Explore topic-wise InterviewSolutions in .

Was recently hit with some BAD malware/viruses.  Took it upon myself to do some "diagnosing" and found one of the culprits to be masked as CSRSS.EXE.  Well,...long story short;  I deleted the "GOOD" CSRSS.EXE from the Windows/System32 directory, and now I'm SCREWED.

Cannot boot in normal mode.  Cannot boot in safe mode, with or without command prompt.  I can get into the pre-INSTALLED Windows System Recovery, but not sure if that helps, and if so,....what to do.

Running a Dell Inspiron 1501 w/ XP SP2 installed.  I do not have the recovery CD handy, nor do I remember specifically where it is.

Any and all help is TREMENDOUSLY appreciated.

Hi all,

i'd like to switch them off completely...which i actually did for a few weeks until recently when someone said "dont", as deactivating windows UPDATES was equivalent to leave you car windows open with all your valuable stuff to see for everyone passing by...

However i dont like them, but is it dangerous to NOT use them at all?

What do you say?

Windows updates routinely fix security issues so it's in your best interest to keep updating .i have never closed them in 5 years , as i'm sure everyone doe'sYou can PICK and choose which updates to install, but based on the fact that you even posted the question I'd just set the system to install updates AUTOMATICALLY. YES, you should install updates.As ADG said, you can be selective with your updates.  You can disable AUTO. updates and run the "Windows Update" utility manually, every week or so.. Just be sure to choose the "custom" option over the "express", which will allow you to be selective about what updates you want to install...Whatever you do make sure you get all the security updates and hotfixes (which fixes OS bugs)


Whether or not you install updates automatically, I think it depends on how much bandwidth you have to spare. For instance, I regularly maintain my mother's computer with WinXP, which USES a dial up connection... She generally keeps her computer turned off when not in use...   When she turns on her computer and connects to the Internet, first thing that happens (if she has auto. enabled) is Windows will go out to the Internet to find all those updates which will, in some respect, monopolize her connection....   I also, keep her anti-virus definitions from being automatically updated for the same purpose..  Try to imagine your anti-virus updates and Windows Updates going at the same time over a dial up connection, on top of all the fluff ISP software that may be installed on your system         You may not be using a dialup connection, but you can use this a sort of a reference..

Hello,
My wife was on the computer last evening and picked up a bug. I can't log in to safe mode at all. I get a warning message that the logon.exe is not available. The background for my workspace is changed to "Your system is infected! the system has been stopped due to spyware. I need to get spyware to continue." I have mbam installed on the system but am not able to use it. I also have Superantispyware installed. With bitdefender antivirus 2009 and use zone alarm firewall. Working with it I have gotten the pop up to go away, but still no luck with trying to get computer to log into safe mode. I have win xp sp2 installed I am attaching my last HJT log as this atm is my only program I can run. I don't have internet with the corrupted computer. I am looking for some help with this.
Thanks

[attachment deleted by admin]check the following:

This is probably what is stopping you from using Safe mode:
F2 - REG:system.ini: Shell=Explorer.exe logon.exe

userinit is a windows component; sdra64, on the other hand, is a trojan.
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,D:\WINDOWS\system32\sdra64.exe,

this isn't necessarily a threat but there's no reason for it to be there:
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

"winupdate" is not a windows component. (windows update is performed by a process called wuaclt, if memory serves me)
O4 - HKLM\..\Run: [winupdate.exe] D:\WINDOWS\system32\winupdate.exe
O15 - Trusted Zone: http://wow.allakhazam.com

O20 - Winlogon Notify: yayyVMdc - yayyVMdc.dll (file missing)

and click "fix checked"

Also, try using the mbamrenamer tool, here, or rename the malwarebytes shortcut and program file yourself, (as you have for hijackthis) and see if that let's you run it; or after fixing the items with hijackthis see if you can reboot into safe mode and run MBAM from there.

I fixed the items in HJT but am still having the same problem not able to log into safe mode  or use MBAM.

[attachment deleted by admin]are you getting the same error when you try to start in safe mode?


Also- did you try the mbam renamer?It won't let me log in to safe mode. I renamed the mbam also. I am getting a runtime error with mbam '372' FAILED to load 'vbalgrid' from vbalgrid6.ocx. version maybe outdated. try a reinstall of mbam, if possible.OK, I reinstalled mbam still the same runtime error. As for the logging into safe mode I can't seem to get F8 to work at the win banner. Quote from: robcam on August 11, 2009, 06:49:30 PM

OK, I reinstalled mbam still the same runtime error. As for the logging into safe mode I can't seem to get F8 to work at the win banner.

p.s. there were no errors in dial-a-fix.  also, when i tried to reset internet explorer settings, it said that it had failed, and there was a big red 'X' NEXT to "resetting user CUSTOMIZATIONS".  don't know if i should worry, since i don't really use internet explorer anyway Quote

don't know if i should worry, since i don't really use internet explorer anyway

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

I've searched on "How To's" to do this.  However, all of them (example) are like this:

http://pcsupport.about.com/od/operatingsystems/ss/instxprepair1_5.htm

I get to STEP 5 (in the above example), but the NEXT screen/page is different than mine.  What I get is a screen that shows 3 partitions on my HD:

-: Partition 1 [FAT]         71 MB (62 free)
C: Partition 2 [NTFS]       71336 MB (25802 free)
E: Partition 3 [FATS32]    4910 MB (452 free)

Might sound stupid, but which one is my XP os on, and/or which one should I select?  I can tell you that I went as far as the next step by selecting drive C, (as that's the one I presume I'm attempting to repair).  But again,....EVEN the next screen I get is different from the screen on STEP 7 of the example above.

Any help is appreciated.  Thank you.

Just a note.......I WANT to do a repair of XP, not a clean/new install.  I see that there's an option at the begining to press "R" to repair, but all of the instuctional websites I saw said NOT to choose the "R" option.Oops.  Sorry mod(s).  Just realized I posted this thread in the wrong forum.  Please feel free to MOVE if need be.C is the drive you want.
Try this repair and see if it gets you through.

http://michaelstevenstech.com/XPrepairinstall.htm

Hi

I have KIS 2009 which,as I'm sure most of you are AWARE, has

anti-malware, anti-phishing and anti-spam built in. My question is:

as a comprehensive security suite, is the above sufficient protection

or do I need additional security and, if so, what do you advise?


Also, am I RIGHT in believing that KIS 2009 does not contain an anti-

virus PROGRAM in which case I need to have one running alongside it!


MANY Thanks
According to the features listed antivirus is included.

http://www.kaspersky.com/kaspersky_internet_security

Remember to only use ONE antivirus program.Kaspersky is an antivirus  MAKER, they would not miss out with antivirus protection in their products. If you are getting an internet security suite from a well known maker, it should have antivirus, antimalware, phishing and perhaps antispam all in one, and maybe even a firewall too,

I dont think something left from the last time.

Ran Combofix, but not everything is gone. The background on my screen changes, and all my icons are highlighted.

Superantispyware came up with nothing.

[attachment deleted by admin]go below and complete and wait for an expert to have a look at the rest

You have Viewpoint installed.

Viewpoint Media Player/Manager/Toolbar is considered as Foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad".

More information:
•ViewMgr.exe - Useless

•Viewpoint to Plunge Into Adware
It is suggested to remove the program now.
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
•Viewpoint

•Viewpoint Manager

•Viewpoint Media Player

•Viewpoint Toolbar

•Viewpoint Experience TechnologyOkay, done. You are 4 versions out of date with Malwarebytes. Always update your scanners before RUNNING them.

Open Malwarebytes' Anti-Malware.

* Click the Update tab.
* Click Check for Updates
* If an update is found, it will download and install.
* Click the Scanner tab.
* Select Perform Quick Scan, then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire report in your NEXT reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

----------

How is the computer now?Malwarebytes' Anti-Malware 1.40
Database version: 2628
Windows 5.1.2600 Service Pack 2

8/14/2009 11:14:19 PM
mbam-log-2009-08-14 (23-14-19).txt

Scan type: Quick Scan
Objects scanned: 101604
Time elapsed: 3 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items DETECTED)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\sto453190.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
You downloaded a bad file from Facebook, Myspace or somewhere similar. Always be careful accepting anything from those sites. http://en.wikipedia.org/wiki/Koobface

Delete ComboFix and download a new version.

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When FINISHED ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix USAGE, see How to use ComboFix

----------

Next:

Download DDS from |HERE| or |HERE| or |HERE| and save it to your desktop.

Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

* XP users Double click on dds to run it.
* If your antivirus or firewall try to block DDS then please allow it to run.
* When finished DDS will open two (2) logs.

1) DDS.txt
2) Attach.txt

* Save both logs to your desktop.
* Please copy and paste the entire contents of both logs in your next reply.

Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copy and pasting it into the reply.

----------

Next post add:

• ComboFix log
• Both DDS logs

Running out of options here...how about the keyboard ...... is it PS/2 or usb?..... came across some posts on another forum stating the USB keyboard can be at fault....and to make sure USB is enabled in Bios....can you try another keyboard and see if it makes a difference.

You might want to look here as well.

http://support.microsoft.com/kb/330184Karnac,
My keyboard is a Logitech PS/2.  A test with the devise manager recently indicated it was working properly.  My thoughts now are:  the computer is runing fine, my dskchk doesn't seem to have any major issues, I am not infected with a virus or spyware, the 3 logs previously submitted were basically clean, and I do not get any messages such as I have read on other posts, where different types of freqent error messages are given and their computers won't do anything.  My only error message at start up, again is : invalid boot. ini file, Booting from C:\windows.  I think I have read in other posts it should be booting off the hard drive, but I am not sure of this.  Is this anything?

Is there something, rather than safe mode being being infected or broken, that would cause it to be just switched off?

I can get into the Bios.  I know I shouldn't go in there and just start changing things around on my own.  I have looked in there recently and one function that I noticed is:  Super Boot-disabled.  I was tempted to enable it, but so far I haven't.  Should I do that? 

To try another keyboard, I would have to puchase one and this one is only 2 1/2 years old.

Also, I went to your MS link, invalid boot: ini file.  It explains how to rebuild a damaged or lost boot file.  It starts by asking that I put my Windows XP installation CD in the cd-rom and at setup press r to begin the fix.  Sounds simple enough but.. when I do that, my installation CD says this:

Welcome to Microsoft Windows XP

What do you want to do?

Install Windows XP
Learn more about the setup process
Install optional Windows components
Perform additional tasks
Check system compatibility  * reading the various MS links that I have been sent to, I think my installation CD is for SP 2 but I have SP 3 on this computer.  I have gotten messages that indicate my current version of Windows is newer than what is on my Windows CD and It has asked if I want to install an older version.  I don't want a reinstall of any version if it means my computer would be wiped clean.

There is no command  - press r for Recovery Console. This Recovery Console sounds like it might be what I need to fix this, if you can suggest how I can get to it.  And... how come my installation CD doesn't seem to have this? Hope this GIVES you some new ideas. 


Thanks,
 beachguy Here's a step by step to install the recovery console...

http://www.bleepingcomputer.com/tutorials/tutorial117.html


There's also an option to edit the boot.ini file here...

http://support.microsoft.com/kb/289022



Beachguy, it might be a good idea to try this. It certainly can't hurt and might cure the problem of starting in safe mode.Karnac,

I tried to follow your link:  http://www.bleepingcomputer.com/tutorials/tutorial117html a few days ago.  Actually, I thought I was doing everything correctly.  At one point in he process it asked that I insert the windows installation CD into the drive and restart the computer.  When I did that the computer would not completely reboot .  Up until that point, I thought I was going through the directions correctly.  I guess I messed something up. They are very detailed.  Well,  the only thing that would work finally, was to reinstall Windows and all my previous programs.  This problem really turned out to be quite an adventure and I learned more than I previously knew before I started.  I guess that old saying is true,  "a  little  knowledge can be dangerous."  It looks like it was in my case.  With the reinstall my F8 key now taps into safe mode.

One point I am still wondering about is the 3 logs that were requested.  Those logs seem to be given a lot of importance.  No one ever commented about them once I got them on this post.  I am curious as to why any evaluation of them was not posted back except for another link to try with really no explanation concerning the logs.

