Expert: Brian Benosky - 1/7/2009

Question
QUESTION: I have recently encountered a problem where my PC would load up everything and as soon as it would come to the desktop (approx. 20 seconds after displaying the desktop to be precise) my computer restarts itself.

I have no idea how this happened and the only way i can access the computer without it restarting is by running it in safe-mode. Whilst in safe mode i also tried running various virus/spyware/malware detection and eradication software (for example Ad-aware and Spybot S&D) and neither have solved the problem.

Whilst running windows in normal mode (just before it restarts), i get a a warning pop up in the bottom right corner of my screen (which is in the form of a yellow triange with a black exclamation mark in the centre) telling me that that "rundll.32exe" (something along those lines) is a corrupt file and i need to run "chkdsk utility". This is almost impossible to screenshot so this is the most i can explain on that.  

To be honest i don't have a clue what is causing it, but nothing like this has ever happened before and i reckon it's not a hardware problem, because this computer has been running fine for 2 years now.

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:25:44, on 05/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 82.43.247.145
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [3a1c0a0f] rundll32.exe "C:\WINDOWS\system32\fkmsjiky.dll",b
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://disteng.nefficient.com/disteng/neffy/NeffyLauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O20 - AppInit_DLLs: imfwno.dll

--
End of file - 5916 bytes

Thanks for your time

Mike





ANSWER: Hi Mike

You definitely have some malware in there.  I will need you to run a few scans in Safe Mode with Networking.
Please download Malwarebytes' Anti-Malware to your desktop from here:
http://www.besttechie.net/tools/mbam-setup.exe
Double-click mbam-setup.exe and follow the prompts to install the program.
  * At the end, be sure a checkmark is placed next to
        o Update Malwarebytes' Anti-Malware
        o and Launch Malwarebytes' Anti-Malware
  * then click Finish.
  * If an update is found, it will download and install the latest version.
  * Once the program has loaded, select Perform full scan, then click Scan.
  * When the scan is complete, click OK, then Show Results to view the results.
  * Be sure that everything is checked, and click Remove Selected.
  * When completed, a log will open in Notepad.
  * Save that log to your desktop and continue below.

Please download ComboFix from this link:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Save it to your desktop.
Double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall.  You should now press the number 1 key and then press the enter key to continue.  ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.  If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. ComboFix may also restart your computer.  Do not intervene.  Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.  It will then display the log file automatically for you.

Copy and paste the MBAM log and the ComboFix log, along with a new HJT log in a follow-up to me.

Brian

---------- FOLLOW-UP ----------

QUESTION: Ok, i have followed all the instructions you have set me and used both the software applications which you had recommended.

I have just finished running the ComboFix scan, Windows had reset itself normally and the computer had not restarted. A positive sign.

I will restart my computer again and if i do encounter any more problems i hope that you will offer me more help. However, for now i give you all my thanks and i really appreciate the time you have given towards helping me with my problem.

Here are the logs which you asked me to obtain from both software applications.

"Malwarebytes' Anti-Malware" -

Malwarebytes' Anti-Malware 1.32
Database version: 1624
Windows 5.1.2600 Service Pack 2

06/01/2009 13:23:07
Malwarebytes Log

Scan type: Full Scan (C:\|)
Objects scanned: 133958
Time elapsed: 39 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 9
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 852

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\tuvSkHyw.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\imfwno.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\tuvSkkIA.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{394871d6-4735-466a-9c21-572d83a00fdc} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{394871d6-4735-466a-9c21-572d83a00fdc} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f24e03d4-d73b-4523-a3e3-1a0a69ee0b40} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{f24e03d4-d73b-4523-a3e3-1a0a69ee0b40} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tuvskkia (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3a1c0a0f (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Downloader) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\tuvskhyw -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\tuvskhyw

