nid help! ~I can't remove this adware/virus!

Name: Trojan.Win32.Obfuscated.gx Type: Trojan Risk impact: Extremely High [SIZE=1]Fake critical system error warning[/SIZE]

Lets get a HJT log.

Download and rename HijackThis (HJT)

• Double-click on HJTInstall.
• Click on the Install button.
• It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
• Upon install, HijackThis should open for you.
  • Close HijackThis and rename it.
  • Go to C:\Program Files\Trend Micro\HijackThis.exe
  • Right click on HijackThis.exe and select Rename.
  • Type in sniper.exe and press Enter.
  • Right-click on sniper.exe and select Send To > Desktop (create shortcut)
• From the desktop open HiackThis.
• If using Windows Vista, be sure to Run As Administrator
• Click on the Do a system scan and save a log file button
• HijackThis will scan and then a log will open in notepad.
• Copy and then paste the log in your post.
  • Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Even though we have renamed HijackThis to sniper, we will still refer to it as HijackThis or HJT.

Next post please add
Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:49:52 PM, on 15/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5867 bytes

The log doesn't show any malware at all.

Run this and post the log afterwards.

Please download Combofix by sUBs from one of the below links.
(Try all three if necessary)

• Link #1
• Link #2
• Link #3

IMPORTANT - Combofix.exe MUST be saved to your your Desktop.

• Close any open Web browsers. (Firefox, Internet Explorer, etc)
• Close/disable all anti virus and anti malware programs so they do not interfere with Combofix. <-- IMPORTANT
  • Click on this link to see a list of programs that should be disabled. If yours is not listed and you don't know how to disable it, please ask.
• Double click combofix.exe & follow the prompts.
  • From the keyboard select 1 and press Enter
• When finished, it will produce a log for you.
• Post that log in your next reply.

Do not mouseclick combofix's window while it's running.
The scan will temporarily disable your desktop.
If interrupted it may leave your computer frozen.
If this occurs, please reboot to restore the desktop.

Thats not the whole log.

If you need to go to C:\combofix.txt and post the whole log.

