[TripartonChamps]

All I was doing was looking for sample letters of recommendation on About.com and then my screen went purple. Just like a "Blue Screen of Death", but all purple with no text. After a restart, I started getting random popups. I have Symantec AntiVirus but I guess it got through. Please help. HJT log below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:49:23 PM, on 11/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [bumatuwim] Rundll32.exe "c:\windows\system32\yozuyosa.dll",a
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Drew\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} (Enlite 2.x Simulation Engine Installer) - http://myitlab.pearsoned.com/Pegasus...es/ax/stub.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: UmxSbxExw.dll bedihidu.dll c:\windows\system32\yozuyosa.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: SysNet - {22015F69-C639-4941-A145-0A7B0A77681B} - C:\Documents and Settings\All Users\Microsoft AData\sysnet.dll (file missing)
O21 - SSODL: junedupad - {9aecc2f4-3dd7-45a4-8455-93ec0e183aaa} - c:\windows\system32\yozuyosa.dll
O22 - SharedTaskScheduler: kupuhivus - {9aecc2f4-3dd7-45a4-8455-93ec0e183aaa} - c:\windows\system32\yozuyosa.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCase\OpenCASE Media Agent\MediaAgent.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O24 - Desktop Component 0: (no name) - http://img395.imageshack.us/img395/3...oolwave9as.jpg
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/Drew/LOCALS~1/Temp/msohtmlclip1/01/clip_image002.jpg

--
End of file - 14322 bytes

[TripartonChamps]

bump?

[TripartonChamps]

bump?

[NeonFx]

Hello there Welcome to the Tech Support Guy forums.
My name is NeonFx. I'll be glad to help you with your computer problems. Logs can take some time to research, so please be patient with me.

Please note the following:

• The fixes are specific to your problem and should only be used on this machine.
• Please continue to review my answers until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that the system is completely clean.
• It's often worth reading through these instructions and printing them for ease of reference. I may ask you to boot into Safe Mode where you will be unable to follow my instructions online.
• If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
• Please reply to this thread. Do not start a new topic.

Step 1

Download OTS to your Desktop

• Close ALL OTHER PROGRAMS.
• Double-click on OTS.exe to start the program.
• Check the box that says Scan All Users
• Under Additional Scans check the following:
  
  • Reg - Desktop Components
  • Reg - Disabled MS Config Items
  • Reg - NetSvcs
  • Reg - Shell Spawning
  • Reg - Uninstall List
  • File - Lop Check
  • File - Purity Scan
  • Evnt - EvtViewer (last 10)
• Please copy the following into the Custom Scans box at the bottom

Code:

%SYSTEMDRIVE%\eventlog.dll /s /md5
%SYSTEMDRIVE%\scecli.dll /s /md5
%SYSTEMDRIVE%\netlogon.dll /s /md5
%SYSTEMDRIVE%\cngaudit.dll /s /md5
%SYSTEMDRIVE%\sceclt.dll /s /md5
%SYSTEMDRIVE%\ntelogon.dll /s /md5
%SYSTEMDRIVE%\logevent.dll /s /md5
%SYSTEMDRIVE%\iaStor.sys /s /md5
%SYSTEMDRIVE%\nvstor.sys /s /md5
%SYSTEMDRIVE%\atapi.sys /s /md5
%SYSTEMDRIVE%\IdeChnDr.sys /s /md5
%SYSTEMDRIVE%\viasraid.sys  /s /md5
%SYSTEMDRIVE%\AGP440.sys /s /md5
%SYSTEMDRIVE%\vaxscsi.sys /s /md5 

• Now click the Run Scan button on the toolbar.
• Let it run unhindered until it finishes.
• When the scan is complete Notepad will open with the report file loaded in it.
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post. To do so click on the blue "Reply" button or "Go Advanced" and click on the "Manage Attachments" button

To ensure that I get all the information this log will need to be attached. If it is too large to attach then upload it to Dropio and post the sharing link/url (The Drop's URL will be similar to : http:://drop.io/daerk)

Step 2

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

Start the Sysprot.exe program.

• Click on the Log tab.
• In the Write to log box select All items.
• Place a checkmark next to Hidden Objects Only
• Click on the Create Log button on the bottom right.
• After a few seconds a new Window should appear.
• Make sure Scan all drives is selected and click on the Start button.
  (Unless you have a floppy drive. In this case, please use "Scan Root Drive Only" and press Start)
• When it is complete a new Window will appear to indicate that the scan is finished.
• The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here.