"ComboFix" -

ComboFix 09-01-05.05 - Andrzej 2009-01-06 14:17:18.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1270.985 [GMT 0:00]
Running from: c:\documents and settings\Andrzej\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning enabled* (Updated)
FW: Norton 360 *enabled*
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Andrzej\Favorites\Download programs.url
c:\documents and settings\Andrzej\Favorites\Games.url
c:\documents and settings\Andrzej\Favorites\Translator.url
c:\documents and settings\Andrzej\Favorites\Videos.url
c:\documents and settings\Andrzej\Start Menu\Programs\Download programs.url
c:\documents and settings\Andrzej\Start Menu\Programs\Games.url
c:\documents and settings\Andrzej\Start Menu\Programs\Translator.url
c:\documents and settings\Andrzej\Start Menu\Programs\Videos.url
c:\program files\windows
c:\program files\windows\system\INSTALL.LOG
c:\windows\b.exe
c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\__c00169D2.dat
c:\windows\system32\__c0021A89.dat
c:\windows\system32\__c003AC16.dat
c:\windows\system32\__c0045CD0.dat
c:\windows\system32\__c0053DA6.dat
c:\windows\system32\__c0056602.dat
c:\windows\system32\__c005EE5B.dat
c:\windows\system32\__c0061E91.dat
c:\windows\system32\__c00830A1.dat
c:\windows\system32\__c008900.dat
c:\windows\system32\__c009C22D.dat
c:\windows\system32\__c00A72E8.dat
c:\windows\system32\__c00B53BC.dat
c:\windows\system32\__c00C0472.dat
c:\windows\system32\__c00D95FF.dat
c:\windows\system32\__c00E46B8.dat
c:\windows\system32\__c00FD844.dat
c:\windows\system32\dfiwiuwg.dll
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekaxjynmdey.sys
c:\windows\system32\oqdosmav.dll
c:\windows\system32\paijlh.dll
c:\windows\system32\seneka.dat
c:\windows\system32\senekadf.dat
c:\windows\system32\senekagjciswgy.dll
c:\windows\system32\senekaijkjfduj.dll
c:\windows\system32\senekalog.dat
c:\windows\system32\senekaodlvtahm.dll
c:\windows\system32\setup.ini
C:\xcrashdump.dat

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA


(((((((((((((((((((((((((   Files Created from 2008-12-06 to 2009-01-06  )))))))))))))))))))))))))))))))
.

2012-01-23 19:16 . 2012-01-23 19:16   <DIR>   d--------   c:\program files\Gravity
2010-06-04 19:00 . 2010-06-04 19:01   <DIR>   d--------   c:\program files\Dofus
2009-01-06 11:11 . 2009-01-06 11:11   <DIR>   d--------   c:\documents and settings\Andrzej\Application Data\Malwarebytes
2009-01-06 11:10 . 2009-01-06 11:11   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
2009-01-06 11:10 . 2009-01-06 11:10   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-06 11:10 . 2009-01-04 18:41   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 11:10 . 2009-01-04 18:41   15,504   --a------   c:\windows\system32\drivers\mbam.sys
2009-01-05 17:32 . 2009-01-05 17:32   <DIR>   d--------   c:\program files\Trend Micro
2009-01-05 15:16 . 2009-01-05 15:17   <DIR>   d--------   c:\program files\CCleaner
2009-01-04 18:59 . 2009-01-04 18:59   <DIR>   d--------   c:\documents and settings\Andrzej\Application Data\RegistryDefense
2009-01-04 18:49 . 2009-01-04 18:56   <DIR>   d-a------   c:\documents and settings\All Users\Application Data\TEMP
2009-01-04 17:08 . 2009-01-04 17:08   552   --a------   c:\windows\system32\d3d8caps.dat
2009-01-04 17:00 . 2009-01-04 17:00   <DIR>   d--------   c:\program files\Microsoft Windows OneCare Live
2009-01-04 16:55 . 2009-01-04 17:00   <DIR>   d--------   c:\program files\Windows Live Safety Center
2009-01-04 16:46 . 2009-01-04 18:39   <DIR>   d--------   c:\program files\RegistryFix7
2008-12-30 13:12 . 2008-12-30 13:12   <DIR>   d--------   c:\program files\Joymax
2008-12-28 19:11 . 2009-01-03 21:57   <DIR>   d--------   c:\program files\Call of Duty Game of the Year Edition
2008-12-28 19:08 . 2008-12-28 19:26   745   --a------   c:\windows\CoD.INI
2008-12-15 05:10 . 2008-12-15 05:10   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Synthetic Reality
2008-12-15 05:09 . 2008-12-15 05:36   <DIR>   d--------   C:\WoS
2008-12-15 05:09 . 2008-12-15 05:09   <DIR>   d--------   C:\VMO
2008-12-15 04:57 . 2008-12-15 04:59   <DIR>   d--------   c:\program files\Another World
2008-12-14 18:34 . 2008-12-14 18:35   <DIR>   d--------   c:\windows\system32\Adobe
2008-12-13 03:50 . 2008-12-13 03:50   <DIR>   d--------   c:\documents and settings\Andrzej\Application Data\GarageGames
2008-12-08 03:10 . 2008-12-08 03:12   <DIR>   d--------   c:\program files\bmoworld
2008-12-07 23:31 . 2008-12-07 23:31   <DIR>   d--------   c:\program files\SocksCapV2
2008-12-07 23:31 . 1998-02-06 22:37   299,520   --a------   c:\windows\uninst.exe
2008-12-07 23:19 . 2008-12-08 00:14   <DIR>   d--------   c:\program files\FreeCap

