Popup when exploring files Options

[BruceF]

I typed in NET STOP johknkyd and received the following message:

The requested pause or stop is not valid for this service.

More help is available by typing NET HELPMSG 2191.

I also tried just deleting it, but that didn't work.

[Raid]

I typed in NET STOP johknkyd and received the following message:

The requested pause or stop is not valid for this service.

More help is available by typing NET HELPMSG 2191.

I also tried just deleting it, but that didn't work.

Hmm. Alright, proceed with step 5. Update MBAM, scan, provide logs, Open HJT, scan and provide logs.

[BruceF]

Thanks again

Malwarebytes' Anti-Malware 1.30
Database version: 1402
Windows 5.1.2600 Service Pack 3

11/16/2008 10:51:19 PM
mbam-log-2008-11-16 (22-51-19).txt

Scan type: Quick Scan
Objects scanned: 39678
Time elapsed: 6 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f56c5fd6-a52c-4e65-a54a-31fe0dc87e06} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{f56c5fd6-a52c-4e65-a54a-31fe0dc87e06} (Trojan.BHO.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ombha.dll (Trojan.BHO.H) -> Delete on reboot.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:59:04 PM, on 11/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\mgabg.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\PDesk\PDesk.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\1181333827\ee\AOLSoftware.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F56C5FD6-A52C-4E65-A54A-31FE0DC87E06} - C:\WINDOWS\system32\ombha.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Launch Ai Booster] C:\Program Files\ASUS\Ai Booster\OverClk.exe 1
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1181333827\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1181247306625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1181247358875
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\System32\mgabg.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10662 bytes

[Raid]

Ehm... After you ran MBAM, did you reboot?

And once you have rebooted and scanned again, are the entries back?

[BruceF]

Yes. I just ran them again and rebooted. Here are the logs.

Malwarebytes' Anti-Malware 1.30
Database version: 1405
Windows 5.1.2600 Service Pack 3

11/17/2008 1:34:45 PM
mbam-log-2008-11-17 (13-34-45).txt

Scan type: Quick Scan
Objects scanned: 49173
Time elapsed: 7 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f56c5fd6-a52c-4e65-a54a-31fe0dc87e06} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{f56c5fd6-a52c-4e65-a54a-31fe0dc87e06} (Trojan.BHO.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ombha.dll (Trojan.BHO.H) -> Delete on reboot.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:35:06 PM, on 11/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\mgabg.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\PDesk\PDesk.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\1181333827\ee\AOLSoftware.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F56C5FD6-A52C-4E65-A54A-31FE0DC87E06} - C:\WINDOWS\system32\ombha.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Launch Ai Booster] C:\Program Files\ASUS\Ai Booster\OverClk.exe 1
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1181333827\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1181247306625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1181247358875
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\System32\mgabg.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10421 bytes

[Raid]

Strange....

Alright, evidently something isn't as it's claiming to be.. So lets get a 2nd opinion real quick:

Please download and run the Trend Micro Sysclean Package on your computer.
NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.

Trend Micro Damage Cleanup Engine


Make sure you read this document to understand how to use the program. Trend Micro Sysclean Package README 1st

Basically there are 3 parts that need to be downloaded from these links:

1. Sysclean Package
2. Virus Pattern Files
3. Spyware Pattern Files

• As an example on 2008-10-17 the files to download are: sysclean.com | lpt605.zip | ssapiptn697.zip
• NOTE! These file names are examples and you must visit Trend Micro for the very latest files which may have different names.
• Create a brand new folder to copy these files to.
• As an example: C:\DCE
• Then open each of the zipped archive files and copy their contents to C:\DCE
• Copy the file sysclean.com to the new folder C:\DCE as well.
• Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.
  
  After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.

• This self-extracting archive is a stand-alone fix package that incorporates the Trend Micro VSAPI Malware and Spyware scanning engines as well as the Trend Micro Damage Cleanup Engine and Template.
  This tool supports the following features:
  o Terminate all detected malware/spyware instances in memory
  o Remove malware/spyware registry entries
  o Remove malware/spyware entries from system files
  o Scan for and delete all detected malware/spyware copies in all local drives

How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista

[BruceF]

Thanks again for your help and patience.

I'm going to take the time to look all of this over and run it tomorrow evening. I'll post the results as soon as I have them.

[AdvancedSetup]

Thanks Bruce. Please don't forget to upload the log from this scanner as well.