Thank you,
beachguy Beachguy, the HJT log was the most important one and, if I recall correctly, it looked ok. That's why everyone was looking for some other solutions. That's why I suggested a System File check.beachguy,

The purpose of the logs is twofold. First it shows the specialist that the scans have been run. Second, in the event that the pc does not respond to the scans/cleaning the information logged gives the specialist a good idea of what threats he is facing, and what tools to use to proceed....Usually using the process tool, a pc can be brought back to working order. In your case I don't believe we used the process tool once the pc was determined to be working fine with the exception of the disabled F8 key...that's when attention was diverted to that issue. I am not a specialist on this or any forum. I basically direct traffic and attempt to KEEP things moving and assisting as best I can. Unfortunately, your problems developed during a period of time when evilfantasy was enjoying a well deserved break from the boards and specialists are in short supply in all the malware forums. Hope this answers some of your questions and finds your pc running well. As evilfantasy recommends, download WOT(Web of Trust) and install it. This program will allow you to surf safely, and alert you to suspect sites.Karnac,

Thank you for the REPLY.  It answered the questions I had and after awhile I sort of assumed that evilfantasy was away.  I will download the Web Of Trust.

beachguy Quote

(tapping F8 key, computer does not go into safe mode)

This is a Logitech PS/2 keyboard and it is plugged into the back of the tower.

Several months ago I had gotten a similar infection on my computer and the guys at Bleepingcomputer.com helped, but they don't seem to be around anymore.  They had recommended SuperAntispyware and Malware Bytes.  I ran the Super Antispyware in Safe Mode and the logs are attached.

My problem is that I am still receiving a popup of:
C:\System Volume INFORMATION\_restore{63EFC063-C398-4284-88BB-D9A39A12ED8}\RP723\A0085341.exe
Infection: Trojan-GameThief.win32.Onlinegames.vgil

I've even tried to go thru the registry and clean out anything associated with gamevance.com  This is thw WEBSITE that seems to be the culprit.  Is there anyone out there that can offer any assistance?  Thanx



[attachment deleted by admin] Quote

the guys at Bleepingcomputer.com helped, but they don't seem to be around anymore.

C:\System Volume Information\_restore{63EFC063-C398-4284-88BB-D9A39A12ED8}\RP723\A0085341.exe
Infection: Trojan-GameThief.win32.Onlinegames.vgil

How is the computer running now?it is better so far! thank you so much! Now is there anything else I need to do? Is there a way I can fix this problem with GETTING sp2? And do i need to keep all of these programs that this SITE has had me download?

Let's clear out the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if launched accidentally. These steps will also help secure the work you have done.
.

• Click START then RUN
  
• Now type Combofix /u in the runbox
  
• Make sure there's a space between Combofix and /u
• Then hit Enter.
.
.

• Delete: ComboFix and its associated files and folders.
• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Set a new, clean Restore Point.

• In the upper left corner click the Validate Windows button.
  
• Be patient while the ActiveX loads, do not click on any links.
• Read the instructions on this page while it's loading. You will be prompted to install - click YES.
  
• Enter your product key then click continue
  
• When it says "Validation Complete" please click Continue to return to your previous activity

i got an e-mail from a friend and i new it was spam right away and she said she did not send it , so they have

got her pc address , can any thing be done and how did they get it

i told her to d/load spamfighter and let me know her security

this is the mail be-low



Hi friend,
    how are you doing recently ? I would like to introduce you a very good company which i knew.Their website is   www.elewholesale.com   .They can OFFER you all kinds of electronical products which you need like laptops ,gps ,TV LCD,cell phones,ps3,MP3/4,motorcycles  etc........Please take some time to have a check ,there must be somethings you 'd like to purchase .
Their contact EMAIL: [email protected]
                       MSN:  [email protected]
Hope you have a good mood in shopping from their company !
                                                                                                     Regards

http://www.mywot.com/en/scorecard/elewholesale.com

It's possible they got it off a website somewhere on the net. Quote

all kinds of electronical products

motorcycles

kpac , is there any why of stopping mail using her address or is it a lost cause , i know she can get a new

address

Ok, so my computer have these annoying files that don't get deleted when told to. One is called cool OOZE, another called amok eggs four web, and a delself.exe that keeps disappearing when I delete it and coming back somewhere else. There are a few other FILE that I don't remember, but they don't seam to show up in the logfile. There is also a Program that's called holetr~1.exe that comes up in my task manager when I try to delete anyone of the two iexplorer.exe that are that making them come back up. After starting iexplorer.exe it disappears. While using mozilla firefox the iexplorer.exe opens pop ups no matter what site I am on in firefox. I also want to delete anything related to hxxp://googlesearch.uuuq.com/ which got installed in my computer by itself, it seams. I haven't installed any new software from the point before and after I got hxxp://googlesearch.uuuq.com/ on my computer.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:24, on 12/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cmpe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Oi Velox\Manager\desp2k.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Vimicro Corporation\VMUVC\VMonitor.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spyware Doctor\upgrade.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061128
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://googlesearch.uuuq.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061128
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 59.9.247.91:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Pop-up Blocker - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [desp2k] C:\Program Files\Oi Velox\Manager\desp2k.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Amok Eggs Four Web] C:\Documents and Settings\All Users\Application Data\part dead amok eggs\Hole tray.exe
O4 - HKLM\..\Run: [VimicroMonitorSnapshotVMUVC] "C:\Program Files\Vimicro Corporation\VMUVC\VMonitor.exe" VMUVC
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [cool ooze] C:\DOCUME~1\Yay!!!\APPLIC~1\STUPID~1\Owns Camp Idol.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ADBFFAAE-75DD-49BA-9C45-5022E97B30D3}: NameServer = 200.165.132.147 200.165.132.155
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Context Manager Process Extension (cmpe) - LightComm - C:\WINDOWS\system32\cmpe.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Serviço iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 13214 bytes
Have you tried doing a system restore to a point before you had these problems?

Alan <><  T_T nope, and ive had these problems for a long time and I have been trying to fix them myself. Just now that I though that i should post this somewhere for someone to help me. A dude told me to reformat my computer but I don't want to because I want this fixed without needing to do that.Right click HijackThis and choose Run as Administrator

Next select Do a system scan only

Place a check mark next to the following ENTRIES: (if there)

• R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://googlesearch.uuuq.com/
• R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 59.9.247.91:8080
• R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
• O4 - HKLM\..\Run: [Amok Eggs Four Web] C:\Documents and Settings\All Users\Application Data\part dead amok eggs\Hole tray.exe
• O4 - HKCU\..\Run: [cool ooze] C:\DOCUME~1\Yay!!!\APPLIC~1\STUPID~1\Owns Camp Idol.exe

• Double-click mbam-setup.exe and follow the prompts to install the program.
  
• At the end, be sure a checkmark is placed next to the following:
• Update Malwarebytes' Anti-Malware
  
• Launch Malwarebytes' Anti-Malware

• Then click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform quick scan, then click Scan.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Be sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy and Paste the entire report in your next reply.

• OTM log
• Malwarebytes log
• DDS log(s)

Hello
I RECENTLY cleaned my SYSTEM,finding no problems.
However,I have 412 quarintined files that were selected by PREVIOUS cleanings.
Can they all be deleted;or is there some way to determine if some should not be deleted?
Thanks
FrankMost quaranteened files can be safely deleted.kpac
Thanks, will do.
FrankNo problem. If you've any trouble, please TELL us and we'll help.

Recently I had to create a new FACEBOOK account due to someone HACKING in to it and also they changed my hotmail account password etc and now recently on my old facebook account there is a picture of myself EXACTLY the same as on my new account and they are also friend requests being sent out from my old facebook account to my friends on my new one.

So is it a possibility that even though I have started using Comodo Firewall and Avira anti virus - the latter says i have no viruses/worms etc, that my computer is still hacked and that they still have access to my documents on my hard drive or is it a facebook fault that I am still in some way linked to my old account?? please help, thanks. Gareth"I have started using Comodo Firewall and Avira anti virus - the latter says i have no viruses/worms etc"

Well, I think that the damage, if any, may have been done before you started using it. Using the antivirus and the firewall is a good idea, but it protects you from the exact point for which the successful installation and update on your computer happened until the day you uninstall the program, whenever  And also, no antivirus program is 100% good, there's always going to be something that GETS by, however rare the probability of that happening.

that is.

You may have information on your old facebook that's linked to (or is same as) your new facebook account, you might have had your IP jacked, if it's a static IP and they tracked you to your new facebook account, I don't know exact specifics of what may happen, just throwing out the possibilities coming to my mind at the moment.No-one can access your computer through Facebook.

Just email Facebook with a link to your old account and ASK them to close it, giving the reason that someone has gained access to it without your PERSON.

Hello, and thanks in advance for the help.

Im running Microsoft XP on a Dell Latitude 820. I primarily use Firefox and this was contracted through a facebook video link by only clicking the link. I don't know a whole lot about computers so please direct me as to what more you need. Here are the logs

SAS Log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/11/2009 at 08:28 PM

Application Version : 4.26.1004

Core Rules Database Version : 3936
Trace Rules Database Version: 1879

Scan type       : Complete Scan
Total Scan Time : 01:01:25

Memory items scanned      : 569
Memory threats detected   : 0
Registry items scanned    : 5749
Registry threats detected : 1
File items scanned        : 54805
File threats detected     : 2

Trojan.Dropper/Win-NV
   HKLM\Software\Microsoft\Windows\CurrentVersion\Run#sysldtray [ C:\windows\ld09.exe ]

Adware.Tracking Cookie
   C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
   C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt

MBAM log

Malwarebytes' Anti-Malware 1.37
Database version: 2265
Windows 5.1.2600 Service Pack 3

6/11/2009 8:45:28 PM
mbam-log-2009-06-11 (20-45-28).txt

Scan type: Quick Scan
Objects scanned: 91977
Time elapsed: 7 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\podmena (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\podmena (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\podmena (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\podmenadrv (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\podmena (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\podmena (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
c:\program files\podmena\podmena.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\ro122458.dat (Worm.KoobFace) -> Quarantined and deleted successfully.

HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:01:44 PM, on 6/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\sniper.exe\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.helpdesk.aero.und.edu/f1_Home/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_14.dll
O9 - Extra 'Tools' MENUITEM: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_14.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1180638090750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228249728606
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick STARTER (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7624 bytes
Multiple antivirus warning!

- Avira
- McAfee

Microsoft, Kaspersky and Symantec RECOMMEND that you do not have more than one antivirus product installed and running on your computer at the same time.

The real-time protection of two antivirus programs may conflict with each other and cause the following:

* False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
* Conflicts: Your system may lock up due to both products attempting to access the same file at the same time.
* Performance: More that one antivirus will cause your PC to become slow and it may even crash or blue screen.
* LESS protection: Two antivirus trying to scan the same file may interfere with the process and allow a malicious file onto the computer without notice to you.

I strongly suggest you uninstall one before continuing.

----------

Download GooredFix from one of the locations below and save it to your Desktop.

Link #1
Link #2

* Double-click GooredFix.exe to run it.
* Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
* A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).

Note: Do not run Option #2 yet.Mcafee removed. heres the goored log

GooredFix v1.92 by jpshortstuff
Log created at 20:13 on 12/06/2009 running Option #1 (Broadway)
Firefox version 3.0.10 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"[email protected]"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"
That log is clean.

Click Start > Run and then copy/paste the following into the box and then click OK
Code: [Select]"%userprofile%\Desktop\GooredFix.exe" /uninstallIf any of your security programs query a new Registry/AutoStart value being added please allow the changes.

----------

Download ComboFix by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

----------

Next post please add the ComboFix log and also let me know how the computer is running now.Computer is running considerably slower than normal, but IX FInd seems to be gone.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:04:43 PM, on 6/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\sniper.exe\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.helpdesk.aero.und.edu/f1_Home/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1180638090750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228249728606
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee McShield (McShield) - Unknown owner - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe (file missing)
O23 - Service: McAfee Task Manager (McTaskManager) - Unknown owner - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6637 bytes

ComboFix 09-06-12.02 - Broadway 06/12/2009 20:57.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.619 [GMT -5:00]
Running from: c:\documents and settings\Broadway\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

(((((((((((((((((((((((((   Files Created from 2009-05-13 to 2009-06-13  )))))))))))))))))))))))))))))))
.

