Explore topic-wise InterviewSolutions in .

I thought (or at least hoped) it would never happen to me, but alas, it has. I get several msgs (all associated with getting me to buy"AntiVirus SOFT") along with some silly porn page(?s). One of the several msgs has something to do with an application failing to run. It SEEMS that none of my executable run anymore. Can you folks help?Please download exeHelper

• Double-click on exeHelper.com to run the fix.
  
• A black WINDOW should pop up, press any key to close once the fix is COMPLETED.
• Post the contents of LOG.txt (Will be created in the directory where you ran exeHelper.com)
  

Hello. for the PAST 3 days something would auto open window LIVE chats on my friends LIST and send a link to them and then close the chat fast.. I can see it open and close.. i asked my friend if i sent them a link and he sent a pic of it.. Why is it doing this? My friend said the link was a key LOGGER.. How do i remove it?Please visit this webpage for a tutorial on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the AREA: Using ComboFix, and when done, post the log back here.

You need to let MBAM fix those.


Open HijackThis and SELECT Do a system scan only

Place a check mark next to the following ENTRIES: (if there)

- O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
- O9 - Extra \'Tools\' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

Please run TDSSKiller per the below steps:

* Go to TDSSKiller and Download TDSSKiller.zip to your Desktop
* Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any sub-folder of the Desktop.
* Click Start > Run and copy/paste the following Red text into Run box and hit Enter on your keyboard.

"%userprofile%\Desktop\TDSSKiller.exe" -v

* Follow the instructions to type in "delete" when it asks you what to do when if finds something.
* When done, a log file should be created on your C: drive called 'TDSSKiller.txt' please add this log to your next reply.Done, TDSSkiller came up with nothing. and saved no logfile.Update: I am now having trouble clicking things in my browser window, I can't open links or click buttons. I am only able to post this by going through history and finding the history link to me posting from before



Okay this is strange. sometimes I can't click links, highlite text, or click buttons like post/modify. but if I minimize then maximize I can then do the previously mentioned, however I can't switch tabs. I minimize and maxmize and its back to the first problemTry this.

Download Rooter.exe to your desktop.

* Double click Rooter.exe to start the tool.
* A DOS window will appear and show the scan progress.
* Once complete a notepad file containing the report will open.
* Copy & paste the results in your next reply.
* Close notepad and Rooter will close.

A log will also save at C:\Rooter.txtRooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP Home Edition (5.1.2600) Service Pack 1
[32_bits] - x86 Family 6 Model 7 Stepping 6, GenuineIntel
.
[wscsvc] STOPPED (state:1) : Security Center -> Disabled !
[SharedAccess] RUNNING (state:4)
.
Internet Explorer 6.0.2800.1106
Mozilla Firefox 3.5.7 (en-US)
.
A:\ [Removable]
C:\ [Fixed-NTFS] .. ( Total:68 Go - Free:32 Go )
D:\ [CD_Rom]
E:\ [Fixed-NTFS] .. ( Total:139 Go - Free:114 Go )
F:\ [Fixed-NTFS] .. ( Total:229 Go - Free:222 Go )
.
Scan : 18:04.46
Path : C:\Documents and Settings\Mark\Desktop\Rooter.exe
User : Mark ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (968)
______ \??\C:\WINDOWS\system32\csrss.exe (1024)
______ \??\C:\WINDOWS\system32\winlogon.exe (1048)
______ C:\WINDOWS\system32\services.exe (1096)
______ C:\WINDOWS\system32\lsass.exe (1108)
______ C:\WINDOWS\system32\svchost.exe (1304)
______ C:\WINDOWS\system32\svchost.exe (1464)
______ C:\WINDOWS\System32\svchost.exe (1608)
______ C:\WINDOWS\System32\svchost.exe (1900)
______ C:\WINDOWS\System32\svchost.exe (1932)
______ C:\WINDOWS\system32\spoolsv.exe (220)
______ C:\Program Files\Avira\AntiVir Desktop\sched.exe (312)
______ C:\WINDOWS\Explorer.EXE (576)
______ C:\WINDOWS\V0410Mon.exe (772)
______ C:\Program Files\Razer\Lachesis\razerhid.exe (784)
______ C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (792)
______ C:\WINDOWS\System32\devldr32.exe (828)
______ C:\WINDOWS\System32\alg.exe (876)
______ C:\Program Files\Java\jre6\bin\jqs.exe (948)
______ C:\WINDOWS\System32\svchost.exe (1112)
______ C:\Program Files\Razer\Lachesis\OSD.exe (1816)
______ C:\Program Files\Razer\Lachesis\razertra.exe (188)
______ C:\Program Files\Razer\Lachesis\razerofa.exe (404)
______ C:\WINDOWS\RTHDCPL.EXE (496)
______ C:\WINDOWS\SOUNDMAN.EXE (2184)
______ C:\Program Files\Avira\AntiVir Desktop\avguard.exe (1908)
______ C:\Program Files\Mozilla Firefox\firefox.exe (3852)
______ C:\Documents and Settings\Mark\Desktop\Rooter.exe (3068)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:74052163584)
\Device\Harddisk0\Partition0 (Start_Offset:74052195840 | Length:246018124800)
\Device\Harddisk0\Partition2 (Start_Offset:74052228096 | Length:246018092544)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\SA.DAT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 18:04.47
.
C:\Rooter$\Rooter_2.txt - (07/02/2010 | 18:04.47)
It looks like Malwarebytes got everything.

Although you will want to run this next scan. Be sure you have time to let it finish as it can take up to 3 hours or more.

Run the F-Secure Online Scanner for Viruses, Spyware and Rootkits.

Note: This Scanner is for Internet Explorer Only!

* Place a check mark next to I have read and accepted the license terms and then click Install
* Accept the warning to install the F-Secure Control in Internet Explorer.
* Click Start once the control is installed.
* Choose the Full Scan option and then click Start
* Once the download completes,the scan will begin automatically.
* The scan will take some time to finish so please be patient.
* When the scan completes, choose the Automatic cleaning (recommended) button then click Next and let the scanner finish cleaning.
* Click the Show Report button. (this will open an Internet Explorer window containing the report)
* Copy & Paste the entire report in your next reply.
canning Report
Sunday, February 7, 2010 20:12:08 - 20:36:25

Computer name: MARK-47805DC06C
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\ E:\ F:\
3 malware found
TrackingCookie.2o7 (spyware)

* System (Disinfected)

TrackingCookie.Atdmt (spyware)

* System (Disinfected)

TrackingCookie.Doubleclick (spyware)

* System (Disinfected)

Statistics
Scanned:

* Files: 22294
* System: 2718
* Not scanned: 6

Actions:

* Disinfected: 3
* Renamed: 0
* Deleted: 0
* Not cleaned: 0
* Submitted: 0

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM All that found was 3 cookies which are not a threat. Looks like you are clean.... again.

How is the computer running now?It seems to be running alright, after the repair install i'm back on SP 1. I have tried to upgrade to SP2 but I get stuck at 'creating cabinets'. been there for about 40 min now.Ignore that last post, problem taken care of.

Thank you so much for your help Evil.

Hi,
A client of MINE was complaining about her PC blue screening occasionally. I have tried different repairs. There were no signs (pop ups, etc.) of a virus but thought I would check anyway. The OS is 32 bit XP and the PC is a Dell Optiplex 755.
Trojans were found after I went thru your procedures (Ccleaner, SA, MBAM and HijackThis (Sniper)).
Attached are three logs. Any further steps I should take?
THANKS

[recovering disk space - OLD attachment deleted by admin]re-run mbam and remove what it finds ( no action taken in other LOG ) and post the log , an expert will be along to helpWill do.
I am working on three PC's at mom so may take a little time.
ThanksHere you go. MBAM found NOTHING and no BSOD so far.
Thanks

[recovering disk space - old attachment deleted by admin]

+1OK I will Delete it. because I don't know what Data it has collected. and I don't know for what PURPOSE it has collected it. Just seems creepy to me.

so we can mark this one as solved, thanks to EVERYONE who helped.
shakes head and waits for the 'My PC has STOPPED WORKING' post!!

From your reply to Rootkit.Agent found in System32 Drivers' on this forum

Please read here for more information about WildTangent. Your choice if you want to remove it or not.

From the link:-

Fourth: There are also claims in the forums and by anti-spyware tool makers that the uninstaller does not remove everything
that was installed by WildTangent and that you still need to run the free remover tools to get everything. Also a classic
spyware tactic.

and...

There is also the increased chance that another piece of malware/spyware could be designed and injected into your machine
that will leverage or redirect the information gathered by their technology for more sinister purposes. Why would a
malicious code writer go to the trouble of writing their own relay software if they know that a large portion of home
systems may already contain the code he needs?

I may be getting paranoid here or have gotten completely the wrong impression from this article, but McAfee SUPPLIES a
removal tool which I had to download. This mysterious file or link or whatever it is, coupled with this information,
has me concerned.Did you run the McAfee Removal tool?Yes. Let's try another scan.

Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.

link # 1
link #2

Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Vista users Right-click combofix.exe and select Run as Administrator and follow the prompts. (you will receive a UAC prompt, please allow it)

Double-click combofix.exe and follow the prompts.
When finished, ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

NOTE: Do not MOUSECLICK ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFixComboFix 10-09-27.05 - Ron 29/09/2010 0:30.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3069.1691 [GMT 1:00]
Running from: c:\users\Ron\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-08-28 to 2010-09-28 )))))))))))))))))))))))))))))))
.

2010-09-28 23:42 . 2010-09-28 23:42--------d-----w-c:\users\Ron\AppData\Local\temp
2010-09-28 23:42 . 2010-09-28 23:42--------d-----w-c:\users\Public\AppData\Local\temp
2010-09-28 23:42 . 2010-09-28 23:42--------d-----w-c:\users\Default\AppData\Local\temp
2010-09-28 22:17 . 2010-09-28 22:20--------d-----w-c:\program files\SpywareBlaster
2010-09-28 22:11 . 2010-09-28 22:11--------d-----w-c:\program files\WOT
2010-09-27 13:39 . 2010-09-27 13:39--------d-----w-c:\program files\iPod
2010-09-27 13:39 . 2010-09-27 13:40--------d-----w-c:\program files\iTunes
2010-09-27 13:37 . 2010-09-27 13:37--------d-----w-c:\program files\QuickTime
2010-09-27 13:35 . 2010-09-27 13:35--------d-----w-c:\program files\Apple Software Update
2010-09-27 13:02 . 2010-09-27 13:02--------d-----w-c:\users\Ron\AppData\Local\Secunia PSI
2010-09-27 13:02 . 2010-09-27 13:02--------d-----w-c:\program files\Secunia
2010-09-27 12:34 . 2010-09-28 22:13--------d-----w-c:\users\Ron\AppData\Roaming\OnlineArmor
2010-09-27 12:34 . 2010-09-27 12:53--------d-----w-c:\programdata\OnlineArmor
2010-09-27 12:33 . 2010-07-05 07:4422600----a-w-c:\windows\system32\drivers\OAmon.sys
2010-09-27 12:33 . 2010-07-05 07:4429256----a-w-c:\windows\system32\drivers\OAnet.sys
2010-09-27 12:33 . 2010-07-05 07:43236104----a-w-c:\windows\system32\drivers\OADriver.sys
2010-09-27 12:33 . 2010-09-27 12:33--------d-----w-c:\program files\Emsisoft
2010-09-26 19:23 . 2010-09-26 19:23--------d-----w-c:\programdata\WindowsSearch
2010-09-26 19:08 . 2010-09-27 11:46--------d-----w-c:\programdata\Comodo
2010-09-26 14:59 . 2010-09-26 14:59--------d-----w-c:\programdata\NVIDIA Corporation
2010-09-24 01:51 . 2010-09-24 01:5173000----a-w-c:\programdata\Apple Computer\Installer Cache\iTunes 10.0.1.22\SetupAdmin.exe
2010-09-22 14:02 . 2010-09-22 14:02--------d-----w-c:\program files\ESET
2010-09-17 22:15 . 2010-09-17 22:15388096----a-r-c:\users\Ron\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-17 21:53 . 2010-09-17 21:53--------d-----w-c:\users\Ron\AppData\Roaming\Malwarebytes
2010-09-17 21:53 . 2010-04-29 14:3938224----a-w-c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-17 21:53 . 2010-09-17 21:53--------d-----w-c:\programdata\Malwarebytes
2010-09-17 21:53 . 2010-09-17 21:53--------d-----w-c:\program files\Malwarebytes' Anti-Malware
2010-09-17 21:53 . 2010-04-29 14:3920952----a-w-c:\windows\system32\drivers\mbam.sys
2010-09-17 09:43 . 2010-09-17 21:4263488----a-w-c:\users\Ron\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-17 09:43 . 2010-09-17 09:4352224----a-w-c:\users\Ron\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-09-17 09:43 . 2010-09-17 21:42117760----a-w-c:\users\Ron\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-17 09:43 . 2010-09-17 09:43--------d-----w-c:\users\Ron\AppData\Roaming\SUPERAntiSpyware.com
2010-09-17 09:43 . 2010-09-17 09:43--------d-----w-c:\programdata\SUPERAntiSpyware.com
2010-09-17 09:43 . 2010-09-17 21:40--------d-----w-c:\program files\SUPERAntiSpyware
2010-09-17 09:30 . 2010-09-27 15:02--------d-----w-c:\programdata\Yahoo! Companion
2010-09-17 09:30 . 2010-09-17 09:30--------d-----w-c:\users\Ron\AppData\Roaming\Yahoo!
2010-09-17 09:30 . 2010-09-17 09:30--------d-----w-c:\program files\Yahoo!
2010-09-17 09:29 . 2010-09-17 09:30--------d-----w-c:\program files\CCleaner
2010-09-17 07:47 . 2010-04-16 16:46502272----a-w-c:\windows\system32\usp10.dll
2010-09-17 07:47 . 2010-08-17 14:11128000----a-w-c:\windows\system32\spoolsv.exe
2010-09-17 07:47 . 2010-04-05 17:02317952----a-w-c:\windows\system32\MP4SDECD.DLL
2010-09-17 07:47 . 2010-05-27 20:08739328----a-w-c:\windows\system32\inetcomm.dll
2010-09-09 21:00 . 2010-09-09 21:00--------d-sh--w-c:\windows\system32\%APPDATA%
2010-09-06 11:17 . 2010-09-06 11:17--------d-----w-c:\program files\Common Files\Java
2010-09-06 11:14 . 2010-09-06 11:1610787840----a-w-c:\users\Ron\AppData\Roaming\Adobe\Acrobat\7.0\Updater\AcroProUpd710_all_cum.exe
2010-09-04 09:48 . 2010-09-04 09:49--------d-----w-c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-09-04 09:42 . 2010-09-04 09:42--------d-----w-c:\program files\Bonjour
2010-09-01 08:30 . 2010-09-01 08:3015544----a-w-c:\windows\system32\drivers\psi_mf.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-28 23:23 . 2009-07-12 09:53--------d-----w-c:\program files\Spybot - Search & Destroy
2010-09-28 23:23 . 2009-07-12 09:53--------d-----w-c:\programdata\Spybot - Search & Destroy
2010-09-28 23:00 . 2009-11-06 11:281----a-w-c:\users\Ron\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-09-28 21:53 . 2010-06-24 06:2936725----a-w-c:\programdata\nvModes.dat
2010-09-28 21:50 . 2009-07-15 13:5112----a-w-c:\windows\bthservsdp.dat
2010-09-27 13:42 . 2009-11-13 18:53--------d-----w-c:\users\Ron\AppData\Roaming\Apple Computer
2010-09-27 13:39 . 2009-11-13 18:45--------d-----w-c:\program files\Common Files\Apple
2010-09-27 13:15 . 2009-07-06 10:58--------d-----w-c:\program files\Java
2010-09-26 15:24 . 2009-05-31 18:09--------d-----w-c:\programdata\NVIDIA
2010-09-26 15:00 . 2010-06-24 04:42--------d-----w-c:\program files\NVIDIA Corporation
2010-09-22 13:10 . 2009-05-03 04:20175808----a-w-c:\users\Ron\AppData\Local\GDIPFONTCACHEV1.DAT
2010-09-22 13:10 . 2009-05-05 21:40--------d-----w-c:\program files\Common Files\Adobe
2010-09-17 22:32 . 2006-11-02 11:18--------d-----w-c:\program files\Windows Mail
2010-09-13 09:42 . 2009-05-17 18:30--------d-----w-c:\program files\Microsoft Silverlight
2010-08-27 14:15 . 2010-08-27 14:15--------d-----w-c:\program files\Microsoft Security Essentials
2010-08-14 21:06 . 2009-07-19 15:39300384----a-w-c:\users\Ron\AppData\Roaming\McAfee\Supportability\MVTLogs\Results\detect.dll
2010-08-13 14:06 . 2010-08-13 06:10--------d-----w-c:\program files\Common Files\ParetoLogic
2010-08-13 06:33 . 2010-08-13 06:33--------d-----w-c:\users\Ron\AppData\Roaming\AdobeUM
2010-08-13 06:33 . 2010-08-13 06:33--------d-----w-c:\program files\Common Files\Java(0)
2010-08-13 06:10 . 2010-08-13 06:10--------d-----w-c:\programdata\FileCure
2010-08-08 18:48 . 2010-08-08 18:48568832----a-w-c:\users\Ron\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\uno_packages\4FE5.tmp_\sun-pdfimport.oxt\msvcp90.dll
2010-08-08 18:48 . 2010-08-08 18:48686080----a-w-c:\users\Ron\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\uno_packages\4FE5.tmp_\sun-pdfimport.oxt\pdfimport.uno.dll
2010-08-08 18:48 . 2010-08-08 18:48655872----a-w-c:\users\Ron\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\uno_packages\4FE5.tmp_\sun-pdfimport.oxt\msvcr90.dll
2010-08-08 18:48 . 2010-08-08 18:48583168----a-w-c:\users\Ron\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\uno_packages\4FE5.tmp_\sun-pdfimport.oxt\xpdfimport.exe
2010-08-08 18:48 . 2010-08-08 18:48224768----a-w-c:\users\Ron\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\uno_packages\4FE5.tmp_\sun-pdfimport.oxt\msvcm90.dll
2010-08-08 18:42 . 2009-11-06 11:24--------d-----w-c:\program files\OpenOffice.org 3
2010-07-27 17:44 . 2010-07-27 17:4491424----a-w-c:\windows\system32\dnssd.dll
2010-07-27 17:44 . 2010-07-27 17:4475040----a-w-c:\windows\system32\jdns_sd.dll
2010-07-27 17:44 . 2010-07-27 17:44197920----a-w-c:\windows\system32\dnssdX.dll
2010-07-27 17:44 . 2010-07-27 17:44107808----a-w-c:\windows\system32\dns-sd.exe
2010-07-17 04:00 . 2010-05-17 12:09423656----a-w-c:\windows\system32\deployJava1.dll
2010-07-09 15:37 . 2010-07-09 15:371469544----a-w-c:\windows\system32\nvsvc.dll
2010-07-09 15:37 . 2010-07-09 15:3713939816----a-w-c:\windows\system32\nvcpl.dll
2010-07-09 15:37 . 2010-07-09 15:37129640----a-w-c:\windows\system32\nvvsvc.exe
2010-07-09 15:37 . 2010-07-09 15:37110696----a-w-c:\windows\system32\nvmctray.dll
.