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-22 18:15   ---------   d-----w   c:\program files\HighGrow
2009-01-06 13:26   ---------   d-----w   c:\program files\Steam
2009-01-05 15:04   ---------   d-----w   c:\documents and settings\All Users\Application Data\Kontiki
2009-01-04 17:04   12,528   ----a-w   c:\windows\system32\drivers\secdrv.sys
2009-01-03 22:05   ---------   d-----w   c:\program files\Common Files\Symantec Shared
2009-01-03 16:16   ---------   d-----w   c:\documents and settings\All Users\Application Data\Google Updater
2008-12-30 13:12   ---------   d--h--w   c:\program files\InstallShield Installation Information
2008-12-29 15:02   ---------   d-----w   c:\program files\Wolfenstein - Enemy Territory
2008-12-29 15:00   23,352   ----a-w   c:\windows\system32\drivers\PnkBstrK.sys
2008-12-29 15:00   107,832   ----a-w   c:\windows\system32\PnkBstrB.exe
2008-12-29 14:55   ---------   d-----w   c:\program files\Tibia
2008-12-28 14:57   ---------   d-----w   c:\program files\World of Warcraft
2008-12-17 04:13   31   ----a-w   c:\documents and settings\Andrzej\jagex_runescape_preferences.dat
2008-12-08 03:34   ---------   d-----w   c:\program files\Diablo II
2008-12-04 11:31   ---------   d-----w   c:\program files\PingFu Iris
2008-12-04 11:31   ---------   d-----w   c:\documents and settings\Andrzej\Application Data\ArtOfPing
2008-12-03 01:26   ---------   d-----w   c:\program files\BYOND
2008-12-02 15:20   ---------   d-----w   c:\program files\Common Files\Blizzard Entertainment
2008-12-02 02:00   ---------   d-----w   c:\documents and settings\Andrzej\Application Data\GetRightToGo
2008-12-02 01:50   ---------   d-----w   c:\program files\NCSoft
2008-12-01 21:08   ---------   d-----w   c:\documents and settings\All Users\Application Data\Blizzard
2008-12-01 20:19   ---------   d-----w   c:\documents and settings\Andrzej\Application Data\Tibia
2008-12-01 19:14   ---------   d-----w   c:\program files\Tremulous
2008-12-01 14:43   ---------   d-----w   c:\program files\Illusory Studios
2008-11-27 23:44   ---------   d-----w   c:\documents and settings\All Users\Application Data\Symantec
2008-11-24 12:08   ---------   d-----w   c:\program files\Zemi Interactive
2008-11-23 16:41   ---------   d-----w   c:\program files\Brain Seal
2008-11-14 15:30   ---------   d-----w   c:\program files\Disney
2008-10-27 10:04   70,992   ----a-w   c:\windows\system32\XAPOFX1_2.dll
2008-10-27 10:04   514,384   ----a-w   c:\windows\system32\XAudio2_3.dll
2008-10-27 10:04   235,856   ----a-w   c:\windows\system32\xactengine3_3.dll
2008-10-27 10:04   23,376   ----a-w   c:\windows\system32\X3DAudio1_5.dll
2008-10-23 13:01   283,648   ----a-w   c:\windows\system32\gdi32.dll
2008-10-16 14:13   202,776   ----a-w   c:\windows\system32\wuweb.dll
2008-10-16 14:13   1,809,944   ----a-w   c:\windows\system32\wuaueng.dll
2008-10-16 14:12   561,688   ----a-w   c:\windows\system32\wuapi.dll
2008-10-16 14:12   323,608   ----a-w   c:\windows\system32\wucltui.dll
2008-10-16 14:09   92,696   ----a-w   c:\windows\system32\cdm.dll
2008-10-16 14:09   51,224   ----a-w   c:\windows\system32\wuauclt.exe
2008-10-16 14:09   43,544   ----a-w   c:\windows\system32\wups2.dll
2008-10-16 14:08   34,328   ----a-w   c:\windows\system32\wups.dll
2008-10-16 10:37   659,456   ----a-w   c:\windows\system32\wininet.dll