ComboFix 08-01-15.4 - Jomel 2008-01-15 22:29:38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.98 [GMT -8:00]
Running from: C:\Downloads\Software\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2007-12-16 to 2008-01-16 )))))))))))))))))))))))))))))))
.
2008-01-15 22:29 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-15 14:46 . 2008-01-15 14:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-15 13:35 . 2008-01-15 13:36 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-01-15 12:08 . 2007-10-10 15:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-01-15 12:08 . 2007-06-30 19:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-01-15 12:08 . 2007-06-30 19:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-15 12:08 . 2007-10-10 15:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-01-15 12:08 . 2007-10-10 15:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-01-15 12:08 . 2007-10-10 15:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-01-15 12:08 . 2007-10-10 15:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-15 12:08 . 2007-10-10 15:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-01-15 12:08 . 2007-10-10 02:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-01-15 09:09 . 2004-08-03 08:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-15 08:13 . 2008-01-15 08:13 <DIR> d-------- C:\Program Files\Fraps
2008-01-15 01:15 . 2008-01-15 12:49 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-15 01:15 . 2006-09-06 17:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-15 00:59 . 2008-01-15 00:59 <DIR> d-------- C:\Program Files\IObit
2008-01-15 00:55 . 2008-01-15 00:55 1,167 --a------ C:\WINDOWS\mozver.dat
2008-01-15 00:00 . 2008-01-15 00:01 1,074 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-14 23:05 . 2008-01-14 23:23 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-14 23:04 . 2008-01-14 23:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-14 22:39 . 2008-01-14 23:00 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-01-14 22:31 . 2008-01-14 22:31 <DIR> d-------- C:\Downloads
2008-01-13 13:51 . 2008-01-13 13:54 <DIR> d-------- C:\Documents and Settings\Jomel\Application Data\NCH Swift Sound
2008-01-13 13:51 . 2008-01-13 13:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-01-13 13:50 . 2008-01-13 17:35 <DIR> d-------- C:\Program Files\NCH Swift Sound
2008-01-13 08:30 . 2008-01-13 08:30 <DIR> d-------- C:\Program Files\HELP
2008-01-13 08:10 . 2008-01-13 08:10 <DIR> d-------- C:\Program Files\Free Download Manager
2008-01-13 08:10 . 2008-01-15 22:29 <DIR> d-------- C:\Documents and Settings\Jomel\Application Data\Free Download Manager
2008-01-13 08:10 . 2008-01-13 08:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FreeDownloadManager.ORG
2008-01-12 20:03 . 2008-01-12 20:03 <DIR> d-------- C:\Program Files\AVI MPEG RM WMV Splitter
2008-01-12 18:38 . 2008-01-12 18:39 26 --a------ C:\WINDOWS\system32\satsukidecodersettings.ini
2008-01-08 06:45 . 2008-01-14 19:34 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-08 06:44 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-01-08 06:44 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-01-08 06:44 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-01-08 06:44 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-01-08 06:44 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-01-07 21:59 . 2008-01-07 21:59 <DIR> d---s---- C:\Documents and Settings\Jomel\UserData
2008-01-06 20:56 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-01-05 18:55 . 2008-01-05 18:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-01-05 09:16 . 2008-01-05 09:16 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-01-04 16:13 . 2008-01-04 16:13 <DIR> d-------- C:\Program Files\ZillaSoft.ws
2008-01-04 16:13 . 2004-02-05 13:53 389,120 --a------ C:\WINDOWS\system32\actskn43.ocx
2008-01-04 16:13 . 2004-01-09 04:54 188,416 --a------ C:\WINDOWS\system32\actsplash.ocx
2008-01-04 16:12 . 2005-08-27 02:38 1,435,272 --a------ C:\WINDOWS\system32\Flash.ocx
2008-01-04 16:12 . 2002-03-04 12:27 1,140,472 --a------ C:\WINDOWS\system32\IGUltraGrid20.ocx
2008-01-04 16:12 . 2000-05-22 04:00 1,066,176 --a------ C:\WINDOWS\system32\mscomctl.ocx
2008-01-04 16:12 . 2003-11-19 13:59 512,688 --a------ C:\WINDOWS\system32\XceedCry.dll
2008-01-04 16:12 . 2001-07-28 12:50 265,753 --a------ C:\WINDOWS\system32\AS-Exp2.ocx
2008-01-04 16:12 . 2004-03-08 23:00 131,856 --a------ C:\WINDOWS\system32\MSADODC.ocx
2008-01-04 16:12 . 2000-07-14 23:00 118,784 --a------ C:\WINDOWS\system32\msstdfmt.dll
2008-01-04 16:12 . 2000-07-15 05:00 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2008-01-04 16:12 . 1999-01-26 19:36 11,012 --a------ C:\WINDOWS\system32\threadapi.tlb
2007-12-31 20:24 . 2007-12-31 20:24 <DIR> d-------- C:\Documents and Settings\Jomel\Application Data\Ahead
2007-12-31 17:07 . 2007-12-31 17:07 <DIR> d-------- C:\Documents and Settings\Jomel\Application Data\Yahoo!
2007-12-31 17:07 . 2007-12-31 17:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-12-30 22:27 . 2007-12-30 22:27 <DIR> d-------- C:\Documents and Settings\Jomel\Application Data\WebCompiler3