((((((((((((((((((((((((((((( [emailprotected]_20.49.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-22 09:00 . 2010-09-22 09:2565536 c:\windows\tracing\RASPPTP.BIN
+ 2010-09-22 09:00 . 2010-09-22 09:2565536 c:\windows\tracing\RASL2TP.BIN
+ 2010-09-22 09:00 . 2010-09-22 09:2565536 c:\windows\tracing\IPSEC.BIN
+ 2009-05-03 14:56 . 2010-09-28 21:5468536 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2010-09-28 21:5460142 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-05-03 14:40 . 2010-09-28 21:5418796 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3891294070-290603237-754910137-1000_UserData.bin
+ 2010-07-10 04:37 . 2010-07-10 04:3756936 c:\windows\System32\OpenCL.dll
+ 2010-09-27 12:33 . 2010-07-05 07:4429256 c:\windows\System32\DriverStore\FileRepository\oanet.inf_536b0972\OAnet.sys
+ 2010-07-10 04:37 . 2010-07-10 04:3756936 c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_a648eb91\OpenCL.dll
+ 2006-11-02 13:02 . 2010-09-28 21:5232768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2006-11-02 13:02 . 2010-09-19 20:1732768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-09-27 13:15 . 2010-09-27 13:1579488 c:\windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\jre1.6.0_20\gtapi.dll
+ 2010-09-28 22:17 . 2010-09-28 21:5232768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2006-11-02 13:02 . 2010-09-28 21:5216384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2006-11-02 13:02 . 2010-09-19 20:1716384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-09-09 21:00 . 2010-09-09 21:0016384 c:\windows\System32\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
+ 2010-09-09 21:00 . 2010-09-27 13:1616384 c:\windows\System32\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
+ 2009-05-18 19:46 . 2010-09-28 21:5316384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-05-18 19:46 . 2010-09-19 20:1816384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-05-18 19:46 . 2010-09-19 20:1832768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-05-18 19:46 . 2010-09-28 21:5332768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-05-18 19:46 . 2010-09-28 21:5316384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-05-18 19:46 . 2010-09-19 20:1816384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-05-18 19:40 . 2010-09-19 20:1716384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-05-18 19:40 . 2010-09-28 21:5216384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-12-14 10:04 . 2010-09-26 14:1432768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
- 2009-12-14 10:04 . 2010-09-17 17:0632768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-14 10:04 . 2010-09-26 14:1416384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
- 2009-12-14 10:04 . 2010-09-17 17:0616384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
+ 2009-12-14 10:04 . 2010-09-26 14:1416384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
- 2009-12-14 10:04 . 2010-09-17 17:0616384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
+ 2009-05-18 19:40 . 2010-09-28 21:5232768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-05-18 19:40 . 2010-09-19 20:1732768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-05-18 19:40 . 2010-09-19 20:1716384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-05-18 19:40 . 2010-09-28 21:5216384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-09-27 13:35 . 2010-09-27 13:3527136 c:\windows\Installer\{C41300B9-185D-475E-BFEC-39EF732F19B1}\AppleSoftwareUpdateIco.exe
+ 2009-12-21 19:09 . 2009-12-21 19:0916832 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\ViewerPS.dll
+ 2009-12-22 00:57 . 2009-12-22 00:5735760 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\reader_sl.exe
+ 2009-12-21 19:02 . 2009-12-21 19:0279280 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\PDFPrevHndlr.dll
+ 2009-12-21 22:21 . 2009-12-21 22:2199776 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\eula.exe
+ 2009-12-11 14:57 . 2009-12-11 14:5770584 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\adobeextractfiles.dll
+ 2009-12-21 22:37 . 2009-12-21 22:3727048 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acrotextextractor.exe
+ 2009-12-21 17:39 . 2009-12-21 17:3915288 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32Info.exe
+ 2009-12-21 17:27 . 2009-12-21 17:2775200 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acroiehelpershim.dll
+ 2009-12-21 17:27 . 2009-12-21 17:2761888 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroIEHelper.dll
- 2006-11-02 10:25 . 2010-09-04 09:4486016 c:\windows\inf\infstor.dat
+ 2006-11-02 10:25 . 2010-09-27 12:3486016 c:\windows\inf\infstor.dat
+ 2006-11-02 10:25 . 2010-09-27 12:3451200 c:\windows\inf\infpub.dat
- 2006-11-02 10:25 . 2010-09-04 09:4451200 c:\windows\inf\infpub.dat
+ 2010-09-28 21:52 . 2010-09-28 21:522048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-09-19 20:17 . 2010-09-19 20:172048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-09-28 21:52 . 2010-09-28 21:522048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2010-09-19 20:17 . 2010-09-19 20:172048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-09-22 09:00 . 2010-09-22 09:25131072 c:\windows\tracing\RASSSTP.BIN
+ 2006-11-02 10:33 . 2010-09-28 21:58608760 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2010-09-19 20:23608760 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2010-09-19 20:23108268 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2010-09-28 21:58108268 c:\windows\System32\perfc009.dat
+ 2009-05-31 17:14 . 2010-07-10 04:37604776 c:\windows\System32\nvuninst.exe
+ 2008-09-17 22:55 . 2010-07-10 04:37604776 c:\windows\System32\nvudisp.exe
+ 2010-07-10 04:37 . 2010-07-10 04:37236136 c:\windows\System32\nvcod1922.dll
+ 2010-07-10 04:37 . 2010-07-10 04:37236136 c:\windows\System32\nvcod.dll
+ 2010-09-27 13:12 . 2010-09-27 13:12232912 c:\windows\System32\Macromed\Flash\FlashUtil10k_Plugin.exe
+ 2010-09-27 13:18 . 2010-09-27 13:18232912 c:\windows\System32\Macromed\Flash\FlashUtil10k_ActiveX.exe
+ 2010-09-27 13:18 . 2010-09-27 13:18311760 c:\windows\System32\Macromed\Flash\FlashUtil10k_ActiveX.dll
- 2010-09-06 11:17 . 2010-07-17 04:00153376 c:\windows\System32\javaws.exe
+ 2010-09-27 13:15 . 2010-07-17 04:00153376 c:\windows\System32\javaws.exe
- 2010-09-06 11:17 . 2010-07-17 04:00145184 c:\windows\System32\javaw.exe
+ 2010-09-27 13:15 . 2010-07-17 04:00145184 c:\windows\System32\javaw.exe
+ 2010-09-27 13:15 . 2010-07-17 04:00145184 c:\windows\System32\java.exe
- 2010-09-06 11:17 . 2010-07-17 04:00145184 c:\windows\System32\java.exe
+ 2006-11-02 12:47 . 2010-09-22 13:08546176 c:\windows\System32\FNTCACHE.DAT
+ 2010-07-10 04:37 . 2010-07-10 04:37604776 c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_a648eb91\nvudisp.exe
+ 2010-07-10 04:37 . 2010-07-10 04:37261268 c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_a648eb91\nvdrsdb.bin
+ 2010-07-10 04:37 . 2010-07-10 04:37236136 c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_a648eb91\nvcod.dll
+ 2010-07-10 04:37 . 2010-07-10 04:37795104 c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_a648eb91\dpinst.exe
+ 2010-07-10 04:37 . 2010-07-10 04:37156264 c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_a648eb91\dbInstaller.exe
+ 2009-05-17 18:41 . 2010-09-28 14:24294912 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-05-17 18:41 . 2010-09-17 21:47294912 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2010-09-27 13:15 . 2010-09-27 13:15152576 c:\windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\jre1.6.0_20\lzma.dll
+ 2010-09-27 13:15 . 2010-09-27 13:15581120 c:\windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\jre1.6.0_20\jre1.6.0_20.msi
+ 2010-09-27 13:16 . 2010-09-27 13:16183808 c:\windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\AU\au.msi
+ 2010-09-19 21:26 . 2010-09-19 21:26802304 c:\windows\Installer\3e650b.msi
+ 2010-09-27 13:15 . 2010-09-27 13:15577536 c:\windows\Installer\17f3ac.msi
+ 2010-09-28 22:11 . 2010-09-28 22:11279552 c:\windows\Installer\11c055.msi
+ 2010-09-19 21:26 . 2010-09-19 21:26295606 c:\windows\Installer\{AC76BA86-7AD7-5464-3428-900000000004}\ARPPRODUCTICON.exe
+ 2010-09-27 13:41 . 2010-09-27 13:41380928 c:\windows\Installer\{2CE5A2E7-3437-4CE7-BCF4-85ED6EEFF9E4}\iTunesIco.exe
+ 2008-04-10 08:20 . 2008-04-10 08:20638976 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA746454382090000000040\9.0.0\AdobeLinguistic.dll
+ 2009-12-11 14:57 . 2009-12-11 14:57326056 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\readerupdater.exe
+ 2009-12-21 17:35 . 2009-12-21 17:35378264 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\pdfshell.dll
+ 2009-12-21 17:34 . 2009-12-21 17:34103864 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\nppdf32.dll
+ 2009-11-09 18:18 . 2009-11-09 18:18684032 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\JP2KLib.dll
+ 2009-12-21 19:02 . 2009-12-21 19:02542168 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AdobeCollabSync.exe
+ 2009-12-11 14:57 . 2009-12-11 14:57948672 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\adobearm.exe
+ 2009-12-21 17:43 . 2009-12-21 17:43120240 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRdIF.dll
+ 2009-12-22 00:57 . 2009-12-22 00:57349616 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32.exe
+ 2009-12-21 17:15 . 2009-12-21 17:15660912 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroPDF.dll
+ 2009-12-21 18:32 . 2009-12-21 18:32280024 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acrobroker.exe
+ 2009-12-11 14:57 . 2009-12-11 14:57326056 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acrobatupdater.exe
+ 2009-12-21 18:15 . 2009-12-21 18:15251296 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\a3dutility.exe
+ 2006-11-02 10:25 . 2010-09-27 12:34143360 c:\windows\inf\infstrng.dat
- 2006-11-02 10:25 . 2010-09-04 09:44143360 c:\windows\inf\infstrng.dat
+ 2008-09-17 22:55 . 2010-07-10 04:379818728 c:\windows\System32\nvd3dum.dll
+ 2010-07-10 04:37 . 2010-07-10 04:372892904 c:\windows\System32\nvcuvid.dll
+ 2010-07-10 04:37 . 2010-07-10 04:372506344 c:\windows\System32\nvcuvenc.dll
+ 2010-07-10 04:37 . 2010-07-10 04:374553832 c:\windows\System32\nvcuda.dll
+ 2008-09-17 22:55 . 2010-07-10 04:371625192 c:\windows\System32\nvapi.dll
+ 2009-02-03 02:15 . 2010-09-27 13:125969360 c:\windows\System32\Macromed\Flash\NPSWF32.dll
+ 2010-07-10 04:37 . 2010-07-10 04:379818728 c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_a648eb91\nvd3dum.dll
+ 2010-07-10 04:37 . 2010-07-10 04:372892904 c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_a648eb91\nvcuvid.dll
+ 2010-07-10 04:37 . 2010-07-10 04:372506344 c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_a648eb91\nvcuvenc.dll
+ 2010-07-10 04:37 . 2010-07-10 04:374553832 c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_a648eb91\nvcuda.dll
+ 2010-07-10 04:37 . 2010-07-10 04:371625192 c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_a648eb91\nvapi.dll
+ 2010-09-27 13:41 . 2010-09-27 13:416333440 c:\windows\Installer\29a52d.msi
+ 2010-09-27 13:37 . 2010-09-27 13:379472000 c:\windows\Installer\299c8c.msi
+ 2010-09-27 13:35 . 2010-09-27 13:351554944 c:\windows\Installer\2999d8.msi
+ 2010-06-20 08:01 . 2010-06-20 08:018040960 c:\windows\Installer\13fca.msp
+ 2010-09-22 08:34 . 2010-09-22 08:343940352 c:\windows\Installer\13ed7.msi
+ 2009-12-21 17:29 . 2009-12-21 17:292409880 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\rt3d.dll
+ 2009-10-27 19:34 . 2009-10-27 19:345009408 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\authplay.dll
+ 2009-12-21 22:31 . 2009-12-21 22:315713920 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AGM.dll
+ 2010-07-10 04:37 . 2010-07-10 04:3714092904 c:\windows\System32\nvoglv32.dll
+ 2010-07-10 04:37 . 2010-07-10 04:3710267240 c:\windows\System32\nvcompiler.dll
+ 2010-07-10 04:37 . 2010-07-10 04:3714092904 c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_a648eb91\nvoglv32.dll
+ 2010-07-10 04:37 . 2010-07-10 04:3711008040 c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_a648eb91\nvlddmkm.sys
+ 2010-07-10 04:37 . 2010-07-10 04:3750354424 c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_a648eb91\NvCplSetupInt.exe
+ 2010-07-10 04:37 . 2010-07-10 04:3710267240 c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_a648eb91\nvcompiler.dll
+ 2010-07-10 04:37 . 2010-07-10 04:3711008040 c:\windows\System32\drivers\nvlddmkm.sys
+ 2010-04-04 06:54 . 2010-04-04 06:5411850240 c:\windows\Installer\13fcb.msp
+ 2010-08-13 18:09 . 2010-08-13 18:0912263936 c:\windows\Installer\13fc9.msp
+ 2009-12-21 22:21 . 2009-12-21 22:2120436408 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-09 39408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-28 570664]
"SigmatelSysTrayApp"="sttray.exe" [2007-03-29 303104]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"@OnlineArmor GUI"="c:\program files\Emsisoft\Online Armor\oaui.exe" [2010-07-05 6854984]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\Emsisoft\ONLINE~1\oaevent.dll" [2010-07-05 924488]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R1 apprngr;AppRanger Scan Driver;c:\windows\system32\Drivers\apprngr.sys