[BruceF]

Here is the result of sysclean.log:



/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006-2007, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2008-11-18, 17:20:54, Auto-clean mode specified.
2008-11-18, 17:20:54, Initialized Rootkit Driver version 2.2.0.1004.
2008-11-18, 17:20:54, Running scanner "C:\DCE\TSC.BIN"...
2008-11-18, 17:22:33, Scanner "C:\DCE\TSC.BIN" has finished running.
2008-11-18, 17:22:33, TSC Log:

ÿþD a m a g e C l e a n u p E n g i n e ( D C E ) 6 . 0 ( B u i l d 1 0 5 3 )


W i n d o w s X P ( B u i l d 2 6 0 0 : S e r v i c e P a c k 3 )




S t a r t t i m e : T u e N o v 1 8 2 0 0 8 1 7 : 2 0 : 5 7





L o a d D a m a g e C l e a n u p T e m p l a t e ( D C T ) " C : \ D C E \ T M R D C T . p t n " ( v e r s i o n ) [ f a i l ]


L o a d D a m a g e C l e a n u p T e m p l a t e ( D C T ) " C : \ D C E \ t s c . p t n " ( v e r s i o n 9 8 8 ) [ s u c c e s s ]





C o m p l e t e t i m e : T u e N o v 1 8 2 0 0 8 1 7 : 2 2 : 3 3


E x e c u t e p a t t e r n c o u n t ( 3 0 1 7 ) , V i r u s f o u n d c o u n t ( 0 ) , V i r u s c l e a n c o u n t ( 0 ) , C l e a n f a i l e d c o u n t ( 0 )





2008-11-18, 17:22:33, Running scanner "C:\DCE\VSCANTM.BIN"...
2008-11-18, 18:32:27, Scanner "C:\DCE\VSCANTM.BIN" has finished running.
2008-11-18, 18:32:27, VSCANTM Log:

2008-11-18, 18:32:27, Files Detected:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 11/18/2008 17:22:33
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 657 (332094/332094 Patterns) (2008/11/17) (565700)

Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\DCE\lpt$vpn.657

123169 files have been read.
123169 files have been checked.
123136 files have been scanned.
433599 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 11/18/2008 18:32:27 1 hour 9 minutes 53 seconds (4193.13 seconds) has elapsed.(34.044 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2008-11-18, 18:32:27, Files Clean:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 11/18/2008 17:22:33
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 657 (332094/332094 Patterns) (2008/11/17) (565700)

Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\DCE\lpt$vpn.657

123169 files have been read.
123169 files have been checked.
123136 files have been scanned.
433599 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 11/18/2008 18:32:27 1 hour 9 minutes 53 seconds (4193.13 seconds) has elapsed.(34.044 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2008-11-18, 18:32:27, Clean Fail:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 11/18/2008 17:22:33
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 657 (332094/332094 Patterns) (2008/11/17) (565700)

Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\DCE\lpt$vpn.657

123169 files have been read.
123169 files have been checked.
123136 files have been scanned.
433599 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 11/18/2008 18:32:27 1 hour 9 minutes 53 seconds (4193.13 seconds) has elapsed.(34.044 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2008-11-18, 18:32:27, Running scanner "C:\DCE\VSCANTM.BIN"...
2008-11-18, 20:11:50, Scanner "C:\DCE\VSCANTM.BIN" has finished running.
2008-11-18, 20:11:50, VSCANTM Log:

2008-11-18, 20:11:50, Files Detected:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 11/18/2008 18:32:28
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 657 (332094/332094 Patterns) (2008/11/17) (565700)

Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR E:\*.* /P=C:\DCE\lpt$vpn.657

E:\Downloads\Books\Trading\Temp\swing trading strategy Imagine a swing trading strategy so powerful that it could take you..exe [TROJ_CLICKER.ATG]
E:\Downloads\Books\Trading\Temp\swing trading strategy Learn how to apply Science to trading stocks. The entire Universe is governed by science, the markets are no.exe [TROJ_CLICKER.ATG]
E:\Downloads\Books\Zip\A new and effective way to get the results you desire. With Online Coaching receive Exclusive Program Email Support 247 14 Day Free.exe [TROJ_CLICKER.ATG]
E:\RECYCLER\NPROTECT\00000001.EXE [TROJ_CLICKER.ATG]
157924 files have been read.
157924 files have been checked.
157918 files have been scanned.
313080 files have been scanned. (including files in archived)
4 files containing viruses.
Found 4 viruses totally.
Maybe 0 viruses totally.
Stop At: 11/18/2008 20:11:50 1 hour 39 minutes 21 seconds (5960.72 seconds) has elapsed.(37.744 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2008-11-18, 20:11:50, Files Clean:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 11/18/2008 18:32:28
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 657 (332094/332094 Patterns) (2008/11/17) (565700)

Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR E:\*.* /P=C:\DCE\lpt$vpn.657

157924 files have been read.
157924 files have been checked.
157918 files have been scanned.
313080 files have been scanned. (including files in archived)
4 files containing viruses.
Found 4 viruses totally.
Maybe 0 viruses totally.
Stop At: 11/18/2008 20:11:50 1 hour 39 minutes 21 seconds (5960.72 seconds) has elapsed.(37.744 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2008-11-18, 20:11:50, Clean Fail:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 11/18/2008 18:32:28
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 657 (332094/332094 Patterns) (2008/11/17) (565700)

Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR E:\*.* /P=C:\DCE\lpt$vpn.657

157924 files have been read.
157924 files have been checked.
157918 files have been scanned.
313080 files have been scanned. (including files in archived)
4 files containing viruses.
Found 4 viruses totally.
Maybe 0 viruses totally.
Stop At: 11/18/2008 20:11:50 1 hour 39 minutes 21 seconds (5960.72 seconds) has elapsed.(37.744 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2008-11-18, 20:11:50, Running SSAPI scanner ""...
2008-11-18, 21:22:43, SSAPI Log:

SSAPI Scanner Version: 1.0.1003
SSAPI Engine Version: 5.2.1032
SSAPI Pattern Version: 7.05
SSAPI Anti-Rootkit Version: 2.2.0.1004

Spyware Scan Started: 11/18/2008 20:11:54

Detected: 0 items.

Spyware Scan Ended: 11/18/2008 21:22:43
Scan Complete. Time=4252.528809.

[BruceF]

I then updated MBAM did a scan, rebooted, and rescanned:

Malwarebytes' Anti-Malware 1.30
Database version: 1410
Windows 5.1.2600 Service Pack 3

11/18/2008 10:10:18 PM
mbam-log-2008-11-18 (22-10-18).txt

Scan type: Quick Scan
Objects scanned: 49290
Time elapsed: 7 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f56c5fd6-a52c-4e65-a54a-31fe0dc87e06} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{f56c5fd6-a52c-4e65-a54a-31fe0dc87e06} (Trojan.BHO.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ombha.dll (Trojan.BHO.H) -> Delete on reboot.

[AdvancedSetup]

Wow... stubborn little bugger.

Can you actually locate this file in that location with Windows Explorer?

[BruceF]

Yes. C:\WINDOWS\system32\ombha.dll is showing up. But, I've tried to delete it and it says access denied. I've even tried booting into safe mode with command prompt to delete it with the same results.

FWIW, I haven't had the popup in a couple of days.

[AdvancedSetup]

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program

Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• Click Yes to allow ComboFix to continue scanning for malware.
• When the tool is finished, it will produce a report for you.
• Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

[BruceF]

Okay. I'll give that a try and report back.

[BruceF]

Had a scary moment when running this. When I dragged the recovery console download onto combofix it started and installed it okay. But, then combofix said the recovery console was not installed and asked if it should install it. I said yes and then it said the console was already installed. It seemed to run fine from there. Here are the results:



ComboFix 08-11-18.A2 - Bruce 2008-11-19 21:54:59.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.651 [GMT -5:00]
Running from: c:\documents and settings\Bruce\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Bruce\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://onestopstation.net
.
((((((((((((((((((((((((( Files Created from 2008-10-20 to 2008-11-20 )))))))))))))))))))))))))))))))
.