[TripartonChamps]

Thank you!
Here is the Drop.io link for the OST log:
http://drop.io/plyqivl

And below is the SysProt log:


SysProt AntiRootkit v1.0.1.0
by swatkat

*************************************************************************** ***************
*************************************************************************** ***************

No Hidden Processes found

*************************************************************************** ***************
*************************************************************************** ***************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: A9DC5000
Module End: A9DDD000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F8A0A000
Module End: F8A0C000
Hidden: Yes

*************************************************************************** ***************
*************************************************************************** ***************
SSDT:
Function Name: ZwAlertResumeThread
Address: 826F8F28
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwAlertThread
Address: 826F8008
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwAllocateVirtualMemory
Address: 826F9B28
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwConnectPort
Address: 82713B80
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwCreateKey
Address: A9C7C6EA
Driver Base: A9C72000
Driver End: A9C85000
Driver Name: \SystemRoot\System32\DRIVERS\KmxSbx.sys

Function Name: ZwCreateMutant
Address: 826F8C88
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwCreateSection
Address: AA197FD2
Driver Base: AA18E000
Driver End: AA1A1000
Driver Name: \SystemRoot\System32\DRIVERS\kmxagent.sys

Function Name: ZwCreateSymbolicLinkObject
Address: A9C7D40B
Driver Base: A9C72000
Driver End: A9C85000
Driver Name: \SystemRoot\System32\DRIVERS\KmxSbx.sys

Function Name: ZwCreateThread
Address: 826FA148
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwDeleteValueKey
Address: AA3C2350
Driver Base: AA3AE000
Driver End: AA3D0000
Driver Name: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

Function Name: ZwFreeVirtualMemory
Address: 826F9838
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwImpersonateAnonymousToken
Address: 826F8D68
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwImpersonateThread
Address: 826F8E48
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwMakeTemporaryObject
Address: A9C7D75C
Driver Base: A9C72000
Driver End: A9C85000
Driver Name: \SystemRoot\System32\DRIVERS\KmxSbx.sys

Function Name: ZwMapViewOfSection
Address: 827019E0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenEvent
Address: 826F8BA8
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenKey
Address: A9C7C64E
Driver Base: A9C72000
Driver End: A9C85000
Driver Name: \SystemRoot\System32\DRIVERS\KmxSbx.sys

Function Name: ZwOpenProcessToken
Address: 826F9BF8
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenSection
Address: A9C7D130
Driver Base: A9C72000
Driver End: A9C85000
Driver Name: \SystemRoot\System32\DRIVERS\KmxSbx.sys

Function Name: ZwOpenThreadToken
Address: 826F94F0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwQueryValueKey
Address: 826F8AB8
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwResumeThread
Address: 827104F0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetContextThread
Address: 826F9410
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetInformationProcess
Address: 826F95D0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetInformationThread
Address: 826F9330
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetSystemInformation
Address: A9C7D538
Driver Base: A9C72000
Driver End: A9C85000
Driver Name: \SystemRoot\System32\DRIVERS\KmxSbx.sys

Function Name: ZwSetValueKey
Address: AA3C2580
Driver Base: AA3AE000
Driver End: AA3D0000
Driver Name: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

Function Name: ZwSuspendProcess
Address: 826F89D8
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSuspendThread
Address: 826F9170
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwTerminateProcess
Address: 826FA218
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwTerminateThread
Address: 826F9250
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwUnmapViewOfSection
Address: 826F96B0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwWriteVirtualMemory
Address: 826F9918
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

*************************************************************************** ***************
*************************************************************************** ***************
No Kernel Hooks found

*************************************************************************** ***************
*************************************************************************** ***************
IRP Hooks:
Hooked Module: C:\WINDOWS\System32\Drivers\Modem.SYS
Hooked IRP: IRP_MJ_WRITE
Jump To: AA169040
Hooking Module: C:\WINDOWS\System32\DRIVERS\kmxfw.sys

Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: AA169990
Hooking Module: C:\WINDOWS\System32\DRIVERS\kmxfw.sys

Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: AA169AF0
Hooking Module: C:\WINDOWS\System32\DRIVERS\kmxfw.sys

Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: AA16A5B0
Hooking Module: C:\WINDOWS\System32\DRIVERS\kmxfw.sys

Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: AA16A570
Hooking Module: C:\WINDOWS\System32\DRIVERS\kmxfw.sys

Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_CLEANUP
Jump To: AA169B50
Hooking Module: C:\WINDOWS\System32\DRIVERS\kmxfw.sys

Hooked Module: C:\WINDOWS\System32\drivers\afd.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: A9511480
Hooking Module: C:\WINDOWS\System32\DRIVERS\KmxCF.sys

Hooked Module: C:\WINDOWS\System32\drivers\afd.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: A9511EC0
Hooking Module: C:\WINDOWS\System32\DRIVERS\KmxCF.sys

Hooked Module: C:\WINDOWS\System32\drivers\afd.sys
Hooked IRP: IRP_MJ_READ
Jump To: A9512150
Hooking Module: C:\WINDOWS\System32\DRIVERS\KmxCF.sys

Hooked Module: C:\WINDOWS\System32\drivers\afd.sys
Hooked IRP: IRP_MJ_WRITE
Jump To: A9511F20
Hooking Module: C:\WINDOWS\System32\DRIVERS\KmxCF.sys

Hooked Module: C:\WINDOWS\System32\drivers\afd.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: A95121A0
Hooking Module: C:\WINDOWS\System32\DRIVERS\KmxCF.sys

Hooked Module: C:\WINDOWS\System32\drivers\afd.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: A95114C0
Hooking Module: C:\WINDOWS\System32\DRIVERS\KmxCF.sys

Hooked Module: C:\WINDOWS\System32\drivers\afd.sys
Hooked IRP: IRP_MJ_CLEANUP
Jump To: A9511EF0
Hooking Module: C:\WINDOWS\System32\DRIVERS\KmxCF.sys

*************************************************************************** ***************
*************************************************************************** ***************
Ports:
Local Address: ANDREW.MSHOME.NET:4468
Remote Address: 74.125.15.83:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: ANDREW.MSHOME.NET:4466
Remote Address: LAX04S01-IN-F137.1E100.NET:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: ANDREW.MSHOME.NET:4465
Remote Address: PX-IN-F139.1E100.NET:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: ANDREW.MSHOME.NET:4464
Remote Address: LAX04S01-IN-F103.1E100.NET:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: ANDREW.MSHOME.NET:4463
Remote Address: LAX04S01-IN-F103.1E100.NET:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: ANDREW.MSHOME.NET:4462
Remote Address: NUQ04S01-IN-F113.1E100.NET:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: ANDREW.MSHOME.NET:4453
Remote Address: LAX04S01-IN-F100.1E100.NET:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: ANDREW.MSHOME.NET:4419
Remote Address: EC2-75-101-137-43.COMPUTE-1.AMAZONAWS.COM:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: CLOSE_WAIT

Local Address: ANDREW.MSHOME.NET:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: ANDREW:27015
Remote Address: LOCALHOST:1061
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
State: ESTABLISHED

Local Address: ANDREW:27015
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
State: LISTENING

Local Address: ANDREW:8999
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\OpenCase\OpenCASE Media Agent\MediaAgent.exe
State: LISTENING

Local Address: ANDREW:5354
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: LISTENING

Local Address: ANDREW:5152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: LISTENING

Local Address: ANDREW:4306
Remote Address: LOCALHOST:4305
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: ANDREW:4305
Remote Address: LOCALHOST:4306
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: ANDREW:4303
Remote Address: LOCALHOST:4302
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: ANDREW:4302
Remote Address: LOCALHOST:4303
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: ANDREW:1061
Remote Address: LOCALHOST:27015
Type: TCP
Process: C:\Program Files\iTunes\iTunesHelper.exe
State: ESTABLISHED

Local Address: ANDREW:1060
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
State: LISTENING

Local Address: ANDREW:1027
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\alg.exe
State: LISTENING

Local Address: ANDREW.SSG5-SERIAL:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: ANDREW:37935
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
State: LISTENING

Local Address: ANDREW:2967
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Symantec AntiVirus\Rtvscan.exe
State: LISTENING

Local Address: ANDREW:2869
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: ANDREW:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: ANDREW:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: ANDREW.MSHOME.NET:5353
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: ANDREW.MSHOME.NET:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: ANDREW.MSHOME.NET:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: ANDREW.MSHOME.NET:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: ANDREW.MSHOME.NETOMAIN
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: ANDREW:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: ANDREW:1030
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: ANDREW.SSG5-SERIAL:5353
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: ANDREW.SSG5-SERIAL:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: ANDREW.SSG5-SERIAL:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: ANDREW.SSG5-SERIAL:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: ANDREW:50490
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: ANDREW:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: ANDREW:1029
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: ANDREW:1025
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: ANDREW:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: ANDREW:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

*************************************************************************** ***************
*************************************************************************** ***************
Hidden files/folders:
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}
Status: Access denied

[NeonFx]

It seems you beat it into submission before I got a chance at it haha.

