigitalSignVerifyByHandle: Cat DS result: 00000000
15:02:45:093 3980   ValidateDriverFile: Stage 3 passed
15:02:45:093 3980   CabinetCallback: File validated successfully, restore information prepared
15:02:45:093 3980   FindDriverFileBackup: Backup copy found in cab-file
15:02:45:093 3980   TDL3_FileCure: Backup copy found, using it..
15:02:45:093 3980   TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\drivers\tsk29.tmp
15:02:45:171 3980   TDL3_FileCure: New / Old Image paths: (system32\drivers\tsk29.tmp, system32\drivers\atapi.sys)
15:02:45:171 3980   TDL3_FileCure: KLMD jobs schedule success
15:02:45:171 3980   will be cured on next reboot
15:02:45:171 3980   UtilityBootReinit: Reboot required for cure complete..
15:02:45:171 3980   MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmdb.sys) returned status 00000000
15:02:45:203 3980   UtilityBootReinit: KLMD drop success
15:02:45:203 3980   KLMD_ApplyPendList: Pending buffer(40E_5B1A, 608) dropped successfully
15:02:45:203 3980   UtilityBootReinit: Cure on reboot scheduled successfully
15:02:45:203 3980   
15:02:45:203 3980   Completed
15:02:45:203 3980   
15:02:45:203 3980   Results:
15:02:45:203 3980   Memory objects infected / cured / cured on reboot:   2 / 2 / 0
15:02:45:203 3980   Registry objects infected / cured / cured on reboot:   0 / 0 / 0
15:02:45:203 3980   File objects infected / cured / cured on reboot:   1 / 0 / 1
15:02:45:203 3980   
15:02:45:203 3980   UnloadDriverW: NtUnloadDriver error 1
15:02:45:203 3980   KLMD_Unload: UnloadDriverW(klmd21) error 1
15:02:45:203 3980   MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
15:02:45:203 3980   UtilityDeinit: KLMD(ARK) unloaded successfully

[Derek]

that cleared part of it next

Delete any existing version of ComboFix you have sitting on your desktop

Please read and follow all these instructions very carefully

Download ComboFix from Here to your Desktop.

**Note:  It is important that it is saved directly to your desktop  and run from the desktop and not any other folder on your computer**
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

• Very Important! Temporarily disable your anti-virus and  anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results" or stop combofix running at all
• Click on THIS LINK to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
  
• Remember to re enable the protection again after combofix has finished
  

--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running

Double click on combofix.exe & follow the prompts.

If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this
When finished, it will produce a report for you. 
Please post the "C:\ComboFix.txt" for further review


****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version. 

[hoidris]

I ran combofix and below is the log report

ComboFix 10-02-01.05 - Bashiru Alabi 02/02/2010  15:45:46.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1014.482 [GMT -5:00]
Running from: c:\documents and settings\Bashiru Alabi\Desktop\ComboFix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\service
c:\windows\system32\service\02022010_TIS17_SfFniAU.log
c:\windows\system32\service\19122009_TIS17_SfFniAU.log
c:\windows\system32\service\31012010_TIS17_SfFniAU.log

.
(((((((((((((((((((((((((   Files Created from 2010-01-02 to 2010-02-02  )))))))))))))))))))))))))))))))
.