2008-11-17 22:39 . 2008-11-18 21:33 <DIR> d-------- C:\DCE
2008-11-16 16:47 . 2008-11-16 16:47 17,709 --a------ c:\windows\system32\drivers\johknkyd.zip
2008-11-16 13:39 . 2008-11-16 13:45 250 --a------ c:\windows\gmer.ini
2008-11-14 23:52 . 2008-11-14 23:52 44,951 --a------ c:\windows\SM1bg.zip
2008-11-14 16:02 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-11-14 16:01 . 2008-11-14 16:01 <DIR> d-------- c:\program files\Panda Security
2008-11-14 01:58 . 2008-11-14 02:04 <DIR> d-------- c:\documents and settings\Bruce\.housecall6.6
2008-11-14 01:38 . 2008-11-14 01:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-11-14 01:19 . 2008-11-14 01:19 <DIR> d-------- c:\program files\Trend Micro
2008-11-13 17:31 . 2008-11-13 17:45 <DIR> d-------- c:\documents and settings\Bruce\Application Data\Download Manager
2008-11-11 18:07 . 2008-11-11 20:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-09 22:50 . 2008-11-09 22:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
2008-11-09 21:53 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-09 21:53 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-08 18:38 . 2008-11-08 18:38 <DIR> d-------- c:\windows\system32\scripting
2008-11-08 18:38 . 2008-11-08 18:38 <DIR> d-------- c:\windows\system32\en
2008-11-08 18:38 . 2008-11-08 18:38 <DIR> d-------- c:\windows\l2schemas
2008-11-08 17:58 . 2008-04-13 19:12 712,704 --------- c:\windows\system32\windowscodecs.dll
2008-11-08 17:58 . 2008-04-13 19:12 346,112 --------- c:\windows\system32\windowscodecsext.dll
2008-11-08 17:58 . 2008-04-13 19:12 290,304 --------- c:\windows\system32\rhttpaa.dll
2008-11-08 17:58 . 2008-04-13 19:12 276,992 --------- c:\windows\system32\wmphoto.dll
2008-11-08 17:58 . 2008-04-13 19:12 76,800 --------- c:\windows\system32\qutil.dll
2008-11-08 17:58 . 2008-04-13 19:12 69,120 --------- c:\windows\system32\wlanapi.dll
2008-11-08 17:58 . 2008-04-13 19:12 61,952 --------- c:\windows\system32\rasqec.dll
2008-11-08 17:58 . 2008-04-13 19:12 53,248 --------- c:\windows\system32\tsgqec.dll
2008-11-08 17:58 . 2008-04-13 19:12 50,688 --------- c:\windows\system32\tspkg.dll
2008-11-08 17:58 . 2008-04-13 19:12 32,768 --------- c:\windows\system32\setupn.exe
2008-11-08 17:58 . 2008-04-13 13:40 10,240 --------- c:\windows\system32\drivers\sffp_mmc.sys
2008-11-08 17:56 . 2008-04-13 19:11 650,752 --------- c:\windows\system32\dot3ui.dll
2008-11-08 17:25 . 2008-09-08 05:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-11-08 17:24 . 2008-08-14 05:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-11-08 17:24 . 2008-08-14 05:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-11-08 17:24 . 2008-08-14 04:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-11-08 17:24 . 2008-08-14 04:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-11-08 17:24 . 2008-09-15 07:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-11-08 17:24 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-11-04 17:12 . 2008-11-04 17:12 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-11-01 13:59 . 2008-11-13 17:45 116,480 --a------ c:\windows\system32\ombha.dll
2008-10-30 17:26 . 2008-10-30 17:26 <DIR> d--hs---- c:\windows\ftpcache
2008-10-28 17:36 . 2008-10-28 17:36 823,296 --a------ c:\windows\system32\divx_xx0c.dll
2008-10-28 17:36 . 2008-10-28 17:36 823,296 --a------ c:\windows\system32\divx_xx07.dll
2008-10-28 17:35 . 2008-10-28 17:35 815,104 --a------ c:\windows\system32\divx_xx0a.dll
2008-10-28 17:35 . 2008-10-28 17:35 802,816 --a------ c:\windows\system32\divx_xx11.dll
2008-10-28 17:35 . 2008-10-28 17:35 684,032 --a------ c:\windows\system32\DivX.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-20 02:59 103,923,744 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-20 02:43 1,219,580 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-11-20 02:39 1,634 ----a-w c:\program files\eSignalMHP - Detail.dtl
2008-11-19 14:30 --------- d-----w c:\program files\eSignal
2008-11-19 14:29 --------- d-----w c:\program files\Mozilla Thunderbird
2008-11-19 02:36 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-15 06:18 --------- d-----w c:\program files\Norton SystemWorks
2008-11-15 03:46 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-12 17:56 17,842,963 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-11-12 02:00 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-11 19:27 11,514 ----a-w c:\program files\eSignalMHP,D - AdvCh.ach
2008-11-11 04:01 10,973 ----a-w c:\program files\eSignalMHP,5 - AdvCh.ach
2008-11-10 02:53 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-11-09 12:40 --------- d-----w c:\program files\eMule
2008-11-09 04:32 --------- d-----w c:\program files\Full Tilt Poker