You are using two security suites: CA and Symantec . They are both very large programs and you generally don't want to have more than one program performing the same function. I cannot tell if you have CA to only function as a firewall and symantec to only function as an Antivirus though. If both of them have active Antivirus or firewall components at the same time it can cause conflicts or false positives and the best solution would be to uninstall one or the other.


Let's do the following:

STEP 1

Run OTS

• Under the Paste Fix Here box on the right, paste in the contents of following code box

Code:

[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "" [HKLM] -> Reg Error: Key error. []
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-536743712-2674405637-1277733739-1006\] > -> HKEY_USERS\S-1-5-21-536743712-2674405637-1277733739-1006\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value error.]
YN -> CmdMapping\\"{39FD89BF-D3F1-45b6-BB56-3582CCF489E1}" [HKLM] -> [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value error.]
YN -> CmdMapping\\"{39FD89BF-D3F1-45b6-BB56-3582CCF489E1}" [HKLM] -> [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-536743712-2674405637-1277733739-1006\] > -> HKEY_USERS\S-1-5-21-536743712-2674405637-1277733739-1006\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value error.]
YN -> CmdMapping\\"{39FD89BF-D3F1-45b6-BB56-3582CCF489E1}" [HKLM] -> [Reg Error: Key error.]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YN -> bedihidu.dll -> 
YY -> c:\windows\system32\yozuyosa.dll -> C:\WINDOWS\System32\yozuyosa.dll
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YN -> "{22015F69-C639-4941-A145-0A7B0A77681B}" [HKLM] -> C:\Documents and Settings\All Users\Microsoft AData\sysnet.dll [SysNet]
< SharedTaskScheduler [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
YN -> "{9aecc2f4-3dd7-45a4-8455-93ec0e183aaa}" [HKLM] -> Reg Error: Key error. [kupuhivus]
[Files/Folders - Created Within 30 Days]
NY ->  C:\Program Files\Personal Guard 2009 -> C:\Program Files\Personal Guard 2009
NY -> Microsoft AData -> C:\Documents and Settings\All Users\Microsoft AData
[Files/Folders - Modified Within 30 Days]
NY ->  gehijaye -> C:\WINDOWS\System32\gehijaye
NY ->  spoov.exe -> C:\WINDOWS\spoov.exe
NY ->  certsystem.exe -> C:\WINDOWS\certsystem.exe
NY ->  regred.exe -> C:\WINDOWS\regred.exe
NY ->  usexplorer.exe -> C:\WINDOWS\usexplorer.exe
NY ->  securits.com -> C:\WINDOWS\securits.com
NY ->  microsoftdef.dll -> C:\WINDOWS\microsoftdef.dll
[Files - No Company Name]
NY ->  spoov.exe -> C:\WINDOWS\spoov.exe
NY ->  certsystem.exe -> C:\WINDOWS\certsystem.exe
NY ->  regred.exe -> C:\WINDOWS\regred.exe
NY ->  usexplorer.exe -> C:\WINDOWS\usexplorer.exe
NY ->  securits.com -> C:\WINDOWS\securits.com
NY ->  microsoftdef.dll -> C:\WINDOWS\microsoftdef.dll
NY ->  guromome.dll -> C:\WINDOWS\System32\guromome.dll
[Empty Temp Folders]
[Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• This will create a log in C:\_OTS\MovedFiles\<date>_<time>.txt where date and time are those of when the fix was run. Open it from there if it does not appear automatically on reboot. Please copy and paste or attach the contents of that file here.

Note: You may receive some errors while running the fix. Just press Ok and the fix should continue normally.
If it seems to get stuck, give it some time. It's probably still working.


STEP 2

Run OTS again and click on the Quick Scan button at the top. Attach the results of this scan in your next reply.

[TripartonChamps]

Hey, I guess my anti-virus did the job after all. haha. My subscription with CA expired a couple months back so now I use Symantec which my school gave me, but I could have sworn I removed CA and all of its components. How do I get rid of it completely?

