Author Topic: Win32:Daonol-P[Trj]  (Read 14030 times)


Kelcher

  • Guest
Win32:Daonol-P[Trj]
« on: June 05, 2009, 02:10:25 AM »
Okay,

I've got a virus.  I'm looking at the top stickied thread, and I'll try to provide the information requested for help.

Quote
Check if the Worm or Virus is included in the list of malware that the avast CLEANER can remove:
http://www.avast.com/i_idt_171.html

Tried, but the link is dead.

Quote
- What WIN do you have ? Are all ServicePacks and Windowsupdates applied ? Please CHECK !!

- What name does avast give the virus (e.g. like: "Win32:Netsky-P [Wrm]" )  ?

- Where exactly was the infected File found (full path/folder/filename, e.g. like c:\Windows\system32\virusfile.exe) ?
You'll get this info from the Alert/PopUp window or from avast's report/Log-files. If you can't start avast, look for the info in the logfiles in the avast (sub-)folders and
in the EventLog of Win XP / 2000: Controlpanel -> Administration -> Event-log

-Windows XP Home Edition Version 2002 Service Pack 3

-Win32:Daonol-P[Trj]

-c:\windows\RYQAAWR.DVX and a few dozen variations of this, all in c:\windows.  By variations, I mean all starting with c:\windows\ryqaawr.dvx, but having different numbers of x's at the end.  E.g. -c:\windows\RYQAAWR.DVXX, -c:\windows\RYQAAWR.DVXXX etc.

Background.  Mcafee was using up so many system resources, the computer was just about unusable.  I uninstalled it, planning to install Avast.  Stupidly, I waited like a week, and suddenly:

-I started clicking links from search results, and occasionally instead of going to the page I had clicked, I got redirected to another site.

-Decided to check AV sites, but was blocked from accessing them.

-Tried to download Avast through download.com, but couldn't download.

-Managed to download Avast through a different server and install.

-Avast didn't find the virus.

-Tried to download most recent database through the Avast interface, but got 501 errors.

-Downloaded most recent database from the Avast website, and got Avast updated.

-It then began finding the virus every time I started a new program.

-I scanned, and it found the virus several times during the scan.

-In all cases, when Avast has found the virus, I've added it to the chest.  There are now 60 files in the chest.

-There are 20 versions in c:\windows (just looking through Windows Explorer)

I'm wondering:

a) if i can find out what type of damage this particular virus can do/has done

b) find a way to clean it.

I uploaded one of the files in c:\windows to virustotal.com, and have a report.  I can post it here, if that makes sense.

Very appreciative of anyone who can help me out. 

Kelcher

  • Guest
Re: Win32:Daonol-P[Trj]
« Reply #1 on: June 05, 2009, 02:28:21 AM »
By the way, I should add that since having updated the virus database, and now that Avast seems to find the virus every time it executes (if that's the right term?), I AM able to access AV sites like McAfee, and I am able to update the database from within the Avast interface.  Also, my browser doesn't seem to be redirecting any more. 

I don't know if that means the damage is being contained or not, but I do know that every time I start a program, I still get the siren and have to send another version of this to the chest, so it's clearly not gone.

For what that's worth.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89168
  • No support PMs thanks
Re: Win32:Daonol-P[Trj]
« Reply #2 on: June 05, 2009, 02:39:28 AM »
First, even if the link weren't dead (that topic is getting long in the tooth), the avast cleaner is for a very limited set of viruses/worms, and your detection, a Trojan, doesn't come under the worms/viruses that it can repair/clean. So installing avast is the best way to go.

Based on only the file names and locations the detections appear to be good as a few google searches on the file names return zero hits, suspicious for anything in the windows folder.

When you get avast installed and running, I would suggest running this tool to ensure all remnants of McAfee are gone; see #### below.

I think that avast has gone some way to cleaning your system, but I would suggest two more applications to complement avast and see if they also find other hidden/undetected elements. Don't worry about tracking cookies, not a big issue, but let SAS deal with them.

If you haven't already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

What is your firewall ?
The reason I ask is Daonol is meant to be an info stealer, so I would also advise changing any security/confidential passwords (definitely for stronger ones), and changing the username if allowed may be a good idea too.

####
McAfee has an uninstall tool that you could run to ensure any possible remnants are removed.
http://download.mcafee.com/products/licensed/cust_support_patches/VSCleanupTool.exe Or http://majorgeeks.com/McAfee_Consumer_Product_Removal_Tool_d5420.html
 
2007 version - http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe
 
Also see - How do I uninstall SecurityCenter? http://ts.mcafeehelp.com/faq3.asp?docid=71525
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Kelcher

  • Guest
Re: Win32:Daonol-P[Trj]
« Reply #3 on: June 05, 2009, 06:08:44 AM »
Thank you for the help.  I'm going to try to do this one step at a time.  

First.  I downloaded and updated Malwarebytes Anti-malware, and ran a quick scan.  I should note that Avast was still running when I ran the Malwarebytes scan.  Malwarebytes detected all of the files still in C:\Windows (to which I alluded earlier).  Every time it detected one, Avast detected it, and let me put it in the chest.  I don't know if they're supposed to work in concert like this, but that's what happened.

So, here is the log from Malwarebytes (the registry key infection seems to be something that Avast didn't find):

---------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.37
Database version: 2232
Windows 5.1.2600 Service Pack 3

6/4/2009 9:04:25 PM
mbam-log-2009-06-04 (21-04-05).txt

Scan type: Quick Scan
Objects scanned: 90462
Time elapsed: 19 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 20

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (Trojan.Gumblar) -> No action taken.
c:\WINDOWS\ryqaawr.dvx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxxx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxxxx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxxxxx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxxxxxxxxx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxxxxx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxxxxxx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (Trojan.Gumblar) -> No action taken.

---------------------------------------------------

I'm taking no action until I hear back.  And, I'm waiting to download and run the other program as well.  

Thanks.
« Last Edit: June 05, 2009, 06:14:22 AM by Kelcher »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89168
  • No support PMs thanks
Re: Win32:Daonol-P[Trj]
« Reply #4 on: June 05, 2009, 03:25:35 PM »
What may be happening is that as MBAM detects this and/or tries to move it, avast is then able to see it and detect it and move it to the chest.

So I don't know if that would subsequently stop MBAM actually moving it to its quarantine as I see in your log the No action taken suffix to the entries. So yes you should run MBAM again and this time when the scan is complete, all detections should have a check mark in the box to the left of the entry, leave them selected (or select if not selected). At the bottom of the window there is a button, Remove Selected, click that and the items will be removed.
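As an added example (not code from this thread, from Malwarebytes or from avast), here is a small Python parser for the MBAM 1.x log layout posted above. It picks out entries whose action is still "No action taken", which is the point raised in the reply, and collapses the ryqaawr.dvx / .dvxx / .dvxxx... names into one family so a responder can see them as a single infection rather than twenty unrelated files. The log text is a constructed sample in the same layout; the "Quarantined and deleted successfully" line is an assumed alternative action string.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the Malwarebytes' Anti-Malware 1.x log
# quoted in the thread (file names shortened; detection names as reported there).
SAMPLE_LOG = r"""
Registry Keys Infected: 1
Files Infected: 3

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\ryqaawr.dvx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxxxxx (Trojan.Gumblar) -> Quarantined and deleted successfully.
"""

# A section header is "<Name> Infected:" with nothing after the colon; the
# summary lines near the top ("Files Infected: 3") have a count and are skipped.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# One detection line: "<item> (<detection name>) -> <action>."
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return a list of dicts with keys section, item, detection, action."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            continue
        if section is None or line.startswith("(No malicious items detected)"):
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            findings.append({"section": section, **entry.groupdict()})
    return findings


def unactioned(findings):
    """Entries the scanner only reported; nothing was quarantined or removed."""
    return [f for f in findings if f["action"].lower().startswith("no action taken")]


def file_name_families(findings):
    """Count 'Files Infected' entries by name with the trailing repeated
    character collapsed, so ryqaawr.dvx, ryqaawr.dvxx, ... become one key.
    Padding the extension defeats exact-name matching; this makes the family visible."""
    families = defaultdict(int)
    for f in findings:
        if f["section"] != "Files Infected":
            continue
        name = f["item"].rsplit("\\", 1)[-1].lower()
        families[re.sub(r"(.)\1*$", r"\1", name)] += 1
    return dict(families)


def summarize(text):
    findings = parse_mbam_log(text)
    return {
        "total": len(findings),
        "unactioned": len(unactioned(findings)),
        "detections": sorted({f["detection"] for f in findings}),
        "families": file_name_families(findings),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```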

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Win32:Daonol-P[Trj]
« Reply #5 on: June 05, 2009, 05:15:54 PM »
The virus is replicant... I suggest you get rid of it asap.
I generally suggest:

1. Clean your temporary files.
2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
3. Use MBAM (or SUPERantispyware or even Spyware Terminator) to scan for spywares and trojans. If any infection is detected, it is better and safer to send the files to Quarantine than to simply delete them.
4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
5. Make a HijackThis log to post here or at this analysis site. Or even submit the RunScanner log to on-line analysis.
6. Disable System Restore and then reenable it again.
7. Immunize your system with SpywareBlaster.
8. Check if you have insecure applications with Secunia Software Inspector.

Maybe you could run MBAM booting in Safe Mode (I'm not sure).
The best things in life are free.

Kelcher

  • Guest
Re: Win32:Daonol-P[Trj]
« Reply #6 on: June 09, 2009, 07:53:35 PM »
Quote
1. Clean your temporary files.

Done

Quote
2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.

Did the boot time scan with archive scanning turned on.  Avast found several infected files, and put them all in the chest.

Quote
3. Use MBAM (or SUPERantispyware or even Spyware Terminator) to scan for spywares and trojans. If any infection is detected, better and safer is send the file to Quarantine than to simple delete them.

Did a full scan with MBAM and it came out clean.

Quote
4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.

Used the Avast antirootkit.  Scan came out clean.

Quote
5. Make a HijackThis log to post here or this analysis site. Or even submit the RunScanner log to to on-line analysis.

Done.  Will post the HJT Log in next post.

Quote
6. Disable System Restore and then reenable it again.
7. Immunize your system with SpywareBlaster.
8. Check if you have insecure applications with Secunia Software Inspector.

Planning to do these next.  Might need a little more info on (6).

Thanks again.

Kelcher

  • Guest
Re: Win32:Daonol-P[Trj]
« Reply #7 on: June 09, 2009, 07:55:06 PM »
Darned 10000 character limit. Here's part 1 of the HJT log:

Quote
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:49:47 AM, on 6/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

Kelcher

  • Guest
Re: Win32:Daonol-P[Trj]
« Reply #8 on: June 09, 2009, 07:56:17 PM »
Part 2 of HJT log:

Quote
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\yt.dll
--
End of file - 12668 bytes

Kelcher

  • Guest
Re: Win32:Daonol-P[Trj]
« Reply #9 on: June 09, 2009, 07:56:47 PM »
Part 3 of HJT log:

Quote
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.yahoo.com/"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\6yrik8xn.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\6yrik8xn.slt\prefs.js)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Cole2k Media Toolbar Helper - {5499BCB1-5641-4A4C-9F75-462D4D8D0DA0} - C:\Program Files\Cole2k Media Toolbar\v3.3.0.1\Cole2k_Media_Toolbar.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\YTSingleInstance.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Cole2k Media Toolbar - {8AE33802-00D3-4F1B-B5C7-6FEE34E402CE} - C:\Program Files\Cole2k Media Toolbar\v3.3.0.1\Cole2k_Media_Toolbar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [Sabre Site Services] C:\SABRE\Apps\ATS\SSSClnt.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Java Sabre Server (JSERVER)] C:\SABRE\Apps\eVoya\JServer.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sabre Site Services] C:\SABRE\Apps\ATS\SSSClnt.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Sabre Site Services] C:\SABRE\Apps\ATS\SSSClnt.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Sabre Site Services] C:\SABRE\Apps\ATS\SSSClnt.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.00.0001.1203\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/script/actions/review.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177884859828
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://venicebeach.earthcam.net/viewer/AxisCamControl.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks Pro\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Sabre Printing Module (SabrePrint) - Unknown owner - C:\SABRE\Apps\OADP\Oadp.exe (file missing)
O23 - Service: Sabre Device Manager (SDMan) - Unknown owner - C:\WINDOWS\SDMan.EXE (file missing)
O23 - Service: SurfStats Scheduler Ver 8.4.0.0 (SurfServer8400) - Unknown owner - C:\Program Files\Surfstats8400\SurfServ8400.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

Kelcher

  • Guest
Re: Win32:Daonol-P[Trj]
« Reply #10 on: June 09, 2009, 08:01:46 PM »
Quote
6. Disable System Restore and then reenable it again.

Okay, I've found where I can disable/enable System Restore (in the System Properties dialog box, system restore tab). 

It provides the option to "turn off system restore on all drives."  I'm presuming I need to check that box and click "OK."  Do I need to then restart the computer?  And then unclick the box?  And then restart again?  Or is restarting unnecessary?

Also, can someone give me a quick explanation of what this accomplishes?

Thanks.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33925
  • malware fighter
Re: Win32:Daonol-P[Trj]
« Reply #11 on: June 09, 2009, 09:30:17 PM »
Hi Kelcher,

Read an answer to that question here: http://bertk.mvps.org/

Check if you know this service:
O23 - Service: SurfStats Scheduler Ver 8.4.0.0 (SurfServer8400) - Unknown owner - C:\Program Files\Surfstats8400\SurfServ8400.exe

Can you answer this question, because no active software firewall was found on your computer:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don't use any firewall at all.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Kelcher

  • Guest
Re: Win32:Daonol-P[Trj]
« Reply #12 on: June 09, 2009, 09:40:25 PM »
Thanks polonus.  Responses below:

Quote
Check if you know this service:
O23 - Service: SurfStats Scheduler Ver 8.4.0.0 (SurfServer8400) - Unknown owner - C:\Program Files\Surfstats8400\SurfServ8400.exe

Yeah, it's a website log analysis program.  I use it to track traffic on my site.

Quote
Can you answer this question, because no active software firewall was found on your computer:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don't use any firewall at all.

I'm using windows firewall.  I believe my dsl modem/router also has a firewall, but I've never toyed with it to the best of my knowledge.  Windows firewall shows as "ON" in Windows Security Center. 

Is Windows Firewall a bad solution?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33925
  • malware fighter
Re: Win32:Daonol-P[Trj]
« Reply #13 on: June 09, 2009, 09:49:18 PM »
Hi Kelcher,

Not as your router is also involved, because the Windows firewall is only one-way protection.
On XP I would use a firewall like ZA free; furthermore, there are lots of threads here in the forum where people recommend these. In the case of an extra software FW, you could turn the Windows one off, because there should be no more than one active FW. In the case of a Gumblar infection it is a good thing to have one; read what I wrote about this massive online threat here: http://forum.avast.com/index.php?topic=45697.0
and here: http://forum.avast.com/index.php?topic=45517.0

polonus
« Last Edit: June 09, 2009, 10:17:18 PM by polonus »

Kelcher

  • Guest
Re: Win32:Daonol-P[Trj]
« Reply #14 on: June 10, 2009, 01:33:02 AM »
Quote
6. Disable System Restore and then reenable it again.

Done.
Quote
7. Immunize your system with SpywareBlaster.

Done.
Quote
8. Check if you have insecure applications with Secunia Software Inspector.

Done.  Most applications weren't too out of date, but I got rid of some old redundant versions of things like Acrobat, and updated everything else to the most recent.