2009-06-12 00:21 . 2009-06-12 00:21   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-12 00:21 . 2009-06-12 00:21   --------   d-----w-   c:\program files\SUPERAntiSpyware
2009-06-12 00:21 . 2009-06-12 00:21   --------   d-----w-   c:\documents and settings\Broadway\Application Data\SUPERAntiSpyware.com
2009-06-12 00:21 . 2009-06-12 00:21   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2009-06-12 00:16 . 2009-06-12 00:16   --------   d-----w-   c:\program files\CCleaner
2009-06-12 00:10 . 2009-03-30 15:33   96104   ----a-w-   c:\windows\system32\drivers\avipbb.sys
2009-06-12 00:10 . 2009-03-24 21:08   55640   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
2009-06-12 00:10 . 2009-02-13 17:29   22360   ----a-w-   c:\windows\system32\drivers\avgntmgr.sys
2009-06-12 00:10 . 2009-02-13 17:17   45416   ----a-w-   c:\windows\system32\drivers\avgntdd.sys
2009-06-12 00:10 . 2009-06-12 00:10   --------   d-----w-   c:\program files\Avira
2009-06-12 00:10 . 2009-06-12 00:10   --------   d-----w-   c:\documents and settings\All Users\Application Data\Avira
2009-06-11 23:21 . 2009-06-11 23:21   152576   ----a-w-   c:\documents and settings\Broadway\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-11 22:51 . 2009-06-11 22:51   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-06-09 01:10 . 2009-06-09 01:10   --------   d-----w-   c:\program files\SystemRequirementsLab
2009-06-09 01:10 . 2009-06-09 01:10   --------   d-----w-   c:\documents and settings\Broadway\Application Data\SystemRequirementsLab
2009-06-09 01:10 . 2009-06-09 01:10   207872   ----a-w-   c:\documents and settings\Broadway\Application Data\SystemRequirementsLab\SRLProxy_srl_4.dll
2009-06-09 01:10 . 2009-06-09 01:10   207872   ----a-w-   c:\documents and settings\Broadway\Application Data\SystemRequirementsLab\SRLProxy_srl_3.dll
2009-06-09 01:10 . 2009-06-09 01:10   207872   ----a-w-   c:\documents and settings\Broadway\Application Data\SystemRequirementsLab\SRLProxy_srl_2.dll
2009-06-09 01:10 . 2009-06-09 01:10   207872   ----a-w-   c:\documents and settings\Broadway\Application Data\SystemRequirementsLab\SRLProxy_srl_1.dll
2009-05-14 13:34 . 2009-05-14 13:34   --------   d-----w-   c:\windows\system32\KB905474
2009-05-14 13:34 . 2009-03-11 03:26   1403264   ----a-w-   c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-05-14 13:34 . 2009-03-11 03:18   453512   ----a-w-   c:\windows\system32\KB905474\wgasetup.exe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-13 01:51 . 2009-06-12 00:22   117760   ----a-w-   c:\documents and settings\Broadway\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-13 01:03 . 2007-08-03 20:19   --------   d-----w-   c:\documents and settings\All Users\Application Data\McAfee
2009-06-12 03:00 . 2008-12-03 17:55   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-12 02:00 . 2009-06-12 01:56   --------   d-----w-   c:\program files\Trend Micro
2009-06-12 01:50 . 2006-05-22 18:42   --------   d-----w-   c:\program files\Java
2009-06-12 01:36 . 2009-06-12 01:36   --------   d-----w-   c:\documents and settings\Broadway\Application Data\Malwarebytes
2009-06-12 01:36 . 2009-06-12 01:36   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2009-06-12 01:36 . 2009-06-12 01:36   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-11 23:25 . 2006-05-22 19:14   --------   d-----w-   c:\program files\Google
2009-05-30 03:50 . 2006-05-18 16:14   23406   ----a-w-   c:\windows\system32\nvModes.dat
2009-05-26 18:20 . 2009-06-12 01:36   40160   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 18:19 . 2009-06-12 01:36   19096   ----a-w-   c:\windows\system32\drivers\mbam.sys
2009-05-21 16:33 . 2008-12-02 20:33   410984   ----a-w-   c:\windows\system32\deploytk.dll
2009-05-07 15:32 . 2004-08-04 12:00   345600   ----a-w-   c:\windows\system32\localspl.dll
2009-05-07 01:49 . 2009-05-06 18:03   90352   ----a-w-   c:\documents and settings\Broadway\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-29 04:56 . 2004-08-04 12:00   827392   ----a-w-   c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 12:00   78336   ----a-w-   c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2004-08-04 12:00   1847168   ----a-w-   c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 12:00   585216   ----a-w-   c:\windows\system32\rpcrt4.dll
2007-03-19 18:13 . 2007-03-19 18:13   147750776   ----a-w-   c:\program files\ComplexAircraftSystems.wmv
2006-05-22 16:11 . 2006-05-22 16:11   421888   ----a-w-   c:\program files\putty.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-29 8429568]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-04 1032192]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-29 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-12-11 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2007-04-29 67584]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05   356352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\AIMS\\aimsmain.exe"=
"c:\\AIMS\\AIMS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Defender\\MSASCui.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"48100:TCP"= 48100:TCP:TCP 48100
"48101:TCP"= 48101:TCP:TCP 48101
"8085:TCP"= 8085:TCP:podmena

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/11/2009 7:10 PM 108289]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-06-13 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]

2009-06-13 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-14 03:18]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.helpdesk.aero.und.edu/f1_Home/index.php
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-12 20:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
DACL=(02 0000)
=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
DACL=(02 0000)
=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
DACL=(02 0000)
=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3664)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-13 21:01
ComboFix-quarantined-files.txt  2009-06-13 02:01

Pre-Run: 62,039,302,144 bytes free
Post-Run: 62,846,402,560 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

166   --- E O F ---   2009-06-12 03:00

Go to Start > Run and type notepad.exe then click OK

Copy and paste the below into Notepad and save as fixme.reg to Your Desktop

Code: [Select]REGEDIT4

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"48100:TCP"=-
"48101:TCP"=-
"8085:TCP"=-
Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work.

Delete the fixme.reg from the Desktop.

----------

Was the computer running slow before this happened?

.Registry was a success. The computer is running much better today, but it was considerably slower than normal yesterday. Let me know if you need anything else.

• Click START then RUN
  
• Now type Combofix /u in the runbox
  
• Make sure there's a space between Combofix and /u
• Then hit Enter.

• Delete: ComboFix and its associated files and folders.
• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Set a new, clean Restore Point.

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

IE7 wanted to update to IE8 and when it did am unable to open internet explorer from any of the links. When ever I tried the window would pop up like it normally should but then after about 2-5 seconds it would close again. When i tried to open internet options nothing would happen. I'm currently unable to surf the web though internet explorer. I talked to JustJoe on the live chat and he had me try several different things but to no avail, come to find out i couldn't even download anything. i was able to search the web by using either bitlord's web search or by using the windows help and support center.
after about 2 days of frustration i was able to get FireFox on my computer by using outlook express e-mail. at current i am able to search the web but I'm afraid that the problem is still on my hard drive somewhere. So I followed the instructions for this and here are the log files.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/13/2009 at 02:06 PM

Application Version : 4.26.1004

Core Rules Database Version : 3938
Trace Rules Database Version: 1881

Scan type       : Complete Scan
Total Scan Time : 01:33:41

Memory ITEMS scanned      : 492
Memory threats detected   : 0
Registry items scanned    : 6772
Registry threats detected : 0
File items scanned        : 100839
File threats detected     : 21

Adware.Tracking Cookie
   C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
   C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
   C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
   C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
   C:\Documents and Settings\AdminProAccount\Cookies\[email protected][2].txt
   C:\Documents and Settings\AdminProAccount\Cookies\[email protected][2].txt
   C:\Documents and Settings\AdminProAccount\Cookies\[email protected][2].txt
   C:\Documents and Settings\AdminProAccount\Cookies\[email protected][1].txt
   C:\Documents and Settings\AdminProAccount\Cookies\[email protected][2].txt
   C:\Documents and Settings\AdminProAccount\Cookies\[email protected]media[2].txt
   C:\Documents and Settings\AdminProAccount\Cookies\[email protected][2].txt
   C:\Documents and Settings\AdminProAccount\Cookies\[email protected][2].txt

Trojan.Unclassified/Packed-Win
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{0C487BA5-A927-4829-9980-0169796FE3E3}\RP295\A0036595.EXE


Malwarebytes' Anti-Malware 1.37
Database version: 2273
Windows 5.1.2600 Service Pack 3

6/13/2009 2:42:11 PM
mbam-log-2009-06-13 (14-42-11).txt

Scan type: Quick Scan
Objects scanned: 111409
Time elapsed: 7 minute(s), 17 second(s)

Memory PROCESSES Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{497dddb6-6eee-4561-9621-b77dc82c1f84} (Adware.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4e980492-027b-47f1-a7ab-ab086dacbb9e} (Adware.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5ead8321-fcbb-4c3f-888c-ac373d366c3f} (Adware.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{31f3cf6e-a71a-4daa-852b-39ac230940b4} (Adware.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{331cf7ad-4ff8-47f8-bbfb-04eed85c4652} (Adware.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{51c0946f-938e-4909-a128-8a2f688df31a} (Adware.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f32d7d45-1750-48da-9cac-c6216972bb33} (Adware.Ascentive) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\c:\WINDOWS\system32\SysRestore.dll (Adware.Ascentive) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\c:\WINDOWS\system32\ConTest.dll (Adware.Ascentive) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\SysRestore.dll (Adware.Ascentive) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\ConTest.dll (Adware.Ascentive) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:05:52 PM, on 6/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\iolo\System Mechanic Professional\AntiVirus\iAVEmailScanner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [iolo AntiVirus] "C:\Program Files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [iolo Personal Firewall] "C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100429 -Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SIMBAR={D6E0D756-B0B8-44EC-8888-E3286065374A}; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Open with WordPerfect - c:\Program Files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: MESSENGER - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O16 - DPF: {038E2507-7A48-41E2-94AD-7F23D199AF4E} (ZenGems Control) - http://www.worldwinner.com/games/v54/zengems/zengems.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab56649.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215206399546
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - http://83.215.238.83:8081/activex/AMC.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://www.charter.net/files/charter/securitysuite/fscax.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v57/wof/wof.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimdownloads.com/solidstateion.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://games.bigfishgames.com/en_cinematycoon/online/cinematycoon.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://207.111.165.30/activex/AMC.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 13937 bytes

This problem started a few days ago. When I open an IE BROWSER another one will pop up a few seconds later. The second one will be an ad but it won't always be the same one. It could be for VBS.TV, NEXPLORE.COM, PREMIERECARDOFFERS.COM, HOWIMADECASH.COM, etc.

This problem does not occur in Firefox, which is the browser I primarily use. I only use IE for a specific application because the company I work for requires IE for their application to work. I am also using IE 6, because I haven't seen the need to upgrade to IE 7 or IE 8 as of yet.

I'm using the current version of AVG as my antivirus software. I have run CCleaner, SuperAntiSpyware, MalawareBytes, and HiJack This. The logs are attached.

I have also checked the list of applications in Add/Remove Programs and the only one that I can identify as possibly suspicious is called Otto.

I would appreciate any assistance on this issue. Thanks.


Norm


[ATTACHMENT deleted by admin]Probably is some kind of malware or spyware issue that needs malware specialist's attention but in the meantime....

1. Try resetting internet explorer, here's instructions ... see what happens
http://support.microsoft.com/kb/923737

2. You might want to try IE Tab addon for firefox. https://addons.mozilla.org/en-US/firefox/addon/1419I FOLLOWED the link to the instructions for resetting IE but it seems to APPLY to IE 7. As I mentioned I'm still using IE 6 and the only option it offered was to Restore Defaults. I tried that but it didn't resolve the issue. Thanks anyways.Problem seems to be resolved.  Turns out it was a fairly new malware app called QualityProductAdviser http://www.superantispyware.com/malwarefiles/QUALITYPRODUCTADVISER.DLL.html which the latest update of SuperAnti Spyware was ABLE to clean up.

Download ComboFix© by SUBS from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your ANTIVIRUS and any ANTISPYWARE real time protection before performing a scan. Click this link to see a LIST of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your NEXT reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

I'll try to be brief but thorough.  I am an intermediate computer user and know my way around Windows.  My machine is a Pentium 4 with 512MB ram running Windows XP Pro SP3.  This is a work computer connected to a small office network.

Prior to the infection, I was not running any anti-virus software.  I scan regularly with Super Antispyware, and Malwarebytes.  System Restore and Automatic Updates were turned OFF.

Last week I noticed that SEVERAL instances of iexplore were running as processes in the background and suspected that something was WRONG because I NEVER use IE, only Firefox.  After complete scans with SAS and MWB, the iexplore was still running in the background.  At that point I downloaded Spybot - Search and Destroy, and I believe I unfortunately downloaded a nasty virus at the same time.

Symptoms:

1.  Regedit is disabled.  I found a script online that will turn it on so I CAN access it, but after a couple of minutes, the registry is changed and it is disabled again.

2.  Tweak UI is disabled.

3.  "Folder Options" in the tools menu is disabled in explorer and the settings for "show hidden files", and "show file extensions" are turned off.  So I can't browse the system files to look for anything without getting into the registry and turning them back on. 

4.  An errant .exe file is everywhere.  It is a random mix of letters and numbers.  It has appeared as "sm346llr.exe"; vp6tr6cxa.exe; currently it is cfqiia2x.exe.  Two instances of it are running at all times.  When I click "end process" it disappears for a split second and then appears in the list again.  It is listed in the startup tab under msconfig.  I tried un-checking it in msconfig and then re-booting.  It simply comes back, sometimes as a different name.  The file shows up in the registry under HKCU\Software\Microsoft\Windows\Currentversion\Run.  When I try to delete it from the registry, it simply reappears.  It is also located in the Docs and Settings\current user\Local Settings\Temp folder.