I am running windows 7 and am TRYING to GRANT my user administration...with cmd.exe that is when i try to ANYTHING weather i be changing user passwords or adding usernames... it displays system error 5 acces denied. someone told me sounds like infection.any HELP. i used aavg FREE scaner and no results were found.Quote from: cmdpro on September 28, 2010, 07:27:05 PM

I am running windows 7 and am trying to grant my user administration...with cmd.exe that is when i try to anything weather i be changing user passwords or adding usernames... it displays system error 5 acces denied. someone told me sounds like infection.any help. i used aavg free scaner and no results were found.

Here is the ESET removal:

C:\Users\Darren\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\3ebcf5d2-3de6c09bmultiple threatsdeleted - quarantined
C:\Users\Darren\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\238ef117-5a87caaemultiple threatsdeleted - quarantined
C:\Users\Darren\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\16646899-1fc27cbdmultiple threatsdeleted - quarantined
C:\Users\Darren\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\6e741361-22cae4a7multiple threatsdeleted - quarantined
C:\Users\Darren\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\42123aa8-34752fe8OSX/Exploit.Smid.B trojandeleted - quarantined
C:\Users\Darren\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\23ea3369-65466a12multiple threatsdeleted - quarantined
C:\Users\Darren\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\556445eb-367312bbprobably a variant of Win32/Agent.DYXWUMY trojandeleted - quarantined
C:\Users\Darren\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\5473416c-3dc84921multiple threatsdeleted - quarantined

Thanks SD,
D.So, how's your computer running now? Any issues?Actually, it seems to be running great!

Did another Eset scan and everything seems to be fine.

Just wondering if I should be deleting the ESET quarantined items, I still have the old Java updates in add/remove, will that get rid of them for good?

So basically if MalwareBytes, SAS, AVG and ESET say I'm clear now, I should be good malware/virus-wise?

Quote

Just wondering if I should be deleting the ESET quarantined items, I still have the old Java updates in add/remove, will that get rid of them for good?

i NEED HELP i have the NUMBER but i can not find what PC HELP SOFT it belong to can some one help pleaseHelp how? What is your QUESTION?
At some point we need to ignore her POSTS.

Well, that is good news. I just want to make sure that your computer is clean. Please run these scans and post the LOGS.

SUPERAntiSpyware

If you already have SUPERAntiSpyware be sure to check for updates before scanning!

Download SuperAntispyware Free Edition (SAS)
* Double-click the icon on your desktop to run the installer.
* When asked to Update the program definitions, click Yes
* If you encounter any problems while downloading the updates, manually download and unzip them from here
* Next click the Preferences button.

•Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
* Click the Scanning Control tab.
* Under Scanner Options make sure only the FOLLOWING are checked:

•Close browsers before scanning
•Scan for tracking cookies
•Terminate memory threats before quarantining
•Please leave the others unchecked

•Click the Close button to leave the control center screen.

* On the main screen click Scan your computer
* On the left check the box for the drive you are scanning.
* On the right choose Perform Complete Scan
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK
* Make sure everything in the white box has a check next to it, then click Next
* It will quarantine what it found and if it asks if you want to reboot, click Yes

•To retrieve the removal information please do the following:
•After reboot, double-click the SUPERAntiSpyware icon on your desktop.
•Click Preferences. Click the Statistics/Logs tab.

•Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

•It will open in your default text editor (preferably Notepad).
•Save the notepad file to your desktop by clicking (in notepad) File > Save As...

* Save the log somewhere you can easily find it. (normally the desktop)
* Click close and close again to exit the program.
*Copy and Paste the log in your post.
***************************************
Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
• Please save the log to a location you will remember.
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the entire report in your next reply.

• Right-click on the RootkitUnhooker setup and mouse-over 7-Zip then click Extract to "RKU***"
  
• Once that is done, enter the folder, and double-click on the setup file. Navigate through setup and finish.
• Once that is done, you will see another folder that was created inside the RKU folder. Enter that folder, and double-click on the randomly named file. (It will be alpha-numeric and have an EXE extension on it.)
• It will initialize itself and load the scanner. It will also install its driver. Please wait for the interface to begin.
• Once inside the interface, do not fix anything. Click on the Report tab.
  
• Next, click on the Scan button and a popup will show. Make sure all are checked, then click on OK. It will begin scanning. When it gets to the Files tab, it will ask you what drives to scan. Just select C:\ and hit OK.
  
• It will finish in about 5 minutes or a little longer depending on how badly infected the system is, or if your security software is enabled.
• When finished, it will show the report in the Report tab. Please copy all of it, and post it in your next reply. Depending on how large the log is, you may have to use two or three posts to get all the information in.

Hello...I apologize in advance for my zero knowledge of any thing computer! I am getting a box from Microsoft Security Essentials Alert w/ a big RED Box saying Potential threat details. Message is MSE detected potential threats that might compromise your privacy or damage your computer. Your access to these items may be suspended until you taken an action. Click "Show Details" to learn more.
Detected Items: Unknown Win32/Trojan
Alert Level: High
Recommendation: Remove
Status: Suspended

My question is...is this real or if I click on any of the buttons in the box is that the virus. It came up when I was trying to sign into Mozilla. It came up a few days ago and I ran Malaware and Webroot Antivirus and they came up clean.

Thank you so much w/ your help!!! We have used you in the past and as painful as it was to do all the steps it worked!!!I've noticed a few have looked at this question but no replies. Can someone just tell me if I can run the options Microsoft Security Essentials is asking, if that is legit.

ThanksHello and welcome to Computer HOPE Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialist of this forum so it may take a bit longer to process your logs.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this ISSUE on this machine.
3. If you don't know or understand something, please don't hesitate to ASK.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.

SUPERAntiSpyware

If you already have SUPERAntiSpyware be sure to check for updates before scanning!

Download SuperAntispyware Free Edition (SAS)
* Double-click the icon on your desktop to run the installer.
* When asked to Update the program definitions, click Yes
* If you encounter any problems while downloading the updates, manually download and unzip them from here
* Next click the Preferences button.

•Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
* Click the Scanning Control tab.
* Under Scanner Options make sure only the following are checked:

•Close browsers before scanning
•Scan for tracking cookies
•Terminate memory threats before quarantining
•Please leave the others unchecked

•Click the Close button to leave the control center screen.

* On the main screen click Scan your computer
* On the left check the box for the drive you are scanning.
* On the right choose Perform Complete Scan
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK
* Make sure everything in the white box has a check next to it, then click Next
* It will quarantine what it found and if it asks if you want to reboot, click Yes

•To retrieve the removal information please do the following:
•After reboot, double-click the SUPERAntiSpyware icon on your desktop.
•Click Preferences. Click the Statistics/Logs tab.

•Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

•It will open in your default text editor (preferably Notepad).
•Save the notepad file to your desktop by clicking (in notepad) File > Save As...

* Save the log somewhere you can easily find it. (normally the desktop)
* Click close and close again to exit the program.
*COPY and Paste the log in your post.
*****************************************
Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
• Please save the log to a location you will remember.
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the entire report in your next reply.

• Double Click the HijackThis icon, located on your Desktop.
  
• By Default, it will install to: C:\Program Files\Trend Micro\HijackThis
• Accept the license agreement.
• Click the Open the Misc Tools section button.
  
• Place a checkmark beside Calculate MD5 of files if possible. Then, click Back.
  
• Click Do a System Scan and Save a Logfile. Or, if you see a white screen, click Scan.
  
• Please post the log in your next reply.
  

Hi there, I've seen many people that are having the same problem with this virus but there are no '1-click-fix' things anywhere, so I figured I would just ask away. I am running Windows XP, SP 3 (I think it's 3, it's the latest one whatever it is). I did have Microsoft Security Essentials installed, and this kept detecting and cleaning all the infected files, then seconds later finding them infected again. On the advice of a computer technician, I have also installed Avast! Antivirus, and Malwarebytes anti-malware. I have turned off MSE, and have been running scans on the other two constantly for the last 36 hours. I've run two boot scans by Avast!, two full scans (again Avast!) and two full scans with MWB. The first few scans detected things, and deleted them, but the last Avast! Full scan and boot scan both came up clean. BUT Avast! keeps detecting attempts to infect other files by this virus, even thought the scans are coming back clean.

Something, which i assume is the same virus, although I can't be sure, keeps redirecting both IE and Chrome to strange websites. The same is happening on 3 out of the 4 computers on my network.

The virus detected is always the same, although sometimes it is classified as a trojan or a worm. It is "win32:Ramnit-B". It generally infects .exe files, which means my antivirus is slowly DELETING all my programmes .

I do not use any P2P software, although someone on my LAN does. When the Computer technician I talked about earlier was looking at this computer, he found over 400 separate viruses.

I'm sure I've left out something necessary, so I apologise in advance. I'm desperately putting off reformatting my computer, because i just don't have time.Clik Here and FOLLOW the Guide for posting your LOGS...Sorry, here are the logs.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/01/2010 at 05:20 PM

Application Version : 4.44.1000

Core Rules Database Version : 5614
Trace Rules Database Version: 3426

Scan type : Complete Scan
Total Scan Time : 01:22:41

Memory items scanned : 445
Memory threats detected : 0
Registry items scanned : 5783
Registry threats detected : 0
File items scanned : 48184
File threats detected : 27

Adware.Tracking Cookie
C:\Documents and Settings\Rob\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Rob\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Rob\Cookies\[emailprotected][3].txt
C:\Documents and Settings\Rob\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Rob\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Rob\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Rob\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Rob\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Rob\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Rob\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Rob\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Rob\Cookies\[emailprotected][2].txt
media.heavy.com [ C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\#SharedObjects\5ERH872R ]
media1.break.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\5FMR537J ]
objects.tremormedia.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\5FMR537J ]
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
.atdmt.com [ C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.atdmt.com [ C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.atdmt.com [ C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.atdmt.com [ C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.apmebf.com [ C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.mediaplex.com [ C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.mediaplex.com [ C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.doubleclick.net [ C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]

Trojan.Agent/Gen-FakeProt
C:\DOCUMENTS AND SETTINGS\ROB\APPLICATION DATA\ENLUAS\NUWIE.EXE
C:\PROGRAM FILES\TEMP\U21.EXE


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 21:50:00, on 02/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HiJackThis\sniper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.tribalwars.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall\feedback.exe" /dump:os_startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263736093050
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: Application Updater - Spigot, Inc. - C:\Program Files\Application Updater\ApplicationUpdater.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 6743 bytes


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4712

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

02/10/2010 15:30:41
mbam-log-2010-10-02 (15-30-41).txt

Scan type: Quick scan
Objects scanned: 143635
Time elapsed: 21 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 5
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{0a11b96e-c7d4-82f7-1e77-c699f728b7da} (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\bk (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\idln2 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nonep (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\registrymonitor2 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,c:\program files\java\jre6\bin\jqssrv.exe,c:\program files\microsoft\desktoplayer.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)If it's Ramnit.....

I'm afraid I have very bad news.

Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.[/color]

• Understanding virus names
  
• Threat aliases for Win32/Ramnit.A

• When should I re-format? How should I reinstall?
  
• Where to draw the line? When to recommend a format and reinstall?

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).

• Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
• The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
• Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
• Wait until it has finished scanning and then exit the program.
• Reboot your computer when done.

If ComboFix is still on your computer you should find it on your desktop. If you can't find, please download and install another one and run another scan and post the log.ComboFix 10-09-29.01 - Jinju 09/29/2010 18:12:08.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.958.437 [GMT -4:00]
Running from: c:\users\Jinju\Desktop\ComboFix.exe
SP: AVG Anti-Spyware *disabled* (Outdated) {48F2E28D-ED66-4646-9C11-B3055B0AF604}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new RESTORE point
.

((((((((((((((((((((((((( Files Created from 2010-08-28 to 2010-09-29 )))))))))))))))))))))))))))))))
.