2008-11-09 02:52 --------- d-----w c:\documents and settings\Bruce\Application Data\Move Networks
2008-11-09 00:18 --------- d-----w c:\program files\Replay AV 8
2008-11-08 21:45 --------- d-----w c:\program files\DivX
2008-11-08 06:32 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-08 04:34 --------- d-----w c:\program files\Common Files\Adobe
2008-11-01 17:20 841,728 ----a-w c:\windows\Internet Logs\xDB21.tmp
2008-10-30 16:35 1,714,688 ----a-w c:\windows\Internet Logs\xDB20.tmp
2008-10-25 22:26 1,679,360 ----a-w c:\windows\Internet Logs\xDB1F.tmp
2008-10-21 13:09 1,512,448 ----a-w c:\windows\Internet Logs\xDB1E.tmp
2008-10-17 17:28 2,697,728 ----a-w c:\windows\Internet Logs\xDB1D.tmp
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-14 21:35 --------- d-----w c:\program files\DAP
2008-10-14 21:34 50,688 ----a-w c:\windows\system32\wbhelp2.dll
2008-10-14 21:34 --------- d-----w c:\documents and settings\All Users\Application Data\SpeedBit
2008-10-14 02:43 737,280 ----a-w c:\windows\iun6002.exe
2008-10-08 07:03 43,872 ------w c:\windows\system32\drivers\PxHelp20.sys
2008-10-08 07:03 129,520 ------w c:\windows\system32\pxafs.dll
2008-10-08 07:03 120,568 ------w c:\windows\system32\pxcpyi64.exe
2008-10-08 07:03 118,256 ------w c:\windows\system32\pxinsi64.exe
2008-10-04 19:54 --------- d-----w c:\documents and settings\Bruce\Application Data\BitTorrent
2008-10-03 21:24 --------- d-----w c:\documents and settings\Bruce\Application Data\Imagenomic
2008-10-03 21:20 --------- d-----w c:\program files\Instant JPEG From RAW
2008-09-29 03:41 4,988 ----a-w c:\windows\system32\tmp.reg
2008-09-29 03:15 --------- d-----w c:\documents and settings\Bruce\Application Data\Malwarebytes
2008-09-29 03:15 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-09-27 22:13 --------- d-----w c:\documents and settings\Bruce\Application Data\OpenOffice.org2
2008-09-25 08:03 81,920 ----a-w c:\windows\system32\dpl100.dll
2008-09-25 08:03 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-25 08:03 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-25 08:03 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-09-25 08:03 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-09-25 08:03 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-09-25 08:03 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-09-25 08:03 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-19 21:57 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-09-19 21:55 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-19 21:54 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-14 17:32 98,304 ----a-w c:\windows\DUMP5ae1.tmp
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-23 02:40 61,224 ----a-w c:\documents and settings\Bruce\GoToAssistDownloadHelper.exe
2008-01-05 00:30 1,681 ----a-w c:\program files\eSignalPortfolio1.por
2003-08-27 18:19 36,963 ----a-r c:\program files\Common Files\SM1updtr.dll
2008-10-17 00:04 27,976 ----a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-10-17 00:04 125,848 ----a-w c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-10-17 00:04 98,712 ----a-w c:\program files\mozilla firefox\plugins\ieatgpc.dll
2005-07-14 18:31 27,648 --sha-w c:\windows\system32\AVSredirect.dll
2005-06-26 21:32 616,448 --sha-r c:\windows\system32\cygwin1.dll
2005-06-22 04:37 45,568 --sha-r c:\windows\system32\cygz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F56C5FD6-A52C-4E65-A54A-31FE0DC87E06}]
2008-11-13 17:45 116480 --a------ c:\windows\system32\ombha.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Norton SystemWorks"="c:\program files\Norton SystemWorks\cfgwiz.exe" [2004-09-09 132248]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Matrox Powerdesk"="c:\windows\System32\PDesk\PDesk.exe" [2006-03-02 684032]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"Launch Ai Booster"="c:\program files\ASUS\Ai Booster\OverClk.exe" [2004-01-19 1892864]
"ASUS Probe"="c:\program files\ASUS\Probe\AsusProb.exe" [2002-12-06 617984]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 58984]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2007-06-07 100056]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-06-07 185896]
"HostManager"="c:\program files\Common Files\AOL\1181333827\ee\AOLSoftware.exe" [2006-09-25 50736]
"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2004-01-27 1179648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-12-06 69216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"EPSON Stylus C88 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE" [2005-01-27 98304]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]