2007-12-30 22:00 . 2008-01-15 08:21 49 --a------ C:\WINDOWS\NeroDigital.ini
2007-12-30 21:58 . 2007-12-30 21:58 <DIR> d-------- C:\Documents and Settings\Jomel\Application Data\FDRLab
2007-12-29 20:21 . 2007-12-29 20:21 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-12-29 14:40 . 2007-12-29 14:40 <DIR> d-------- C:\Documents and Settings\Jomel\Incomplete
2007-12-29 14:39 . 2008-01-12 19:10 <DIR> d-------- C:\Documents and Settings\Jomel\Application Data\LimeWire
2007-12-29 14:39 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-29 14:37 . 2007-12-29 14:38 <DIR> d-------- C:\Program Files\Java
2007-12-29 14:36 . 2007-12-29 14:36 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-29 11:25 . 2008-01-01 20:43 <DIR> d-------- C:\Program Files\LimeWire
2007-12-28 23:32 . 2007-12-29 21:36 <DIR> d-------- C:\Program Files\Common Files\Macromedia
2007-12-28 23:28 . 2007-12-29 20:15 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-12-28 22:36 . 2007-12-28 22:36 <DIR> d-------- C:\Program Files\uTorrent
2007-12-28 22:36 . 2008-01-14 22:12 <DIR> d-------- C:\Documents and Settings\Jomel\Application Data\uTorrent
2007-12-28 22:13 . 2007-12-28 22:13 <DIR> d-------- C:\Program Files\CCleaner
2007-12-28 19:48 . 2007-12-28 19:50 <DIR> d-------- C:\WINDOWS\nview
2007-12-28 19:48 . 2006-10-22 12:22 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-12-28 19:48 . 2008-01-15 21:49 88,566 --a------ C:\WINDOWS\system32\nvapps.xml
2007-12-28 19:48 . 2006-10-22 12:22 17,056 --a------ C:\WINDOWS\system32\nvdisp.nvu
2007-12-28 19:47 . 2006-10-22 15:06 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-12-28 15:05 . 2007-12-28 15:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-12-28 14:55 . 2007-12-28 15:03 <DIR> d-------- C:\Program Files\Yahoo!
2007-12-28 10:39 . 2008-01-14 23:05 <DIR> d-------- C:\Documents and Settings\Jomel\Application Data\SUPERAntiSpyware.com
2007-12-28 10:39 . 2007-12-28 10:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-28 09:13 . 2007-12-28 09:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2007-12-27 21:37 . 2008-01-08 11:43 <DIR> d-------- C:\Program Files\EA SPORTS
2007-12-27 21:05 . 2006-09-29 20:42 <DIR> d-------- C:\Program Files\Support
2007-12-27 21:05 . 2006-09-29 20:42 <DIR> d-------- C:\Program Files\main
2007-12-27 21:05 . 2007-12-29 21:36 <DIR> d-------- C:\Program Files\Macromedia
2007-12-27 21:05 . 2006-09-29 20:42 <DIR> d-------- C:\Program Files\IE
2007-12-27 21:03 . 2006-09-29 20:42 <DIR> d-------- C:\Program Files\DirectX
2007-12-27 19:59 . 2008-01-10 22:39 <DIR> d-------- C:\Documents and Settings\Jomel\Application Data\AVG7
2007-12-27 19:58 . 2007-12-27 19:58 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-27 19:58 . 2007-12-27 19:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-27 19:58 . 2008-01-07 22:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-27 19:58 . 2007-12-27 19:58 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-12-27 19:58 . 2007-12-27 19:58 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-12-27 18:48 . 2007-12-27 18:48 <DIR> d-------- C:\NVIDIA
2007-12-27 18:44 . 2004-08-03 23:10 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-12-27 18:44 . 2004-08-03 23:10 10,880 --a--c--- C:\WINDOWS\system32\dllcache\ndisip.sys
2007-12-27 18:44 . 2004-08-03 22:58 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-12-27 18:44 . 2004-08-03 22:58 5,504 --a--c--- C:\WINDOWS\system32\dllcache\mstee.sys
2007-12-27 18:37 . 2001-11-22 20:08 712,704 --a--c--- C:\WINDOWS\system32\dllcache\a3d.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-01-15 07:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-28 01:28 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-04 10:33 682,496 ----a-w C:\WINDOWS\system32\divx.dll
2007-11-30 07:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-11-30 07:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-11-21 18:23 81,920 ----a-w C:\WINDOWS\system32\frapsvid.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-22 11:39 267,272 ----a-w C:\WINDOWS\system32\xactengine2_10.dll
2007-10-22 11:37 17,928 ----a-w C:\WINDOWS\system32\X3DAudio1_2.dll
2007-10-17 17:23 10,752 ----a-w C:\WINDOWS\system32\WhoisCL.exe
2001-11-23 04:08 712,704 ----a-r C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 08:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.e xe" [2004-07-07 17:28 155648]
"Cmaudio"="cmicnfg.cpl" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-27 19:58 579072]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray. dll" [2006-10-22 12:22 86016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-27 19:58 219136]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\curr entversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
R2 SetupNT;SetupNT;C:\WINDOWS\system32\SetupNT.sys [2000-10-25 04:27]
*Newly Created Service* - PROCEXP90
.
************************************************** ************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 22:31:35
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************** ************************
.
Completion time: 2008-01-15 22:32:38
.
2008-01-15 20:49:48 --- E O F ---