Here is the Drop.io link to the OTS quick scan log (after the fixes):
http://drop.io/ds42jvs


And these are the results from the fixes:

All Processes Killed
[Registry - Safe List]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Brows er Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-536743712-2674405637-1277733739-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ deleted successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{39FD89BF-D3F1-45b6-BB56-3582CCF489E1} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{39FD89BF-D3F1-45b6-BB56-3582CCF489E1}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{39FD89BF-D3F1-45b6-BB56-3582CCF489E1} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{39FD89BF-D3F1-45b6-BB56-3582CCF489E1}\ not found.
Registry value HKEY_USERS\S-1-5-21-536743712-2674405637-1277733739-1006\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ not found.
Registry value HKEY_USERS\S-1-5-21-536743712-2674405637-1277733739-1006\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{39FD89BF-D3F1-45b6-BB56-3582CCF489E1} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{39FD89BF-D3F1-45b6-BB56-3582CCF489E1}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:bedihidu.dll deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\windows\system32\yozuyosa.dll deleted successfully.
File C:\WINDOWS\System32\yozuyosa.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceOb jectDelayLoad\\SysNet deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22015F69-C639-4941-A145-0A7B0A77681B}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Share dTaskScheduler\\{9aecc2f4-3dd7-45a4-8455-93ec0e183aaa} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9aecc2f4-3dd7-45a4-8455-93ec0e183aaa}\ not found.
[Files/Folders - Created Within 30 Days]
C:\Program Files\Personal Guard 2009\q folder moved successfully.
C:\Program Files\Personal Guard 2009 folder moved successfully.
C:\Documents and Settings\All Users\Microsoft AData folder moved successfully.
[Files/Folders - Modified Within 30 Days]
C:\WINDOWS\System32\gehijaye moved successfully.
C:\WINDOWS\spoov.exe moved successfully.
C:\WINDOWS\certsystem.exe moved successfully.
C:\WINDOWS\regred.exe moved successfully.
C:\WINDOWS\usexplorer.exe moved successfully.
C:\WINDOWS\securits.com moved successfully.
LoadLibrary failed for C:\WINDOWS\microsoftdef.dll
C:\WINDOWS\microsoftdef.dll moved successfully.
[Files - No Company Name]
File C:\WINDOWS\spoov.exe not found!
File C:\WINDOWS\certsystem.exe not found!
File C:\WINDOWS\regred.exe not found!
File C:\WINDOWS\usexplorer.exe not found!
File C:\WINDOWS\securits.com not found!
File C:\WINDOWS\microsoftdef.dll not found!
DllUnregisterServer procedure not found in C:\WINDOWS\System32\guromome.dll
C:\WINDOWS\System32\guromome.dll moved successfully.
[Empty Temp Folders]


User: All Users

User: Default User
->Temporary Internet Files folder emptied: 67 bytes

User: Drew
->Temp folder emptied: 755781 bytes
->Temporary Internet Files folder emptied: 11068436 bytes
->Java cache emptied: 54926062 bytes
->FireFox cache emptied: 47758228 bytes
->Apple Safari cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 65670 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 499940 bytes

User: Owner
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 3613713 bytes
Windows Temp folder emptied: 34650 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 23959580 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 2540051 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 138.51 mb

< End of fix log >
OTS by OldTimer - Version 3.1.5.0 fix logfile created on 11152009_143340

Files\Folders moved on Reboot...
C:\WINDOWS\temp\Perflib_Perfdata_8c0.dat moved successfully.

Registry entries deleted on Reboot...

[NeonFx]

The file you attached to dropio is the same log you pasted here. Please attach a new OTS Quick Scan here instead of uploading it to DropIo. To attach things here just click on the blue Reply button or on the Go Advanced button to then be able to click on the "Manage Attachments" button. Use that dialog to attach the results here instead.


Before you run OTS's Quick Scan again though, please uninstall CA using one of the following tools:

For CA 2007/2008 see HERE (there are other tools near the bottom of the page if you didn't have the whole suite )
For CA 2009 see HERE

Restart the computer and run OTS again after doing that so that I can see that the CA components were removed.

[TripartonChamps]

Lets see if this works

[NeonFx]

Looking much better

STEP 1

Run OTS

• Under the Paste Fix Here box on the right, paste in the contents of following code box

Code:

[Unregister Dlls]
[Empty Temp Folders]
[ClearAllRestorePoints]
[Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• This will create a log in C:\_OTS\MovedFiles\<date>_<time>.txt where date and time are those of when the fix was run. Open it from there if it does not appear automatically on reboot. Please copy and paste or attach the contents of that file here.