2010-02-02 16:13 . 2010-02-02 16:13   --------   d-----w-   c:\documents and settings\Kazeem Alabi\Application Data\Malwarebytes
2010-02-02 15:22 . 2010-02-02 15:22   --------   d-sh--w-   c:\documents and settings\Kazeem Alabi\IECompatCache
2010-02-02 15:22 . 2010-02-02 16:11   --------   d-----w-   c:\documents and settings\Kazeem Alabi\Application Data\RebateInformer
2010-02-02 15:21 . 2010-02-02 15:21   --------   d-----w-   c:\documents and settings\Kazeem Alabi\Application Data\S300-S400 Series
2010-02-01 10:49 . 2010-02-01 10:49   --------   d-----w-   c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-01-31 23:23 . 2010-01-31 23:23   --------   d-----w-   c:\documents and settings\Bashiru Alabi\Application Data\Malwarebytes
2010-01-31 23:23 . 2010-01-07 21:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-31 23:23 . 2010-01-31 23:23   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-31 23:23 . 2010-01-31 23:23   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-01-31 23:23 . 2010-01-07 21:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-01-29 13:14 . 2010-01-29 13:14   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2010-01-24 23:55 . 2010-01-24 23:55   --------   d-----w-   c:\documents and settings\islamiah Alabi\Application Data\S300-S400 Series
2010-01-24 23:15 . 2010-01-24 23:31   --------   d-----w-   c:\documents and settings\Bashiru Alabi\Application Data\S300-S400 Series
2010-01-24 23:12 . 2001-08-18 03:36   87040   -c--a-w-   c:\windows\system32\dllcache\wiafbdrv.dll
2010-01-24 23:12 . 2001-08-18 03:36   87040   ----a-w-   c:\windows\system32\wiafbdrv.dll
2010-01-24 23:12 . 2008-04-13 19:45   15104   -c--a-w-   c:\windows\system32\dllcache\usbscan.sys
2010-01-24 23:12 . 2008-04-13 19:45   15104   ----a-w-   c:\windows\system32\drivers\usbscan.sys
2010-01-24 23:11 . 2010-01-24 23:11   --------   d-----w-   c:\program files\Abbyy FineReader 6.0 Sprint
2010-01-24 23:10 . 2009-04-17 10:52   49152   ----a-w-   c:\windows\system32\LXEAPMON.DLL
2010-01-24 23:10 . 2009-04-17 10:52   32768   ----a-w-   c:\windows\system32\LXEAFXPU.DLL
2010-01-24 23:10 . 2009-01-13 13:15   4485120   ----a-w-   c:\windows\system32\LXEAoem.dll
2010-01-24 23:10 . 2008-03-05 03:12   98345   ----a-w-   c:\windows\system32\IMHOST32.DLL
2010-01-24 23:10 . 2008-03-05 03:12   339968   ----a-w-   c:\windows\system32\IMGMAN32.DLL
2010-01-24 23:09 . 2010-01-24 23:09   --------   d-----w-   c:\documents and settings\All Users\Application Data\S300-S400 Series
2010-01-24 23:09 . 2010-01-24 23:09   --------   d-----w-   c:\program files\Lexmark Tools for Office
2010-01-24 23:09 . 2009-04-24 19:47   213672   ----a-w-   c:\windows\system32\LXEAwupd.exe
2010-01-24 23:09 . 2009-03-25 07:46   372736   ----a-w-   c:\windows\system32\LXEAwupd.dll
2010-01-24 23:07 . 2010-01-24 23:07   --------   d-----w-   c:\program files\Lexmark
2010-01-24 23:06 . 2010-01-31 23:21   --------   d-----w-   c:\program files\Lexmark Toolbar
2010-01-24 23:02 . 2010-01-24 23:02   --------   d-----w-   c:\program files\Lexmark Printable Web
2010-01-24 23:00 . 2010-01-24 23:30   --------   d-----w-   c:\program files\Lexmark S300-S400 Series
2010-01-24 23:00 . 2009-02-20 13:48   23552   ----a-w-   c:\windows\system32\lxeasmr.dll
2010-01-24 23:00 . 2009-02-20 13:48   299008   ----a-w-   c:\windows\system32\lxeasm.dll
2010-01-23 11:09 . 2010-01-23 11:09   --------   d-----w-   c:\documents and settings\islamiah Alabi\Local Settings\Application Data\Citrix
2010-01-23 11:08 . 2010-01-23 11:08   --------   d-sh--w-   c:\documents and settings\islamiah Alabi\IECompatCache
2010-01-14 11:01 . 2009-11-21 15:51   471552   -c----w-   c:\windows\system32\dllcache\aclayers.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-02 20:04 . 2004-08-04 05:00   96512   ----a-w-   c:\windows\system32\drivers\atapi.sys
2010-02-02 18:30 . 2009-11-29 20:44   --------   d-----w-   c:\program files\Trend Micro
2010-02-02 18:14 . 2009-05-26 04:56   --------   d-----w-   c:\program files\Google
2010-02-02 18:09 . 2009-08-04 03:30   --------   d-----w-   c:\program files\iWin.com
2010-02-01 12:03 . 2009-05-07 04:27   51808   ----a-w-   c:\documents and settings\Bashiru Alabi\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-01 01:37 . 2009-09-27 21:00   --------   d-----w-   c:\program files\AVG
2010-01-29 04:59 . 2009-05-26 05:32   --------   d-----w-   c:\program files\Yahoo!
2010-01-29 04:48 . 2009-09-27 21:05   --------   d-----w-   c:\documents and settings\All Users\Application Data\Norton
2010-01-29 04:48 . 2009-12-27 23:00   --------   d-----w-   c:\program files\Norton Security Scan