First go to this tutorial and install the recovery console.

----------

• Download FixIEDef by ShadowPuterDude to the Desktop.
• Double-click FixIEDef.exe
  • if running Vista, click OK on the FixIEDef is running as Administrator popup

WARNING: FixIEDef will kill all copies of Internet Explorer and Explorer that are running, during removal of malicious files. The icons and Start Menu on your Desktop will not be visible while FixIEDef is removing malicious files. This is necessary to remove parts of the infection that would otherwise not be removed.

FixIEDef will return everything to normal; when it has finished the removal process.

• Click Exit once FixIEDef displays the All Finished message.
• Attach the FixIEDef.log to your next message. The log will be on your desktop.

----------

Run a new Hijackthis scan and post the log.

----------

Next post please add
FixIEDef log
New Hijackthis log

************************************************** ******************************
* *
* FixIEDef Log *
* Version 1.0.0.875 *
* *
************************************************** ******************************
Created at 08:12:02 on Wednesday, January 16, 2008
Operating System : Windows XP
Service Pack Level: Service Pack 2
System Langauge : English
Processor : X86
--------------------------------------------------------------------------------
!!! Files that have been deleted !!!
No malicious files found
--------------------------------------------------------------------------------
!!! Directories that have been removed !!!
No malicious directories to be removed
--------------------------------------------------------------------------------
!!! Registry entries that have been removed !!!
HKEY_CLASSES_ROOT\toprates.Video
HKEY_CLASSES_ROOT\AppID\toprates.dll
HKEY_CLASSES_ROOT\AppID\{038F228B-EED3-4A87-A565-F88FC99EBA91}
HKEY_CLASSES_ROOT\Interface\{48D78BE5-CFB9-4B66-9AC4-96D4CF21DE06}
HKEY_CLASSES_ROOT\TypeLib\{74D46BBA-5638-473A-83B6-97E7804A7411}
HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\DateTime
================================================== ==============================
All Done :)
ShadowPuterDude
Safe Surfing!!!

<!-------------------------------------------------------------->
<!-------------------------------------------------------------->

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:13:36 AM, on 16/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\sniper.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 5838 bytes

Your Java is out of date leaving your system vulnerable.
Older versions of Java have vulnerabilities that malware can use to infect your system.

Go to >> http://java.sun.com/javase/downloads/index.jsp
On the Sun Java page scroll to the 4th download Java Runtime Environment (JRE) 6 Update 4 to install the new version.
Next go to add/remove programs and remove all older versions.
Don't uninstall Java (JRE) 6 Update 4.
Then go to C:\Program Files\Java and delete the old folders.
Be sure to keep jre1.6.0_04


The log looks fine now.

How is the computer now?

wow! finally! i dismantled 4 adware-trojans!!!

A big Thanks to you sir!
more power!

this site is so cool! _m/

I'm glad we could help. Still a few more steps.

Delete FixIEDef and its log.

Time to do some cleanup and secure the work you have done.

• Click START then RUN
• Now type Combofix /u in the runbox
• Make sure there's a space between Combofix and /u
• Then hit Enter.

• The above procedure will:
• Delete the following:
• ComboFix and its associated files and folders.
• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Set a new, clean Restore Point.

----------

Check out Keeping Yourself safe On The Web for tips and free tools to keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

Let us know if anything else comes up.