2010-09-29 22:28 . 2010-09-29 22:28--------d-----w-c:\users\Public\AppData\Local\temp
2010-09-29 22:28 . 2010-09-29 22:28--------d-----w-c:\users\Jinhee\AppData\Local\temp
2010-09-29 22:28 . 2010-09-29 22:28--------d-----w-c:\users\Default\AppData\Local\temp
2010-09-29 22:07 . 2010-09-29 22:08--------d-----w-C:\32788R22FWJFW
2010-09-28 20:44 . 2010-06-22 12:572048----a-w-c:\windows\system32\tzres.dll
2010-09-23 20:19 . 2010-09-23 20:191377632----a-w-c:\programdata\avg9\update\backup\avgssff.dll
2010-09-23 20:19 . 2010-09-23 20:19598368----a-w-c:\programdata\avg9\update\backup\avgsrmx.dll
2010-09-23 20:19 . 2010-09-23 20:19942432----a-w-c:\programdata\avg9\update\backup\avgcfgx.dll
2010-09-23 20:19 . 2010-09-23 20:194371296----a-w-c:\programdata\avg9\update\backup\avgcorex.dll
2010-09-23 20:19 . 2010-09-23 20:19300896----a-w-c:\programdata\avg9\update\backup\avgchclx.dll
2010-09-23 20:15 . 2010-09-23 20:151690952----a-w-c:\programdata\avg9\update\backup\avgupd.dll
2010-09-23 07:21 . 2010-04-14 17:47293376----a-w-c:\windows\system32\psisdecd.dll
2010-09-23 07:21 . 2010-04-14 17:46428544----a-w-c:\windows\system32\EncDec.dll
2010-09-23 07:18 . 2009-11-08 14:5599176----a-w-c:\windows\system32\PresentationHostProxy.dll
2010-09-23 07:18 . 2009-11-08 14:5549472----a-w-c:\windows\system32\netfxperf.dll
2010-09-23 07:18 . 2009-11-08 14:55297808----a-w-c:\windows\system32\mscoree.dll
2010-09-23 07:18 . 2009-11-08 14:55295264----a-w-c:\windows\system32\PresentationHost.exe
2010-09-23 07:18 . 2009-11-08 14:551130824----a-w-c:\windows\system32\dfshim.dll
2010-09-23 00:17 . 2010-06-11 15:31274432----a-w-c:\windows\system32\schannel.dll
2010-09-23 00:17 . 2008-08-02 01:01625152----a-w-c:\windows\system32\drivers\dxgkrnl.sys
2010-09-23 00:17 . 2008-06-26 03:29565248----a-w-c:\windows\system32\emdmgmt.dll
2010-09-23 00:17 . 2008-08-02 03:2636864----a-w-c:\windows\system32\cdd.dll
2010-09-23 00:17 . 2008-06-26 03:2945056----a-w-c:\windows\system32\dataclen.dll
2010-09-23 00:17 . 2008-05-20 02:07148480----a-w-c:\windows\system32\drivers\nwifi.sys
2010-09-23 00:17 . 2010-05-27 19:1681920----a-w-c:\windows\system32\iccvid.dll
2010-09-23 00:17 . 2009-08-24 12:16378368----a-w-c:\windows\system32\winhttp.dll
2010-09-23 00:17 . 2010-04-05 16:0767072----a-w-c:\windows\system32\asycfilt.dll
2010-09-23 00:17 . 2010-06-21 13:182036736----a-w-c:\windows\system32\win32k.sys
2010-09-23 00:08 . 2010-06-08 17:003598216----a-w-c:\windows\system32\ntkrnlpa.exe
2010-09-23 00:08 . 2010-06-08 17:003545992----a-w-c:\windows\system32\ntoskrnl.exe
2010-09-23 00:07 . 2010-04-16 16:101314816----a-w-c:\windows\system32\quartz.dll
2010-09-23 00:07 . 2010-06-11 15:301257472----a-w-c:\windows\system32\msxml3.dll
2010-09-23 00:07 . 2008-09-18 04:56125952----a-w-c:\windows\system32\wersvc.dll
2010-09-23 00:07 . 2008-09-18 04:56147456----a-w-c:\windows\system32\Faultrep.dll
2010-09-23 00:07 . 2010-06-18 14:43302080----a-w-c:\windows\system32\drivers\srv.sys
2010-09-23 00:07 . 2010-06-18 14:43144896----a-w-c:\windows\system32\drivers\srv2.sys
2010-09-23 00:07 . 2008-05-08 21:5990112----a-w-c:\windows\system32\wshext.dll
2010-09-23 00:07 . 2008-05-08 21:59155648----a-w-c:\windows\system32\wscript.exe
2010-09-23 00:07 . 2008-05-08 21:59180224----a-w-c:\windows\system32\scrobj.dll
2010-09-23 00:07 . 2008-05-08 21:59172032----a-w-c:\windows\system32\scrrun.dll
2010-09-23 00:07 . 2008-05-08 21:58135168----a-w-c:\windows\system32\cscript.exe
2010-09-23 00:03 . 2008-04-05 03:3415360----a-w-c:\windows\system32\pacerprf.dll
2010-09-23 00:03 . 2008-04-05 01:2172192----a-w-c:\windows\system32\drivers\pacer.sys
2010-09-23 00:03 . 2010-04-16 16:0528672----a-w-c:\windows\system32\Apphlpdm.dll
2010-09-23 00:03 . 2010-04-16 14:174240384----a-w-c:\windows\system32\GameUXLegacyGDFs.dll
2010-09-23 00:02 . 2010-06-18 16:4336352----a-w-c:\windows\system32\rtutils.dll
2010-09-23 00:02 . 2010-05-26 14:25289792----a-w-c:\windows\system32\atmfd.dll
2010-09-23 00:02 . 2009-10-19 14:2472704----a-w-c:\windows\system32\fontsub.dll
2010-09-23 00:02 . 2010-05-26 16:1634304----a-w-c:\windows\system32\atmlib.dll
2010-09-23 00:02 . 2009-06-15 15:2010240----a-w-c:\windows\system32\dciman32.dll
2010-09-23 00:00 . 2010-06-16 15:59898952----a-w-c:\windows\system32\drivers\tcpip.sys
2010-09-22 23:51 . 2010-08-17 13:32126464----a-w-c:\windows\system32\spoolsv.exe
2010-09-22 23:40 . 2010-04-16 16:10501760----a-w-c:\windows\system32\usp10.dll
2010-09-22 23:34 . 2010-04-05 16:08317952----a-w-c:\windows\system32\MP4SDECD.DLL
2010-09-22 23:26 . 2010-05-27 19:16738816----a-w-c:\windows\system32\inetcomm.dll
2010-09-22 23:25 . 2009-10-19 14:27156672----a-w-c:\windows\system32\t2embed.dll
2010-09-22 23:25 . 2010-02-23 11:32105984----a-w-c:\windows\system32\drivers\mrxsmb.sys
2010-09-22 23:25 . 2010-02-23 11:3278848----a-w-c:\windows\system32\drivers\mrxsmb20.sys
2010-09-22 23:25 . 2010-02-23 11:32212992----a-w-c:\windows\system32\drivers\mrxsmb10.sys
2010-09-22 23:24 . 2009-07-11 19:32513024----a-w-c:\windows\system32\wlansvc.dll
2010-09-22 23:24 . 2009-07-11 19:32302592----a-w-c:\windows\system32\wlansec.dll
2010-09-22 23:24 . 2009-07-11 19:32293376----a-w-c:\windows\system32\wlanmsm.dll
2010-09-22 23:24 . 2009-07-11 19:29127488----a-w-c:\windows\system32\L2SecHC.dll
2010-09-22 23:22 . 2009-08-14 14:169728----a-w-c:\windows\system32\TCPSVCS.EXE
2010-09-22 23:22 . 2009-08-14 14:1617920----a-w-c:\windows\system32\ROUTE.EXE
2010-09-22 23:22 . 2009-08-14 14:1627136----a-w-c:\windows\system32\NETSTAT.EXE
2010-09-22 23:21 . 2009-08-14 16:29104960----a-w-c:\windows\system32\netiohlp.dll
2010-09-22 23:21 . 2009-08-14 14:1611264----a-w-c:\windows\system32\MRINFO.EXE
2010-09-22 23:21 . 2009-08-14 14:168704----a-w-c:\windows\system32\HOSTNAME.EXE
2010-09-22 23:21 . 2009-08-14 14:1610240----a-w-c:\windows\system32\finger.exe
2010-09-22 23:21 . 2009-08-14 14:1619968----a-w-c:\windows\system32\ARP.EXE
2010-09-22 23:21 . 2009-08-14 16:2917920----a-w-c:\windows\system32\netevent.dll
2010-09-22 23:19 . 2009-09-10 17:30213504----a-w-c:\windows\system32\msv1_0.dll
2010-09-22 23:09 . 2008-10-22 03:57241152----a-w-c:\windows\system32\PortableDeviceApi.dll
2010-09-22 04:34 . 2008-06-20 01:1497800----a-w-c:\windows\system32\infocardapi.dll
2010-09-22 04:34 . 2008-06-20 01:14105016----a-w-c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2010-09-22 04:34 . 2008-06-20 01:1411264----a-w-c:\windows\system32\icardres.dll
2010-09-22 04:34 . 2008-06-20 01:14622080----a-w-c:\windows\system32\icardagt.exe
2010-09-22 04:34 . 2008-06-20 01:14781344----a-w-c:\windows\system32\PresentationNative_v0300.dll
2010-09-22 04:25 . 2008-07-27 18:03158720----a-w-c:\windows\system32\mscorier.dll
2010-09-22 04:25 . 2008-07-27 18:0383968----a-w-c:\windows\system32\mscories.dll
2010-09-22 04:22 . 2010-02-20 23:3924064----a-w-c:\windows\system32\nshhttp.dll
2010-09-22 04:22 . 2010-02-20 23:3731232----a-w-c:\windows\system32\httpapi.dll
2010-09-22 04:22 . 2010-02-20 21:18411136----a-w-c:\windows\system32\drivers\http.sys
2010-09-22 03:59 . 2010-04-29 19:3938224----a-w-c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-22 03:59 . 2010-04-29 19:3920952----a-w-c:\windows\system32\drivers\mbam.sys
2010-09-22 03:40 . 2010-09-22 03:4052224----a-w-c:\users\Jinju\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-09-22 03:40 . 2010-09-22 03:4063488----a-w-c:\users\Jinju\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-22 03:40 . 2010-09-22 03:40117760----a-w-c:\users\Jinju\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-21 22:00 . 2010-09-21 22:00165632---ha-w-c:\windows\system32\mlfcache.dat
2010-09-21 22:00 . 2010-09-21 22:002788816----a-w-c:\users\Jinju\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2010-09-21 11:56 . 2010-09-21 11:56658184----a-w-c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-09-21 11:28 . 2010-09-21 11:28--------d-----w-c:\programdata\Office Genuine Advantage
2010-09-21 05:37 . 2010-09-21 05:372384752----a-w-c:\programdata\WildTangent\My HP Game Console\Downloads\en-us\Installers\SetupGamesClient.exe
2010-09-21 05:28 . 2010-09-21 05:2920519176----a-w-c:\programdata\WildTangent\My HP Game Console\Downloads\Installers\SetupGamesClient.exe
2010-09-21 05:08 . 2008-01-19 07:361541120----a-w-c:\windows\system32\onex.dll
2010-09-21 05:08 . 2008-01-19 07:332623488----a-w-c:\windows\system32\SLsvc.exe
2010-09-21 05:06 . 2008-01-19 07:361013760----a-w-c:\windows\system32\wevtsvc.dll
2010-09-21 05:04 . 2008-01-19 07:35216064----a-w-c:\windows\system32\ntprint.dll
2010-09-21 05:03 . 2008-01-19 07:36242688----a-w-c:\windows\system32\pdh.dll
2010-09-21 05:02 . 2008-01-19 07:34394240----a-w-c:\windows\system32\dsquery.dll
2010-09-21 05:01 . 2008-01-19 07:371329152----a-w-c:\windows\system32\WMSPDMOE.DLL
2010-09-21 05:00 . 2008-01-19 07:3331744----a-w-c:\windows\system32\bitsigd.dll
2010-09-21 04:59 . 2008-01-19 07:3317408----a-w-c:\windows\system32\cfgmgr32.dll
2010-09-21 04:58 . 2008-01-19 07:33599552----a-w-c:\windows\system32\vsp1cln.exe
2010-09-21 04:57 . 2008-01-19 07:34102400----a-w-c:\windows\system32\wbem\mofinstall.dll
2010-09-21 04:57 . 2008-01-19 07:3683968----a-w-c:\windows\system32\wbem\wmiutils.dll
2010-09-21 04:57 . 2008-01-19 07:36742912----a-w-c:\windows\system32\wbem\wbemcore.dll
2010-09-21 04:57 . 2008-01-19 07:3630208----a-w-c:\windows\system32\wbem\wbemprox.dll
2010-09-21 04:57 . 2008-01-19 07:36357888----a-w-c:\windows\system32\wbemcomn.dll
2010-09-21 04:57 . 2008-01-19 07:36264704----a-w-c:\windows\system32\wbem\repdrvfs.dll
2010-09-21 04:57 . 2008-01-19 07:34191488----a-w-c:\windows\system32\wbem\mofd.dll
2010-09-21 04:57 . 2008-01-19 07:34263168----a-w-c:\windows\system32\wbem\esscli.dll
2010-09-21 04:56 . 2008-01-19 07:36139264----a-w-c:\windows\system32\SmiInstaller.dll
2010-09-21 04:56 . 2008-01-19 07:36704512----a-w-c:\windows\system32\SmiEngine.dll
2010-09-21 04:56 . 2008-01-19 07:36218624----a-w-c:\windows\system32\wdscore.dll
2010-09-21 04:56 . 2008-01-19 07:33130560----a-w-c:\windows\system32\PkgMgr.exe
2010-09-21 04:54 . 2008-01-19 07:34246784----a-w-c:\windows\system32\drvstore.dll
2010-09-21 04:54 . 2008-01-19 07:3535328----a-w-c:\windows\system32\mspatcha.dll
2010-09-21 04:54 . 2008-01-19 07:34305152----a-w-c:\windows\system32\msdelta.dll
2010-09-21 04:54 . 2008-01-19 07:34258560----a-w-c:\windows\system32\dpx.dll
2010-09-21 04:52 . 2008-10-21 05:251645568----a-w-c:\windows\system32\connect.dll
2010-09-21 04:51 . 2010-01-25 08:34511488----a-w-c:\windows\system32\RMActivate.exe
2010-09-21 04:51 . 2010-01-25 08:35523776----a-w-c:\windows\system32\RMActivate_isv.exe
2010-09-21 04:51 . 2010-01-25 12:48472576----a-w-c:\windows\system32\secproc_isv.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-23 22:55 . 2010-09-23 22:550---ha-w-c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2010-09-23 20:30 . 2008-07-25 21:33--------d-----w-c:\users\Jinju\AppData\Roaming\OpenOffice.org2
2010-09-23 07:54 . 2006-11-02 11:18--------d-----w-c:\program files\Windows Mail
2010-09-23 07:26 . 2007-06-29 13:00--------d-----w-c:\programdata\Microsoft Help
2010-09-22 00:25 . 2007-09-05 00:5097936----a-w-c:\users\Jinju\AppData\Local\GDIPFONTCACHEV1.DAT
2010-09-22 00:16 . 2006-11-02 10:2586016----a-w-c:\windows\Inf\infstor.dat
2010-09-22 00:16 . 2006-11-02 10:2551200----a-w-c:\windows\Inf\infpub.dat
2010-09-22 00:16 . 2006-11-02 10:25143360----a-w-c:\windows\Inf\infstrng.dat
2010-09-22 00:07 . 2006-11-02 12:37--------d-----w-c:\program files\Windows Sidebar
2010-09-22 00:07 . 2006-11-02 12:37--------d-----w-c:\program files\Windows Calendar
2010-09-22 00:07 . 2006-11-02 12:37--------d-----w-c:\program files\Windows Collaboration
2010-09-22 00:07 . 2006-11-02 12:37--------d-----w-c:\program files\Windows Journal
2010-09-22 00:07 . 2006-11-02 12:37--------d-----w-c:\program files\Windows Photo Gallery
2010-09-22 00:07 . 2006-11-02 12:37--------d-----w-c:\program files\Windows Defender
2010-09-22 00:01 . 2006-11-02 10:25665600----a-w-c:\windows\Inf\drvindex.dat
2010-09-21 23:14 . 2006-11-02 10:32101888----a-w-c:\windows\system32\ifxcardm.dll
2010-09-21 23:13 . 2006-11-02 10:3282432----a-w-c:\windows\system32\axaltocm.dll
2010-09-21 06:42 . 2007-06-29 12:58--------d-----w-c:\program files\Microsoft Works
2010-09-21 06:32 . 2008-08-07 02:45--------d-----w-c:\programdata\WildTangent
2010-09-21 06:32 . 2008-03-29 02:28--------d-----w-c:\program files\Safari
2010-09-21 06:32 . 2008-08-11 03:25--------d-----w-c:\program files\QuickTime
2010-09-21 06:32 . 2007-09-10 01:12--------d-----w-c:\program files\NetZero
2010-09-21 06:32 . 2008-08-11 03:29--------d-----w-c:\program files\iTunes
2010-09-21 06:32 . 2006-11-30 22:49--------d-----w-c:\program files\HP Games
2010-09-21 06:32 . 2008-08-11 03:27--------d-----w-c:\program files\Bonjour
2010-09-21 06:29 . 2007-10-22 07:00--------d-----w-c:\users\Jinju\AppData\Roaming\Move Networks
2010-09-21 06:29 . 2007-09-10 01:19--------d-----w-c:\program files\iPod
2010-09-21 06:29 . 2007-06-29 13:05--------d-----w-c:\program files\HP
2010-09-21 03:49 . 2007-09-05 02:3613025----a-w-c:\users\Jinju\AppData\Roaming\nvModes.dat
2010-09-21 03:25 . 2007-10-03 03:09--------d-----w-c:\programdata\Viewpoint
2010-09-19 22:45 . 2008-07-08 21:07--------d-----w-c:\program files\AVG
2010-09-15 22:51 . 2010-06-27 19:43--------d-----w-c:\programdata\WinZip
2010-09-14 04:00 . 2007-11-29 01:091356----a-w-c:\users\Jinju\AppData\Local\d3d9caps.dat
2010-09-13 13:49 . 2010-02-16 20:17--------d-----w-c:\program files\Microsoft Silverlight
2010-09-08 00:30 . 2009-05-28 18:37--------d-----w-c:\programdata\Motive
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*NOTE* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"NetZero_uoltray"="c:\program files\NetZero\exec.exe" [2007-03-07 1629184]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2006-11-21 1474560]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-03-25 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-11-24 167936]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
"Mouse Suite 98 Daemon"="ICO.EXE" [2006-11-03 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 317152]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-23 116040]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-11-10 46704]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-11-18 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-11-18 7753728]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-11-18 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]