5.  I believe other processes that look like system processes are bogus, like winlogon.exe, services.exe, lsass.exe, csrss.exe, etc.  I know these are legit system processes, but when I run the scans, they are detected as ILLEGITIMATE files.

6.  The computer has slowed significantly because all of the processes are hogging memory.

7.  A weird popup appeared this morning that said "Thank you for use iexplore"

I have since installed Avira Antivirus.  I did a complete scan today.  It found several trojans, but was unsuccessful in cleaning them out.  I also cannot start the "Guard" feature in Avira.  It is listed in Windows services as automatic, but it does not start at bootup or when Avira starts. When I try to start the service manually, Windows tries to start it and then it stops on its own.  I suspect the virus is preventing this.

Everything I have tried so far has failed.  The virus is listed by SAS and MWB as smitfraud variant-Gen/Bensorty.  Avira found TR/Patched.AA.522 Trojan.

Below are the logs from Super Antispyware, Malwarebytes, Avira, and the most recent Hijack This log.

Any help would be very much appreciated.

~Chris

[attachment deleted by admin]I would isolate that computer and run scans on the other pcs connected to it if you have file sharing enabled....just a precaution.For what it's worth...

I was able to clean this up.  I found a utility called PSKill that really helped.  While the infected process was running, I was unable delete anything without new files being regenerated, and the Spyware/Malware software could not successfully quarantine the infected files.  With PSKill, I was able to end the process that was causing all the problems.  Once the process was stopped, I was able to delete everything and run successful scans.  I also re-loaded Avira and the Guard program now works.  I've REBOOTED several times now without any of the suspicious files present.  All is well in computerland again.

~ChrisGlad all's well...thanks for the update.

anyone ever heard of Noelia Trossero?

I don't know, some chick/or someone who found my eMail address from somewhere and decided to invite me to who-knows-where

I'm tempted to open the ATTACHMENT just to see what happens   attachment: "sexy picture of me, Neolia Trossero.exe" Quote from: BC_Programmer on June 08, 2009, 09:36:45 PM

attachment: "sexy picture of me, Neolia Trossero.exe"

Since installing a new printer, I've had no end of problems (got a post ongoing in another forum). Maybe coincidence, but since then my system has been acting really weird and slowing down but it's not a virus (?) as SAS and MBAM run clear.
However, ran a HJT through the scanner and it came up with 2 possible dns hijacks. Did a whois on the ip addresses shown and although it's my ISP (ie France Telecom), got no idea of the persons name it's quoting.
Should l delete these, and if so, how?
HJT log is as follows.

 Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:34:31, on 25/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Trend Micro\HijackThis\Sniper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.wanadoo.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.wanadoo.fr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.wanadoo.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra BUTTON: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1223302897125
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (SHOCKWAVE Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9CADDFDF-8C2B-436C-8E42-F0AB5C2FD79E}: NameServer = 81.253.149.1 80.10.246.3
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O20 - Winlogon NOTIFY: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, INC. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5969 bytes

Thank you
It looks like its an HP. I had the same issue, where upon bootup, it seemed to take like 30 seconds longer for it to finish. This is how I fixed it:

start>>>>run
type in: services.msc
hit enter
now find the following on the list:

HP Cue DeviceDiscovery Service
HP Network Devices Support
hpqcxs08

now right click all three and click "stop"

right click again, then click properties, and change it to manual, apply, ok

Restart.  You should notice it is a lot quicker starting up. When you want to print, right click the first one i mentioned in services.msc and click start. This will start up all 3 and you will then be able to print. Anytime u restart the computer/turn it off, it will again be stopped so u have the faster boot time, then just go back to services and restart them.

I know very little about computer software.  I have a anti-virus/malware PACKAGE through AVG 7.5.  AVG quit giving me updates on the 7.5 version on 4/30/09.   They do not support ME in their version 8.  Does anyone know of a company that has and is still supporting anti-virus/malware for a ME?  I am not "obsolete" and can not afford to upgrade my computer.  Thanks in advance, Jayhttp://www.avast.com/eng/avast_4_home.html

System Requirements - Windows® 95/98/Me:
486 Processor, 32MB RAM and 100MB of free hard disk space. Thank you!   This is working out very well for me.  SOMETHINGS are faster, somethings are slower.  When running CCleaner there is less "STUFF" on my machine.  Have delete all AVG stuff - will never use them again as they did not honor the two year contract I had with them (still had 6 months left on the contract).  JayAvast is still running great for me.  By the way, AVG did a PARTIAL refund on my contract.  Thanks again!I didn't help you, but it's good to hear that you have a solution.
Good LUCK.

I'd been having a bit of time lately with malware on some of my websites. I've scanned my computer with three programmes and it seems clear for the moment. HOWEVER, I noticed something on a website yesterday. It is a script TAGGED  onto the END of the some of the PAGES. Could someone tell me how DANGEROUS this script is please? I've only put a portion of it here, it is actually very very long

I had a power interuption (lights blinked) while online & my computer restarted. When it finished loading & before I touched it,  Zone Alarm had popped up with this MESSAGE.

                               SERVER Program

Do you WANT to allow Distributed COM Services to act as a server?
Source IP.0.0.0.0:Port135
Application:RPCSS.EXE
Version:4.71.1718

This program has previously asked for Internet access.


I've never seen this message, but it is POSSIBLE my wife has as we both use this computer. There have been no RECENT changes to my system at all. I did notice this morning when I went to a couple of tractor boards I frequent that I had to log in. That happens once in a while, but when I clicked on the box to log in the password choices that always show up weren't there. Even when I delete my cookies & have to log in this hasn't happened before. Coincedence? Is this something I should be concerned about?

RPCSS.exe is the Remote Procedure Call.
Here is some more information on it.
http://www.cexx.org/rpc.htm

As to whether something else is the issue is hard to say.  You should install and run some antivirus and antimalware software to verify if your system is okay though.Some info here.....

http://forums.techguy.org/web-email/203328-zonealarm-blocking-rpcss-exe.htmlThanks for the link's. Ran a thorough Avast scan & didn't find anything so I guess I'm ok.

What has happened:
Funny lines started showing up, computer started crashing, sata DRIVERS for cdrom drives uninstalled, lots of hardware started failing or getting errors.
Current state:
Can not log in to an account without the computer bluescreening.
Can not read cds

What I've tried:
Some rescue cds via usb flash drive
Kaspersky Rescue CD (virus does not LET the scan start)
BitDefender Rescue CD (virus FREEZES the virus scan and crashes computer, also funny lines appear during the scan)
"G Data Antivirus" Rescue CD (scan gets frozen)
Tried to reformat by booting from usb flashdrive with vista install files on it, computer crashes

Willing to do anything to make the computer work again

ThanksWhen you tried the CDs did you CHANGE the boot order in your bios....Thanks for the fast reply!

I have set my boot order in BIOS to
#1 removable
#2 cdrom
#3 harddrive
#4 disabled
and sometimes I used
#1 removable
#2 cdrom
#3 disabled
#4 disabled


CD's don't work though, the computer doesn't recognize the drives anymore, and there are i/o port errors when I use a firewire cd driveDo you know anyone with a router? If so you need to set up a network, with another computer with a strong anti virus, use the boot sequence order to boot from networking, use this network to CONTROL your computer, and run the anti virus. Sometimes this works, and others not so much. Quote from: ireland-1 on June 23, 2009, 03:42:28 AM

Do you know anyone with a router? If so you need to set up a network, with another computer with a strong anti virus, use the boot sequence order to boot from networking, use this network to control your computer, and run the anti virus. Sometimes this works, and others not so much.

Do you know anyone with a router? If so you need to set up a network, with another computer with a strong anti virus, use the boot sequence order to boot from networking, use this network to control your computer, and run the anti virus. Sometimes this works, and others not so much.

I am having trouble removing Norton 2006.  The add/remove will not let me.  It keeps telling me that live update is on {whether it is or not} and then stops.  Is there SOMETHING I have missed, because I was UNABLE to find a UNINSTALL.... please help.
Try this...

http://majorgeeks.com/Norton_Removal_Tool_SymNRT_d4749.htmlThanks so much... will try... tyPlease post with the results of the tool, good or BAD so we know if you need more help or not.

If ComboFix alerts you that an antivirus is running just ignore it and keep on with the instructions.

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix
evilfantasy -
You want me to close the Internet Explorer.  How do I do that if I have to keep this page in front of me to follow DIRECTION?  Sometime I think this has gotten out of hand.  Bob Just close IE and then run ComboFix. It will guide you through the steps.evilfantasy -
ComboFix 09-06-13.09 - Bob 06/14/2009 15:16.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic   6.0.6000.0.1252.1.1033.18.1525.915 [GMT -5:00]
Running from: c:\users\Bob\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090614-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
SP: avast! antivirus 4.8.1335 [VPS 090614-0] *disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: McAfee VirusScan *enabled* (Updated) {C78B3C70-4777-4742-BB91-9D615CC575E6}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Desktop.ini

.
(((((((((((((((((((((((((   Files Created from 2009-05-14 to 2009-06-14  )))))))))))))))))))))))))))))))
.