2008-10-10 04:52   452,440   ----a-w   c:\windows\system32\d3dx10_40.dll
2008-10-10 04:52   4,379,984   ----a-w   c:\windows\system32\D3DX9_40.dll
2008-10-10 04:52   2,036,576   ----a-w   c:\windows\system32\D3DCompiler_40.dll
2008-04-30 12:15   435   ----a-w   c:\documents and settings\Andrzej\layout.bin
2007-11-20 09:13   54,272   ----a-w   c:\documents and settings\Andrzej\Setup.exe
2008-09-10 13:49   5,817,064   ----a-w   c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2008-06-30 12:44   324,976   ----a-w   c:\program files\mozilla firefox\components\coFFPlgn.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-10-31 12:24   576352   --a------   c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-10-31 12:24   576352   --a------   c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-10-31 12:24   576352   --a------   c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-02-20 356352]
"Steam"="c:\program files\steam\steam.exe" [2008-12-27 1410296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-12 344064]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"ezShieldProtector for Px"="c:\windows\system32\ezSP_Px.exe" [2002-08-20 40960]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"4oD"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 1294336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=imfwno.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"Symantec Core LC"=3 (0x3)
"SPTISRV"=3 (0x3)
"ServiceLayer"=3 (0x3)
"PnkBstrA"=2 (0x2)
"PACSPTISVR"=3 (0x3)
"ose"=3 (0x3)
"NetSvc"=3 (0x3)
"MDM"=2 (0x2)
"LiveUpdate Notice"=2 (0x2)
"LiveUpdate"=3 (0x3)
"KService"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=2 (0x2)
"comHost"=3 (0x3)
"CLTNetCnService"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Auto Start ITE"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\SteamApps\\mikedurkiewicz\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"=
"c:\\Program Files\\Steam\\SteamApps\\mikedurkiewicz\\day of defeat source\\hl2.exe"=
"c:\\Q3Ademo\\quake3.exe"=
"c:\\Program Files\\Steam\\SteamApps\\mikedurkiewicz\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Black Isle\\Icewind Dale II\\IWD2.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\\Program Files\\Fox\\Aliens vs. Predator 2\\lithtech.exe"=
"c:\\Program Files\\UrbanTerror\\ioUrbanTerror.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\dawn of war soulstorm demo\\Soulstorm.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40kWA.exe"=
"c:\\Program Files\\Ubisoft\\XIII Demo Online\\System\\XIII.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\Steam\\SteamApps\\mikedurkiewicz\\team fortress 2\\hl2.exe"=
"c:\\Rohan\\rohanclient.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\NCsoft\\Exteel (US)\\System\\Exteel.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires\\EMPIRESX.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\trackmania nations forever\\TmForever.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12142:TCP"= 12142:TCP:*:Disabled:BitCometLite 12142 TCP
"12142:UDP"= 12142:UDP:*:Disabled:BitCometLite 12142 UDP
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader
"3724:UDP"= 3724:UDP:Blizzard Downloader
"11366:TCP"= 11366:TCP:*:Disabled:BitCometLite 11366 TCP
"11366:UDP"= 11366:UDP:*:Disabled:BitCometLite 11366 UDP

