Hi,
Your system is infected with a trojan and possibly some other malware
Download the Pocket Killbox from HERE (http://www.bleepingcomputer.com/files/killbox.php). Extract it but don't run it yet.
You may wish to copy and paste these instructions on notepad for easier reference later.
Boot into safe mode under your normal user name. See how
HERE
Next turn on "Show all files and folders, including hidden and system". See how
HERE
Run AVG antispyware scan and quarantine the items. See
HERE for instructions.
Click on start > Run, and type the services.msc. Press Enter.
Double click on the following services (if there) and select Stop if they are running. Set the startup type to Disabled. Click Apply/OK for each service you disable.
sstrol.dll
runtfs32.exe
ie_updater.exe
iass.exe
Close the services window.
Open your task manager by pressing the ctrl, alt and delete keys, or alternatively, ctrl + shift + escape. Click on the processes tab and end the following processes, if found:
partnership.dll
winload.dll
honewabe.dll
tmp9.tmp.dll
runtfs32.exe
ie_updater.exe
iass.exe
Close
After that,
run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
O2 - BHO: COM+ Service - {2BDEC973-B5AC-4e5b-8AB3-5A0500880DA2} - C:\WINDOWS\system32\winload.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\tmp9.tmp.dll (file missing)
O2 - BHO: (no name) - {7DA93366-EEB8-4A78-8F61-B0B98D7A1BFA} - C:\Program Files\Outlook Express\honewabe.dll
O2 - BHO: 0 - {B277D0C9-0C71-41E8-368A-08E5428DFCFB} - (no file)
O2 - BHO: Yahoo ToolBar - {BE756CFF-ADB4-4bc5-A35F-19E546E5710E} - (no file)
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\sstrol.dll",realset
O4 - HKCU\..\Run: [Microsoft Webcam Enhance V2.1] C:\WINDOWS\runtfs32.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - (no file)
O21 - SSODL: SgfTBcerjme - {E475A4AE-4EDF-0E04-6FBE-72BCBBD0D529} - (no file)
O22 - SharedTaskScheduler: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - (no file)
O22 - SharedTaskScheduler: COM+ Service - {2BDEC973-B5AC-4e5b-8AB3-5A0500880DA2} - C:\WINDOWS\system32\winload.dll
O23 - Service: McDetect.exe - LT - (no file)
O23 - Service: McTskshd.exe - LT - (no file)
O23 - Service: mcupdmgr.exe - LT - (no file)
O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\michelle\My Documents\ie_updater.exe (file missing)
O23 - Service: System Version S (SvS) - Unknown owner - C:\WINDOWS\system32\iass.exe (file missing)
I also advise you to remove all other O16 entries related to game1.pogo.com if you do not frequent the site.
Navigate in Windows Explorer and delete the following files and folders in bold.
C:\Documents and Settings\michelle\My Documents\ie_updater.exe
C:\WINDOWS\system32\iass.exe
Run the killbox file. When it loads, type the full path to the file you would like to delete in the field and check the "Delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select No until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted.
These are the file paths you need to enter:
C:\WINDOWS\system32\winload.dll
C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
C:\WINDOWS\sstrol.dll
C:\Program Files\Outlook Express\honewabe.dll
C:\WINDOWS\system32\tmp9.tmp.dll
Rehide your OS files after reboot.
Thereafter, please post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread.
<edit> deleted the part on turning off system restore. Thanks Howard.
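The post above works by reading a HijackThis log by eye and picking out the O2/O4/O20/O22/O23 entries that point at missing files, at binaries in odd locations, or at the same CLSID registered in two places. The following Python script is an added example, not part of the post and not code from HijackThis or any of the tools it names: it parses lines in the format HijackThis prints and applies a few triage heuristics of the kind a helper applies mentally. The sample log is constructed from the entries quoted in the post, and the heuristic flag names (orphan, user-profile-path, windows-root-binary, rundll32-loader, unknown-owner) are this example's own labels, not HijackThis terminology.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample in the shape HijackThis prints; entries mirror the
# log excerpt quoted in the post above.
SAMPLE_LOG = r"""
O2 - BHO: COM+ Service - {2BDEC973-B5AC-4e5b-8AB3-5A0500880DA2} - C:\WINDOWS\system32\winload.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\tmp9.tmp.dll (file missing)
O2 - BHO: Yahoo ToolBar - {BE756CFF-ADB4-4bc5-A35F-19E546E5710E} - (no file)
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\sstrol.dll",realset
O4 - HKCU\..\Run: [Microsoft Webcam Enhance V2.1] C:\WINDOWS\runtfs32.exe
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O22 - SharedTaskScheduler: COM+ Service - {2BDEC973-B5AC-4e5b-8AB3-5A0500880DA2} - C:\WINDOWS\system32\winload.dll
O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\michelle\My Documents\ie_updater.exe (file missing)
O23 - Service: System Version S (SvS) - Unknown owner - C:\WINDOWS\system32\iass.exe (file missing)
"""

# "O23 - Service: <rest>"  ->  section code, kind label, remainder
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")
# First Windows path ending in a binary extension; non-greedy so tmp9.tmp.dll is kept whole
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|cab)", re.IGNORECASE)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass
class Entry:
    code: str              # HJT section, e.g. O2, O4, O23
    kind: str              # e.g. BHO, Winlogon Notify, Service
    rest: str              # remainder of the line as printed
    path: Optional[str]    # first file path on the line, if any
    clsid: Optional[str]   # CLSID on the line, upper-cased, if any
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    pm = PATH_RE.search(rest)
    cm = CLSID_RE.search(rest)
    return Entry(m.group("code"), m.group("kind"), rest,
                 pm.group(0) if pm else None,
                 cm.group(0).upper() if cm else None)


def flag_entry(e: Entry) -> List[str]:
    """Heuristic triage (this example's own rules): prompts for review, not verdicts."""
    flags: List[str] = []
    if "(no file)" in e.rest or "(file missing)" in e.rest:
        flags.append("orphan")                   # registration points at nothing on disk
    if e.path:
        p = e.path.lower()
        if p.startswith(r"c:\documents and settings"):
            flags.append("user-profile-path")    # services/BHOs rarely live in a user profile
        if re.fullmatch(r"c:\\windows\\[^\\]+", p):
            flags.append("windows-root-binary")  # directly in %WINDIR%, not system32
    if e.code == "O4" and "rundll32" in e.rest.lower():
        flags.append("rundll32-loader")          # autorun that loads a DLL export via rundll32
    if e.code == "O23" and "unknown owner" in e.rest.lower():
        flags.append("unknown-owner")            # service binary with no recognised publisher
    return flags


def parse_log(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        e = parse_line(line)
        if e:
            e.flags = flag_entry(e)
            entries.append(e)
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Entries that earned at least one flag, in log order."""
    return [e for e in entries if e.flags]


def correlate_clsids(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map each CLSID to the sections it appears in, so a GUID registered in
    more than one place (winload.dll in both O2 and O22 here) stands out."""
    seen: Dict[str, Set[str]] = {}
    for e in entries:
        if e.clsid:
            seen.setdefault(e.clsid, set()).add(e.code)
    return {k: sorted(v) for k, v in seen.items()}


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for e in triage(parsed):
        print(f"{e.code:<4} {', '.join(e.flags):<40} {e.path or '(no path)'}")
    for clsid, codes in correlate_clsids(parsed).items():
        if len(codes) > 1:
            print(f"{clsid} registered in {'/'.join(codes)}")
```

Run it as-is to see the seven flagged entries and the one CLSID shared between O2 and O22; to use it on a real log, replace SAMPLE_LOG with the file contents. The flags are deliberately coarse: an orphaned "(no file)" entry is usually just leftover registry clutter, while a binary under a user profile registered as a service, or a DLL in the Windows root loaded through rundll32, is the pattern the helper above is singling out for removal.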