2009-06-14 17:46 . 2009-02-05 20:06   51376   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2009-06-14 17:46 . 2009-02-05 20:06   23152   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2009-06-14 17:46 . 2009-02-05 20:04   97480   ----a-w-   c:\windows\system32\AvastSS.scr
2009-06-14 17:46 . 2009-02-05 20:07   114768   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2009-06-14 17:46 . 2009-02-05 20:07   20560   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2009-06-14 17:46 . 2009-02-05 20:11   1256296   ----a-w-   c:\windows\system32\aswBoot.exe
2009-06-14 17:46 . 2009-02-05 20:06   51792   ----a-w-   c:\windows\system32\drivers\aswMonFlt.sys
2009-06-14 17:46 . 2003-03-18 20:20   1060864   ----a-w-   c:\windows\system32\MFC71.dll
2009-06-14 17:46 . 2009-06-14 17:46   --------   d-----w-   c:\program files\Alwil Software
2009-06-13 16:54 . 2009-06-13 16:54   410984   ----a-w-   c:\windows\system32\deploytk.dll
2009-06-13 16:17 . 2009-06-13 16:17   --------   d-----w-   c:\users\Bob\AppData\Roaming\Malwarebytes
2009-06-13 16:17 . 2009-05-26 18:20   40160   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-13 16:17 . 2009-06-13 16:17   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2009-06-13 16:17 . 2009-06-13 16:17   --------   d-----w-   c:\programdata\Malwarebytes
2009-06-13 16:17 . 2009-05-26 18:19   19096   ----a-w-   c:\windows\system32\drivers\mbam.sys
2009-06-13 15:25 . 2009-06-14 18:20   117760   ----a-w-   c:\users\Bob\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-13 15:25 . 2009-06-13 15:25   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
2009-06-13 15:23 . 2009-06-13 15:23   --------   d-----w-   c:\program files\SUPERAntiSpyware
2009-06-13 15:23 . 2009-06-13 15:23   --------   d-----w-   c:\users\Bob\AppData\Roaming\SUPERAntiSpyware.com
2009-06-13 15:22 . 2009-06-13 15:22   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2009-06-13 11:05 . 2009-06-13 11:10   116842   ----a-w-   c:\windows\hpqins00.dat
2009-06-12 09:59 . 2009-06-13 17:55   --------   d-----w-   c:\program files\trend micro
2009-06-12 09:59 . 2009-06-12 10:04   --------   d-----w-   C:\rsit
2009-06-11 23:56 . 2009-06-11 23:56   --------   d-----w-   c:\programdata\HP Product Assistant
2009-06-11 15:35 . 2009-06-11 15:35   --------   d-----w-   c:\program files\CCleaner
2009-06-11 11:09 . 2009-06-11 11:09   268800   ----a-w-   c:\windows\system32\es.dll
2009-06-11 00:22 . 2009-06-14 00:37   --------   d-----w-   c:\programdata\Symantec
2009-06-11 00:22 . 2009-06-14 00:37   --------   d-----w-   c:\programdata\Norton
2009-06-11 00:18 . 2009-06-11 00:22   --------   d-----w-   c:\programdata\NortonInstaller
2009-06-10 23:48 . 2009-06-10 23:54   --------   d-----w-   c:\users\Bob\AppData\Local\Microsoft Games
2009-06-10 23:30 . 2009-06-10 23:30   --------   d-----w-   c:\program files\Internet Saving Optimizer
2009-06-10 23:29 . 2009-06-10 23:29   --------   d-----w-   c:\program files\DoubleD
2009-06-10 21:19 . 2009-06-10 21:19   --------   d-----w-   c:\users\Bob\AppData\Roaming\WildTangent
2009-06-10 20:52 . 2006-12-22 02:51   771672   ------w-   c:\programdata\HP\Installer\Temp\hpzscr01.exe
2009-06-10 20:52 . 2006-12-22 02:47   472664   ------w-   c:\programdata\HP\Installer\Temp\hpzmsi01.exe
2009-06-10 20:40 . 2009-06-10 20:40   --------   d-----w-   c:\programdata\WEBREG
2009-06-10 20:39 . 2009-06-10 20:50   --------   d-----w-   c:\users\Bob\AppData\Roaming\HP
2009-06-10 20:35 . 2009-06-10 20:35   --------   d-----w-   c:\program files\Hewlett-Packard
2009-06-10 20:35 . 2009-06-10 20:35   --------   d-----w-   c:\program files\Common Files\Hewlett-Packard
2009-06-10 20:35 . 2009-06-10 20:38   --------   d-----w-   c:\program files\Common Files\HP
2009-06-10 20:00 . 2009-06-10 20:53   --------   d-----w-   c:\program files\HP
2009-06-10 19:58 . 2009-06-10 20:45   148928   ----a-w-   c:\windows\hpoins19.dat
2009-06-10 19:58 . 2009-06-10 20:50   --------   d-----w-   c:\programdata\HP
2009-06-10 19:58 . 2006-11-20 21:36   258048   ----a-w-   c:\windows\system32\hpzids01.dll
2009-06-10 19:58 . 2006-12-16 06:19   675840   ----a-w-   c:\windows\system32\hpowiav1.dll
2009-06-10 19:58 . 2006-12-16 06:19   303104   ----a-w-   c:\windows\system32\hpovst01.dll
2009-06-10 19:58 . 2006-12-16 06:19   573440   ----a-w-   c:\windows\system32\hpotscl1.dll
2009-06-10 19:58 . 2007-03-13 19:52   26952   ----a-w-   c:\windows\hpomdl19.dat
2009-06-10 18:43 . 2009-06-10 18:43   --------   d-----w-   c:\program files\Common Files\Adobe
2009-06-10 18:41 . 2009-02-12 09:35   38208   ----a-w-   c:\users\Bob\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-06-10 18:40 . 2009-06-10 18:40   --------   d-----w-   c:\program files\Common Files\Adobe AIR
2009-06-10 18:39 . 2009-06-10 18:44   --------   d-----w-   c:\users\Bob\AppData\Local\Adobe
2009-06-10 18:39 . 2009-06-10 18:39   86016   ----a-w-   c:\programdata\NOS\Adobe_Downloads\arh.exe
2009-06-10 18:38 . 2009-06-10 18:52   --------   d-----w-   c:\programdata\NOS
2009-06-10 18:38 . 2009-06-10 18:52   --------   d-----w-   c:\program files\NOS
2009-06-10 18:08 . 2009-06-10 18:08   61440   ----a-w-   c:\windows\system32\winipsec.dll
2009-06-10 18:08 . 2009-06-10 18:08   28672   ----a-w-   c:\windows\system32\FwRemoteSvr.dll
2009-06-10 18:08 . 2009-06-10 18:08   361984   ----a-w-   c:\windows\system32\IPSECSVC.DLL
2009-06-10 18:08 . 2009-06-10 18:08   272896   ----a-w-   c:\windows\system32\polstore.dll
2009-06-10 18:07 . 2009-06-10 18:07   8192   ----a-w-   c:\windows\system32\riched32.dll
2009-06-10 18:07 . 2009-06-10 18:07   48640   ----a-w-   c:\windows\system32\drivers\ndproxy.sys
2009-06-10 18:07 . 2009-06-10 18:07   20480   ----a-w-   c:\windows\system32\drivers\ndistapi.sys
2009-06-10 18:07 . 2009-06-10 18:07   77824   ----a-w-   c:\windows\system32\rascfg.dll
2009-06-10 18:07 . 2009-06-10 18:07   61952   ----a-w-   c:\windows\system32\drivers\wanarp.sys
2009-06-10 18:07 . 2009-06-10 18:07   52736   ----a-w-   c:\windows\system32\rasdiag.dll
2009-06-10 18:07 . 2009-06-10 18:07   32768   ----a-w-   c:\windows\system32\rasmxs.dll
2009-06-10 18:07 . 2009-06-10 18:07   22016   ----a-w-   c:\windows\system32\rasser.dll
2009-06-10 18:06 . 2009-06-10 18:06   384000   ----a-w-   c:\windows\system32\netcfgx.dll
2009-06-10 18:06 . 2009-06-10 18:06   286208   ----a-w-   c:\windows\system32\ipnathlp.dll
2009-06-10 18:06 . 2009-06-10 18:06   13824   ----a-w-   c:\windows\system32\icsunattend.exe
2009-06-10 18:06 . 2009-06-10 18:06   70144   ----a-w-   c:\windows\system32\drivers\pacer.sys
2009-06-10 18:06 . 2009-06-10 18:06   33280   ----a-w-   c:\windows\system32\traffic.dll
2009-06-10 18:06 . 2009-06-10 18:06   13824   ----a-w-   c:\windows\system32\wshqos.dll
2009-06-10 18:06 . 2009-06-10 18:06   619008   ----a-w-   c:\windows\system32\drivers\dxgkrnl.sys
2009-06-10 18:06 . 2009-06-10 18:06   36864   ----a-w-   c:\windows\system32\cdd.dll
2009-06-10 18:06 . 2009-06-10 18:06   15360   ----a-w-   c:\windows\system32\pacerprf.dll
2009-06-10 18:06 . 2009-06-10 18:06   134656   ----a-w-   c:\windows\system32\dps.dll
2009-06-10 18:05 . 2009-06-10 18:05   95232   ----a-w-   c:\windows\system32\PortableDeviceClassExtension.dll
2009-06-10 18:05 . 2009-06-10 18:05   241152   ----a-w-   c:\windows\system32\PortableDeviceApi.dll
2009-06-10 18:05 . 2009-06-10 18:05   160768   ----a-w-   c:\windows\system32\PortableDeviceTypes.dll
2009-06-10 18:04 . 2009-06-10 18:04   87040   ----a-w-   c:\windows\system32\msoert2.dll
2009-06-10 18:04 . 2009-06-10 18:04   39424   ----a-w-   c:\windows\system32\ACCTRES.dll
2009-06-10 18:04 . 2009-06-10 18:04   205824   ----a-w-   c:\windows\system32\msoeacct.dll
2009-06-10 18:02 . 2009-06-10 18:02   704000   ----a-w-   c:\windows\system32\PhotoScreensaver.scr
2009-06-10 18:02 . 2009-06-10 18:02   356352   ----a-w-   c:\windows\system32\wbem\wbemcomn.dll
2009-06-10 18:02 . 2009-06-10 18:02   24064   ----a-w-   c:\windows\system32\wtsapi32.dll
2009-06-10 18:02 . 2009-06-10 18:02   28344   ----a-w-   c:\windows\system32\drivers\battc.sys
2009-06-10 18:02 . 2009-06-10 18:02   258232   ----a-w-   c:\windows\system32\drivers\acpi.sys
2009-06-10 18:02 . 2009-06-10 18:02   20920   ----a-w-   c:\windows\system32\drivers\compbatt.sys
2009-06-10 18:02 . 2009-06-10 18:02   542720   ----a-w-   c:\windows\system32\sysmain.dll
2009-06-10 18:02 . 2009-06-10 18:02   67584   ----a-w-   c:\windows\system32\wlanhlp.dll
2009-06-10 18:02 . 2009-06-10 18:02   502784   ----a-w-   c:\windows\system32\wlansvc.dll
2009-06-10 18:02 . 2009-06-10 18:02   47104   ----a-w-   c:\windows\system32\wlanapi.dll
2009-06-10 18:02 . 2009-06-10 18:02   297984   ----a-w-   c:\windows\system32\wlansec.dll
2009-06-10 18:02 . 2009-06-10 18:02   290816   ----a-w-   c:\windows\system32\wlanmsm.dll
2009-06-10 18:00 . 2009-06-10 18:00   110080   ----a-w-   c:\windows\system32\drivers\mrxdav.sys
2009-06-10 18:00 . 2009-06-10 18:00   194560   ----a-w-   c:\windows\system32\WebClnt.dll
2009-06-10 17:59 . 2009-06-10 17:59   2028032   ----a-w-   c:\windows\system32\win32k.sys
2009-06-10 17:58 . 2009-06-10 17:58   49664   ----a-w-   c:\windows\system32\csrsrv.dll
2009-06-10 17:58 . 2009-06-10 17:58   376320   ----a-w-   c:\windows\system32\winsrv.dll
2009-06-10 17:54 . 2009-06-10 17:54   376832   ----a-w-   c:\windows\system32\winhttp.dll
2009-06-10 17:51 . 2009-06-10 17:51   297472   ----a-w-   c:\windows\system32\gdi32.dll
2009-06-10 17:50 . 2009-06-10 17:50   41984   ----a-w-   c:\windows\system32\drivers\monitor.sys
2009-06-10 17:50 . 2009-06-10 17:50   1060920   ----a-w-   c:\windows\system32\drivers\ntfs.sys
2009-06-10 17:48 . 2009-06-10 17:48   --------   d-----w-   c:\windows\system32\x64
2009-06-10 17:47 . 2009-06-10 17:47   211456   ----a-w-   c:\windows\system32\drivers\mrxsmb10.sys
2009-06-10 17:46 . 2009-06-10 17:46   374456   ----a-w-   c:\windows\system32\mcupdate_GenuineIntel.dll
2009-06-10 17:44 . 2009-06-10 17:44   500736   ----a-w-   c:\windows\system32\msdtcprx.dll
2009-06-10 17:44 . 2009-06-10 17:44   30208   ----a-w-   c:\windows\system32\xolehlp.dll
2009-06-10 17:43 . 2009-06-10 17:43   28672   ----a-w-   c:\windows\system32\Apphlpdm.dll
2009-06-10 17:43 . 2009-06-10 17:43   4247552   ----a-w-   c:\windows\system32\GameUXLegacyGDFs.dll
2009-06-10 17:43 . 2009-06-10 17:43   1687040   ----a-w-   c:\windows\system32\gameux.dll
2009-06-10 17:41 . 2009-06-10 17:41   303616   ----a-w-   c:\windows\system32\wmpeffects.dll
2009-06-10 17:40 . 2009-06-10 17:40   2048   ----a-w-   c:\windows\system32\msxml3r.dll
2009-06-10 17:40 . 2009-06-10 17:40   1194496   ----a-w-   c:\windows\system32\msxml3.dll
2009-06-10 17:38 . 2009-06-10 17:38   414208   ----a-w-   c:\windows\system32\msscp.dll
2009-06-10 17:37 . 2009-06-10 17:37   356864   ----a-w-   c:\windows\system32\MediaMetadataHandler.dll
2009-06-10 17:36 . 2009-06-10 17:36   86016   ----a-w-   c:\windows\system32\icfupgd.dll
2009-06-10 17:36 . 2009-06-10 17:36   63488   ----a-w-   c:\windows\system32\drivers\mpsdrv.sys
2009-06-10 17:36 . 2009-06-10 17:36   396800   ----a-w-   c:\windows\system32\MPSSVC.dll
2009-06-10 17:36 . 2009-06-10 17:36   392192   ----a-w-   c:\windows\system32\FirewallAPI.dll
2009-06-10 17:36 . 2009-06-10 17:36   61952   ----a-w-   c:\windows\system32\cmifw.dll
2009-06-10 17:36 . 2009-06-10 17:36   16896   ----a-w-   c:\windows\system32\wfapigp.dll
2009-06-10 17:36 . 2009-06-10 17:36   23040   ----a-w-   c:\windows\system32\drivers\tunnel.sys
2009-06-10 17:36 . 2009-06-10 17:36   178688   ----a-w-   c:\windows\system32\iphlpsvc.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-10 18:15 . 2006-11-02 12:35   --------   d-----w-   c:\program files\Windows Calendar
2009-06-10 18:14 . 2006-11-02 11:18   --------   d-----w-   c:\program files\Windows Mail
2009-06-10 18:14 . 2006-11-02 12:35   --------   d-----w-   c:\program files\Windows Defender
2009-06-10 18:14 . 2006-11-02 12:35   --------   d-----w-   c:\program files\Windows Sidebar
2009-06-10 18:14 . 2006-11-02 10:25   665600   ----a-w-   c:\windows\inf\drvindex.dat
2009-06-10 17:09 . 2009-06-10 17:09   40960   ----a-w-   c:\windows\system32\srclient.dll
2009-06-10 17:06 . 2009-06-10 17:06   549888   ----a-w-   c:\windows\system32\rpcss.dll
2009-06-10 17:06 . 2009-06-10 17:06   3503584   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2009-06-10 17:06 . 2009-06-10 17:06   3469280   ----a-w-   c:\windows\system32\ntoskrnl.exe
2009-06-10 17:06 . 2009-06-10 17:06   654336   ----a-w-   c:\windows\system32\printfilterpipelinesvc.exe
2009-06-10 17:06 . 2009-06-10 17:06   247296   ----a-w-   c:\windows\system32\wbem\WmiPrvSE.exe
2009-06-10 17:06 . 2009-06-10 17:06   24576   ----a-w-   c:\windows\system32\printfilterpipelineprxy.dll
2009-06-10 17:06 . 2009-06-10 17:06   130560   ----a-w-   c:\windows\system32\wbem\WmiDcPrv.dll
2009-06-10 17:06 . 2009-06-10 17:06   614912   ----a-w-   c:\windows\system32\wbem\fastprox.dll
2009-06-10 17:06 . 2009-06-10 17:06   501760   ----a-w-   c:\windows\system32\wbem\WmiPrvSD.dll
2009-06-10 17:06 . 2009-06-10 17:06   97280   ----a-w-   c:\windows\system32\iasrecst.dll
2009-06-10 17:06 . 2009-06-10 17:06   53248   ----a-w-   c:\windows\system32\iasads.dll
2009-06-10 17:06 . 2009-06-10 17:06   37888   ----a-w-   c:\windows\system32\iasdatastore.dll
2009-06-10 17:06 . 2009-06-10 17:06   158720   ----a-w-   c:\windows\system32\sdohlp.dll
2009-06-10 17:05 . 2009-06-10 17:05   72704   ----a-w-   c:\windows\system32\admparse.dll
2009-06-10 17:05 . 2009-06-10 17:05   827392   ----a-w-   c:\windows\system32\wininet.dll
2009-06-10 17:05 . 2009-06-10 17:05   78336   ----a-w-   c:\windows\system32\ieencode.dll
2009-06-10 17:05 . 2009-06-10 17:05   48128   ----a-w-   c:\windows\system32\mshtmler.dll
2009-06-10 17:05 . 2009-06-10 17:05   26624   ----a-w-   c:\windows\system32\ieUnatt.exe
2009-06-10 17:05 . 2009-06-10 17:05   56320   ----a-w-   c:\windows\system32\iesetup.dll
2009-06-10 17:02 . 2009-06-10 17:02   0   ----a-w-   c:\windows\system32\drivers\EMACHINES_W3609__GCY7110063644.MRK
2009-06-10 15:21 . 2009-06-10 15:21   --------   d-----w-   c:\users\Bob\AppData\Roaming\SampleView
2009-06-10 15:17 . 2009-06-10 15:17   --------   d-sh--we   c:\programdata\Templates
2009-06-10 15:17 . 2009-06-10 15:17   --------   d-sh--we   c:\programdata\Start Menu
2009-06-10 15:17 . 2009-06-10 15:17   --------   d-sh--we   c:\programdata\Favorites
2009-06-10 15:17 . 2009-06-10 15:17   --------   d-sh--we   c:\programdata\Documents
2009-06-10 15:17 . 2009-06-10 15:17   --------   d-sh--we   c:\programdata\Desktop
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-02 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-02 133656]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-13 148888]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SigmatelSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2006-11-02 303104]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05   356352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3206373129-98774604-3863853047-1000]
"EnableNotificationsRef"=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3206373129-98774604-3863853047-500]
"EnableNotificationsRef"=dword:00000002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{3B7DEAAA-1CC5-4686-A134-28C43700D33E}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [6/14/2009 12:46 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [6/14/2009 12:46 PM 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [6/14/2009 12:46 PM 51792]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\System32\drivers\NETw2v32.sys [11/2/2006 5:25 AM 2589184]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ASWFSBLK
*NewlyCreated* - ASWMONFLT
*NewlyCreated* - ASWRDR
*NewlyCreated* - ASWSP
*NewlyCreated* - ASWTDI