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-21 99376]
S3 a016bus;Sony Ericsson Device A016 driver (WDM);c:\windows\system32\drivers\a016bus.sys [2008-10-14 83880]
S3 a016mdfl;Sony Ericsson Device A016 USB WMC Modeme Filter;c:\windows\system32\drivers\a016mdfl.sys [2008-10-14 15016]
S3 a016mdm;Sony Ericsson Device A016 USB WMC Modem Driver;c:\windows\system32\drivers\a016mdm.sys [2008-10-14 110504]
S3 a016mgmt;Sony Ericsson Device A016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\a016mgmt.sys [2008-10-14 104488]
S3 a016obex;Sony Ericsson Device A016 USB WMC OBEX Interface;c:\windows\system32\drivers\a016obex.sys [2008-10-14 100648]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-13 23888]
S4 Auto Start ITE;Auto Start ITE (Rev A);c:\ite_6v1.00\Bin\Auto_Start_A.exe [2007-05-01 40960]
S4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-02-18 149352]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2008-12-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Vidalia - c:\program files\Vidalia Bundle\Vidalia\vidalia.exe
HKU-Default-Run-msiexec.exe - msiconf.exe
Notify-__c00C662A - c:\windows\system32\__c00C662A.dat


.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.msn.com
uInternet Settings,ProxyServer = 82.43.247.145
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: *.antimalwareguard.com
Trusted Zone: *.gomyhit.com
Trusted Zone: *.antimalwareguard.com
Trusted Zone: *.gomyhit.com

c:\windows\Downloaded Program Files\NeffyLauncher.dll - O16 -: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C}
hxxp://disteng.nefficient.com/disteng/neffy/NeffyLauncher.cab
c:\windows\Downloaded Program Files\NeffyLauncher.inf

c:\windows\Downloaded Program Files\YYGInstantPlay.ocx - O16 -: {C49134CC-B5EF-458C-A442-E8DFE7B4645F}
hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
c:\windows\Downloaded Program Files\YYGInstantPlay.inf

c:\windows\Downloaded Program Files\iaplayer.dll - O16 -: {DB7BF79A-FC51-4B5A-92BC-A65731174380}
hxxp://www.instantaction.com/download/iaplayer.cab
c:\windows\Downloaded Program Files\cab.inf
FF - ProfilePath - c:\documents and settings\Andrzej\Application Data\Mozilla\Firefox\Profiles\hyhkfu1h.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.toggle.com/en/index.php?rvs=hompag&d=79918993
FF - prefs.js: network.proxy.ftp - 212.159.65.126
FF - prefs.js: network.proxy.ftp_port - 1080
FF - prefs.js: network.proxy.gopher - 212.159.65.126
FF - prefs.js: network.proxy.gopher_port - 1080
FF - prefs.js: network.proxy.http - 212.159.65.126
FF - prefs.js: network.proxy.http_port - 1080
FF - prefs.js: network.proxy.socks - 212.159.65.126
FF - prefs.js: network.proxy.socks_port - 1080
FF - prefs.js: network.proxy.ssl - 212.159.65.126
FF - prefs.js: network.proxy.ssl_port - 1080
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
FF - plugin: c:\program files\BYOND\bin\npbyond.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbyond.dll
FF - plugin: c:\program files\Tripleplay\TPPlugins\npvlc.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-06 14:22:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(900)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-01-06 14:28:40
ComboFix-quarantined-files.txt  2009-01-06 14:28:38

Pre-Run: 21,131,436,032 bytes free
Post-Run: 21,147,238,400 bytes free

328   --- E O F ---   2008-12-19 03:01:24

Just a quick mention - Whilst running ComboFix.exe it said that i had to de-activate Norton 360 or else there would be interferance with the scanning process. The problem was that Norton was not running in safe-mode with networking and i did not know how to stop it even if ComboFix did state that it was. Nevertheless, the ComboFix scanning process seemed to have worked and my initial problem had been rectified.

Much Thanks,

Mike

ANSWER: Hi Mike

Glad to hear the rebooting stopped.  Norton is so intertwined with Windows that it even runs in Safe Mode.  I don't recommend the Norton products for that and other reasons.  Just do me a favor and post me a new HJT log to check and see if everything is cleaned up, then you should be good to go.

Brian

---------- FOLLOW-UP ----------

QUESTION: Ok, sure thing. Many thanks again.

Mike

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:50:22, on 07/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\program files\steam\steam.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 82.43.247.145
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://disteng.nefficient.com/disteng/neffy/NeffyLauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O20 - AppInit_DLLs: imfwno.dll

--
End of file - 6878 bytes


Answer
Hi Mike

Run HJT and click the Scan Only button.  Place a check mark in the box next to the following items, close all open browser windows, then click the Fix Checked button:

O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O20 - AppInit_DLLs: imfwno.dll


After fixing, close HJT and reboot.  Post me a new HJT log, and hopefully it will show up clean and you'll be good to go.

Brian