c:\documents and settings\Bruce\Start Menu\Programs\Startup\
palmOne Registration.lnk - c:\program files\palmOne\register.exe [2005-06-09 2355200]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-06-09 471040]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-11-02 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2008-05-16 18:08 289088 c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1181333827\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

R0 johknkyd;johknkyd;c:\windows\system32\drivers\johknkyd.sys [2003-03-31 23424]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-11-14 28544]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};\??\c:\program files\CyberLink\PowerDVD\000.fcl [2007-06-24 14:24:47 13560]
R3 G200;G200;c:\windows\system32\DRIVERS\g200mini.sys [2007-06-07 261120]
S3 APLMp50;APLMp50 NDIS Protocol Driver;c:\windows\system32\Drivers\APLMp50.sys [2006-07-31 18816]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-11-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2008-11-15 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Bruce.job
- c:\progra~1\NORTON~1\NORTON~3\Navw32.exe [2005-01-10 11:20]

2008-11-15 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks\OBC.exe [2004-11-04 00:19]

2008-11-19 c:\windows\Tasks\Symantec Drmc.job
- c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2004-10-27 13:48]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Bruce\Application Data\Mozilla\Firefox\Profiles\rps2e06z.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.investors.com/
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\DNA\plugins\npbtdna.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\np_gp.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npaxctrl.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-19 21:58:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
Completion time: 2008-11-19 22:01:50
ComboFix-quarantined-files.txt 2008-11-20 03:01:10

Pre-Run: 34,314,190,848 bytes free
Post-Run: 34,340,724,736 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

266 --- E O F --- 2008-11-08 23:49:49

[AdvancedSetup]

Well first off you need to uninstall ALL the Peer2Peer software like emule, bit torrent, etc...

Are you still running any Norton products or AV on your system ?

Are you using AOL (America Online) ?

[BruceF]

Hmmm. I didn't know the P2P stuff was on here. But, they've now been uninstalled. I do have Norton as the AV and ZoneAlarm as the firewall, currently. AOL gets used on occasion.

[AdvancedSetup]

Okay thanks for the information. It looks like you have at least one modified Microsoft file on your system which is not good.

Please run this tool which will hopefully help us locate Microsoft files that are not digitally signed.

Click on START - RUN and type in SIGVERIF and click OK
This is a Microsoft File Signature Verification program that will check some file status for us.

• Click on the START button and let it run.
• It will popup a box when it's done to show the status, you can close that box.
• Close the File Signature Verification application.
• Find and attach the file C:\WINDOWS\SIGVERIF.TXT to your reply.
• DO NOT post the log directly into your reply, attach the file please.

Can you also start REGEDIT and browse to the location where ombha.dll is located and check the Permissions on it. See if you can delete that entry or not directly in Regedit. If you can, then wait about 60 seconds and refresh Regedit or quit and restart Regedit and see if the entry is back in or not.

Thanks.

[AdvancedSetup]

Also please try running this. Close ALL applications first, including the Browser, so that no program is running.

Click on START - RUN and copy / paste this entry into the box and click OK (after closing the browser).

CODE

CMD /C netstat -a -b -o -v >C:\MYSERVICES.TXT

This will open a black DOS window for a minute or so while it gathers the information.

When it closes please browse to this location and open the file with Notepad and post here if not too big, if it's big then just attach the file please.

C:\MYSERVICES.TXT

[BruceF]

I tried to attach the SIGVERIF.TXT file, but it said it was too big. So, I've zipped it up and attached that.

I found an entry for a REG_SZ C:\WINDOWS\system32\ombha.dll under
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\dll
I was able to delete that one. It hasn't come back so far.

I found one under
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F56C5FD6-A52C-4E65-A54A-31FE0DC87E06}\InprocServer32
But, it wouldn't delete.

When I go to Edit>Permissions it looks like it applies to the \InprocServer32 folder. Allow Full Control and Read are checked. I can click on Deny, but I'm not sure if I should or not. Is that the permission you are talking about? If so, what should I do?

Thanks again for your help.

Attached File(s)

 SIGVERIF.zip ( 30.71K ) Number of downloads: 17