c:\users\Jinju\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MEMonitor.lnk - c:\program files\V CAST Music Manager\MEMonitor.exe [2007-11-2 951640]
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Connections.lnk - c:\program files\HP Connections\6811507\Program\HP Connections.exe [2007-6-29 34520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S4 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\Drivers\avgtdix.sys

• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• Open notepad and copy/paste the text in the quotebox below into it:
  Quote

  KillAll::
  
  DDS::
  Trusted Zone: netzero.com
  Trusted Zone: netzero.net
  
  

• Save this as CFScript.txt, in the same location as ComboFix.exe
  
  
  
  
• Referring to the picture above, drag CFScript into ComboFix.exe
• When finished, it shall produce a log for you at C:\ComboFix.txt
  
• I do not need to see the log from this action.
  

oh and what is an HJT? You've never told me to run it before and I have no idea what that is...

• Double Click the HijackThis icon, located on your Desktop.
  
• By Default, it will install to: C:\Program Files\Trend Micro\HijackThis
• Accept the license agreement.
• Click the Open the Misc Tools section button.
  
• Place a checkmark beside Calculate MD5 of files if possible. Then, click Back.
  
• Click Do a System Scan and Save a Logfile. Or, if you see a white screen, click Scan.
  
• Please post the log in your next reply.
  

You can uninstall it or download and install MSE which, in my opinion, is a better AV program. If you do decide to change AV's download and install the new one before uninstalling the old one. You will also have to re-install MicroSoft Word.

Microsoft Security Essentials for Windows Vista\Windows 7 - 64 bit Download
Microsoft Security Essentials for Windows XP

I attempted to log in to my Yahoo Mail account using Firefox v3.6.10 and received this message from FF.

Quote

This Connection is Untrusted
You have asked Firefox to connect
securely to login.yahoo.com, but we can't confirm that your connection is secure.

Normally, when you try to connect securely,
sites will present trusted identification to prove that you are
going to the right place. However, this site's identity can't be verified.

What Should I Do?

If you USUALLY connect to
this site WITHOUT problems, this error could mean that someone is
trying to impersonate the site, and you shouldn't continue.

login.yahoo.com uses an invalid security certificate.

The certificate will not be valid until 1/4/2006 11:09 AM.

(Error code: sec_error_expired_certificate)

a young man who is supposedly computer savvy says that my computer router has a virus and its in my ethernet? Is this possible? How do i fix it? do i replace my ethernet adapter or my router to get rid of it? VERY CONFUSEDRouters can get viruses, they are removed by doing a factory RESET, and they are avoided by choosing and setting a strong password. But you need to be sure if you have a virus that the the infection is not SOMEWHERE else.
Since routers have no hard drive they can't get viruses but they can get hacked but a simple resets cures that problem.Quote from: SUPERDAVE on October 18, 2010, 12:50:35 PM

Since routers have no hard drive they can't get viruses but they can get hacked but a simple resets cures that problem.

Yesterday my father received a phone call. The man on the line said they were a Microsoft representative. They told him that he had a virus and to follow their procedures, they gained remote access to his computer. I'm am going over to his house later this afternoon, and am wondering how to turn the remote access off?

Luckily he didn't give them his credit card info. Hopefully they didn't steal all his info off his computer. I will run scans later and post them.

Here is the eset results:
C:\Documents and Settings\Paul_Kara\Application Data\Sun\Java\Deployment\cache\6.0\16\329ed4d0-3cd80ceda variant of Java/Agent.A trojan
C:\Program Files\Registry PATROL\RegistryPatrol.exea variant of Win32/Adware.RegistryPatrol application


Are those ok or should they be removed? I have no idea what the registry patrol isPlease run ESET again and this time, cure the infections and you should be good to go. THANK YOU SO MUCH!!!Quote

Java(TM) 6 Update 15
Out of DATE Java installed!

Adobe READER 8.2.2
Out of date Adobe Reader installed!
Mozilla Firefox (3.6.10) Firefox Out of Date!

I am having PROBLEMS with these two horrible things. I have now done everything asked of me in topic 46313.0 loading the various bits of software and attaching the logs. I am hoping someone can help me remove these vriruses as a no of apps now won't run eg. Nero. I get errors on PaperPort (ISscript.msi) casefoundation.dll, pptd40nt.exe, xdocparse.dll and indexsearch.exe at startup.

I also cannot save files to CDs/DVDs or USBs (USB is a bit weird as I saved a Word file but it shows photos as saved but they can't be viewed. I am still getting various popups from Avast warning of threats from these viruses but now need to get get photos on a stick for my daughters 21st celebrations!

Any help gratefully received...

[recovering disk space - old attachment deleted by admin]If it's Ramnit.....

I'm afraid I have very bad news.

Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.
•Understanding virus names

•Threat aliases for Win32/Ramnit.A
With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, JUMP) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and are a major source of system infection.

In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community BELIEVE that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
•When should I re-format? How should I reinstall?

•Where to draw the line? When to recommend a format and reinstall?

Quote

Whenever a system has been compromised by a backdoor payload, it is impossible to KNOW if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).

You mention RamnitA specifically. Mine is B does it make no difference? Am I still dead?

I am currently trying to remove some sort of an INFECTION from a computer.

It has tried to delete all files on the computer when using AVG so I installed avast. Avast finds a lot of PROBLEMS but when trying tol fix them crashes.

Also installed Agnitum as one of your steps and it didnt work saying sandbox.sys has failed to load. COuld not get it to work properly and then it wouldn't let me uninstall it. So downloaded clean.exe to finally rid the computer of it. Now installed COMODO which appears to be working fine.

Here are some of the filenames it has CAME up with (AVG)

Win32Ramnit-B

BVS:EXEdropper-gen

If this is a repost I apologise but it seems my first one disappeared




[recovering disk space - old attachment deleted by ADMIN]

I read somewhere that microsoft malicious removal tool has the same scanning ENGINE that microsoft security essentials has. Is this true? If so, would running a complete scan using MRT be the same as running a complete scan using MSE?I think I read somewhere it uses a "SUBSET" of the larger scanning engine that MSE has. I wonder what specifically it targets?Grrr, nope. It's not the same. I just RAN MRT in PE on a computer with 0 results, and a2 command line scanner in PE with only one low RISK virus (wimad). After all of that I hooked the HDD up to another PC, ran MSE and now MSE is finding stuff. Back to the drawing board.

here is the mbam LOG. I have been running this daily and have not found anything since the first running.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4734

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

10/2/2010 10:42:34 PM
mbam-log-2010-10-02 (22-42-34).txt

Scan type: Quick scan
Objects scanned: 198178
Time elapsed: 10 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Edited. What browser are you using to download Adobe updates?I have tried both internet explorer and firefox. They both will download and start to install reader than it fails towards the end stating that I don't have the rights. FLASH player appears to install correctly but every website I go to states that it is not installed.

Error 1402 could not open key.
hkey_local_machine\software\microsoft\windows\currentversion\run\optionalcomponents\imail.
verify that you have sufficient access to that key.Edited.Ignore the above postYou could try creating a new user account and see if it works OK. If so then transfer over DOCUMENTS and settings then delete the OLD account. Perhaps it would be best to start a new thread in the software forum. I'm quite sure it's not malware related.
Virus and mallware are creating big problem for a new computer users. I am not new user but i don't have enough idea about virus. How to enter the virus in our system. What it do with our system.

If some one guide me about virus. It is my pleasure

Thanks in advance.thanks Dave. I will try to do this. If it does not work I will create a post in software. Again thank you for all your help.

I ran the 3 scans.
Please note:
HJT DID NOT SHOW SOME SERVICES IN TASKMAN LIST (32:40...it is not miscount of System Idle, those absent from HJT report are listed below.)
I was running notepad and taskmanager while HJT was scanning. I unplugged DSL after installing and updating for each SCAN. Taskmanager was refreshed also. SeaPort.exe mysteriously installed; I used Revo deep uninstall but it is still listed in Taskmanager. It does not show in Revo list now.

1800 svchost.exe LOCAL SERVICE
1492 svchost.exe LOCAL SERVICE
1408 svchost.exe NETWORK SERVICE
1108 svchost.exe NETWORK SERVICE
780 csrss.exe SYSTEM
669 taskmgr.exe Marytwelveponies
4 SYSTEM SYSTEM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/10/2010 at 10:03 PM

Application Version : 4.44.1000

Core Rules Database Version : 5663
Trace Rules Database Version: 3475

Scan type : Complete Scan
Total Scan Time : 00:34:23

Memory items scanned : 367
Memory threats detected : 0
Registry items scanned : 5706
Registry threats detected : 0
File items scanned : 28830
File threats detected : 2

Adware.Tracking Cookie
C:\Documents and

Settings\Marytwelveponies\Cookies\[emailprotected][1].txt
C:\Documents and

Settings\Marytwelveponies\Cookies\[emailprotected][1].txt

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4792

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/10/2010 10:22:59 PM
mbam-log-2010-10-10 (22-22-59).txt

Scan type: Quick scan
Objects scanned: 139749
Time ELAPSED: 4 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend MICRO HijackThis v2.0.4
Scan saved at 10:29:27 PM, on 10/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\MSN Toolbar\Platform\4.0.0417.0\mswinext.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Documents and Settings\Marytwelveponies\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program

Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program

Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} -

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program

Files\WOT\WOT.dll
O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program

Files\MSN Toolbar\Platform\4.0.0417.0\npwinext.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} -

C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -

C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program

Files\MSN Toolbar\Platform\4.0.0417.0\npwinext.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program

Files\WOT\WOT.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe

/installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE

C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe"

-hide -runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader

9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common

Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [MSN Toolbar] "C:\Program Files\MSN

Toolbar\Platform\4.0.0417.0\mswinext.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search

Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet

Security\cfp.exe" -h
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes'

Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -

RES://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} -

C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote -

{2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} -

C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -

{e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?

1285695162671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_sit

e.cab?1285697002093
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) -

https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} -

http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BEC746F-6145-4CFD-8F18-F9B606B0671E}:

NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9727C47-ACC0-49A4-9C92-BD2801705DF6}:

NameServer = 156.154.70.22,156.154.71.22
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program

Files\WOT\WOT.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader -

{438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon -

{8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program

Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Acronis Nonstop Backup service (afcdpsrv) - Acronis - C:\Program

Files\Common Files\Acronis\CDP\afcdpsrv.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO -

C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation -

C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc.

- C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation -

C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7662 bytes
your hjt this is out of date and you did not post the log correctly go to below and post a new log , click do a system scan and save a log

http://www.filehippo.com/download_hijackthis/

SD,

It was BAD but we handled it moved on and had some FUN anyway lol thanks for ASKING.

I ran through your suggested list of procedures and I am just rebooting it now for the results.

I'm almost positive SOMEONE from here reccommended a site that sold memory and actually did the scan on your computer to tell one which one you needed and how much you can hold. Does that ring a bell? It was a while ago for me and a totally other PC.

Can't thank you enough for the time and help but if its not 100% a memory issue this pc might be a paper weight. lol

Well it did load firefox with yahoo as the home PAGE faster then usual. But Limewaire, which her kids use and online gaming, is still the same.

Again thanks much,
MP.Quote

I'm almost positive someone from here reccommended a site that sold memory and actually did the scan on your computer to tell one which one you needed and how much you can hold. Does that ring a bell? It was a while ago for me and a totally other PC.

...I'm almost positive someone from here reccommended a site that sold memory and actually did the scan on your computer to tell one which one you needed and how much you can hold. Does that ring a bell? It was a while ago for me and a totally other PC...

Hi All
Got a windows 7 machine with MSE locked. I tried to unload it and reload a fresh copy but started to an error...something like a Critical has happened and the machine will shut down in 1 min.

I did a safe boot and DISABLED MSE using msconfig. I than started in regular mode with the network cable unplugged and was able to uninstall MSE. Now the machine will come up normal but MSE can't be installed.

Ideas?
Thanks
Why cant it be installed? Do you get an error message at all? I ran into issues a long time ago with dirty uninstallers that left registry entries behind so it says its alraedy installed and not. I ended up using karenware Registry Pruner to find orphan entries and REMOVE them and reboot and was then able to reinstall the software.Registry cleaners are extremely powerful applications and their potential for harming your OS far outweighs any small potential for improving your computer's performance.

There are a number of them available and some are more safe than others. Keep in MIND that no two registry cleaners work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad" ENTRY. One cleaner MAY find entries on your system that will not cause a problem when removed, another may not find the same entries, and still another may want to remove entries required for a program to work. Without research into what the registry entry selected for deletion is, a registry cleaner can end up being an automated method to cause problems with the registry.

For routine use by those not familiar with the registry, the benefits to your computer are negligible while the potential risks are great.

Further reading: XP Fixes Myth #1: Registry Cleaners

Ok so since I cleared cookies, Google seems to be doing better and it hasn't had that search lately
but sometimes it comes up with an extra window (most of the time it's blank) I think this often happens when I open a new tab but once in a while it can happen when I click on a link
I am using Firefox.