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork   REG_MULTI_SZ      PLA DPS BFE mpssvc
HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NapsterShell - c:\program files\Napster\napster.exe
HKLM-Run-BigFix - c:\program files\Bigfix\bigfix.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://verizon.yahoo.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=W3609
uInternet Settings,ProxyOverride =
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-14 15:21
Windows 6.0.6000  NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
Denied: (A) (Users)
Denied: (A) (Everyone)
Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-06-14 15:22
ComboFix-quarantined-files.txt  2009-06-14 20:22

Pre-Run: 80,566,763,520 bytes free
Post-Run: 80,382,128,128 bytes free

267   --- E O F ---   2009-06-14 15:01
evilfantasy -
I hope that is what you wanted.  I must be the dumbest person you have ever tried to help .  If I had known how much this would take I would never have STARTED.  I would have called in a Geek.  Thank you for your effort.  I hope we finish soon.  BobDelete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]KillAll::

Folder::
c:\program files\Common Files\McAfee

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{3B7DEAAA-1CC5-4686-A134-28C43700D33E}"=-


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freezeevilfantasy -
I could not get McAfee turned off and the panel said it might not run correctly.  Sure enough it is running and I can not get it to stop.  I even turned the computer off while I ate supper but when I turned it back on it is still going from CFScript and ComboFix.  I checked, I still have McAfee.  However a lot of space is back in D drive.  It is now 2.79   GB free of 8.36 GB.  Now if I could shut off the ComboFix and get rid of McAfee I would be happy.  Bob evilfantasy -
One other thing.  I now have the desktop background that comes up when I take a full factory restart.  I know this is true because I use other desktop backgrounds.  BobWhat is the computer doing now?

Are you saying you have reset it to factory settings?evilfantasy -
The only thing I did was try to do the part where CFScript put stuff in ComboFix.  You are suppose to turn off all your security.  I got Avast turned off but I could not get McAfee turned off.  The panel said run at my risk so I ran it.  It never stopped running even while I ate supper.  I turned the computer off and back on and the desktop background that is used when the computer is new and turned on came up.  I would guess it WENT back to a restore point at the factory restart.  The ComboFix never gave me a log.  Then the computer quit working.  The message was "can't DISPLAY page".  I hit F* when I turned it back on and "repair".  It came back on.  I of course have no idea what happened.  I guess it is fixed.  It seems to be working.  Bobevilfantasy -
I just discovered that if I scroll back up to the post where I was to get CFScript to put stuff into ComboFix that it is still doing that.  How do I stop it?  Bob evilfantasy -
Shuting down for the night.  At least you got more space in my D drive.  I got a popup that said "perfact uninstall" could get rid of McAfee.  Do you know them?  Bob

Hi Thanks strange now I have the yellow shield in the TASK BAR again & cant install the attached same problem which we managed to cure before! Im wondering if its definately needed?

Same THING is happening, the update will download but wont install to the MACHINE!

any suggestions?

Thanks DAVE

[attachment deleted by admin]

My gf puter is very very sick. I plan on using all the info and available tools from here to cure the ills.

BUT what I do need to know is..... how do I get her computer to pause long enough for me to get my commands entered ?

I plan on down loading all needed software to a disk using my computer and running them one by one on hers. Can I do all this in safe mode from her computer?

Thanks in advance.This will make it easier for you.

AVIRA AntiVir Rescue System

1. Download the Avira AntiVir Rescue System
- If you need a free burning application, CDBurnerXP works on all operating systems from Microsoft Windows 2000 SP4 onwards.
2. Place a blank CD in your burner and double-click on the downloaded file.
3. The program will automatically burn the CD for you.
4. Place the burned CD into the affected computer and start the computer with the CD in the CD tray.
5. On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
6. Click on the Configuration button.

- Select Scan all files
- Select Try to repair infected files and Rename files, if they cannot be removed
- Select Scan for dialers
- Select Scan for joke programs (JOKES)
- Select Scan for games
- Select Scan for spyware (SPR)

7. Click on Virus scanner
8. Click on Start scanner at the bottom of the screen.

9. Let Avira finish it's scan and then remove any threats found and then exit out of the scanner.
10. Take the CD out of the CD/DVD tray and then restart the computer.

If needed see this Tutorial for the Avira Rescue CDDude the beers on me!

This place has never failed me.

Thanks a mill.OK This sounded so simple! lol

I downloaded Avira fairly simply. It didn't work as described so what I did was load it on my PC and burn it to a disc then, after an hour, tried running it on my GF's pc. When I finally got into safemode and double clicked the avira icon on her pc it ask's me where I want to burn it?

I tried the same with malwarebytes and on her PC it said something about not having admin rights and this function could not be done?

HELP ! LOLYou don't need to run the Avira disk in Safe Mode.

Do you have a flash drive? Check this out. http://evilfantasy.wordpress.com/bitdefender-rescue-usb/I know but it did not burn directly from the site to the disk. The only way I could get it to my GF's puter was to load it to my PC and THEN burn it to disc so when I placed the burned cd into my GF's puter and rebooted it did not recognize it as a boot disc and continued with its normal process. THEN I had to go to safe mode and try to run it from her F drive. OK when you restart the computer and you see the boot options in the upper right corner, it will say press F12 for boot options. Do that and then CHOOSE to boot from the CD.Tried it 

I "BELIEVE" it said not a valid drive. Something like that or at least that was the bottom line. Try some suggestions here. How to or can't boot from a CD or DVD.I got it to run!

Had to load on my machine and then double click and let it burn to drive. I just copied it before.

I'll let you know thanks a mill.DOH! I thought you had burned it before putting the disk into the other PC.

hehehe Heres what happen...

I "THOUGHT" when I placed the blank cd in my computer it would burn directly from the site.

What I really needed to do was download it to my PC "THEN" double click and open it on my PC then it asked me where to burn it.  I burned it and then ran it on my girlfriends puter.

Working on it again this morning.

I'll report back and thanks again.OK That did nothing. lol

Found 7 item, should have renamed them, and I rebooted and again I can't even enter a command the cursor is blinking so fast.Here's what else I did (tried and failed lol) I got it into safe mode and for whatever reason it did not let me into add / remove programs. I could click on everything else and it would open but not add / remove.

I sat there and tried to right click on the start tray (lower right hand corner) to get the application to come up so I could exit it but I wasn't fast enough. lol cntr alt del also didn't work or again I wasn't fast enough.

I re-ran avira, to no avail.

I've had several PROBLEMS in the past but this one seemd to be the worst or I'm missing something here.

Somehow I "DID" get into add / remover programs (dumb luck) and I it wouldn't let me delete Super Anti spyware which I know is a illness.

I need some drastic measures here. Can I just do a system restore ? And if I can , looking into f2 and f12 does not not seem as easy as some other puters I'v had the pleasure to Exorcise!

What about spyware blaster by javacool? Quote from: Bgs on June 15, 2009, 12:08:02 AM

yeah except that one but I have a question in some Malware Removal sites in their removal guide i saw that Hijack this was replaced by OTListIt  but still it is used even in that site it is some kinda confusing because we must learn how to read logs in HJT but in their malware removal guide they tell us that it has been replaced by OTL  .
It is kinda confusing.

Kpac , perhaps you can run Spycar on Stopzilla and share your findings.....I found it worked well, but I'm not sure I did things right.

What am I, the forum's virtual malware tester?

I use Win 2000 and IE 6.0 fully updated and I am considering banking online.
Naturally I am concerned about security. I don't have a firewall or a router but I use SpyBot and McAfee and scan my system regularly.

What else can I do to increase my security before I start?

Use a good free firewall. Comodo Free Firewall

Strong passwords: How to create and use them

Online Banking Security

Millions of people BANK online with no problems. The best safety net is yourself.

If you need ANYTHING else just let us know.And also keep in mind that NO FINANCIAL institution will ever contact you by email for important ACCOUNT information...
This is a common scam known as phishing and if you ever recieve one forward it to the mentioned Bank and delete it immediately.Here's what I do to increase security...

-Never bank online while using public WIFI
-Use FireFox instead of Internet Explorer.
-Consider using a VPN (virtual private network) while on a public internet connection. You can get good one's for free.

Here's a good resource for more info. Internet Safety Tips

also if your bank's website offers secure login vs standard login, then always use the secure login method. Quote from: 2x3i5x on June 16, 2009, 11:52:38 AM

also if your bank's website offers secure login vs standard login, then always use the secure login method.

Hi there,

Got my cousins laptop here. Just keeps popping up Personal Antivirus warnings, which I know MAM deals with. I've reset her IE, too many toolbars running, MyWebSmiley and the likes. Just going to run StartUpLite as well.

She's running Windows Vista on a Dell. Processor is Intel Pentium Core Duo. 2GB Ram.

I've ran the logs and it seems fine right now. Also going to have secunia do a quick check while I'm waiting for you guys to get back to me.

Many thanks.

[ATTACHMENT deleted by admin]Please re-open HijackThis and scan.  Check the boxes next to all the entries listed below.