2010-01-29 04:48 . 2009-10-30 22:02   --------   d-----w-   c:\program files\Common Files\Symantec Shared
2010-01-24 23:14 . 2009-08-11 02:15   --------   d-----w-   c:\program files\Microsoft Silverlight
2010-01-08 14:45 . 2009-08-14 12:02   --------   d-----w-   c:\program files\Yahoo! Games
2010-01-08 14:40 . 2009-08-01 02:37   --------   d-----w-   c:\program files\RealArcade
2010-01-08 02:08 . 2010-01-24 23:01   324264   ----a-w-   c:\windows\system32\lxeaih.exe
2010-01-08 02:08 . 2010-01-24 23:01   598696   ----a-w-   c:\windows\system32\lxeacoms.exe
2010-01-08 02:08 . 2010-01-24 23:01   373416   ----a-w-   c:\windows\system32\lxeacfg.exe
2009-12-27 23:00 . 2009-09-27 21:05   --------   d-----w-   c:\documents and settings\All Users\Application Data\NortonInstaller
2009-12-21 19:14 . 2006-03-03 22:33   916480   ----a-w-   c:\windows\system32\wininet.dll
2009-12-16 21:12 . 2009-12-16 21:12   438272   ----a-w-   c:\windows\system32\lxeacoin.dll
2009-12-10 08:04 . 2009-05-07 04:39   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-10 00:47 . 2010-01-24 23:01   643072   ----a-w-   c:\windows\system32\lxeapmui.dll
2009-12-10 00:43 . 2010-01-24 23:01   1048576   ----a-w-   c:\windows\system32\lxeaserv.dll
2009-12-10 00:41 . 2010-01-24 23:01   688128   ----a-w-   c:\windows\system32\lxeahbn3.dll
2009-12-10 00:40 . 2010-01-24 23:01   847872   ----a-w-   c:\windows\system32\lxeausb1.dll
2009-12-10 00:37 . 2010-01-24 23:01   356352   ----a-w-   c:\windows\system32\lxeahcp.dll
2009-12-10 00:36 . 2010-01-24 23:01   577536   ----a-w-   c:\windows\system32\lxealmpm.dll
2009-12-10 00:35 . 2010-01-24 23:01   344064   ----a-w-   c:\windows\system32\lxeaiesc.dll
2009-12-10 00:35 . 2010-01-24 23:01   802816   ----a-w-   c:\windows\system32\lxeacomc.dll
2009-12-10 00:35 . 2010-01-24 23:01   364544   ----a-w-   c:\windows\system32\lxeainpa.dll
2009-12-08 16:13 . 2009-12-08 15:56   --------   d-----w-   c:\documents and settings\islamiah Alabi\Application Data\Inbox Toolbar
2009-12-08 15:56 . 2009-12-08 15:56   --------   d-----w-   c:\documents and settings\islamiah Alabi\Application Data\RebateInformer
2009-11-29 20:42 . 2009-11-29 20:42   1223832   ----a-w-   c:\windows\system32\drivers\vsapint.sys
2009-11-29 20:42 . 2009-11-29 20:45   50704   ----a-w-   c:\windows\system32\drivers\tmevtmgr.sys
2009-11-29 20:42 . 2009-11-29 20:45   158224   ----a-w-   c:\windows\system32\drivers\tmcomm.sys
2009-11-29 20:42 . 2009-11-29 20:42   89872   ----a-w-   c:\windows\system32\drivers\tmtdi.sys
2009-11-29 20:42 . 2009-11-29 20:42   36368   ----a-w-   c:\windows\system32\drivers\tmpreflt.sys
2009-11-29 20:42 . 2009-11-29 20:42   339984   ----a-w-   c:\windows\system32\drivers\TM_CFW.sys
2009-11-29 20:42 . 2009-11-29 20:42   225808   ----a-w-   c:\windows\system32\drivers\tmxpflt.sys
2009-11-29 20:42 . 2009-11-29 20:45   59920   ----a-w-   c:\windows\system32\drivers\tmactmon.sys
2009-11-26 13:52 . 2010-01-24 23:01   86186   ----a-w-   c:\windows\system32\lxeacfg.dll
2009-11-26 05:58 . 2009-11-26 05:58   1245321   ----a-w-   c:\documents and settings\All Users\Application Data\NeoEdge Networks\Yahoo_DinerDash\IAF.dll
2009-11-21 15:51 . 2004-08-04 05:00   471552   ----a-w-   c:\windows\AppPatch\aclayers.dll
2009-11-09 13:06 . 2010-01-24 23:01   106496   ----a-w-   c:\windows\system32\lxeainsr.dll
2009-11-09 13:06 . 2010-01-24 23:01   36864   ----a-w-   c:\windows\system32\lxeacur.dll
2009-11-09 13:06 . 2010-01-24 23:01   57344   ----a-w-   c:\windows\system32\lxeajswr.dll
2009-11-09 13:06 . 2010-01-24 23:01   262144   ----a-w-   c:\windows\system32\lxeainsb.dll
2009-11-09 13:06 . 2010-01-24 23:01   90112   ----a-w-   c:\windows\system32\lxeacub.dll
2009-11-09 13:06 . 2010-01-24 23:01   208896   ----a-w-   c:\windows\system32\lxeagrd.dll
2009-11-09 13:06 . 2010-01-24 23:01   253952   ----a-w-   c:\windows\system32\lxeacu.dll
2009-11-09 13:05 . 2010-01-24 23:01   323584   ----a-w-   c:\windows\system32\lxeains.dll
2009-11-09 12:59 . 2009-11-09 12:59   86016   ----a-w-   c:\windows\system32\lxeagcfg.dll
2009-11-08 19:48 . 2009-05-13 00:50   52200   ----a-w-   c:\documents and settings\islamiah Alabi\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-08-20 1368064]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-08-20 1191936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-11-29 1020248]
"lxeamon.exe"="c:\program files\Lexmark S300-S400 Series\lxeamon.exe" [2009-04-29 766632]
"EzPrint"="c:\program files\Lexmark S300-S400 Series\ezprint.exe" [2009-04-29 139944]
"Lexmark S300-S400 Series Fax Server"="c:\program files\Lexmark S300-S400 Series\fm3032.exe" [2009-04-29 316072]