C:\Documents and Settings\All Users\Application Data\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dlla variant of Win32/Adware.Yontoo.B application
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\_Setupx.dlla variant of Win32/Adware.Yontoo.B application
C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\[emailprotected]\components\arcadewebfirefox.dlla variant of Win32/Adware.Gamevance.CM application
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\7edmm5iv.default\extensions\[emailprotected]JS/Redirector.NCA trojan
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\aadggcdddjdjdidjdbdadaggdedagfdf\background.htmlWin32/BHO.OEI trojan
C:\Documents and Settings\Owner\Local Settings\temp\dealcabby.exeWin32/Adware.DealCabby.A application
C:\Documents and Settings\Owner\Local Settings\temp\is135653842\MyBabylonTB.exeWin32/Toolbar.Babylon application
C:\Documents and Settings\Owner\Local Settings\Temporary INTERNET Files\Content.IE5\058G4Y2S\dealcabby[1].exeWin32/Adware.DealCabby.A application
C:\Documents and Settings\Owner\My Documents\Downloads\Angry Smileys Setup%FF_4fd745f23e391043701246_.exeWin32/Adware.MarketScore.A application
C:\Documents and Settings\Owner\My Documents\Downloads\donkey-kong.exea variant of Win32/InstallCore.AL application
C:\My Backup -- 12-02-04 0922PM\Documents and Settings\Owner\My Documents\CyberLink\Downloads\SoftonicDownloader62174.exea variant of Win32/SoftonicDownloader.A application
C:\My Backup -- 12-02-04 0922PM\Documents and Settings\Owner\My Documents\Downloads\FinalMediaPlayer2011Setup.exea variant of Win32/InstallIQ application
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP208\A0043492.dllprobably a variant of Win32/Adware.180Solutions application
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP208\A0043493.exeprobably a variant of Win32/Adware.HotBar.E application
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP223\A0044225.exeWin32/Adware.MarketScore.A application
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP270\A0048237.dlla variant of Win32/Adware.Gamevance.CL application
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP270\A0048370.exea variant of Win32/Adware.Gamevance.CO application
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP283\A0063894.dlla variant of Win32/Adware.Gamevance.CM application


You could try uninstalling and re-installing FireFox.
Please run ESET again. It didn't seem to cure the infections.C:\Documents and Settings\All Users\Application Data\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dlla variant of Win32/Adware.Yontoo.B applicationcleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\_Setupx.dlla variant of Win32/Adware.Yontoo.B applicationcleaned by deleting - quarantined
C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\[emailprotected]\components\arcadewebfirefox.dlla variant of Win32/Adware.Gamevance.CM applicationcleaned by deleting - quarantined
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\7edmm5iv.default\extensions\[emailprotected]JS/Redirector.NCA trojandeleted - quarantined
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\59\180c027b-5cd59b3fmultiple threatsdeleted - quarantined
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\aadggcdddjdjdidjdbdadaggdedagfdf\background.htmlWin32/BHO.OEI trojancleaned by deleting - quarantined
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WSL101BN\dealcabby[1].exeWin32/Adware.DealCabby.A applicationcleaned by deleting - quarantined
C:\Documents and Settings\Owner\My Documents\Downloads\7zipSetup.exea variant of Win32/Adware.HotBar.P applicationcleaned by deleting - quarantined
C:\Documents and Settings\Owner\My Documents\Downloads\Angry Smileys Setup%FF_4fd745f23e391043701246_.exeWin32/Adware.MarketScore.A applicationcleaned by deleting - quarantined
C:\Documents and Settings\Owner\My Documents\Downloads\donkey-kong.exea variant of Win32/InstallCore.AL applicationcleaned by deleting - quarantined
C:\Documents and Settings\Owner\My Documents\Downloads\PDFcreator.exea variant of Win32/Adware.HotBar.P applicationcleaned by deleting - quarantined
C:\Documents and Settings\Owner\My Documents\Downloads\PlayBryte_FA_Setup.exea variant of Win32/Adware.iBryte.C applicationcleaned by deleting - quarantined
C:\Documents and Settings\Owner\My Documents\Downloads\SlammingsSetup_FF.exeWin32/Adware.MarketScore.A applicationcleaned by deleting - quarantined
C:\My Backup -- 12-02-04 0922PM\Documents and Settings\Owner\My Documents\CyberLink\Downloads\SoftonicDownloader62174.exea variant of Win32/SoftonicDownloader.A applicationcleaned by deleting - quarantined
C:\My Backup -- 12-02-04 0922PM\Documents and Settings\Owner\My Documents\Downloads\FinalMediaPlayer2011Setup.exea variant of Win32/InstallIQ applicationcleaned by deleting - quarantined
C:\Program Files\PDFCreator\Toolbar\pdfforge Toolbar_setup.exeWin32/Toolbar.Widgi applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP208\A0043493.exeprobably a variant of Win32/Adware.HotBar.E applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP223\A0044225.exeWin32/Adware.MarketScore.A applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP270\A0048237.dlla variant of Win32/Adware.Gamevance.CL applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP283\A0063894.dlla variant of Win32/Adware.Gamevance.CM applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP291\A0065084.exeWin32/Toolbar.Widgi applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP298\A0067315.dllWin32/Toolbar.Funmoods applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP298\A0067316.dllWin32/Toolbar.Funmoods applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP298\A0067317.dllWin32/Toolbar.Funmoods applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP298\A0067318.dllWin32/Toolbar.Funmoods applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP298\A0067319.dllWin32/Toolbar.Funmoods applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP298\A0067321.exeWin32/Toolbar.Funmoods applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP298\A0067323.exeWin32/Adware.DealCabby.A applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP298\A0067348.exeWin32/Toolbar.Babylon applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP298\A0067385.dlla variant of Win32/Adware.Yontoo.B applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP298\A0067386.dlla variant of Win32/Adware.Yontoo.B applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP298\A0067387.dlla variant of Win32/Adware.Gamevance.CM applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP298\A0067390.exea variant of Win32/SoftonicDownloader.A applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP298\A0067391.exea variant of Win32/InstallIQ applicationcleaned by deleting - quarantined
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP298\A0067392.exeWin32/Toolbar.Widgi applicationcleaned by deleting - quarantined
That looks better. How's your computer running now?I still can't mess with the task manager too much and I still get pop ups when I click on certain links but that's about my only problems so far
Please do even if you don't have your OS CD.

Do you have an XP CD?

If so, place it in your CD ROM drive and follow the instructions below:
•Click on Start > Run and type sfc /scannow then press Enter (note the SPACE between scf and /scannow)
*Let this run undisturbed until the window with the blue progress bar goes away
SFC - Which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.
******************************************************
TIGHTEN Internet Explorer's security setting

* Since Internet Explorer is the leading browser it will always be the lead in attacks from the bad guys.
o Make your Internet Explorer more secure
1. From within Internet Explorer click the Tools menu and then on Internet Options.
2. Click once on the Security tab
3. Click once on the Internet icon so it becomes highlighted.
4. Click once on the CUSTOM Level button.
+ Change the Download signed ActiveX controls to Prompt
+ Change the Download unsigned ActiveX controls to Disable
+ Change the Initialize and script ActiveX controls not marked as safe to Disable
+ Change the Installation of desktop items to Prompt
+ Change the Launching programs and files in an IFRAME to Prompt
+ Change the Navigate sub-frames across different domains to Prompt
+ When all these settings have been made, click on the OK button.
+ If it prompts you as to whether or not you want to save the settings, press the Yes button.
5. Next press the Apply button and then the OK to exit the Internet Properties page.

Tighten Internet Explorer's security setting continued - Default Internet Explorer settings should be SET to high.

1. Start up IE then go to Tools > Internet Options > Security
2. Set the Security level for the Internet Zone to High. (If no slider is visible, click Default Level.)
3. Click the Trusted Sites icon.
4. Set the Security level for the this Zone to Medium. (If no slider is visible, click Default Level.)
5. Click OK.

Quote

Just out of CURIOSITY was there much wrong with my computer?

Okay, thanks very much SuperDave.

Are there any specific tools I can run from a thumb-drive in order to remove spyware/malware from a LAPTOP without connecting to the internet...?

Thanks in advance, and I am sorry if this topic has already been touched on.There are a few that will run from the flashdrive but all of my tools can be DOWNLOADED and transferred to the computer and run from there. UNFORTUNATELY, some will require an internet connection to FUNCTION.

Its running great!

The offending process no longer runs ( "scvhost.exe 32*") and my ram usage is back to normal levels

Thank you so much for helping me.

Out of curiosity just what exactly did my computer have, and what could it have been doing with a gig or so of ram?Quote

Out of curiosity just what exactly did my computer have, and what could it have been doing with a gig or so of ram?

• Click the Start button. Click Run. For Vista: type in Run in the Start SEARCH, and click on Run in the results pane.
  
• In the field, type in ComboFix /uninstall
  

• Then, press Enter, or click OK.
  
• This will uninstall ComboFix, DELETE its folders and files, hides System files and folders, and resets System Restore.
  

Hi,
This laptop has been nothing but problems since the day I got it. No I did not purchase an extended warranty. Yesterday I had the (no joke) 500th or so blue screen. This time if I press the wireless button it "Dumps". The time before that bleeko? Lavasoft? <--Viruses?

Advise?

Oh by the way...Malwarebytes and SuperAntiSpyware...0 items found.WHAT? Now I cannot right click on a picture (in my pictures) without the computer freezing? WTH?
Download BlueScreenView to your desktop.
BlueScreenView
unzip downloaded file and double click on BlueScreenView.exe to run the PROGRAM.
when scanning is done, go to EDIT - Select All
Go to FILE - SAVE Selected Items, and save the report as BSOD.txt
Open BSOD.txt in Notepad, copy all of the content, and paste it into your next reply.
Says 0 crashes?? Do you just double click on the application icon?Please try this scanner. It may give me a better idea what's running on your computer.

Download DDS from HERE or HERE and save it to your desktop.

Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please ALLOW it)

* XP users Double click on dds to run it.
* If your antivirus or firewall try to block DDS then please allow it to run.
* When finished DDS will open two (2) logs.
* Save both reports to your desktop.
* The instructions here ask you to attach the Attach.txt.



1) DDS.txt
2) Attach.txt
Instead of attaching, please copy/past both logs into your Thread

Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copying and pasting it into the reply.

•Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE .Then post your DDS logs. (DDS.txt and Attach.txt )
Here are those reports.

Just as a side note: I pressed the WLAN button and the blue screen came on and then it shut itself down. I'm back to being wired.

[year+ old attachment deleted by admin]The logs look clean and this is not like a malware infection. Does it do the same thing in Safe Mode? Try it in Safe Mode and let me know what happens.
You could also try running the Recovery Console and doing a repair. If you don't have the disk, the RC should already be installed on your computer.
Recovery Console Repair.Yes Sorry Dave. Blue screen in safe mode as well Quote from: radioflyer91355 on JULY 30, 2012, 08:32:32 PM

Yes Sorry Dave. Blue screen in safe mode as well

I'm at a friend's house for the next 2 days and she wants me to fix her computer. She says she got the PC as payment in return for a construction job on someone's house a couple years ago, and the computer has been freezing up with a BSOD when she or her kids use it to go online. I'm in school learning to be a computer tech, I'm on summer vacation, I have no job (yet) but I'm looking for my hands-on experience in PC tech stuff.

Earlier today I tried to wipe that computer's HDD and reinstall Windows XP from a Microsoft XP_sp2 disc, but before it would go into the install process, I got a BSOD with a 0x0000007B stop error that said to run chkdsk to test for HDD corruption. However, the computer boots up into XP normally. The friend wants to know if it has a VIRUS on it and what kind of malware removal program I could recommend/install for her, but I'm stumped on this - so can you recommend any free complete malware scan and removal programs that I could d/l and install on her computer so she will not have to keep paying monthly/yearly fees on it? She does not have a lot of money to spend.

Thanks in advance.1) You want to install sp3 not sp2. You can build a slipstream cd with nlite.
2) I would not try to clean the system of malware, I'd install from scratch.
3) BOOT to the Windows CD (you cannot install from within the OS) and first choose a FULL format (that will run chkdsk /r prior to formatting). You will need the sata driver(s) for the HD.
4) To answer your question more directly, good free AV apps include Microsoft Security Essentials, Avira and Avast. Good free malware apps to install in addition to an av app are MalwareBytes and/or SuperAntiSpywareQuote from: Allan on August 01, 2012, 04:09:58 PM

2) I would not try to clean the system of malware, I'd install from scratch.
3) BOOT to the Windows CD (you cannot install from within the OS) and first choose a FULL format (that will run chkdsk /r prior to formatting). You will need the sata driver(s) for the HD.
4) To answer your question more directly, good free AV apps include Microsoft Security Essentials, Avira and Avast. Good free malware apps to install in addition to an av app are MalwareBytes and/or SuperAntiSpyware

• Download TDSSKiller and save it to your Desktop.
  
• Extract its contents to your desktop.
• Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  
  
• If an infected file is detected, the default action will be Cure, click on Continue.
  
  
• If a suspicious file is detected, the default action will be Skip, click on Continue.
  
  
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  
  
• Click the Report button and copy/paste the contents of it into your next reply
  

It appears your system is infected with a rootkit. A rootkit is a powerful piece of malware, that allows hackers full control over your computer for means of sending attacks over the Internet, or using your computer to generate revenue.

Malware experts have recommended that we make it clear that with the system under control of a hacker, your computer might become impossible to clean 100%.

Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your antivirus and SECURITY tools to prevent detection and removal. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can REFER to:

What danger is presented by rootkits?
Rootkits and how to combat them
r00tkit Analysis: What Is A Rootkit

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
What Should I Do If I've Become A Victim Of Identity Theft?
Identity Theft Victims Guide - What to do
It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot
be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot GUARANTEE that all traces of it will be removed. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety. Making this decision is BASED on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:
When should I re-format? How should I reinstall?
Help: I Got Hacked. Now What Do I Do?
Help: I Got Hacked. Now What Do I Do? Part II
Where to draw the line? When to recommend a format and reinstall?

Guides for format and reinstall:

how-to-reformat-and-reinstall-your-operating-system-the-easy-way

However, if you do not have the resources to reinstall your computer's OS and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat.
If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful.

Please let me KNOW what you have decided to do in your next post. Should you have any questions, please feel free to ask.

hi,

every time i press the search button on ebay, avast finds malware showing this:

hxxp://include.ebaystatic.com/v4js/en_US/e637/Finding_Common_e63710150401_6b_en_US.js\Finding_Common_e63710150401_6b_en_US

JS:Pdfka-OE [Expl]

its getting very annoying.. thanks

John

Disabled linkLogfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:40:57 AM, on 10/9/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16890)
Boot MODE: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage MANAGER\IAAnotif.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO CLASS - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\The Print Shop 23\Remind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Vongo Tray.lnk = ?
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O13 - Gopher Prefix:
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development COMPANY, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Unknown owner - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (file missing)
O23 - Service: QuickPlay Background CAPTURE Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe

--
End of file - 11827 bytes
anyone?When I open that link I get a page cannot be found.
When you go to ebay, how do you go about doing it?i just use firefox as my browser, and go straight to ebay's homepageTry manually updating your antivirus.

I have problems accessing google and yahoo search engines which I assume is a virus. The relevant logs are attached.



[Saving space, attachment deleted by admin]Welcome to CH.