O2 - BHO: Media Access Startup - {25B8D58C-B0CB-46b0-BA64-05B3804E4E86} - C:\Program Files\Media Access Startup\1.0.0.610\HPIEAddOn.dll
O2 - BHO: NP Helper Class - {35B8D58C-B0CB-46b0-BA64-05B3804E4E86} - C:\Program Files\Internet Saving Optimizer\3.1.0.3900\NPIEAddOn.dll

Now close all windows other than HijackThis, then click Fix Checked.  Close HijackThis.  Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be GIVEN the option to enter Safe Mode.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

Internet Saving Optimizer
Media Access Startup

Please note any other programs that you don't recognize in that list in your next response.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please DELETE these folders (if present):

C:\Program Files\Media Access Startup\
C:\Program Files\Internet Saving Optimizer\

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\Program Files\Media Access Startup\1.0.0.610\HPIEAddOn.dll
C:\Program Files\Internet Saving Optimizer\3.1.0.3900\NPIEAddOn.dll

After that, Reboot, and post a new HijackThis log here in a reply.Thanks, done that. Not SURE what programmes should be removed, so I took a screen shot.

[attachment deleted by admin]Looks good. How's the PC running?

Have you got a firewall installed?
- Free Firewalls. Remember to install only ONE!

• Comodo Personal Firewall - A firewall is your first line of defense in protecting private information. This is an excellent firewall.
  
• Sunbelt-Kerio - Protect yourself from hackers and other malicious attacks on the internet.
  
• Zone Alarm - Easy-to-use firewall blocks hackers and other unknown threats.
  

Thanks, going to download comodo, I'm guessing Windows Firewall isn't secure enough.

you know what teens are like adding webfetti and the like.

Yes, I would recommend Comodo over Windows - far better.
Yes I do, being one myself. Fortunately, I am one of the sensible ones.

Many thanks for you're help.

After trying to watch a video on a website about donating plasma, all my PROBLEMS started.  It sounded like commercials were playing although I couldn't SEE anything running.  I would also try to go to websites and be taken to something other than what I clicked on.  After finding your website, I followed the instructions and I've attached all 3 logs.  It seems as if something I did may have worked because I haven't had any of the problems for a little while but I wanted to follow through with the directions given.  Thank you so much for your help!!!

[attachment deleted by admin]i would remove uniblue from your pc and wait for an expert to help you with the restPlease re-open HiJackThis and scan.  Check the boxes next to all the entries listed below.

F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\sdra64.exe,
O2 - BHO: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
O4 - HKCU\..\Run: [defender32.exe] C:\Users\DUSTY&~1\AppData\Local\Temp\defender32.exe

Now close all windows other than HiJackThis, then click Fix Checked.  Close HiJackThis.  Reboot into safe mode.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

Conduit Toolbar

Please note any other programs that you don't RECOGNIZE in that LIST in your next response.


Using Windows Explorer (to get there right-click your Start BUTTON and go to "Explore"), please delete these files (if present):

C:\Users\DUSTY&~1\AppData\Local\Temp\defender32.exe
C:\Windows\system32\sdra64.exe

After that, Reboot, and post a new HijackThis log here in a REPLY.

I am working on Windows XP.  I was on my laptop and laid SOMETHING on the keyboard..I Think it was a FILED folder that I wrote on.  When I picked it up everything on my COMP was larger.

The Devise MANAGER is missing.

Can't I GO back to a date 2 days ago to fix all this?

Right-click on your desktop and choose settings. Change the settings of your resolution.

I DONT' know where it WENT?  Can I downlone it?it cannot be gone. Go to START - RUN and type devmgmt.msc and press ENTER. What happens?

And please tell us the FULL story of what is going on with your system.So sorry It is not the Device Manager.  Someone prev. told me to delete something in the device manager to help because my fonts are enourmous suddenly.

In the device mananger, Under Network Adapters, the are 3 yellow question marks:

? Other Devices
   ? Video Controller
   ? Video Controller (VGA Adapter)

This is what I deleted and when I rebooted the comp. wanted me to insert the discs that came with the LAPTOP but could not find what it needed.

Sorry I goofed on the name.



Go to the website of your video card manufacturer and download and install the latest driver.by the way, my computer can pick up other devices when they are connected with the usb, like my ipod, etc....


______________
<Link REMOVED> Quote from: mekarls on October 23, 2010, 01:10:36 PM

by the way, my computer can pick up other devices when they are connected with the usb, like my ipod, etc....


______________

by the way, my computer can pick up other devices when they are connected with the usb, like my ipod, etc....


______________
<Link Removed>

OS = Win XP   When the computer boots and get to the desktop I get a pop-up box with the following:  c:\windows\soct32gi.dll

The computer belongs to a friend and I WANT to help get rid of this annoying message box. Any help appreciated.

Thanks.Is that the entire message? And is the computer displaying any problems?Allan:

Once the message box is closed the message disappears and from what I can tell -- the computer is running normal.1) Is that the entire message?

2) Did this just START? If so, what is different since the last time the system booted without that error?I think the entire message is: system error c:\windows\soct32gi.dll

 It's not my computer. I SAW the error, but do not when it started. When the computer boots to the desktop it appears. After you close the message box it does not return. Just on the boot. Quote from: mrz on October 21, 2010, 03:05:24 PM

I think the entire message is: system error c:\windows\soct32gi.dll

Which files should i remove with hijack this? ( have tried the previous steps in Read this before REQUESTING malware removal help thread)

the problem is trojan HORSE agent 4.0 from C:\windows\system32\comdlg3.dll(ACCORDING to avg)  keeps appearing even when  i tried deleting it with avg. it pops up whenever I open windows explorer

*log attached



[attachment DELETED by admin]Don't fix anything with HijackThis.

Can you post your MalwareBytes' and SuperAntiSpyware logs too please.log attached^^

[attachment deleted by admin]

That's likely a temporary file e can clean with CleanUp!


Download and install CleanUp!.exe

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:

• Click Options...
  
• Move the arrow to Standard CleanUp!
  
• Uncheck the following: (if checked)
  • Delete Newsgroup cache
    
  • Delete Newsgroup Subscriptions
• Click OK

I have an infected PC again!

I RAN the scans before xmas, just haven't had chance to post til today.

Current VIRUS warning SAYS:

Infected file NAME: C:\WINDOWS\system32\ezpra.dll\EZPRA.DLL
Virus name: W32/Conficker.worm

cheers

Nick

[attachment deleted by admin]Any chance someone could check this for me?

Cheers

Woah, no need to thank me. Quote from: evilfantasy on January 13, 2009, 07:07:06 PM

You can delete them if you don't want them for your tests.

Final steps.

Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.

• Go to Start > Programs > Accessories > System Tools and click System Restore
  
• Choose the radio button marked Create a Restore Point on the first screen then click Next Give the Restore Point a name then click Create.
  
• The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Next go to Start > Run and type Cleanmgr
  
• Click OK
  
• Click the More Options Tab.
  
• Click Clean Up in the System Restore section to REMOVE all previous restore points except the newly created clean one.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide or Windows Vista System Restore Guide
.
----------

Use the Secunia Software Inspector to check for out of date software.

• Click Start Now
  
• Check the BOX next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

Concerned about Browser Security? Consider using Mozilla Firefox 3.0 with ADBLOCK Plus and NoScript

To prevent unknown applications from being installed on your computer install WinPatrol 2008
* Using Winpatrol to protect your computer from malicious software

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

i dont feel a need to do that.

i want to sight up for malware REMOVAL but i get a error that says Quote

No available slots. Please check back at a later time

i want to sight up for malware removal but i get a error that says Quote

No available slots. Please check back at a later time

what does that mean

It might also mean if you check back there may or may not be available slots...

I was hoping that would work. Glad it did!

Keep Avira, SuperAntiSpyware, MalwareBytes and CCleaner.

Final steps and suggestions.

• Click START then RUN
  
• Now type Combofix /U in the runbox
  
• Make sure there's a space between Combofix and /u
• Then hit Enter.

• Delete:
• ComboFix and its associated files and folders.
• VundoFix backups, if present
• The C:\Deckard folder, if present
• The C:_OtMoveIt folder, if present

• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Set a new, clean Restore Point.

• Go to Start > Programs > Accessories > System Tools and click System Restore
  
• Choose the radio button marked Create a Restore Point on the first screen then click Next Give the Restore Point a name then click Create.
  
• The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Next go to Start > Run and type Cleanmgr
  
• Click OK
  
• Click the More Options Tab.
  
• Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

And, is it worth getting SpywareBlaster if I have SAS?

• Unzip the file and open the JavaRa.exe
• Click Remove Older Versions
  
• JavaRa will search for and remove any outdated version of Java and remove any that are found.
• Click Additional Tasks
  
• Place a check next to Remove Useless JRE Files and click Go
  
• Exit JavaRa
  
• Delete the JavaRa files from the Desktop

I am having a problem with my Dell Inspiron 6000 laptop (Win XP SP2 running AVG 8.0, ADAWARE, and Zone Alarm) and hope you can offer some suggestions. I have been through the process outlined here and similar forums to erraticate viruses/malware before, but this time I'm stuck.

 Here's what happened:

I was on the internet and got a popup window that said something about a script running and asked if I want to close it. I just X’d out of it. About 15-minutes later, I got off the net and did some work in EXCEL. When I got finished, I started running a drive cleaner (HD Cleaner) which I have used for several years on various computers without a problem. I typically run this utility at least once a month. At some point after it finished, I returned to find the screen display size increased by about 300%. That is, I could only SEE about half of what I should be seeing. I tried to resize through Control Panel/Display/Settings but the "APPLY/OK" buttons at the bottom of the box were no longer there...so I couldn't resize. Also, It would not allow me to “RESTORE” previous computer settings. I realized then that I probably had a virus so I started following STEPS that I have used in the past to get rid of it. However, because the screen display was so large, I could not do anything. I did not have the option of scrolling up or down.  I was able to access the internet and LOAD a Microsoft malware removal tool, but again, the display was so large that I could not “reach” the RUN button to activate it. Next, I tried to reboot in "SAFE MODE", but that was a no-go. It would start to load the index and then freeze about halfway through. I tried safe mode several times to no avail, even safe mode with command prompt. Now when I boot and try to load windows normally, I will get the Windows XP splash screen followed by the screen that allows me to select the user account, but when I select one (I tried them all) it loads my desktop wallpaper, and then freezes. I get no desktop ICONS, no taskbar or "START" button. I ONLY see the desktop wallpaper. I'm afraid now I'm stuck...any suggestions? It seems to me that whatever fix there may be will have to come through the CD drive.

safe mode takes a long time to start up try doing it agin but wait like 15 minuts

Hi,

My name is Jesse and I'm new to your sight. First of all let me say what you guys, and maybe girls, do here is awesome. You rock. What has brought me to your website is the fact that I have some malware or spyware on my computer, I'm not sure which. I've read the "Read this before requesting malware removal help" topic and I do plan on following your directions(That leads me to another question I'll ask here also). I think I understand everything EXCEPT what the "log" technically is. I understand it's some sort of information of what's going on after the directions have been followed but what is it? Are you on the internet when you create it? I'm sure once I understand what it is I'll understand the directions for how to attack the logs to the post.
I could get started on following the directions right now but I want to follow your directions as well as possible since you are helping me out when you don't have to.
I'm looking forward to working with whomever will help me. That leads into my next question. Am I supposed to have an expert help me through the PROCESS you have laid out in the "Read this before requesting malware removal help" topic?

Thanks for your help,
JesseA log, in the computer world, is a document of EVENTS in a specific program. It may list errors, warnings, status, and execution details.

In the case of "HiJackThis" (HJT) logs, which are what Malware and Spyware Removal uses quite often.
The HJT log details system information, such as startup entries, browser helper objects (BHO's), and various other bits of information that can help identify and remove a virus, spyware, or adware program. Zylstra has nailed that but just to add - with few if any exceptions I can think of - the log file will be straight text - and so a .txt file even if it does not aquire such an extension.

View in Notepad or similar.
many log files are .log and even .DAT as well. (I sometimes accidentally name my log files "log.dat" or "Error.dat" instead of .log or .txt) True enough, agreed ... but some other .dat files tho can be hex .... OPENING in Notepad anyways should show 'em (logs that is). I think I get it. This last part I just want to make sure. The ability to create a log will be part of the antivirus program. T/F

Again, thanks for your help.If you are talking about the Malware Removal steps it is all described step by step in the Malware Removal Guide on how to create and post the logs.

For example I will attach a log to this post. You can also just copy and paste the entire contents of the logs into the reply box.

[recovering disk space -- attachment deleted by admin]

Perusing under misconfig - startup, I have noticed a new item, or at least I think it is a new item; dumprep 0 -k.  What is this?  I can find a little info on dumprep 0 -u but not the k.  Is it safe to disable this from the startup?  Is it a virus?