c:\documents and settings\Kazeem Alabi\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\Bashiru Alabi\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-05-15 03:39   10536   ----a-w-   c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12   15360   ------w-   c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-03-31 00:00   162584   ----a-w-   c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-03-31 00:00   138008   ----a-w-   c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2008-08-20 20:09   1191936   ----a-w-   c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12   1695232   ----a-w-   c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2008-02-26 14:57   128296   ------w-   c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-03-30 23:59   138008   ----a-w-   c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-05-10 14:22   405504   ----a-w-   c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-03 23:20   866584   ----a-w-   c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 lxea_device;lxea_device;c:\windows\system32\lxeacoms.exe -service --> c:\windows\system32\lxeacoms.exe -service [?]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [11/29/2009 3:42 PM 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [11/29/2009 3:42 PM 339984]
R3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [11/29/2009 3:45 PM 50704]
R3 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [11/29/2009 3:46 PM 497008]
R3 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [11/29/2009 3:46 PM 689416]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB
*Deregistered* - klmd21
*Deregistered* - klmdb
.
Contents of the 'Scheduled Tasks' folder

2010-02-02 c:\windows\Tasks\User_Feed_Synchronization-{DDF01372-B27E-4748-80DA-A4EC0E2C9519}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-02 15:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1280)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2010-02-02  15:50:42
ComboFix-quarantined-files.txt  2010-02-02 20:50

Pre-Run: 65,673,531,392 bytes free
Post-Run: 65,710,505,984 bytes free

- - End Of File - - 58131B365519BA1291E96206B4D9022B

[Derek]

looks clear from the logs

how is it now

[hoidris]

I looks good for now.  I will monitor for a few hours/days and update the forum

Thank you

[Derek]

if it is fine

*Follow these steps to uninstall Combofix and the other tools it downloaded to remove the malware*
*  Click START then RUN
*  Now type Combofix /Uninstall in the runbox  and click OK.  Note the space between the X and the /U, it needs to be there.


This will also purge the restore folder and clear any malware that has been put in there. Now Empty Recycle bin on desktop Then reboot.

go here http://www.thespykiller.co.uk/index.php?page=3 for info on how to tighten your security settings and how to help prevent future attacks.

and scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer and update whatever it suggests

Then pay an urgent visit to windows update & make sure you are fully updated,  that will help to plug the security holes that let these pests on in the first place

[Would you do all this for nothing?]

You have come to The Spykiller for help because your Antivirus or Antispyware hasn't been able to fix your problem.

Modern Malware has become so involved and difficult to fix that it takes a very long time and a lot of hard work to read all the logs posted here and research and prepare the fixes for you. In many cases each part of the fix takes about 30 minutes to prepare, so a large part of my time is spent helping you

Would you do all this for nothing?

The reason I run this site is to raise funds for Hedgehog Rescue

Please donate if I have helped you or you have found this site useful.

You can donate safely and securely by using the paypal service, just click on one of the buttons below.

To donate in UK £

To donate in US$

To donate in Euro €

Any amount no matter how small is gratefully accepted and needed to ensure we keep the Rescue Centre running

To donate via paypal when the button doesn't appear or the link doesn't work: just go to www.paypal.com or your country's paypal log in page and chose send money and use help@thehedgehog.co.uk as recipient email address and select other service as the option. then follow prompts

[Information]

  
  Information
   Security & Protection Blog
   Prevention
   Using Autoruns
     System Restore
  Rss feeds
     Microsoft at Home
     MSRC
     Malware blog

Take the Kaspersky Challenge: See what your current antivirus is missing. Our free online virus scanner is a great way to find out if you have any viruses or spyware on your machine without having to uninstall your current antivirus software or install a new one.

Kaspersky Online Scanner

Most importantly, you can see what viruses your current antivirus software let slip through! Now works with ANY Java enabled browser