Note: You may receive some errors while running the fix. Just press Ok and the fix should continue normally.
If it seems to get stuck, give it some time. It's probably still working.


STEP 2

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Full Scan", then click Scan. Scan all of your harddrives.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediatly.

[TripartonChamps]

I apologize for my lateness. I was traveling but now I'm back to my computer. I apreciate your help thus far. Thank you.

Below is the OTS log followed by the MBAM log:

All Processes Killed
[Empty Temp Folders]


User: All Users

User: Default User
->Temporary Internet Files folder emptied: 0 bytes

User: Drew
->Temp folder emptied: 1014055 bytes
->Temporary Internet Files folder emptied: 739153 bytes
->Java cache emptied: 13689353 bytes
->FireFox cache emptied: 97789967 bytes
->Apple Safari cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33220 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Owner
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 33432 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 108.05 mb


Restorepoints cleared and new one set!
< End of fix log >
OTS by OldTimer - Version 3.1.5.0 fix logfile created on 11232009_235709

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...






Malwarebytes' Anti-Malware 1.41
Database version: 3225
Windows 5.1.2600 Service Pack 3

11/24/2009 7:09:48 PM
mbam-log-2009-11-24 (19-09-48).txt

Scan type: Full Scan (C:\|)
Objects scanned: 174784
Time elapsed: 1 hour(s), 1 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Personal Guard 2009 (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\_OTS\MovedFiles\11152009_143340\C_WINDOWS\System32\guromome.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

[NeonFx]

Excellent. Let's run a full scan of your system to be sure you're clean. This will take a while but it's worth it. It can often find things all other scans will miss.

STEP 1

Before we do, I need you to update Internet Explorer to IE8. Even if you don't use it, we need to have it updated as its components are deeply connected with Windows itself.

Please go here to download the installer:

http://www.microsoft.com/windows/internet-explorer/

STEP 2

The online scanner uses Java, so I will need you to download and install the latest version for that.

Please go here to download the installer:

http://java.com/en/download/index.jsp

Reboot your machine when that's done.

STEP 3

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.



2. To optimize scanning time and produce a more sensible report for review:

• Close any open programs
• Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.


The program will then begin downloading and installing and will also update the database.


Please be patient as this can take quite a long time to download.

• Once the update is complete, click on Settings.
• Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  
  • Spyware, adware, dialers, and other riskware
  • Archives
  • E-mail databases
  
  
• Click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View report... at the bottom.
• Click the Save report... button.
  
  
• Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply

[TripartonChamps]

Here are the scan results. And Happy (early) Thanksgiving

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, November 25, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, November 25, 2009 22:15:47
Records in database: 3291079
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 75479
Threats found: 2
Infected objects found: 15
Suspicious objects found: 0
Scan duration: 03:03:57


File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BD00000.VBN Infected: Packed.Win32.TDSS.aa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C5C0000.VBN Infected: Packed.Win32.TDSS.aa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C5C0001\4EFFA245.VBN Infected: Packed.Win32.TDSS.aa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C5C0002\4EFFA291.VBN Infected: Trojan.Win32.Vilsel.lou 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C5C0003\4EFFA2CA.VBN Infected: Packed.Win32.TDSS.aa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C5C0004\4EFFA2DC.VBN Infected: Packed.Win32.TDSS.aa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C5C0005\4EFD1CC5.VBN Infected: Packed.Win32.TDSS.aa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C5C0006\4EFD3560.VBN Infected: Packed.Win32.TDSS.aa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C5C0007\4EFD5182.VBN Infected: Packed.Win32.TDSS.aa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C5C0008\4EFD6DA1.VBN Infected: Trojan.Win32.Vilsel.lou 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C5C0009\4EFD8CB0.VBN Infected: Packed.Win32.TDSS.aa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C5C000A\4EFDA623.VBN Infected: Packed.Win32.TDSS.aa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C5C000B\4EFDC20A.VBN Infected: Packed.Win32.TDSS.aa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C5C000C\4EFDDE11.VBN Infected: Packed.Win32.TDSS.aa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C5C000D\4EFDFA30.VBN Infected: Packed.Win32.TDSS.aa 1

Selected area has been scanned.

[NeonFx]

Good. All it found was stuff that Norton already took care of.

How's the computer running?

[TripartonChamps]

Running great. Thank you for all your help!
Happy Holidays!