I have Windows XP sp3 and I am running AVG, MalwareBytes, & SuperAntiSpyware.

I am a concerned about new items in my startup since I recently found the RedGirl trojan lurking there that my anti-virus and anti-spyware programs failed to catch.  Thankfully Chris was able to GUIDE me through its removal and my computer was declared healthy.  So now the question is - have I picked up something else nasty?

Thank you for the help.dumprep.exe is associated with your memory dumps. Has the computer crashed recently? http://www.bleepingcomputer.com/startups/dumprep.exe-6014.html

It is OK to disable it with MSCONFIG but not preferred. MSCONFIG is intended to be a troubleshooting tool and not a startup manager. Removing dumprep entries is actually best done with a registry edit or a safer method of using HJT. We can do both if you wouldn't mind posting a log.

Download TrendMicro HijackThis.exe (HJT) to the Desktop.

• Double-click on HJTInstall.
• Click on the Install button.
  
• It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
  
• Upon install, HijackThis should open for you.
• Click on the Do a system scan and save a log file button
  
• HijackThis will scan and then a log will open in notepad.
• Copy and then paste the entire contents of the log in your post.
  
• Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

Okay, mission accomplished and I did receive a success message. On a side note: I only copied and pasted the information that was posted in the grey box from REGEDIT4    to   "KernelFaultCheck - I did not include the word "Code:" that was outside the box.  So if this omission was a mistake...oops.

I noticed quite a few curious items in HijackThis, like most of the 08 entries and a couple of 09 and 016.  What's the Easy Webprint stuff?  Do I need it?  I have a Canon camera but I never upload or download anything from my camera to the web.  Ditto with Kodak gallery (016).

Plus, I have about a dozen items that I had previously disabled in my startup.  I am embarrassed to confess that I was using MSCONFIG as a startup manager.  Should I list those for you to see if I should take care of them another way?

As of late my computer has slowed somewhat and I have noticed a few quirky things -  like my icons occasionally disappear for a few seconds, my wallpaper vanished suddenly today, never to return, and my computer crashed a few days ago when I was photo editing in Adobe Elements.  Nothing terribly impossible, just perplexing.

Nothing shows up with my anti-virus or spyware.  I had work done to rid myself of a trojan (see Help Removing RedGirl Trojan thread) and after that it looked like I was all clear.

Thank you for your time and help!

• O4 - HKLM\..\Run: [SunJavaUpdateSched] \"C:\Program Files\Java\jre6\bin\jusched.exe\"
• O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
• O4 - HKLM\..\Run: [StxTrayMenu] \"C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe\"
• O4 - HKLM\..\Run: [SSBkgdUpdate] \"C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe\" -Embedding -boot
• O4 - HKLM\..\Run: [OpwareSE4] \"C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe\"
• O4 - HKLM\..\Run: [LVCOMSX] \"C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe\"
• O4 - HKLM\..\Run: [LogitechQuickCamRibbon] \"C:\Program Files\Logitech\QuickCam10\QuickCam10.exe\" /hide
• O4 - HKLM\..\Run: [LogitechCommunicationsManager] \"C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe\"
• O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
• O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
• O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

• Double-click the CCleaner shortcut on the desktop to start the program.
  
• Click on the OPTIONS block on the left, then choose Cookies.
  
  • Under Cookies to Delete, highlight any cookies you would like to retain permanently
    
  • Click the right arrow > to move them to the Cookies to Keep window.
• Go into Options > Advanced uncheck Only delete files in Windows Temp folders older than 48 hours
  
• Click Cleaner on the left then Run Cleaner on the right to run the program.
  
• Important: Make sure that ALL browser windows are closed before selecting Run Cleaner
  
• Caution: It is not recommended that you use the 'Registry' feature unless you are very familiar with the registry.
  
• Exit CCleaner after it has completed its process.

• Open the folder and run Dial-a-fix.exe
• 2 windows will open. Close the one in the background labeled Restrictive Policies
• Check the box in section 1, Empty temp folders.
  
• Check the box in section 2, Fix Windows Installer.
  
• Check the box in section 3, Fix Windows Update.
  
• Check the box in section 4, labeled SSL/HTTPS/Cryptography. The 4 boxes under it should be pre-checked
  
• Check all boxes in section 5, labeled Registration Center.
  
• Click Go
  
• OK any error messages if received, but write them down and post them here.
• Restart the computer when done.

Hello,I am trying to install AVG antivirus,but it says another antivirus /security product is installed on this computer.

Well,I have had a bullguard trial for 90 days,but its not working anymore,and i can also not find it in my programs list to remove it.In my security centre(the place where you can switch on or off your windows firewall,and where you have windows defender and automatic updates) it is however still visible and on.

In my security centre there is also a big problem cause I can not switch anything off anymore.

I hope someone gets what I mean to say.Follow the link and scroll down for the Uninstall Tool For BullGuard.

http://www.bullguard.com/support/product-guides/bullguard-internet-security-guides/uninstall/4x.aspxHello,

Thanks for your reply.
The problem is that bullguard is not anymore in my add/remove programs.However,it still is showing in my windows security center:
(It was a 90 day trial that came on my pc)

I don't know if this affects the function of avg.

Actually the main problem I am trying to solve on my computer is not installing avg,but making my internet fast again.My internet is going very slow the last 3 weeks,sometimes even just 20 KB a second.I have called my internet provider for this,but from what they are seeing there,everything looks fine.They asked me to do a speedtest and I did.It had not the normal values at all.They said to me:or you have a virus,or your wire is broken.
Since my wireless laptop is slow too,I don't think the wire on this pc is the problem.

After I posted my first message in this thread,I tried a lot of things with the people in the chatroom.I downloaded hijackthis,spybot,adaware and I even installed avg(I even bought regcure cause I saw a bullguard file i nit,and I could only remove this by buying the program.Still after I ran avg again,the error message still came up),ignoring the error message.I have used all this programs yesterday,removed some things with hijackthis,spybot and adaware and msconfig.In Avg only cookies showed up,no viruses.I think it was then that someone advised me to use ccleaner to remove the cookies i found in avg,and also other things.I then removed about 800 MB of things in ccleaner and still,after all these things I had tried,it didn't seem to have any effect on my internet speed.

Doing the CCleaner was a big mistake,cause right after I removed 800 mb of stuff,my mouse started not working anymore.After restarting my pc,I could not enter anything anymore.NOt my computer,not any folder,nothing windows.It had an error message saying windows explorer doesn't work anymore.
Luckily I was able to make system restore open after 20 min of having clicked on it,and I have been able to restore my pc to the 5th of january.
But now,I'm kinda back where I started : with a very slow internet.

I have downloaded the uninstall tool from your bullguard link and used the program.This came up afterwards :

I don't know if the error message avg shows is very important.I just find it strange that no virus has been detected after I tried all those programs mentioned above.

Do you have any suggestions for me?Please forgive me if my post is long and messed up maybe.Feel free to ask me questions if u don't understand what I meant.

Thanks for replying to me


Ok,I have downloaded AVG again since my system restore removed the avg setup also.
The error message in avg(that I have another antivirus program installed) didn't SHOW up anymore.So thank you for the bullguard removal tool.

I have run the avg scan again and found some trojans and also spyware.
I am currently following your instructions from the Malware Removal Steps Tutorial but I am stuck before step 1.

My problem is this : the trojan infections have been moved to virus vault,but the spyware infections are a problem.When I try to remove them avg says :"Moved object is bigger than the archive size limit."I get 2 OPTIONS to click here:"Go to file" or "ignore"
Since I don't know the right option too choose I just close the window.

Should I just continue to step 1 now or does this spyware need to be removed otherwise?

Just continue on with the instructions. We will deal with anything that isn't removed after I have the logs.Thanks for your fast reply.I need to sleep now cause it's late her in belgium.I will continue this on monday since I'm not home tommorow.I saved the names and locations of both the trojans and spywares just in case.

see you,

 Hello,I followed step 1 and removed logitech desktop MESSENGER,the rest of my programs did not match any program in the Uninstall Malware via add or remove programs link.

I followed step 2 also,but I misunderstood the instructions at first,so I unchecked everything from the windows list except cookies.I didn't do anything to the applications list.


After this I followed all the steps in step 2.Should I recheck some things in windows and redo step 2,or can I continue?

I am also very affraid of doing this scan with the things checked that are normally checked and then run cleaner,cause a week ago this is exactly what I did and I removed about 800 MB of stuff,and afterwards the pc was completely unusable,and I was lucky that system restore was still functioning or else...
Check everything except for Cookies. Don't check anything under the Advanced menu.

You know what, I'm just going to say it's all good with the temp because I looked at the site, i looked at the program and was like...  So yeah, anything else you can think of that would help computer run SMOOTHER or check for any other THINGS that you can think of?I think we have done all we can. I'm out of NEW ideas...OKAY, well thank you until next time!

I REALLY do appreciate you taking the time to help me! I really do.No problem

This is in reference to my daughter's Dell Inspiron E1705 laptop. It became infected with win32.zafi.b. The virus software on the laptop, Trend Micro PC-cillian could not detect it. Internet Explorer and Mozilla Firefox would start then indicate a virus threat was present. Browsing became impossible. I followed the malware removal guide I found in this forum. Everything seemed to go well. I saved the requested log files to the desktop but when I ran CCleaner the second time, it deleted the MALWAREBYTES log. For the moment, win32.zafi.b seems to be gone and the two browsers are working again. The last issue I guess is what to do with the the findings MADE by Highjack This. It's log is pasted below as instructed. Thanks.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38:46 AM, on 1/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\DOCUME~1\BLUEMY~1\LOCALS~1\Temp\clclean.0001
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\AOL\1174331022\ee\AOLSoftware.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4061121
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4061121
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,[email protected]
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1174331022\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra BUTTON: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: dlcc_device -   - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - UNKNOWN owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10088 BYTES

[attachment deleted by admin]

My DAUGHTER was sent a message on AIM and when she clicked on it I assume she installed the virus... Help is greatly appreciated.

I followed the directions, however I could not find the HijackThis.exe in my TrendMircro folder to rename it. For some reason the search only brings up the Install package and a shortcut. Further search in the actual folder itself doesnt yeild the file either.

Thank you for taking the time to help.

[attachment deleted by admin]So you're saying you have 9 viruses? It seems like I have...the same problem, but not from AIM.

I'm not a specialist !Not sure how many, but even one is too many me thinks...  Quote from: RustyRayR on January 13, 2009, 12:01:49 PM

I could not find the HijackThis.exe in my TrendMircro folder to rename it

• Double-click on drweb-cureit.exe and then click Start.
  
• An Express Scan of your PC notice will appear.
  
• Under Start the Express Scan Now Click OK to start.
  • This is a short scan that will scan the files currently running in memory.
  • If or when something is found, click the Yes button when it asks you if you want to cure it.
• Once the short scan has finished, Click Options > Change settings
  
• Choose the Scan tab and UNcheck Heuristic analysis and click OK
  
• Back at the main window, select the Complete scan button.
  
• Then click the Green Arrow Start Scanning button on the right and the scan will start.
  • Click Yes to all if it asks if you want to cure/move any file(s).
• When the scan is done.
• In the Dr.Web CureIt menu on top left, click File and choose Save report list.
  
• Save the DrWeb.csv report to your Desktop.
  
• Exit Dr.Web Cureit.

• Important! Reboot your computer because it could be possible that files in USE will be moved/deleted during reboot.

• After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
  
• Copy and paste that log in the next reply

It didnt work, but the security center is working.

Sure I do, you asked me to tell you if the notepad note was accepted into the registry. It wasnt.

error messages?

• Go to Start > Programs > Accessories > System Tools and click System Restore
  
• Choose the radio button marked Create a Restore Point on the first screen then click Next Give the Restore Point a name then click Create.
  
• The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Next go to Start > Run and type Cleanmgr
  
• Click OK
  
• Click the More Options Tab.
  
• Click Clean Up in the System Restore section to REMOVE all previous restore points except the newly created clean one.

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

Hey.

I've just joined up to this site and was wondering if I could get some help.

Everything was running fine not long ago, but after letting other people on my laptop I've now got an annoying problem I can't fix. ALOT of programs that NEED access to the internet aren't able to access it, though I am actually connected. Internet Explorer just gives me the 'Page cannot be displayed' message and I can't update programs like my Anti-Virus. However, MSN Messenger still runs fine. Firefox did work when Internet Explorer stopped working, but after a few days it also stopped working as WELL. I have a program for a game I play and it has it's own in-built browser, which works fine and that's how I have to get around the internet. But it's annoying to use as it's pretty basic and always has problems.

Is ANYONE able to help? It would be GREATLY appreciated.Logs attached..

[attachment deleted by admin]Just some added info, restarted the computer in safe mode with networking and Internet Explorer worked fine while in safe mode..