1. Close all open Web browsers.
2. From the Start menu in Windows select Control Panel.
3. Select Add or Remove Programs.
4. Uninstall any of the following programs associated with Ask.com: (the names may be slightly different)

- Ask.com
- Ask Bar
- Ask Desktop Search
- Ask Search
- Ask Toolbar
- Ask Jeeves

5. Click Change/Remove for each and uninstall all found.

----------

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

• R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
• R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://register.hp.com/servlet/WebReg.servlets.ProdReg1Servlet?appID=java_wreg_wreg_genpg&prodOS=029&gwCountry=US&language=en&PURCH_DT_MONTH=03&PURCH_DT_DAY=23&PURCH_DT_YEAR=2006&PROD_SERIAL_ID=CNN5510PP4&application=305&modelID=EL470AA&LF=blue
• O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
• O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
• O1 - Hosts: 74.125.45.100 secure-plus-payments.com
• O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
• O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
• O1 - Hosts: 74.125.45.100 www.getavplusnow.com
• O1 - Hosts: 74.125.45.100 securesoftwarebill.com
• O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
• O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
• O1 - Hosts: 64.86.17.32 google.ae
• O1 - Hosts: 64.86.17.32 google.as
• O1 - Hosts: 64.86.17.32 google.at
• O1 - Hosts: 64.86.17.32 google.az
• O1 - Hosts: 64.86.17.32 google.ba
• O1 - Hosts: 64.86.17.32 google.be
• O1 - Hosts: 64.86.17.32 google.bg
• O1 - Hosts: 64.86.17.32 google.bs
• O1 - Hosts: 64.86.17.32 google.ca
• O1 - Hosts: 64.86.17.32 google.cd
• O1 - Hosts: 64.86.17.32 google.com.gh
• O1 - Hosts: 64.86.17.32 google.com.hk
• O1 - Hosts: 64.86.17.32 google.com.jm
• O1 - Hosts: 64.86.17.32 google.com.mx
• O1 - Hosts: 64.86.17.32 google.com.my
• O1 - Hosts: 64.86.17.32 google.com.na
• O1 - Hosts: 64.86.17.32 google.com.nf
• O1 - Hosts: 64.86.17.32 google.com.ng
• O1 - Hosts: 64.86.17.32 google.ch
• O1 - Hosts: 64.86.17.32 google.com.np
• O1 - Hosts: 64.86.17.32 google.com.pr
• O1 - Hosts: 64.86.17.32 google.com.qa
• O1 - Hosts: 64.86.17.32 google.com.sg
• O1 - Hosts: 64.86.17.32 google.com.tj
• O1 - Hosts: 64.86.17.32 google.com.tw
• O1 - Hosts: 64.86.17.32 google.dj
• O1 - Hosts: 64.86.17.32 google.de
• O1 - Hosts: 64.86.17.32 google.dk
• O1 - Hosts: 64.86.17.32 google.dm
• O1 - Hosts: 64.86.17.32 google.ee
• O1 - Hosts: 64.86.17.32 google.fi
• O1 - Hosts: 64.86.17.32 google.fm
• O1 - Hosts: 64.86.17.32 google.fr
• O1 - Hosts: 64.86.17.32 google.ge
• O1 - Hosts: 64.86.17.32 google.gg
• O1 - Hosts: 64.86.17.32 google.gm
• O1 - Hosts: 64.86.17.32 google.gr
• O1 - Hosts: 64.86.17.32 google.ht
• O1 - Hosts: 64.86.17.32 google.ie
• O1 - Hosts: 64.86.17.32 google.im
• O1 - Hosts: 64.86.17.32 google.in
• O1 - Hosts: 64.86.17.32 google.it
• O1 - Hosts: 64.86.17.32 google.ki
• O1 - Hosts: 64.86.17.32 google.la
• O1 - Hosts: 64.86.17.32 google.li
• O1 - Hosts: 64.86.17.32 google.lv
• O1 - Hosts: 64.86.17.32 google.ma
• O1 - Hosts: 64.86.17.32 google.ms
• O1 - Hosts: 64.86.17.32 google.mu
• O1 - Hosts: 64.86.17.32 google.mw
• O1 - Hosts: 64.86.17.32 google.nl
• O1 - Hosts: 64.86.17.32 google.no
• O1 - Hosts: 64.86.17.32 google.nr
• O1 - Hosts: 64.86.17.32 google.nu
• O1 - Hosts: 64.86.17.32 google.pl
• O1 - Hosts: 64.86.17.32 google.pn
• O1 - Hosts: 64.86.17.32 google.pt
• O1 - Hosts: 64.86.17.32 google.ro
• O1 - Hosts: 64.86.17.32 *Blocked Russian URL*
• O1 - Hosts: 64.86.17.32 google.rw
• O1 - Hosts: 64.86.17.32 google.sc
• O1 - Hosts: 64.86.17.32 google.se
• O1 - Hosts: 64.86.17.32 google.sh
• O1 - Hosts: 64.86.17.32 google.si
• O1 - Hosts: 64.86.17.32 google.sm
• O1 - Hosts: 64.86.17.32 google.sn
• O1 - Hosts: 64.86.17.32 google.st
• O1 - Hosts: 64.86.17.32 google.tl
• O1 - Hosts: 64.86.17.32 google.tm
• O1 - Hosts: 64.86.17.32 google.tt
• O1 - Hosts: 64.86.17.32 google.us
• O1 - Hosts: 64.86.17.32 google.vu
• O1 - Hosts: 64.86.17.32 google.ws
• O1 - Hosts: 64.86.17.32 google.co.ck
• O1 - Hosts: 64.86.17.32 google.co.id
• O1 - Hosts: 64.86.17.32 google.co.il
• O1 - Hosts: 64.86.17.32 google.co.in
• O1 - Hosts: 64.86.17.32 google.co.jp
• O1 - Hosts: 64.86.17.32 google.co.kr
• O1 - Hosts: 64.86.17.32 google.co.ls
• O1 - Hosts: 64.86.17.32 google.co.ma
• O1 - Hosts: 64.86.17.32 google.co.nz
• O1 - Hosts: 64.86.17.32 google.co.tz
• O1 - Hosts: 64.86.17.32 google.co.ug
• O1 - Hosts: 64.86.17.32 google.co.uk
• O1 - Hosts: 64.86.17.32 google.co.za
• O1 - Hosts: 64.86.17.32 google.co.zm
• O1 - Hosts: 64.86.17.32 google.com
• O1 - Hosts: 64.86.17.32 google.com.af
• O1 - Hosts: 64.86.17.32 google.com.ag
• O1 - Hosts: 64.86.17.32 google.com.ar
• O1 - Hosts: 64.86.17.32 google.com.au
• O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

OK here we go.

Delete Combo-Fix and download a new copy to your desktop. This time don't rename it. http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]KillAll::

Driver::
SessionLauncher
DCTDZCF
GGXIX

DDS::
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

File::
c:\windows\Tasks\OGALogon.job
c:\windows\system32\OGAEXEC.exe

Folder::
c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
c:\documents and settings\Administrator\Application Data\AVG8
c:\documents and settings\Randy\Local Settings\Application Data\Symantec
c:\documents and settings\All Users\Application Data\Norton
c:\documents and settings\All Users\Application Data\NortonInstaller

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=-


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freezeThanks evilfantasy...Here is the new ComboFix log:

ComboFix 09-10-11.01 - Randy 10/11/2009 18:48.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.393 [GMT -4:00]
Running from: c:\documents and settings\Randy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Randy\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1356 [VPS 091011-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\windows\system32\OGAEXEC.exe"
"c:\windows\Tasks\OGALogon.job"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\AVG8
c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
c:\documents and settings\Administrator\Local Settings\Application Data\Symantec\CEDUrl.txt
c:\documents and settings\All Users\Application Data\Norton
c:\documents and settings\All Users\Application Data\Norton\00000082\00000105\00000349\cltLMS1.dat
c:\documents and settings\All Users\Application Data\Norton\00000082\00000105\00000349\cltLMS2.dat
c:\documents and settings\All Users\Application Data\Norton\00000082\00000105\key.txt
c:\documents and settings\All Users\Application Data\Norton\symdata.xml
c:\documents and settings\All Users\Application Data\NortonInstaller
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-20-2009-17h50m14s\Install.1.mft.7z
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-20-2009-17h50m14s\Install.2.mft.7z
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-20-2009-17h50m14s\Log.Lue
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-20-2009-17h50m14s\NortonInstall-09-20-2009-17h50m14s.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-20-2009-17h52m03s\BHCA-0x0770.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-20-2009-17h52m03s\Install.1.mft.7z
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-20-2009-17h52m03s\Install.2.mft.7z
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-20-2009-17h52m03s\NortonInstall-09-20-2009-17h52m03s.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-20-2009-17h52m03s\SymIMexe-0x0634.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-20-2009-17h52m03s\tuIH-0x0404.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-20-2009-21h07m52s\Install.1.mft.7z
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-20-2009-21h07m52s\Install.2.mft.7z
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-20-2009-21h07m52s\Log.Lue
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-20-2009-21h07m52s\NortonInstall-09-20-2009-21h07m52s.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-20-2009-21h09m31s\Install.1.mft.7z
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-20-2009-21h09m31s\NortonInstall-09-20-2009-21h09m31s.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-20-2009-21h10m28s\NortonInstall-09-20-2009-21h10m28s.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-20-2009-21h14m36s\Install.1.mft.7z
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-20-2009-21h14m36s\Install.2.mft.7z
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-20-2009-21h14m36s\NortonInstall-09-20-2009-21h14m36s.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-20-2009-21h15m33s\BHCA-0x09A8.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-20-2009-21h15m33s\Install.1.mft.7z
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-20-2009-21h15m33s\Install.2.mft.7z
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-20-2009-21h15m33s\NortonInstall-09-20-2009-21h15m33s.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-20-2009-21h15m33s\SymIMexe-0x05A8.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-20-2009-21h15m33s\tuIH-0x03A4.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-21-2009-16h46m49s\BHCA-0x072C.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-21-2009-16h46m49s\Install.1.mft.7z
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-21-2009-16h46m49s\NortonInstall-09-21-2009-16h46m49s.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-21-2009-16h46m49s\OCSCtl-0x0228.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-21-2009-16h46m49s\SymIMexe-0x0498.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-21-2009-16h47m42s\NortonInstall-09-21-2009-16h47m42s.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-21-2009-17h28m54s\Install.1.mft.7z
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-21-2009-17h28m54s\Install.2.mft
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-21-2009-17h28m54s\Install.2.mft.7z
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-21-2009-17h28m54s\Log.Lue
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-21-2009-17h28m54s\NortonInstall-09-21-2009-17h28m54s.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-21-2009-17h30m29s\BHCA-0x0254.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-21-2009-17h30m29s\Install.1.mft.7z
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-21-2009-17h30m29s\Install.2.mft.7z
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-21-2009-17h30m29s\NortonInstall-09-21-2009-17h30m29s.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-21-2009-17h30m29s\SymIMexe-0x0680.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-21-2009-17h30m29s\tuIH-0x00A0.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-21-2009-18h57m26s\BHCA-0x0088.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-21-2009-18h57m26s\Install.1.mft.7z
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-21-2009-18h57m26s\NortonInstall-09-21-2009-18h57m26s.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-21-2009-18h57m26s\OCSCtl-0x0384.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-21-2009-18h57m26s\SymIMexe-0x0398.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\09-21-2009-18h58m24s\NortonInstall-09-21-2009-18h58m24s.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\Url.txt
c:\documents and settings\Randy\Local Settings\Application Data\Symantec
c:\documents and settings\Randy\Local Settings\Application Data\Symantec\CEDUrl.txt
c:\program files\messenger\msmsgs.exe
c:\windows\system32\OGAEXEC.exe
c:\windows\Tasks\OGALogon.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DCTDZCF
-------\Legacy_GGXIX
-------\Legacy_SESSIONLAUNCHER
-------\Service_DCTDZCF
-------\Service_GGXIX
-------\Service_SessionLauncher


((((((((((((((((((((((((( Files Created from 2009-09-11 to 2009-10-11 )))))))))))))))))))))))))))))))
.

2009-10-11 01:58 . 2009-10-11 01:58--------d-----w-c:\documents and settings\Randy\Application Data\Office Genuine Advantage
2009-10-11 01:15 . 2008-04-14 00:1156320----a-w-c:\windows\eventlog.dll
2009-09-27 13:00 . 2009-09-27 13:00--------d-----w-c:\program files\iPod
2009-09-26 21:53 . 2009-09-26 22:07--------d-----w-c:\program files\Trend Micro
2009-09-26 15:40 . 2009-09-15 10:5452368----a-w-c:\windows\system32\drivers\aswTdi.sys
2009-09-26 15:40 . 2009-09-15 10:5423152----a-w-c:\windows\system32\drivers\aswRdr.sys
2009-09-26 15:40 . 2009-09-15 10:5327408----a-w-c:\windows\system32\drivers\aavmker4.sys
2009-09-26 15:40 . 2009-09-15 10:5397480----a-w-c:\windows\system32\AvastSS.scr
2009-09-26 15:40 . 2009-09-15 10:5693424----a-w-c:\windows\system32\drivers\aswmon.sys
2009-09-26 15:40 . 2009-09-15 10:5694160----a-w-c:\windows\system32\drivers\aswmon2.sys
2009-09-26 15:40 . 2009-09-15 10:55114768----a-w-c:\windows\system32\drivers\aswSP.sys
2009-09-26 15:40 . 2009-09-15 10:5520560----a-w-c:\windows\system32\drivers\aswFsBlk.sys
2009-09-26 15:39 . 2009-09-15 10:591279968----a-w-c:\windows\system32\aswBoot.exe
2009-09-26 15:39 . 2009-09-26 15:39--------d-----w-c:\program files\Alwil Software
2009-09-25 22:19 . 2009-09-25 22:19--------d-----w-C:\VundoFix Backups
2009-09-24 20:47 . 2009-09-24 20:46411368----a-w-c:\windows\system32\deploytk.dll
2009-09-24 12:26 . 2009-09-24 12:26--------d-----w-c:\windows\system32\Service
2009-09-23 21:49 . 2009-09-23 21:49--------d-----w-c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-23 21:49 . 2009-09-23 21:49--------d-----w-c:\documents and settings\Randy\Application Data\SUPERAntiSpyware.com
2009-09-23 21:38 . 2009-09-23 21:38--------d-----w-c:\program files\CCleaner
2009-09-22 03:03 . 2009-09-24 04:3370254592--sha-w-C:\NRTPage.sys
2009-09-21 20:59 . 2009-09-21 20:5991896----a-w-c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-21 20:46 . 2009-09-21 20:46--------d-----w-c:\documents and settings\Administrator\Local Settings\Application Data\Downloaded Installations
2009-09-21 02:48 . 2009-09-25 22:07--------d-----w-c:\documents and settings\All Users\Application Data\PC Tools
2009-09-21 01:18 . 2009-09-21 01:18--------d-----w-c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-09-20 21:54 . 2009-09-20 21:54--------d-----w-c:\documents and settings\Randy\Local Settings\Application Data\Downloaded Installations
2009-09-20 21:25 . 2009-09-20 21:25--------d-----w-c:\documents and settings\Randy\Application Data\Malwarebytes
2009-09-20 20:35 . 2009-09-25 22:07--------d---a-w-c:\documents and settings\All Users\Application Data\TEMP
2009-09-20 20:25 . 2009-09-20 20:25--------d-----w-c:\documents and settings\Administrator\Application Data\AT&T
2009-09-20 20:22 . 2009-09-20 20:22--------d-----w-c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-20 20:22 . 2009-09-20 20:22--------d-----w-c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-20 20:20 . 2009-09-20 20:20--------d-sh--w-c:\documents and settings\Administrator\PrivacIE
2009-09-20 04:12 . 2009-09-20 04:12--------d-sh--w-c:\documents and settings\Administrator\IETldCache
2009-09-19 23:02 . 2009-09-19 23:02319----a-w-C:\drmHeader.bin
2009-09-14 11:29 . 2009-09-24 02:1175732---ha-w-c:\windows\system32\mlfcache.dat
2009-09-14 01:02 . 2009-09-14 01:02--------d-----w-c:\program files\iPhone Configuration Utility
2009-09-14 01:01 . 2009-09-14 01:01--------d-----w-c:\program files\Safari
2009-09-14 00:51 . 2009-09-14 00:53--------d-----w-c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-14 00:43 . 2009-09-14 00:44--------d-----w-c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-11 18:07 . 2006-07-01 01:03--------d-----w-c:\program files\Common Files\Symantec Shared
2009-10-10 19:47 . 2006-07-01 01:05--------d-----w-c:\program files\MUSICMATCH
2009-09-27 13:01 . 2009-08-16 17:37--------d-----w-c:\program files\iTunes
2009-09-27 13:00 . 2009-08-16 17:31--------d-----w-c:\program files\Common Files\Apple
2009-09-27 12:56 . 2006-07-01 00:44--------d-----w-c:\program files\Java
2009-09-26 00:20 . 2006-07-05 22:06--------d-----w-c:\documents and settings\Randy\Application Data\ATI
2009-09-26 00:20 . 2006-07-01 00:57--------d-----w-c:\documents and settings\Administrator\Application Data\ATI
2009-09-24 12:52 . 2008-07-09 19:51--------d-----w-c:\documents and settings\Randy\Application Data\AT&T
2009-09-24 12:52 . 2008-07-09 19:50--------d-----w-c:\documents and settings\All Users\Application Data\AT&T
2009-09-24 12:52 . 2008-07-09 19:51--------d-----w-c:\program files\AT&T
2009-09-23 21:12 . 2006-07-01 01:00--------d-----w-c:\documents and settings\All Users\Application Data\Viewpoint
2009-09-21 22:15 . 2006-07-08 14:0891896----a-w-c:\documents and settings\Randy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-21 21:21 . 2006-07-05 23:02--------d-----w-c:\documents and settings\All Users\Application Data\WildTangent
2009-09-21 21:21 . 2006-07-01 01:04--------d-----w-c:\program files\WildTangent
2009-09-15 01:21 . 2009-08-16 17:38--------d-----w-c:\documents and settings\Randy\Application Data\Apple Computer
2009-09-09 12:19 . 2009-01-24 17:39--------d-----w-c:\program files\Microsoft Silverlight
2009-08-28 23:42 . 2009-08-16 17:3240448----a-w-c:\windows\system32\drivers\usbaapl.sys
2009-08-28 23:42 . 2009-08-16 17:322065696----a-w-c:\windows\system32\usbaaplrc.dll
2009-08-17 12:04 . 2009-08-17 12:04--------d-----w-c:\program files\MSBuild
2009-08-17 12:04 . 2009-08-17 12:04--------d-----w-c:\program files\Reference Assemblies
2009-08-16 17:38 . 2009-08-16 17:37--------d-----w-c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-16 17:37 . 2009-08-16 17:35--------d-----w-c:\documents and settings\All Users\Application Data\Apple Computer
2009-08-16 17:36 . 2009-08-16 17:36--------d-----w-c:\program files\Bonjour
2009-08-16 17:32 . 2009-08-16 17:32--------d-----w-c:\program files\Apple Software Update
2009-08-16 17:31 . 2009-08-16 17:31--------d-----w-c:\documents and settings\All Users\Application Data\Apple
2009-08-14 13:40 . 2009-08-14 13:40--------d-----w-c:\documents and settings\All Users\Application Data\TomTom
2009-08-14 13:39 . 2009-08-14 13:39--------d-----w-c:\documents and settings\Randy\Application Data\TomTom
2009-08-14 13:39 . 2009-08-14 13:39--------d-----w-c:\program files\TomTom International B.V
2009-08-14 13:39 . 2009-08-14 13:39--------d-----w-c:\program files\TomTom HOME 2
2009-08-14 13:37 . 2009-08-14 13:37--------d-----w-c:\program files\TomTom DesktopSuite
2009-08-05 09:01 . 2004-08-11 22:00204800----a-w-c:\windows\system32\mswebdvd.dll
2009-08-03 19:07 . 2009-08-03 19:07403816----a-w-c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07322928----a-w-c:\windows\system32\OGAAddin.dll
2009-07-17 19:01 . 2004-08-11 22:0058880----a-w-c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-11 22:00286208----a-w-c:\windows\system32\wmpdxm.dll
2009-01-19 14:36 . 2009-01-19 14:361898----a-w-c:\program files\Daily Planner Plus 6.2.lnk
2006-09-10 16:36 . 2006-09-10 16:3656--sh--r-c:\windows\system32\177D90C9E0.sys
2007-11-25 17:37 . 2006-07-30 16:4788--sh--r-c:\windows\system32\77830626E5.sys
2009-04-13 16:33 . 2006-07-30 16:474496--sha-w-c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [emailprotected]_18.27.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-11 22:55 . 2009-10-11 22:5516384 c:\windows\Temp\Perflib_Perfdata_c4c.dat
+ 2009-10-11 22:55 . 2009-10-11 22:5516384 c:\windows\Temp\Perflib_Perfdata_25c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VirtualExpanderFile.1]
@="{E4000AC4-5E5F-4956-807A-C5854405D64F}"
[HKEY_CLASSES_ROOT\CLSID\{E4000AC4-5E5F-4956-807A-C5854405D64F}]
2008-01-03 21:4673728----a-w-c:\windows\system32\VirtualExpander\VEShellExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-27 68856]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-08-07 247144]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2004-12-22 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2006-01-02 1126400]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-23 663552]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2007-08-24 240112]
"DMXLauncher"="c:\program files\Roxio\CinePlayer\DMXLauncher.exe" [2007-08-14 113136]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-15 185872]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-07-23 122368]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-24 149280]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]
"MBMon"="CTMBHA.DLL" - c:\windows\system32\CTMBHA.DLL [2006-03-03 1355938]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-6-30 24576]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecuteREG_MULTI_SZ autocheck autochk /k:C *

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Brother\\Brmfl07a\\FAXRX.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Roxio\\Video Convert 10\\VideoConvert10.exe"=
"c:\\Program Files\\Roxio\\Digital Home 10\\RoxioUPnPRenderer10.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"54925:UDP"= 54925:UDP:Brother Network Scanner

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [9/26/2009 11:40 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/26/2009 11:40 AM 20560]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [8/7/2009 10:31 AM 92008]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [8/24/2007 4:53 PM 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [8/24/2007 4:52 PM 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [8/24/2007 4:52 PM 166384]
S3 pctplsg;pctplsg;\??\c:\windows\system32\drivers\pctplsg.sys --> c:\windows\system32\drivers\pctplsg.sys [?]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [8/24/2007 4:53 PM 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [8/24/2007 4:52 PM 1083888]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch BAR = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-11 18:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(884)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3104)
c:\windows\system32\WININET.dll
c:\windows\system32\VirtualExpander\VEShellExt.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\rundll32.exe
c:\docume~1\Randy\LOCALS~1\temp\clclean.0001
c:\program files\Brother\ControlCenter3\BrccMCtl.exe
c:\program files\Brother\Brmfcmon\BrMfimon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-10-11 19:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-11 23:00
ComboFix2.txt 2009-10-11 18:31

Pre-Run: 23,064,145,920 bytes free
Post-Run: 23,044,698,112 bytes free

326--- E O F ---2009-09-22 02:17
Looking good. Lets clean up a little and run a quick scan to see what's left, if anything.

Go ahead and delete any of the special tools and files we downloaded to your desktop. Everything but ComboFix.

* Click START then RUN - Vista users PRESS the Windows Key and the R keys for the Run box.
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

----------

Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

----------

If you already have Malwarebytes be sure to update it before running the scan!

Download Malwarebytes' Anti-Malware (MBAM)

Alternate MBAM download link

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to the following:

* Update Malwarebytes' Anti-Malware
* Launch Malwarebytes' Anti-Malware

* Then click Finish
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.


Also let me know how the computer is running now.

,Well evilfantasy according to this scan looks like you hard work has paid off, but I'll let you tell me...Thank you so much for your dedication in helping folks like me...The MalwareBytes log:

Malwarebytes' Anti-Malware 1.41
Database version: 2944
Windows 5.1.2600 Service Pack 3

10/11/2009 8:14:43 PM
mbam-log-2009-10-11 (20-14-43).txt

Scan type: Quick Scan
Objects scanned: 112363
Time elapsed: 5 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Yes it looks good.

How is the computer running now?It's running great...thanks so much for your help...I commend you for your tireless efforts...Thank you!!! Do you recommend any specific AV software...I had been running AT&T's until recently when this problem happened...Thanks again...Your welcome. Glad we got it. I've only helped remove that infection once before now and it shows in my instructions. Oh well, next time I know what to and not to do.

Avast is one of the best there is. I always recommend it or Avira Antivir.

You also might go ahead and run the Kaspersky scan again to see if everything is indeed gone. Malwarebytes and ComboFix aren't virus scanners, they're only antimalware scanners.

Here are some other suggestions. Let me know if you have any questions.

USE the Secunia Software Inspector to check for out of date software.

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

My desktop has started to do the following:

When I turn on the power button it will boot up and when it gets to the user password it turns off the computer.
If I unplug the computer and LEAVE it unplugged for awhile then restart it, it will boot up and work until I TRY to run the antivirus PROGRAM (both AVG and Onelivecare safety scan) the program starts to run then turns off. (turns off means instantly, without a normal shut down) If I turn on the system it will reboot but turn off as soon as I get to the user password again. and again and again

I have checked all the connections, cleaned out the tower and removed all the dust, replaced the internal battery but don't know how to get an antivirus program to run.

Any ideas as to the problem? Try booting to safe mode and running the av from there - can you do that?My F keys won't respond, I can't get to the safe mode boot screen. I can get into setup screen by pressing the delete keyIs there an "F-Lock" key on the keyboard? If so, use it to toggle the F-keys and then try again. Otherwise you'll need to try a DIFFERENT keyboard. If you still can't get to safe mode, use msconfig's boot.ini tab and the /safeboot OPTION.

Don't transfer any files....you said in reply#2 that AVG detected Virut.....you will infect another PC if you're not careful.

Sorry Dave ... had to throw in the heads up.Thanks for the heads up karnac, completely forgot that i could infect the pc again!

edit:

However from what i remember only the windows SYSTEM files where infected by virut. What i am saying is, if i transfer only my data for example my documents/photos/movies/Application e.t.c from which none was infected will that be a problem? Or is it better to not take the risk and just wait for guidance in order to disinfect the pc completely before doing anything?Quote from: Sander on October 26, 2009, 08:20:40 PM

better to not take the risk and just wait for guidance

Here's what's going on with my laptop:

My Web email is sending bogus emails to my contacts. I can see some of these emails in the Sent folder of my Web email, but not in my OUTLOOK Sent folder.

I use Norton 360, always keep it up to date. Since the email spam began, I've run several different spyware and malware programs and my computer comes up clean.

I don't access my email at public spots, only at home.

I've tried working with my email provider (AT&T) on this problem, but the technicians haven't been able to help and suggested I contacted Yahoo for help, which I know is a dead-end street.

Here are some oddities that no ONE at AT&T can explain (and I don't know if they have anything to do with the spam coming from my email). AT&T and Yahoo ask users to create a sign-in seal as a way to verify that you're on a legit site when you want to check your Web mail. My sign-in seals always disappear from one day to the next. Also, in my settings for my AT&T Webmail, there's an email address there that I didn't enter and that I can't change or delete. The AT&T tech told me it's Yahoo's Hong KONG office; HOWEVER, several months AGO, I received spam from the same address.

I'd really like to find a way to stop the spam and would greatly appreciate any help. Thanks --- Chris

P.S. I have a Lenovo ThinkPad with Vista Home Premium.

Thanks for viewing and my regards to your effort in reply.
How do i upgrade my BIOS.The booting devices not detecting by bios and thats why i wanted to uphrade itAdemil4vic,
Welcome back. But you still have not told what OS you have and how old your is your COMPUTER. If the computer was made in the last three years, it will not need a BIOS update.aa
To find out what version of BID you have, you can run a utility program that will TELL you.

You can Google for a ANSWER to your question. But first, you want to be sure that it is the right thing to do.

Ok. Let's try this one.

Please download the Sophos Anti-Rootkit Scanner and save it to your desktop.

You will need to enter your name, e-mail address and location in order to access the download page.

• Once you have downloaded the file, double click the sarsfx icon
  
• Review the licence agreement and click on the Accept button
  
• The scanner will prompt you to extract the files to C:\SOPHTEMP - DO NOT change this location, simply click the Install button
  
  
• Once the files have been extracted; using Windows Explorer, navigate to C:\SOPHTEMP and double click on the blue shield icon called sargui
  
• Ensure that there are checkmarks next to Running processes, Windows registry and Local hard drives, then click Start scan
  
• Allow the program to scan your computer - please be patient as it may take some time
• Once the scan has completed a window will pop-up with the results of the scan - click OK to this
  
• In the main window, you will see each of the entries found by the scan (if any)
• If the scanner generated any warning messages, please click on each warning and copy and paste the text of it into this thread for me to review
• Once you have posted any warning messages here, you can close the scanner and wait for me to get back to you
• If you have not had any warnings, any entries which can be cleaned up by the scanner will have a box with a green checkmark in it next to the entry
• To clean up these entries click on the Clean up checked items button
  
• If you accidentally check a file NOT recommended for clean up, you will get a warning message and if necessary can re-select the entries you want to clean up
• Once you have cleaned the selected files, you will be prompted to re-boot your computer - please do so
• When you have re-booted,and tell me how your computer is running now

• Click on to download the ESET Smart Installer. Save it to your desktop.
  
• Double click on the icon on your desktop.
  

however the instructions you gave me don't quite match what I saw

• Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  
• In the field, type in ComboFix /uninstall
  

• Then, press Enter, or click OK.
  
• This will uninstall ComboFix, delete its folders and files, hides System files and folders, and resets System Restore.
  

• Click the CleanUp button.
  
• Select Yes when the "Begin cleanup Process?" prompt appears.
  
• If you are prompted to Reboot during the cleanup, select Yes.
  
• The tool will delete itself once it finishes.

Got through all that without any problems.

Thanks for all your help!

But your copy of windows must be genuine not an PIRATED one. It RUNS an genuine validation test before installing and doesnt install if the genuine check fails.

Also, when I go to Comodo and hit browse, then put the file name in, it says it doesn't exist. I'm not sure where to find it using the browse command, I went through some of the documents on my computer, but didn't see it? Not sure if I'm doing that option correctly.Quote

when I go to Comodo and hit browse, then put the file name in, it says it doesn't exist

• Click on to download the ESET Smart Installer. Save it to your desktop.
  
• Double click on the icon on your desktop.
  

Good lord, this is getting extremely frustrating!! That didn't work either! Got to the page to start the scan, and get this message:

Loading Bitdefender QuickScan...
Notice the browser confirmation message above and accept the plug-in installation by clicking the bar above. From the contextual menu please choose 'Install ActiveX control...' and you will be prompted to install the application. To be able to use Bitdefender QuickScan please click 'Install'..
* using default browser settings

except there is no bar or anything to accept ActiveX. Nothing happens, just sits there. Tried it 3 times.